Last year Microsoft announced the public preview of their own Mobile Threat Defense Solution for Android and iOS: Microsoft Defender for Endpoint. Since that time Defender for Endpoint made it to general availability and new features have been added. And still, Microsoft is developing the software to expand it with new features.
One of the features which are supported for a couple of months is mobile application management (MAM) support for non-Intune enrolled devices. With MAM the device itself isn`t managed by Intune, but the applications which are allowed to access corporate data, are managed. More information on MAM can be found here.
The availability of MAM support means we can also secure the personally owned mobile devices (BYOD) which are used by our employees to access corporate data with Defender. For this, we use an App Protection Policy in which we set the max allowed device threat level and the action to take when a threat is found on the device.
Let’s see what we need to set up to get this to work.
Integrate Microsoft Defender with Intune
Microsoft Defender doesn’t share device information by default with Intune. We need to enable this in the Microsoft 365 Defender portal.
To set up this connection follow the below steps.
- Sign in to the Microsoft 365 Defender portal
- Browse to Settings – Endpoints
- On the Advanced features tab switch on Microsoft Intune connection
- Click Save preferences
As soon as the connection is established, we need to connect Android and iOS devices to Microsoft Defender for Endpoint for App Protection Policy evaluation in the Intune portal.
- Sign in to the Microsoft Endpoint Manager admin center
- Browse to Tenant administration – Connectors and tokens
- Open the Microsoft Defender for Endpoint tab
- Under App Protection Policy settings switch on both options for Android and iOS
Configure Conditional Access policy
We first create a Conditional Access (CA) policy in the Azure portal. We do this to make sure the App Protection Policy is always applied when a user tries to access corporate data on a mobile device. Therefore we only allow access to corporate data when an Approved client app is used.
In this example, we set up a CA policy for cloud app Office 365 which contains multiple applications, like Exchange Online. This is just an example configuration.
- Sign in to the Azure portal
- Open Security (direct or under Azure AD)
- On the Conditional Access tab click +New policy
- Provide a name for the policy
- On the Users and groups tab select All Users or select a role or security group
- On the Cloud apps or actions tab choose All cloud apps or select an app
- Browse to Conditions – Device platforms
- Select Android and iOS (or select Any device and exclude Windows and macOS)
- On the Client apps tab select Configure Yes
- Browse to Access controls – Grant
- Select Require approved app and Require app protection policy
- Select Require all the selected controls
- Click Create
Configure App Protection Policy
Next, we set up an App Protection Policy in the Intune portal. Here we configure Data protection, Access requirements and Conditional launch settings. Under Conditional launch, we configure the Max allowed device threat level. This adds the requirement to install Microsoft Defender on the mobile device. Depending on our needs, as an action, we can choose from Block access or Wipe data.
- Switch back to the Microsoft Endpoint Manager admin center
- Browse to Apps – App protection policies
- Click +Create policy
- Choose iOS/iPadOS or Android
- Give the policy a Name
- Enter a Description (Optional)
- Click Next
- Choose No
- Select Unmanaged from the drop-down list
- Click Select public apps
- Select all apps you want to target the policy to
- Click Select – Click Next
- Configure the settings on the Data protection tab
- Click Next
- Configure the settings in the Access requirements tab
- Click Next
- Scroll down to Device conditions
- Add Max allowed device threat level
- Choose the threat level under Value
- Select the action; Block access or Wipe data
- click Next
- Finish the creation of the policy
Everything is in place to protect our corporate data with an App protection policy and Microsoft Defender for Endpoint.
End-user experience – Android
Now let’s have a look at the end-user experience. For this example, we use Microsoft Outlook on an Android device to access a user’s mailbox.
As soon as the account is added to Outlook, the user is asked to install the Company Portal app. When the user clicks on Get the app, the user is redirected to the Google Play Store to install the Company Portal app.
The app only needs to be installed, no need to sign in to the app. The app is used as a broker app, to apply the App Protection Policy.
After installing the Company Portal app, the user might be asked to provide the credentials again. After authentication is successful, the user is asked to register the device.
During registration, a couple of checks are done. The Device health check will fail as Defender isn’t installed yet.
The user is shown a message with information on how to get access to the mailbox.
By clicking on Download, the Google Play Store is opened to install Microsoft Defender.
Install Microsoft Defender Endpoint.
Set up Microsoft Defender by allowing the required permissions.
As soon as everything is in place below message is shown; Onboarding completed.
Return to Outlook.
