Blog Posts, Microsoft Defender | January 22, 2024

Microsoft Defender (MDE) for personal Android & iOS with MAM

Organizations with access to Microsoft Intune will almost always choose to manage their corporately owned devices using Mobile Device Management. However, when dealing with mobile devices such as Android and iOS devices, especially if they are personal devices, they will most likely keep them unmanaged, and for good reason: we shouldn’t manage what isn’t ours.

But how can we protect our users and data from outside threats on unmanaged devices? Users can install and configure Office apps, such as Outlook or Teams, on these personal Android and iOS devices and then have easy access to corporate data from these devices.

We can address some of our security concerns by requiring users to register their personal devices with MAM (Mobile Application Management). We can then apply data protection controls and set access requirements for corporately managed apps by configuring app protection policies. Implementing these policies will protect our data and respect personal data on devices.

Aside from data, we should also protect the personal device itself from outside threats, which we can do with the Microsoft Defender app. Leaving this out can lead to users falling prey to phishing, malware, or other cyber attacks.

In this blog post, I will guide you through the onboarding of personal (unmanaged) Android and iOS devices in Microsoft Defender for Endpoint by using app protection and configuration policies, and I will show you the user experience. The post includes the following sections: Preparation, App protection policy, App configuration policy, Onboarding experience, and Wrap up.

Preparation

Before we start, I assume you are familiar with Mobile Application Management (MAM) and have created app protection policies beforehand. If not, please create them first, and I’ll show you how to edit them later. Read this post if you need in-depth guidance on configuring app protection policies.

Besides app protection policies, I will also assume you have a conditional access policy in place to require app protection policies for users working from Android and iOS devices.

Also, Microsoft Defender for Endpoint needs to be able to share device information with Microsoft Intune. You can enable this integration from the Microsoft Security admin center.

And lastly, we need to configure the app protection policy evaluation setting in the MDE connector from the Microsoft Intune admin center. If this setting is not turned on, Microsoft Intune cannot evaluate the device risk levels sent through the connector.

App protection policy

Let’s update our app protection policies to require users working from personal Android or iOS devices to install the Microsoft Defender app. After the installation of the app, the devices will be protected and onboarded onto the Microsoft Defender platform.

First, navigate to the “App protection policies” page from the Microsoft Intune admin center. Then, edit (or create) your app protection policies for Android and iOS separately.

Go to the “Conditional launch” section and add the “Max allowed device threat level” condition. Then, configure the maximum allowed threat level (low for me) and set a response action (block access for me).

The configured setting will block access to any corporate app if the device risk level is higher than low. Indirectly, this requires devices to be protected by Microsoft Defender for Endpoint, because without it Intune has no device risk level to evaluate.

App configuration policy

Besides onboarding the devices into Microsoft Defender for Endpoint, we should also create app configuration policies to pre-configure certain features and settings for the mobile app.

First, navigate to the “App configuration policies” page from the Microsoft Intune admin center. Then, create a “Managed apps” app configuration policy, but do this for Android and iOS separately.

Select the Microsoft Defender for Endpoint app for Android or iOS (don’t add both in one policy).

Lastly, we can configure features and settings for our Microsoft Defender app on the settings page. We can find the list of all supported features and settings with their respective names and values here.

Some features are enabled by default and should only be configured if you want to actively disable them. For example, the web protection (and therefore the VPN connection) could be disabled if users complain about the app draining battery life.

There are many configuration settings to consider, but I highly recommend configuring Network Protection at the minimum, as this is one of the core features. Preventing users from signing out of the app, making device permissions optional, controlling privacy, or tagging devices could also be worthwhile settings to configure.

Important: Always configure the “DefenderMAMConfigs” setting with the value “1” for any Android app configuration policy to apply the policy to MAM-registered devices. Configuring this setting is not required for iOS devices.

There are some limitations on what we can and cannot control with app configuration profiles. For example, I noticed that on iOS devices, users can actively disable web protection, while on Android, only an admin can disable the feature.
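The two rules this section and the previous one depend on (the app protection policy must carry a "Max allowed device threat level" condition with a blocking action, and every Android app configuration policy must set DefenderMAMConfigs=1 and target one platform only) are easy to get wrong across several policies. The following added example, which is my own audit script and not code from this blog or from Microsoft, models the policies as the plain dictionaries Microsoft Graph returns for `targetedManagedAppConfiguration` and `androidManagedAppProtection`/`iosManagedAppProtection` and checks those rules. The Graph property names (`customSettings`, `apps`, `mobileAppIdentifier`, `maximumAllowedDeviceThreatLevel`, `mobileThreatDefenseRemediationAction`), the `DefenderNetworkProtectionEnable` key, and the Defender app id `com.microsoft.scmx` are assumptions based on my reading of Microsoft's documentation; verify them against the current key list before using this against a tenant export.

```python
"""Audit Intune MAM policies that onboard personal devices into MDE (added example)."""
from __future__ import annotations

# Assumed: the Microsoft Defender app id on Android (packageId) and iOS (bundleId).
DEFENDER_APP_ID = "com.microsoft.scmx"

ANDROID_ID_TYPE = "#microsoft.graph.androidMobileAppIdentifier"
IOS_ID_TYPE = "#microsoft.graph.iosMobileAppIdentifier"


def platforms_of(config: dict) -> set[str]:
    """Platforms a targetedManagedAppConfiguration targets, derived from its apps list."""
    found: set[str] = set()
    for app in config.get("apps", []):
        odata = app.get("mobileAppIdentifier", {}).get("@odata.type", "")
        if odata == ANDROID_ID_TYPE:
            found.add("android")
        elif odata == IOS_ID_TYPE:
            found.add("ios")
    return found


def custom_setting(config: dict, name: str) -> str | None:
    """Value of a key in customSettings (a list of {name, value} pairs), or None."""
    for pair in config.get("customSettings", []):
        if pair.get("name") == name:
            return str(pair.get("value"))
    return None


def check_app_config(config: dict) -> list[str]:
    """Findings for one managed-apps app configuration policy; an empty list means OK."""
    findings: list[str] = []
    name = config.get("displayName", "<unnamed>")
    platforms = platforms_of(config)
    if not platforms:
        findings.append(f"{name}: no Android/iOS app targeted")
    if len(platforms) > 1:
        findings.append(f"{name}: targets Android and iOS in one policy; create one per platform")
    # The post's rule: Android policies only reach MAM-registered devices with DefenderMAMConfigs=1.
    if "android" in platforms and custom_setting(config, "DefenderMAMConfigs") != "1":
        findings.append(f"{name}: Android policy lacks DefenderMAMConfigs=1, MAM-registered devices will not get it")
    # Key name assumed from Microsoft's documentation; Network Protection is the recommended minimum.
    if custom_setting(config, "DefenderNetworkProtectionEnable") != "1":
        findings.append(f"{name}: Network Protection not enabled (DefenderNetworkProtectionEnable=1)")
    return findings


def check_app_protection(policy: dict) -> list[str]:
    """Findings for one app protection policy's device-threat-level conditional launch rule."""
    findings: list[str] = []
    name = policy.get("displayName", "<unnamed>")
    level = policy.get("maximumAllowedDeviceThreatLevel", "notConfigured")
    if level == "notConfigured":
        findings.append(f"{name}: 'Max allowed device threat level' not set; Defender risk is never evaluated")
    action = policy.get("mobileThreatDefenseRemediationAction", "block")
    if action != "block":
        findings.append(f"{name}: remediation action is '{action}', so access above the threshold is not blocked")
    return findings


def audit(configs: list[dict], protections: list[dict]) -> list[str]:
    """Run both checks over every policy and return all findings."""
    out: list[str] = []
    for cfg in configs:
        out.extend(check_app_config(cfg))
    for pol in protections:
        out.extend(check_app_protection(pol))
    return out


def _app(odata_type: str, id_key: str) -> dict:
    return {"mobileAppIdentifier": {"@odata.type": odata_type, id_key: DEFENDER_APP_ID}}


# Constructed sample policies (not exported from a real tenant).
SAMPLE_CONFIGS = [
    {"displayName": "MDE Android (personal)",
     "customSettings": [{"name": "DefenderMAMConfigs", "value": "1"},
                        {"name": "DefenderNetworkProtectionEnable", "value": "1"}],
     "apps": [_app(ANDROID_ID_TYPE, "packageId")]},
    {"displayName": "MDE iOS (personal)",
     "customSettings": [{"name": "DefenderNetworkProtectionEnable", "value": "1"}],
     "apps": [_app(IOS_ID_TYPE, "bundleId")]},
    {"displayName": "MDE mixed (bad)",
     "customSettings": [],
     "apps": [_app(ANDROID_ID_TYPE, "packageId"), _app(IOS_ID_TYPE, "bundleId")]},
]
SAMPLE_PROTECTIONS = [
    {"displayName": "APP Android", "maximumAllowedDeviceThreatLevel": "low",
     "mobileThreatDefenseRemediationAction": "block"},
    {"displayName": "APP iOS (bad)", "maximumAllowedDeviceThreatLevel": "notConfigured",
     "mobileThreatDefenseRemediationAction": "warn"},
]

if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIGS, SAMPLE_PROTECTIONS):
        print(line)
```

Running the script prints five findings, all from the two deliberately broken sample policies; the iOS configuration policy passes without DefenderMAMConfigs, matching the note above that the key is only required on Android.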

Onboarding experience

After configuring the app protection and app configuration policies, let’s now check out the onboarding experience.

Again, I’ll assume you know the MAM-registration experience, so we’ll skim over that part quickly. After accessing a MAM-managed app such as Microsoft Outlook, the user must install the broker app, either the Microsoft Authenticator app (iOS) or the company portal app (Android).

Next, the app protection policies will apply, requiring the user to install the Microsoft Defender app so the device can comply with the device conditions (max allowed device threat level).

After installing the Microsoft Defender app, the user will need to sign in to the app and accept the device permissions. These permissions include setting up a local VPN in order to provide the web protection feature.

You should know that this is not a regular VPN; it is a local (self-looping) VPN that does not send traffic outside the device. If you want to disable the VPN, you can do so by disabling the web protection feature in the app configuration policy.

The above screenshots show the experience for Android devices, but for iOS, the steps are very similar. After onboarding, the devices will be visible from the device inventory page in the Microsoft Defender admin center.

Wrap up

Some users may complain that they don’t want to install an antivirus and optionally a VPN on their personal devices. But don’t forget that with MAM, we’re already asking them to install the company portal or authenticator app. If you can get away with this additional request, it is at least far less intrusive than fully managing their device.

Here is a small overview of what the organization can and can’t see after installing the app on personal devices.

Organization can’t see:
  • Call history
  • Web history (except for unsafe websites blocked by Defender)
  • Location
  • Email content and text messages
  • Contacts
  • Passwords
  • Calendar
  • Any personal data such as photos, videos, and chats

Organization can see:
  • Details of malicious apps detected on your device
  • Details of websites which are blocked by Microsoft Defender for containing harmful programs that may try to steal your personal or financial information
  • Device information such as OS version, model, and device ID as registered with your organization
  • Your account information such as your name and logged-on username

If you cannot convince your users or management to implement this solution, consider moving towards corporate mobile devices instead, or accept the risk of unprotected personal devices accessing your environment.

Interested in other onboarding methods for Microsoft Defender for Endpoint? Check out my previous post where I discuss all available options.

If you found this blog informative or have any questions, please tell me in the comment section.

This post is part of the unmanaged devices blog series; find more posts here.
View previous part: Mobile Application Management for personal Android & iOS Devices
View next part: How to disable personal device enrollments in Microsoft Intune


About the author: Myron Helgering

4 Comments

  1. flo

    August 8, 2024

    Hi,

    When adding an account in Defender, I have this message: https://i.imgur.com/moT5wpX.png, probably because Microsoft Defender for Endpoint is not in the app protection policy applications. How can we resolve this?

    • Myron Helgering

      August 12, 2024

      Did you target all cloud apps within your Conditional Access policy?
      Perhaps this will work: https://learn.microsoft.com/en-us/defender-endpoint/mobile-resources-defender-endpoint?view=o365-worldwide#microsoft-defender-mobile-app-exclusion-from-conditional-accessca-policies
      Do report back if it works. I'm curious and I'll try to make some time to reproduce.

  2. Soul

    December 29, 2024

    Hi,
    Thank you for the blog. I am currently testing it in a test environment for personal devices like iOS and Android. I have noticed that even if users have installed the Defender for Endpoint app and sign out from it, they can still access organizational data.

    I'm not sure if I'm missing something. Is there a way to enforce that users must be signed in to the Defender for Endpoint app to access corporate data?

    • Myron Helgering

      January 25, 2025

      Did you configure the "maximum allowed threat level" setting in the device conditions?
