Secure personal mobile devices with Microsoft Intune and Defender for Endpoint

Last year Microsoft announced the public preview of their own Mobile Threat Defense Solution for Android and iOS: Microsoft Defender for Endpoint. Since that time Defender for Endpoint made it to general availability and new features have been added. And still, Microsoft is developing the software to expand it with new features.

One of the features which are supported for a couple of months is mobile application management (MAM) support for non-Intune enrolled devices. With MAM the device itself isn`t managed by Intune, but the applications which are allowed to access corporate data, are managed. More information on MAM can be found here.

The availability of MAM support means we can also secure the personally owned mobile devices (BYOD) which are used by our employees to access corporate data with Defender. For this, we use an App Protection Policy in which we set the max allowed device threat level and the action to take when a threat is found on the device.

Let’s see what we need to set up to get this to work.

Integrate Microsoft Defender with Intune

Microsoft Defender doesn’t share device information by default with Intune. We need to enable this in the Microsoft 365 Defender portal.

To set up this connection follow the below steps.

• Sign in to the Microsoft 365 Defender portal
• Browse to Settings – Endpoints
• On the Advanced features tab switch on Microsoft Intune connection
• Click Save preferences

As soon as the connection is established, we need to connect Android and iOS devices to Microsoft Defender for Endpoint for App Protection Policy evaluation in the Intune portal.

• Sign in to the Microsoft Endpoint Manager admin center
• Browse to Tenant administration – Connectors and tokens
• Open the Microsoft Defender for Endpoint tab
• Under App Protection Policy settings switch on both options for Android and iOS

Configure Conditional Access policy

We first create a Conditional Access (CA) policy in the Azure portal. We do this to make sure the App Protection Policy is always applied when a user tries to access corporate data on a mobile device. Therefore we only allow access to corporate data when an Approved client app is used.

In this example, we set up a CA policy for cloud app Office 365 which contains multiple applications, like Exchange Online. This is just an example configuration.

• Sign in to the Azure portal
• Open Security (direct or under Azure AD)
• On the Conditional Access tab click +New policy

• Provide a name for the policy
• On the Users and groups tab select All Users or select a role or security group

• On the Cloud apps or actions tab choose All cloud apps or select an app

• Browse to Conditions – Device platforms
• Select Android and iOS (or select Any device and exclude Windows and macOS)

• On the Client apps tab select Configure Yes

• Browse to Access controls – Grant
• Select Require approved app and Require app protection policy
• Select Require all the selected controls
• Click Create

Configure App Protection Policy

Next, we set up an App Protection Policy in the Intune portal. Here we configure Data protection, Access requirements and Conditional launch settings. Under Conditional launch, we configure the Max allowed device threat level. This adds the requirement to install Microsoft Defender on the mobile device. Depending on our needs, as an action, we can choose from Block access or Wipe data.

• Switch back to the Microsoft Endpoint Manager admin center
• Browse to Apps – App protection policies
• Click +Create policy
• Choose iOS/iPadOS or Android

• Give the policy a Name
• Enter a Description (Optional)
• Click Next

• Choose No
• Select Unmanaged from the drop-down list
• Click Select public apps
• Select all apps you want to target the policy to
• Click Select – Click Next

• Configure the settings on the Data protection tab
• Click Next

• Configure the settings in the Access requirements tab
• Click Next

• Scroll down to Device conditions
• Add Max allowed device threat level
• Choose the threat level under Value
• Select the action; Block access or Wipe data
• click Next
• Finish the creation of the policy

Everything is in place to protect our corporate data with an App protection policy and Microsoft Defender for Endpoint.

End-user experience – Android

Now let’s have a look at the end-user experience. For this example, we use Microsoft Outlook on an Android device to access a user’s mailbox.

As soon as the account is added to Outlook, the user is asked to install the Company Portal app. When the user clicks on Get the app, the user is redirected to the Google Play Store to install the Company Portal app.

The app only needs to be installed, no need to sign in to the app. The app is used as a broker app, to apply the App Protection Policy.

After installing the Company Portal app, the user might be asked to provide the credentials again. After authentication is successful, the user is asked to register the device.

During registration, a couple of checks are done. The Device health check will fail as Defender isn’t installed yet.

The user is shown a message with information on how to get access to the mailbox.
By clicking on Download, the Google Play Store is opened to install Microsoft Defender.

Install Microsoft Defender Endpoint.

Set up Microsoft Defender by allowing the required permissions.

As soon as everything is in place below message is shown; Onboarding completed.
Return to Outlook.

The user needs to recheck for the health status. This might take some time as sync needs to be done between the device and the Defender and Intune services.

As soon as the device is healthy, the user is presented below screen.
Device is healthy.

Access to the mailbox is granted.

Now let’s install a test virus app from the Google Play Store to see what happens when Defender finds a threat.

Access to the mailbox is blocked or the mailbox is wiped (with a small delay), depending on the action set in the App Protection Policy.
After the threat is removed, return to Outlook and click Recheck, to recheck the device’s health and get access to the mailbox again.

Outlook confirms app status…
As soon as everything is OK again, access is granted.

The enrollment of an Android device in a video:

End-user experience – iOS

For iOS I only show the enrollment experience on an iPhone.

As soon as authentication is done, we are also asked to install the broker app. But on iOS the Microsoft Authenticator app functions as the broker app. Click on Get the app to open the App Store.

Install the Authenticator app and sign in when you’re asked to sign in.

When the Authenticator app is installed and we’re signed in, return to Outlook.
Click Register.

The registration is performed and app status checked.

The App Protection Policy is applied on the device and we’re required to install Microsoft Defender for Endpoint.
Click Download from App Store.

Install Microsoft Defender.

Sign in to the app and perform the configuration to activate Defender.

Return to Outlook to recheck the status.

And we have access to our mailbox!

The enrollment experience with Intune Mobile Application Management on Android is in my opinion a bit better compared to iOS. On iOS I don’t have a constant enrollment experience. Sometimes it takes some time before the App Protection Policy is applied and therefore I’m not directly asked for a PIN and to install Defender. And besides that, after installing and activating Defender, sometimes I’ve direct access to my mailbox, and the other time I need to manually recheck the status.

If you’re testing the enrollment multiple times on an iOS device, I suggest resetting the device between every enrollment. When you only remove the apps (Outlook. Authenticator and Defender etc.), restart the device and perform another enrollment, you’re most of the time not asked to install the Authenticator app.

That’s it for this post.
Thank you for reading!