The user needs to recheck for the health status. This might take some time as sync needs to be done between the device and the Defender and Intune services.
As soon as the device is healthy, the user is presented below screen.
Device is healthy.
Access to the mailbox is granted.
Now let’s install a test virus app from the Google Play Store to see what happens when Defender finds a threat.
Access to the mailbox is blocked or the mailbox is wiped (with a small delay), depending on the action set in the App Protection Policy.
After the threat is removed, return to Outlook and click Recheck, to recheck the device’s health and get access to the mailbox again.
Outlook confirms app status…
As soon as everything is OK again, access is granted.
The enrollment of an Android device in a video:
End-user experience – iOS
For iOS I only show the enrollment experience on an iPhone.
As soon as authentication is done, we are also asked to install the broker app. But on iOS the Microsoft Authenticator app functions as the broker app. Click on Get the app to open the App Store.
Install the Authenticator app and sign in when you’re asked to sign in.
When the Authenticator app is installed and we’re signed in, return to Outlook.
Click Register.
The registration is performed and app status checked.
The App Protection Policy is applied on the device and we’re required to install Microsoft Defender for Endpoint.
Click Download from App Store.
Install Microsoft Defender.
Sign in to the app and perform the configuration to activate Defender.
Return to Outlook to recheck the status.
And we have access to our mailbox!
The enrollment experience with Intune Mobile Application Management on Android is in my opinion a bit better compared to iOS. On iOS I don’t have a constant enrollment experience. Sometimes it takes some time before the App Protection Policy is applied and therefore I’m not directly asked for a PIN and to install Defender. And besides that, after installing and activating Defender, sometimes I’ve direct access to my mailbox, and the other time I need to manually recheck the status.
If you’re testing the enrollment multiple times on an iOS device, I suggest resetting the device between every enrollment. When you only remove the apps (Outlook. Authenticator and Defender etc.), restart the device and perform another enrollment, you’re most of the time not asked to install the Authenticator app.
That’s it for this post.
Thank you for reading!
10 Comments
Have you tried this with iOS? It does not seem to work with the “Require App Protection Policy” option in CA. I noted your instructions were created using Android. I have some notes I am happy to pass over. Briefly, Authenticator kicked in and asked for my account details. I added them then received an access denied error. It seems like this process kicks in before the App Protection policy is applied. I think I have followed the instructions correctly.
I’ve not tested this particular setup (don’t have an iPhone on my desk atm), but tested App Protection Policies in the past on iOS. I doubt if you also need to authenticate in the Authenticator app. You don’t have to authenticate in the Company Portal app on Android and if I remember correctly that’s the same for the Authenticator app on iOS. But unfortunately not able to verify at this moment.
Regards,
Peter
Hi Peter, thanks for your reply. I have found a problem with provisioning on this account (it would be the account I picked for testing 🙂 ) I will try again today and let you know what happens.
Hi Terry,
I was able to get an iPhone for testing;
After authenticating in Outlook, I’m asked to register the device. I install the Authenticator app and I do need to sign in to Authenticator. When that’s done I can finish the setup of Outlook. But it takes pretty long (compared to Android) before I’m asked to provide a PIN (as part of the APP) and install Defender. Installing and configuring a second app seems to speed up that process (probably a new sync to the back-end is done).
When I’ve some time, I’ll expand the post with the end-user experience on iOS.
Regards,
Peter
That’s great, thanks for testing that. I will continue testing on my new tenancy and let you know if I find anything interesting. Thanks again.
Hi Peter, I have setup a new test tenancy. It looks like Microsoft called time on my previous test tenancy about a week early so the mailboxes were no longer provisioned, but there were no signs of it in the tenancy. I am assuming it was affecting other services too. Having tested it with my new tenancy I can confirm it works without the need for authenticating in Authenticator. In fact, it didn’t ask me to download Authenticator. I will continue testing and let you know what I find.
You probably used an existing iPhone I guess?
When you just remove the apps and start testing again, it doesn’t ask for the Authenticator app. Do a factory reset and it does ask to install the app.
Yes, I found the same. I think between a change in the CA policy and troubleshooting it got itself in a twist. A reset sorted that side of it.
I have totally taken over your comment section but I can report that I have tested it after ironing out those wrinkles and it works perfectly. Thank you for the article and for taking the time to test the iOS configuration.
In my test env. A device can go through enrolment successfully but if they signout out of defender or uninstall it. They still gain access to outlook email, teams and other m365 apps. How do you stop access once defender is removed or signedout on byod devices