Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune

Applies to:

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Learn how to deploy Defender for Endpoint on Android to devices enrolled through the Microsoft Intune Company Portal. For more information about Microsoft Intune device enrollment, see Enroll your device.

Note

Defender for Endpoint on Android is now available on Google Play

You can connect to Google Play from Microsoft Intune to deploy the Defender for Endpoint app across Device Administrator and Android Enterprise enrollment modes.

Updates to the app are automatic via Google Play.

Deploy on Device Administrator enrolled devices

Learn how to deploy Defender for Endpoint on Android with Microsoft Intune to devices enrolled through the Company Portal in Device Administrator mode.

Add as Android store app

  1. In the Microsoft Intune admin center, go to Apps > Android Apps > Add > Android store app and choose Select.

    The Add Android store application pane in the Microsoft Intune admin center portal

  2. On the Add app page, in the App Information section, enter:

    • Name
    • Description
    • Publisher: Microsoft
    • App store URL: https://play.google.com/store/apps/details?id=com.microsoft.scmx (the Defender for Endpoint listing on Google Play)

    Other fields are optional. Select Next.

     The Add App page displaying the application's publisher and URL information in the Microsoft Intune admin center portal

  3. In the Assignments section, go to the Required section and select Add group. Choose the user group(s) that should receive the Defender for Endpoint on Android app, choose Select, and then select Next.

    Note

    The selected user group should consist of Intune enrolled users.

    The Add group pane in the Add App page in the Microsoft Intune admin center portal

  4. In the Review+Create section, verify that all the information entered is correct and then select Create.

    After a few moments, the Defender for Endpoint app is created and a notification appears at the top-right corner of the page.

    The application status pane in the Microsoft Intune admin center portal

  5. In the app information page that is displayed, in the Monitor section, select Device install status to verify that the device installation has completed successfully.

    The Device install status page in the Microsoft Intune admin center

Complete onboarding and check status

  1. Once Defender for Endpoint on Android has been installed on the device, you'll see the app icon.

    The Microsoft Defender for Endpoint icon listed in the Search pane

  2. Tap the Microsoft Defender for Endpoint app icon and follow the on-screen instructions to complete onboarding. This includes the end user accepting the Android permissions that Defender for Endpoint on Android requires.

  3. Upon successful onboarding, the device appears in the Devices list in the Microsoft Defender portal.

    A device in the Microsoft Defender for Endpoint portal

Deploy on Android Enterprise enrolled devices

Defender for Endpoint on Android supports Android Enterprise enrolled devices.

For more information on the enrollment options supported by Microsoft Intune, see Enrollment Options.

Currently, Personally owned devices with work profile and Corporate-owned fully managed user device enrollments are supported for deployment.

Add Microsoft Defender for Endpoint on Android as a Managed Google Play app

Follow the steps below to add the Microsoft Defender for Endpoint app to your managed Google Play.

  1. In the Microsoft Intune admin center, go to Apps > Android Apps > Add and select Managed Google Play app.

    The application-adding pane in the Microsoft Intune admin center portal

  2. On the managed Google Play page that loads, enter Microsoft Defender in the search box. The Microsoft Defender for Endpoint app should appear in the Apps search results; select it.

    The Managed Google Play page in the Microsoft Intune admin center portal

  3. On the App description page, review the Defender for Endpoint app details and select Approve.

  4. You're shown the permissions Defender for Endpoint requires in order to work. Review them and select Approve.

    The permissions approval page in the Microsoft Intune admin center

  5. On the Approval settings page, choose how new permissions that a future version of Defender for Endpoint on Android might request should be handled. Review the choices, select your preferred option, and select Done.

    By default, managed Google Play selects Keep approved when app requests new permissions.

  6. After the permissions handling selection is made, select Sync to sync Microsoft Defender for Endpoint to your apps list.

  7. The sync will complete in a few minutes.

    The application sync status pane in the Android apps page in the Microsoft Intune admin center

  8. Select the Refresh button in the Android apps screen and Microsoft Defender for Endpoint should be visible in the apps list.

    The page displaying the synced application

  9. Defender for Endpoint supports App configuration policies for managed devices via Microsoft Intune. Use such a policy to push permission decisions and Defender configuration settings to devices instead of relying on each user to set them.

    1. In the Apps page, go to Policy > App configuration policies > Add > Managed devices.

      The App configuration policies pane in the Microsoft Intune admin center portal

    2. In the Create app configuration policy page, enter the following details:

      • Name: Microsoft Defender for Endpoint.
      • Choose Android Enterprise as platform.
      • Choose Personally-owned Work Profile only or Fully Managed, Dedicated, and Corporate-owned work profile only as Profile Type.
      • Click Select App, choose Microsoft Defender, select OK and then Next.

       Screenshot of the Associated app details pane.

    3. Select Permissions > Add. From the list, select the available app permissions > OK.

    4. Select an option for each permission to grant with this policy:

      • Prompt - Prompts the user to accept or deny.
      • Auto grant - Automatically approves without notifying the user.
      • Auto deny - Automatically denies without notifying the user.
    5. Go to the Configuration settings section and choose 'Use configuration designer' in Configuration settings format.

      Image of android create app configuration policy.

    6. Select Add to view the list of supported configurations. Select the required configuration and select OK.

      Image of selecting configuration policies for android.

    7. You should see all the selected configurations listed. You can change the configuration value as required and then select Next.

      Image of selected configuration policies.

    8. On the Assignments page, select the user group to which this app configuration policy should be assigned: choose Select groups to include, select the applicable group, and then select Next. This is usually the same group to which you assign the Microsoft Defender for Endpoint Android app.

      The Selected groups pane

    9. In the Review + Create page that comes up next, review all the information and then select Create.

      The app configuration policy for Defender for Endpoint is now assigned to the selected user group.

  10. Select Microsoft Defender app in the list > Properties > Assignments > Edit.

    The Edit option on the Properties page

  11. Assign the app as a Required app to a user group: in the Required section, select Add group, select the user group, and choose Select. The app is then installed automatically in the work profile at the device's next sync through the Company Portal app.

  12. In the Edit Application page, review all the information that was entered above. Then select Review + Save and then Save again to commence assignment.

Auto Setup of Always-on VPN

Defender for Endpoint supports Device configuration policies for managed devices via Microsoft Intune. This capability can be used to set up Always-on VPN automatically on Android Enterprise enrolled devices, so the end user does not need to set up the VPN service while onboarding.

  1. Go to Devices > Configuration profiles > Create profile and select Android Enterprise as the Platform.

    Select Device restrictions under one of the following, based on your device enrollment type:

    • Fully Managed, Dedicated, and Corporate-Owned Work Profile
    • Personally owned Work Profile

    Select Create.

    The Configuration profiles menu item in the Policy pane

  2. On the Basics page, provide a Name and a Description that uniquely identify the configuration profile.

    The devices configuration profile Name and Description fields in the Basics pane

  3. Select Connectivity and configure VPN:

    • Enable Always-on VPN

      Set up a VPN client in the work profile to automatically connect and reconnect to the VPN whenever possible. Only one VPN client can be configured for always-on VPN on a given device, so be sure to have no more than one always-on VPN policy deployed to a single device.

    • Select Custom in VPN client dropdown list

      Custom VPN here is the Defender for Endpoint VPN, which the app uses to provide the Web Protection feature.

      Note

      The Microsoft Defender for Endpoint app must be installed on the user's device for auto setup of this VPN to work.

    • Enter the Package ID of the Microsoft Defender for Endpoint app in the Google Play store. For the Defender app URL https://play.google.com/store/apps/details?id=com.microsoft.scmx, the Package ID is the value of the id parameter: com.microsoft.scmx

    • Lockdown mode: Not configured (default). Leave it unconfigured unless you have tested the effect: enabling lockdown blocks all network traffic whenever the always-on VPN is not connected, for example before the Defender app has been onboarded on the device.

      The Connectivity pane under the Configuration settings tab

  4. Assignment

    On the Assignments page, select the user group to which this device configuration profile should be assigned: choose Select groups to include, select the applicable group, and then select Next. This is usually the same group to which you assign the Microsoft Defender for Endpoint Android app.

    Screenshot of the devices configuration profile Assignment pane in the Device restrictions.

  5. In the Review + Create page that comes up next, review all the information and then select Create. The device configuration profile is now assigned to the selected user group.

    The Review + create pane of the device configuration profile
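The Always-on VPN profile above can also be created through the Microsoft Graph beta API. The following is an added example written for this page, not Microsoft's own code or tooling. It derives the Package ID from the Google Play URL exactly as the step above describes, builds the device restriction profile for the Fully Managed / Corporate-owned enrollment type, checks the "only one always-on VPN client per device" caveat against existing profiles before creating a new one, and assigns it to a group. Assumptions, labelled in the code: the property names vpnAlwaysOnPackageIdentifier and vpnAlwaysOnLockdownMode on androidDeviceOwnerGeneralDeviceConfiguration are taken from the Graph beta schema (compare with the export of a portal-created profile before relying on them; the Personally owned Work Profile variant uses different properties and is not shown), the token in GRAPH_TOKEN carries DeviceManagementConfiguration.ReadWrite.All, GROUP_ID is the target group, and SAMPLE_EXISTING_PROFILES is constructed data standing in for a GET of deviceConfigurations.

```python
"""Added example (not Microsoft's code): create the Always-on VPN device
restriction for Defender for Endpoint on Android via Microsoft Graph beta.
Property names, token scope and group ID are assumptions (see lead-in)."""
import json
import os
import re
import urllib.request
from urllib.parse import parse_qs, urlparse

GRAPH = "https://graph.microsoft.com/beta"
PLAY_URL = "https://play.google.com/store/apps/details?id=com.microsoft.scmx"  # from the page
# Android package name: dotted identifiers, at least two segments.
PACKAGE_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)+$")

# Constructed sample standing in for GET /deviceManagement/deviceConfigurations.
SAMPLE_EXISTING_PROFILES = [
    {"id": "1", "displayName": "Contoso VPN", "vpnAlwaysOnPackageIdentifier": "com.example.vpn"},
    {"id": "2", "displayName": "Defender VPN (old)", "vpnAlwaysOnPackageIdentifier": "com.microsoft.scmx"},
    {"id": "3", "displayName": "Kiosk restrictions"},
]


def package_id_from_play_url(url):
    """Derive the Package ID the portal asks for from a Google Play listing URL.
    Only the 'id' query parameter of a play.google.com URL is accepted, so a
    pasted tracking link or a typo cannot end up pinned as the always-on VPN app."""
    parsed = urlparse(url)
    if parsed.netloc != "play.google.com":
        raise ValueError(f"not a Google Play URL: {url}")
    ids = parse_qs(parsed.query).get("id", [])
    if len(ids) != 1 or not PACKAGE_RE.match(ids[0]):
        raise ValueError(f"no single valid package id in {url}")
    return ids[0]


def build_always_on_vpn_profile(display_name, package_id, lockdown=False):
    """Body for POST /deviceManagement/deviceConfigurations (fully managed /
    corporate-owned). Property names are ASSUMED from the Graph beta schema."""
    if not PACKAGE_RE.match(package_id):
        raise ValueError(f"invalid package id: {package_id}")
    return {
        "@odata.type": "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration",
        "displayName": display_name,
        "description": "Auto setup of Always-on VPN for Defender for Endpoint web protection",
        "vpnAlwaysOnPackageIdentifier": package_id,
        # 'Not configured' on the page; True blocks all traffic whenever the VPN is down.
        "vpnAlwaysOnLockdownMode": lockdown,
    }


def conflicting_always_on_vpn(existing_profiles, package_id):
    """Names of existing profiles that pin a *different* always-on VPN package.
    Android allows one always-on VPN per device, so any of these that reach the
    same devices as the new profile must be removed or retargeted first."""
    return [
        p.get("displayName") or p.get("id", "?")
        for p in existing_profiles
        if p.get("vpnAlwaysOnPackageIdentifier")
        and p["vpnAlwaysOnPackageIdentifier"] != package_id
    ]


def build_group_assignment(group_id):
    """Body for POST /deviceManagement/deviceConfigurations/{id}/assign."""
    return {"assignments": [{"target": {
        "@odata.type": "#microsoft.graph.groupAssignmentTarget", "groupId": group_id}}]}


def graph_request(method, path, token, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        GRAPH + path, data=data, method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp) if resp.status != 204 else {}


if __name__ == "__main__":
    pkg = package_id_from_play_url(PLAY_URL)
    profile = build_always_on_vpn_profile("Defender for Endpoint - Always-on VPN", pkg)
    token = os.environ.get("GRAPH_TOKEN")
    if not token:  # dry run: show what would be sent
        print(json.dumps(profile, indent=2))
        print("would conflict with:", conflicting_always_on_vpn(SAMPLE_EXISTING_PROFILES, pkg))
    else:
        existing = graph_request("GET", "/deviceManagement/deviceConfigurations", token)["value"]
        clashes = conflicting_always_on_vpn(existing, pkg)
        if clashes:
            raise SystemExit(f"other always-on VPN profiles exist, review first: {clashes}")
        created = graph_request("POST", "/deviceManagement/deviceConfigurations", token, profile)
        graph_request("POST", f"/deviceManagement/deviceConfigurations/{created['id']}/assign",
                      token, build_group_assignment(os.environ["GROUP_ID"]))
```

Without GRAPH_TOKEN the script only prints the body it would send, which is the safest way to compare it against a profile exported from the portal before automating anything. The conflict check is deliberately conservative: a profile that pins the same package is not flagged, because it configures the same VPN client.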

Check status and complete onboarding

  1. Confirm the installation status of Microsoft Defender for Endpoint on Android by selecting Device install status under the app's Monitor section. Verify that the device is listed there.

  2. On the device, validate the onboarding status in the work profile: if the device is enrolled as a Personally owned device with work profile, confirm that Defender for Endpoint is present in the work profile. A Corporate-owned, fully managed user device has a single profile, in which you can confirm that Defender for Endpoint is present.

    The application display pane

  3. When the app is installed, open the app and accept the permissions and then your onboarding should be successful.

    The display of the Microsoft Defender for Endpoint application on a mobile device

  4. At this stage the device is successfully onboarded onto Defender for Endpoint on Android. You can verify this on the Microsoft Defender portal by navigating to the Device Inventory page.

    The Microsoft Defender for Endpoint portal

Set up Microsoft Defender in Personal Profile on Android Enterprise in BYOD mode

Set up Microsoft Defender in Personal Profile

Admins can go to the Microsoft Intune admin center to set up and configure Microsoft Defender support in personal profiles by following these steps:

  1. Go to Apps > App configuration policies and select Add. Select Managed Devices.

    Image of adding app configuration policy.

  2. Enter Name and Description to uniquely identify the configuration policy. Select platform as 'Android Enterprise', Profile type as 'Personally-owned work profile only' and Targeted app as 'Microsoft Defender'.

    Image of naming configuration policy.

  3. On the settings page, in 'Configuration settings format', select 'Use configuration designer' and click on Add. From the list of configurations that are displayed, select 'Microsoft Defender in Personal profile'.

    Image of configuring personal profile.

  4. The selected configuration is listed. Change the configuration value to 1 to enable Microsoft Defender support in personal profiles. A notification appears informing the admin of the change. Select Next.

    Image of changing config value.

  5. Assign the configuration policy to a group of users. Review and create the policy.

    Image of reviewing and creating policy.
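Both app configuration policies on this page (the one built in steps 9.1 to 9.9 under "Add Microsoft Defender for Endpoint on Android as a Managed Google Play app", with its Prompt / Auto grant / Auto deny permission choices, and the personal-profile policy just above) are the same Intune object, which the Microsoft Graph beta API exposes as androidManagedStoreAppConfiguration. The following is an added example written for this page, not Microsoft's own code, that builds that body, including the base64 payloadJson the configuration designer edits, validates the permission actions and profile type against the options the portal offers, and optionally creates and assigns the policy. Assumptions, labelled in the code: the body shape (packageId with the app: prefix, payloadJson in Google Play managed configuration format) is taken from the Graph beta schema and should be compared with an exported portal policy; PERSONAL_PROFILE_KEY is a placeholder name for the key the designer shows as "Microsoft Defender in Personal profile"; the permission in the sample is illustrative; GRAPH_TOKEN carries DeviceManagementApps.ReadWrite.All and GROUP_ID is the target group.

```python
"""Added example (not Microsoft's code): build and create the Intune app
configuration policy for Defender for Endpoint on Android via Microsoft Graph
beta. Body shape, key name, token scope and group ID are assumptions."""
import base64
import json
import os
import urllib.request

GRAPH = "https://graph.microsoft.com/beta"
DEFENDER_PACKAGE = "com.microsoft.scmx"  # from the Google Play URL on this page
# The three per-permission choices and the two profile types the portal offers.
PERMISSION_ACTIONS = ("prompt", "autoGrant", "autoDeny")
PROFILE_TYPES = {
    "Personally-owned Work Profile only": "androidWorkProfile",
    "Fully Managed, Dedicated, and Corporate-owned work profile only": "androidDeviceOwner",
}
# PLACEHOLDER (assumed): replace with the key the configuration designer lists
# for 'Microsoft Defender in Personal profile'.
PERSONAL_PROFILE_KEY = "DefenderPersonalProfile"


def managed_property(key, value):
    """One designer row as a Google Play managed property; the Python type picks the field."""
    if isinstance(value, bool):  # bool before int, because bool subclasses int
        return {"key": key, "valueBool": value}
    if isinstance(value, int):
        return {"key": key, "valueInteger": value}
    if isinstance(value, str):
        return {"key": key, "valueString": value}
    raise TypeError(f"{key}: unsupported value type {type(value).__name__}")


def encode_payload(package_id, properties):
    """payloadJson: base64 of the managed configuration the designer edits."""
    mc = {"kind": "androidenterprise#managedConfiguration",
          "productId": f"app:{package_id}",
          "managedProperty": [managed_property(k, v) for k, v in properties.items()]}
    return base64.b64encode(json.dumps(mc).encode()).decode()


def decode_payload(payload_json):
    """Inverse of encode_payload; handy for reading a policy exported from the portal."""
    return json.loads(base64.b64decode(payload_json))


def build_app_config_policy(display_name, profile_type, permissions, properties,
                            package_id=DEFENDER_PACKAGE):
    """Body for POST /deviceAppManagement/mobileAppConfigurations.
    permissions: {android permission name: prompt|autoGrant|autoDeny}
    properties:  {designer key: value}"""
    if profile_type not in PROFILE_TYPES:
        raise ValueError(f"profile type must be one of {list(PROFILE_TYPES)}")
    actions = []
    for perm, action in permissions.items():
        if action not in PERMISSION_ACTIONS:
            raise ValueError(f"{perm}: action must be one of {PERMISSION_ACTIONS}")
        actions.append({"@odata.type": "#microsoft.graph.androidPermissionAction",
                        "permission": perm, "action": action})
    return {
        "@odata.type": "#microsoft.graph.androidManagedStoreAppConfiguration",
        "displayName": display_name,
        "packageId": f"app:{package_id}",  # 'app:' prefix as Intune uses it (assumed)
        "profileApplicability": PROFILE_TYPES[profile_type],
        "permissionActions": actions,
        "payloadJson": encode_payload(package_id, properties),
    }


def build_group_assignment(group_id):
    """Body for POST /deviceAppManagement/mobileAppConfigurations/{id}/assign."""
    return {"assignments": [{"target": {
        "@odata.type": "#microsoft.graph.groupAssignmentTarget", "groupId": group_id}}]}


def graph_post(path, token, body):
    req = urllib.request.Request(
        GRAPH + path, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp) if resp.status != 204 else {}


if __name__ == "__main__":
    policy = build_app_config_policy(
        "Microsoft Defender for Endpoint - personal profile",
        "Personally-owned Work Profile only",
        {"android.permission.ACCESS_FINE_LOCATION": "autoGrant"},  # illustrative only
        {PERSONAL_PROFILE_KEY: 1},  # value 1 enables Defender in the personal profile
    )
    token = os.environ.get("GRAPH_TOKEN")
    if not token:  # dry run: show what would be sent
        print(json.dumps(policy, indent=2))
    else:
        created = graph_post("/deviceAppManagement/mobileAppConfigurations", token, policy)
        graph_post(f"/deviceAppManagement/mobileAppConfigurations/{created['id']}/assign",
                   token, build_group_assignment(os.environ["GROUP_ID"]))
```

Keep "autoGrant" to the permissions Defender actually needs: it approves silently, so a user never sees what was granted. The designer values are typed, and the encoder maps bool, int and str to valueBool, valueInteger and valueString respectively; an unsupported type raises instead of producing a policy that Intune would accept but the app would ignore.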

Admins also can set up privacy controls from the Microsoft Intune admin center to control what data can be sent by the Defender mobile client to the security portal. For more information, see configuring privacy controls.

Organizations can then tell their users how to protect the personal profile with Microsoft Defender on their enrolled BYOD devices.

  • Pre-requisite: Microsoft Defender must already be installed and active in the work profile before it can be enabled in the personal profile.

To complete onboarding a device

  1. Install the Microsoft Defender application in the personal profile with a personal Google Play store account.
  2. Install the Company Portal application in the personal profile. No sign-in is required.
  3. When the user launches the application, they see the sign-in screen. Sign in with the corporate account only.
  4. On a successful sign-in, users see the following screens:
    1. EULA screen: Presented only if the user has not consented already in the Work profile.
    2. Notice screen: Users need to provide consent on this screen to move forward with onboarding the application. This is required only during the first run of the app.
  5. Provide the required permissions to complete onboarding.

Note

Pre-requisite:

  1. The Company portal needs to be enabled on personal profile.
  2. Microsoft Defender needs to be already installed and active in work profile.

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.