Add and assign Mobile Threat Defense (MTD) apps with Intune


This topic applies to all Mobile Threat Defense partners.

You can use Intune to add and deploy MTD apps so end-users can receive notifications when a threat is identified in their mobile devices, and to receive guidance to remediate the threats.

For iOS devices, you need the Microsoft Authenticator so users can have their identities checked by Azure AD. Additionally, you need the iOS app configuration policy which signals the MTD iOS app to use with Intune.


The Intune company portal works as the broker on Android devices so users can have their identities checked by Azure AD.

Before you begin

To add apps

All MTD partners

Microsoft Authenticator app for iOS




Lookout for Work app outside the Apple store

You need to re-sign the Lookout for Work iOS app. Lookout distributes its Lookout for Work iOS app outside of the iOS App Store. Before distributing the app, you must re-sign the app with your iOS Enterprise Developer Certificate.

For detailed instructions to re-sign the Lookout for Work iOS apps, see Lookout for Work iOS app re-signing process on the Lookout website.

Enable Azure AD authentication for Lookout for Work iOS app

Enable Azure Active Directory authentication for the iOS users by doing the following:

  1. Go to the Azure portal, sign in with your credentials, then navigate to the application page.

  2. Add the Lookout for Work iOS app as a native client application.

  3. Replace the com.lookout.enterprise.yourcompanyname with the customer bundle ID you selected when you signed the IPA.

  4. Add additional redirect URI: <companyportal://code/> followed by a URL encoded version of your original redirect URI.

  5. Add Delegated Permissions to your app.

Add the Lookout for Work ipa file
  • Upload the re-signed .ipa file as described in the Add iOS LOB apps with Intune topic. You also need to set the minimum OS version to iOS 8.0 or later.

Symantec Endpoint Protection Mobile (SEP Mobile)



Check Point SandBlast Mobile






To associate the MTD app with an iOS app configuration policy

For Lookout

For SEP Mobile

  • Use the same Azure AD account previously configured in the Symantec Endpoint Protection Management console, which should be the same account used to log in to the Intune classic portal.

  • You need to download the iOS app configuration policy file:

    • Go to Symantec Endpoint Protection Management console and sign in with your admin credentials.

    • Go to Settings, and under Integrations, choose Intune. Choose EMM Integration Selection. Choose Microsoft, and then save your selection.

    • Click the Integration setup files link and save the generated *.zip file. The .zip file contains the *.plist file that will be used to create the iOS app configuration policy in Intune.

    • See the instructions for using Microsoft Intune app configuration policies for iOS to add the SEP Mobile iOS app configuration policy.

    • On step 8, use the option Enter XML data, copy the content from the *.plist file, and paste its content into the configuration policy body.


If you are unable to retrieve the files, contact Symantec Endpoint Protection Mobile Enterprise Support.

For Check Point SandBlast Mobile


For Zimperium


To assign apps (All MTD partners)

Next steps