Mobile Threat Defense integration with Intune

Intune can integrate data from a Mobile Threat Defense (MTD) vendor as an information source for device compliance policies and device Conditional Access rules. You can use this information to help protect corporate resources like Exchange and SharePoint, by blocking access from compromised mobile devices.

Intune can use this same data as a source for unenrolled devices using Intune app protection policies. As such, admins can use this information to help protect corporate data within a Microsoft Intune protected app, and issue a block or selective wipe.

Protect corporate resources

Integrating information from MTD vendors can help you protect your corporate resources from threats that affect mobile platforms.

Typically, companies are proactive in protecting PCs from vulnerabilities and attacks, while mobile devices often go unmonitored and unprotected. Although mobile platforms have built-in protection such as app isolation and vetted consumer app stores, these platforms remain vulnerable to sophisticated attacks. As more employees use devices for work and to access sensitive information, the information from MTD vendors can help you protect devices and your resources from increasingly sophisticated attacks.

Intune Mobile Threat Defense connectors

Intune uses a Mobile Threat Defense connector to create a channel of communication between Intune and your chosen MTD vendor. Intune MTD partners offer intuitive, easy to deploy applications for mobile devices. These applications actively scan and analyze threat information to share with Intune. Intune can use the data for either reporting or enforcement purposes.

For example: A connected MTD app reports to the MTD vendor that a phone on your network is currently connected to a Wi-Fi network that is vulnerable to Man-in-the-Middle attacks. The vendor categorizes this finding with an appropriate risk level of low, medium, or high. This risk level is then compared with the risk level allowances you set in Intune. Based on this comparison, access to certain resources of your choice can be revoked while the device is compromised.

Data that Intune collects for Mobile Threat Defense

If enabled, Intune collects app inventory information from both personal and corporate-owned devices and makes it available for MTD providers, such as Lookout for Work, to fetch. You can collect an app inventory from the users of iOS devices.

This service is opt-in; no app inventory information is shared by default. An Intune administrator must enable App Sync for iOS devices in the Mobile Threat Defense connector settings before any app inventory information is shared.

App inventory

If you enable App Sync for iOS devices, inventories from both corporate and personally owned iOS devices are sent to your MTD service provider. Data in the app inventory includes:

  • App ID
  • App Version
  • App Short Version
  • App Name
  • App Bundle Size
  • App Dynamic Size
  • Whether the app is validated or not
  • Whether the app is managed or not

Sample scenarios for enrolled devices using device compliance policies

When a device is considered infected by the Mobile Threat Defense solution:

Image showing a Mobile Threat Defense infected device

Access is granted when the device is remediated:

Image showing a Mobile Threat Defense Access granted

Sample scenarios for unenrolled devices using Intune app protection policies

When a device is considered infected by the Mobile Threat Defense solution:

Image showing a Mobile Threat Defense infected device

Access is granted when the device is remediated:

Image showing a Mobile Threat Defense access granted

Note

You can use multiple Mobile Threat Defense vendors with a single Intune tenant. However, when two or more vendors are configured for use with the same platform, all devices that run that platform must install each MTD app and scan for threats. Failure to submit a scan from any configured app results in the device being marked as non-compliant.
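The comparison described in the MTD connector example above (vendor-reported risk level versus the allowance set in Intune) and the multi-vendor rule in this note can be modelled as a small policy evaluation. The following is an added illustration, not Intune's own code or API: vendor names are placeholders, the threat levels are the page's low/medium/high plus a "secured" level for a clean device, and a vendor whose app has not submitted a scan is represented as `None`.

```python
from enum import IntEnum
from typing import Dict, List, Optional


class ThreatLevel(IntEnum):
    """Risk levels ordered so that a higher value means a higher risk."""
    SECURED = 0   # assumed name for "no threat reported"
    LOW = 1
    MEDIUM = 2
    HIGH = 3


def evaluate_device(reports: Dict[str, Optional[ThreatLevel]],
                    allowed_max: ThreatLevel) -> dict:
    """Decide whether a device meets an MTD-backed compliance rule.

    reports maps every MTD vendor configured for the device's platform to the
    level it last reported, or None when that vendor's app submitted no scan.
    allowed_max is the admin's risk-level allowance: the device is compliant
    only if every configured vendor has scanned and none reports a level above it.
    """
    reasons: List[str] = []
    for vendor, level in reports.items():
        if level is None:
            # Missing scan from any configured vendor -> non-compliant.
            reasons.append(f"{vendor}: no scan submitted")
        elif level > allowed_max:
            reasons.append(f"{vendor}: reported {level.name}, "
                           f"allowed up to {allowed_max.name}")
    return {"compliant": not reasons, "reasons": reasons}


def access_decision(reports: Dict[str, Optional[ThreatLevel]],
                    allowed_max: ThreatLevel) -> str:
    """Map the compliance result onto the Conditional Access outcome."""
    return "grant" if evaluate_device(reports, allowed_max)["compliant"] else "block"


if __name__ == "__main__":
    # Constructed scenario: two vendors configured for one platform, allowance = LOW.
    infected = {"VendorA": ThreatLevel.HIGH, "VendorB": ThreatLevel.SECURED}
    remediated = {"VendorA": ThreatLevel.SECURED, "VendorB": ThreatLevel.SECURED}
    partial = {"VendorA": ThreatLevel.SECURED, "VendorB": None}
    for name, reports in [("infected", infected), ("remediated", remediated),
                          ("partial", partial)]:
        result = evaluate_device(reports, ThreatLevel.LOW)
        print(name, access_decision(reports, ThreatLevel.LOW), result["reasons"])
```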

Mobile Threat Defense partners

Learn how to protect access to company resources based on device, network, and application risk with: