Microsoft Defender for Endpoint on Android - Intune Deployment.

AmazingPhone6248 15 Reputation points
2023-03-07T12:23:25.6+00:00

Hello,

I am currently investigating the deployment of Microsoft Defender for Endpoint on fully-managed corporate Android devices, deploying with Microsoft Intune. This is just a proof of concept for the business at this stage.

I am discovering various issues which would make this deployment a rubbish end-user experience, and also finding security flaws with the app itself. I 'm struggling to find any solutions to these issues and flaws, this is where I need some help here please.

Here are my rough notes on what steps need manual input on the Android devices when launching the Microsoft Defender app for the first time, obviously we would want this deployment to be completely zero-touch/silent...

  1. Log in with domain account.
  2. Accept Defender's terms.
  3. Begin Android permissions bits...
  4. Turn on All Files Access permission.
  5. Accept VPN connection set up request [this is the only step I've found a possible zero-touch solution for online].
  6. Turn on Appear On Top permission.
  7. Agree to Accessibility services.
  8. Accessibility > Installed Apps > Microsoft Defender > Turn this on > Then tap Allow.
  9. Allow 'Stop optimising battery usage' for Defender.
  10. Phone is then protected.

I can't imagine any users bothering with all these steps if we were to roll out the app to the business.

If there is no way of getting this app deployment fully zero-touch/silent, then my other idea was an Intune compliance policy that doesn't let you access any company resources at all unless the Defender app is fully running. But I can only find policies that just detect that the app is installed or not.

The security flaws with the app are the following...

  1. The app can be Force Stopped from the Android > Apps page. This then leaves the phone completely unprotected unless the app is manually opened again. When reopening the app, you have to re-accept all the accessibility settings again.
  2. Similarly, the app can have it's data cleared from the Android > Apps page. This stops the app running as well, and leaves the phone unprotected. Obviously once the data is cleared, you then have to accept the apps terms and a few other things when re-launching for first time.

Any ideas or opinions please? As it stands Microsoft Defender for Endpoint is no good for us on Android.

Thanks!

Microsoft Intune Android
Microsoft Intune Android
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Android: An open-source mobile platform based on the Linux kernel, developed by Google, and maintained by the Open Handset Alliance.
306 questions
Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
5,251 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Crystal-MSFT 49,861 Reputation points Microsoft Vendor
    2023-03-08T06:14:54.91+00:00

    @AmazingPhone6248, Thanks for posting in Q&A.

    Based as I know, we can deploy the app via Intune for Android devices. For Android Enterprise enrolled devices, we can configure app configuration policy and device configuration policy. You can configure them and see if we can get a better sign in experience. Here is a link with the detailed steps you can try:

    https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/android-intune?view=o365-worldwide

    Meanwhile, for compliance policy setting of Android, I find a setting "Require the device to be at or under the machine risk score". it will check the score evaluated by Microsoft Defender for Endpoint. when exceed the score, it will get marked noncompliant. Maybe you can try this setting to see if the setting can work for these devices which are not running Defender.

    https://learn.microsoft.com/en-us/mem/intune/protect/compliance-policy-create-android-for-work#microsoft-defender-for-endpoint

    Hope it can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Mo Alom 6 Reputation points
    2023-05-13T11:19:59.1833333+00:00

    Hi, I'm having the same issue as reported above. Even when configuring the app configuration policy the app will still prompt the end user to approve and apply the permissions on the phone for the app to function properly.

    Please see below the permissions and config applied from Intune.

    User's image

    @AmazingPhone6248 did you manage to find a solution?


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.