For some time now Microsoft Defender for Endpoint has been available for our mobile devices which run iOS or Android. Defender is supported on the several management modes we have for Android Enterprise, like the corporate and personally owned devices with a Work profile.
If we look at the solution for personally owned devices with a work profile, the Defender app is pushed to the work profile. It does its job inside the work profile by protecting you for example against malicious apps or suspicious websites. But to be honest, if I’m installing an app on my personal Android device, and that would be an app that is installed as an APK file (which probably has a high chance of being malicious), it’s done in the personal profile. I’m not even allowed to install unknown applications inside the work profile, certainly not from unknown sources.
Or when I’m browsing, that’s most of the time also done using the browser in my personal profile and not using the browser in the work profile. So it would be nice and probably is of more value to (also) have Defender running in the personal profile.
And Defender for Endpoint is now also supported to run in the personal profile of an Android Enterprise device, using the license of the company. So the user doesn’t have to purchase an additional license for Defender or run a similar app from another vendor to keep the personal profile safe.
By default, the option to run Defender in the personal profile and use the license of the company is not turned on. We need to push an (additional) setting to the device with Microsoft Intune.
We can’t force the installation of Defender in the personal profile as we do in the work profile, because it’s the personal profile and we don’t manage that part of the device. The user should install the application manually, together with the Company portal app. The Company portal works as a broker app, to apply the required setting from Intune. No sign-in to the Company Portal is needed (inside the personal profile).
Let’s have a look at the implementation on the Intune side and after that how the user experience is.
Requirements
There are some requirements to run Defender for Endpoint in the personal profile:
- Defender for Endpoint license (to run the Defender app itself)
- Microsoft Intune license (to manage the device and push the configuration)
- Microsoft Defender for Endpoint needs already to be installed and activated inside the work profile
- The Company Portal app needs to be enabled inside the personal profile
The licenses described above could also be purchased in a bundle like Intune is part of the EMS suite.
I assume you already were able to deploy and configure Defender for Endpoint using Intune in the work profile. Therefore I’m not showing all the steps to add Defender in the Intune portal and configure the settings the get Defender up and running in the work profile.
Enable Defender for the personal profile in the Intune portal
A requirement is that Defender already needs to be installed and active inside the work profile, make sure to get the Defender for Endpoint app from the Google Playstore. Assign the app as a required application to your Android Enterprise devices.
To enable Defender in the personal profile, there is just one setting that we need to deploy to our devices, besides the settings already deployed to manage the app inside the work profile. That setting is Microsoft Defender in Personal Profile and needs to be deployed with an App Configuration policy.
Besides this setting, we have a few additional settings that we can configure for the personal profile. These settings are related to the privacy of the information Defender can report from the personal profile, for example, to hide URLs or app details.
If you already have an App configuration policy deployed to your personally-owned Android devices with a work profile add the below setting to your existing policy. Otherwise, follow the below steps to create a new policy.
- Sign in to the Microsoft Intune portal
- Browse to Apps, App Configuration policies
- Click Add and choose Managed devices
- Enter a Name and Description (optional)
- Select Android Enterprise as Platform
- Select Personally-owned Work Profile Only as Profile type
- Click Select app and search for Defender
- Select Defender, click OK, and click Next
We can add permission-related settings in this part of the policy, but these are for the work profile, not for the personal profile.
- Select Use configuration designer as Configuration settings format.
- Click Add (below the Configuration settings format text)
If we search on Personal, we see a list with all personal profile-related settings we can configure.
- Select at least Microsoft Defender in Personal Profile
- Select additional settings (optional)
- Click OK
To enable a setting, add a 1 in the Configuration value field.
Make sure to set the value for Microsoft Defender in Personal Profile to 1.
The App Configuration policy is ready to be deployed.
End-user experience
Let’s have a look at an Android personally-owned device with a Work profile.
On this device, Defender for Endpoint is already up and running in the work profile.
To get Defender up and running in our personal profile, we first need to install Defender manually from the Google Play store.
During enrollment of the Android device in Intune, we already installed the Company Portal app, but during enrollment it is disabled. Therefore the Company Portal only needs to be enabled again in the personal profile.
There is no need to sign in to the Company Portal app!
Now we need to sign in to the Defender app, using our corporate credentials.
We are asked to register our device.
We need to accept the Notice.
And we finish the setup of Defender by allowing several permissions.
And Defender for Endpoint is running in our personal profile!
To test Defender, we could for example install a test anti-virus app from the store.
The app is detected as a threat by Defender.
Microsoft 365 Defender security portal
If we now have a look at the Android devices in the Microsoft 365 Defender portal, we now see devices with the name ending onAEPersonal. These are de Defender instances running in the personal profile on Android. We have some insight into the threats and alerts triggered on the personal profile.
But as I have configured the privacy-related settings to hide personal information, we see information replaced by <hidden for privacy> in the alerts.
Also on the timeline privacy sensitive information is hidden.
Our Android users are more secure, but privacy is guaranteed!
Thanks for reading and leave a comment if you have any questions.s
1 Comment
Was pulling my hair out on this one… Very weird setup with the auto-disabled Portal. Appreciate it!