Deploy Microsoft Defender ATP for Android with Microsoft Intune

Applies to:

This topic describes deploying Microsoft Defender ATP for Android on Intune Company Portal enrolled devices. For more information about Intune device enrollment, see Enroll your device.

Note

During public preview, instructions to deploy Microsoft Defender ATP for Android on Intune enrolled Android devices are different across Device Administrator and Android Enterprise enrollment modes.
When Microsoft Defender ATP for Android reaches General Availability (GA), the app will be available on Google Play.

Deploy on Device Administrator enrolled devices

Deploy Microsoft Defender ATP for Android on Intune Company Portal - Device Administrator enrolled devices

This topic describes how to deploy Microsoft Defender ATP for Android on Intune Company Portal - Device Administrator enrolled devices. Upgrading from the Preview APK to the GA version on Google Play will be supported.

Download the onboarding package

Download the onboarding package from Microsoft Defender Security Center.

  1. In Microsoft Defender Security Center, go to Settings > Machine Management > Onboarding.

  2. In the first drop-down, select Android as the Operating system.

  3. Select Download Onboarding package and save the downloaded .APK file.

    Image of onboarding package page

Add as Line of Business (LOB) App

The downloaded Microsoft Defender ATP for Android onboarding package is an .APK file that can be deployed to user groups as a Line of Business app during the preview from Microsoft Endpoint Manager Admin Center.

  1. In Microsoft Endpoint Manager admin center, go to Apps > Android Apps > Add > Line-of-business app and click Select.

    Image of Microsoft Endpoint Manager Admin Center

  2. On the Add app page, in the App Information section, click Select add package file, then click the icon and select the MDATP Universal APK file that was downloaded in the Download the onboarding package step.

    Image of Microsoft Endpoint Manager Admin Center

  3. Select OK.

  4. In the App Information section that comes up, enter the Publisher as Microsoft. Other fields are optional. Then select Next.

    Image of Microsoft Endpoint Manager Admin Center

  5. In the Assignments section, go to the Required section and select Add group. You can then choose the user group(s) that you would like to target with the Microsoft Defender ATP for Android app. Click Select and then Next.

    Note

    The selected user group should consist of Intune enrolled users.

    Image of Microsoft Endpoint Manager Admin Center

  6. In the Review+Create section, verify that all the information entered is correct and then select Create.

    In a few moments, the Microsoft Defender ATP app is created, and a notification shows up at the top-right corner of the page.

    Image of Microsoft Endpoint Manager Admin Center

  7. In the app information page that is displayed, in the Monitor section, select Device install status to verify that the device installation has completed successfully.

    Image of Microsoft Endpoint Manager Admin Center

During Public Preview, to update Microsoft Defender ATP for Android deployed as a Line of Business app, download the latest APK by following the steps in the Download the onboarding package section, and then follow the instructions on how to update a Line of Business App.

Complete onboarding and check status

  1. Once Microsoft Defender ATP for Android has been installed on the device, you'll see the app icon.

    Icon on mobile device

  2. Tap the Microsoft Defender ATP app icon and follow the on-screen instructions to complete onboarding the app. The details include end-user acceptance of Android permissions required by Microsoft Defender ATP for Android.

  3. Upon successful onboarding, the device will start showing up on the Devices list in Microsoft Defender Security Center.

    Image of device in Microsoft Defender ATP portal

Deploy on Android Enterprise enrolled devices

Microsoft Defender ATP for Android supports Android Enterprise enrolled devices.

For more information on the enrollment options supported by Intune, see Enrollment Options.

As Microsoft Defender ATP for Android is deployed via managed Google Play, updates to the app are automatic via Google Play.

Currently, only personal devices enrolled with a Work Profile are supported for deployment.

Note

During Public Preview, to access Microsoft Defender ATP in your managed Google Play, contact atpm@microsoft.com with the organization ID of your managed Google Play for next steps. This can be found under the Admin Settings of managed Google Play.
At General Availability (GA), Microsoft Defender ATP for Android will be available as a public app. Upgrades from preview to GA version will be supported.

Add Microsoft Defender ATP for Android as a managed Google Play app

After receiving a confirmation e-mail from Microsoft that your managed Google Play organization ID has been approved, follow the steps below to add Microsoft Defender ATP app into your managed Google Play.

  1. In Microsoft Endpoint Manager admin center, go to Apps > Android Apps > Add and select managed Google Play app.

    Image of Microsoft Endpoint Manager admin center

  2. On the managed Google Play page that loads next, go to the search box and look up Microsoft Defender. Your search should display the Microsoft Defender ATP app in your managed Google Play. Click the Microsoft Defender ATP app in the Apps search result.

    Image of Microsoft Endpoint Manager admin center

  3. In the App description page that comes up next, you should be able to see app details on Microsoft Defender ATP. Review the information on the page and then select Approve.

    A screenshot of a Managed Google Play

  4. You should now be presented with the permissions that Microsoft Defender ATP obtains for it to work. Review them and then select Approve.

    A screenshot of Microsoft Defender ATP preview app approval

  5. You'll be presented with the Approval settings page. The page confirms your preference for handling new app permissions that Microsoft Defender ATP for Android might ask for. Review the choices and select your preferred option. Select Done.

    By default, managed Google Play selects Keep approved when app requests new permissions.

    Image of notifications tab

  6. After the permissions handling selection is made, select Sync to sync Microsoft Defender ATP to your apps list.

    Image of sync page

  7. The sync will complete in a few minutes.

    Image of Android app

  8. Select the Refresh button in the Android apps screen and Microsoft Defender ATP should be visible in the apps list.

    Image of list of Android apps

  9. Microsoft Defender ATP supports App configuration policies for managed devices via Intune. This capability can be leveraged to autogrant applicable Android permission(s), so the end user does not need to accept these permission(s).

    a. In the Apps page, go to Policy > App configuration policies > Add > Managed devices.

    Image of Microsoft Endpoint Manager admin center

    b. In the Create app configuration policy page, enter the following details:

    • Name: Microsoft Defender ATP.
    • Choose Android Enterprise as platform.
    • Choose Work Profile only as Profile Type.
    • Click Select App, choose Microsoft Defender ATP, select OK and then Next.

    Image of create app configuration policy page

    c. In the Settings page, go to the Permissions section and click Add to view the list of supported permissions. In the Add Permissions section, select the following permissions:

    • External storage (read)
    • External storage (write)

    Then select OK.

    Image of create app configuration policy

    d. You should now see both permissions listed. Autogrant both by choosing autogrant in the Permission state drop-down, and then select Next.

    Image of create app configuration policy

    e. In the Assignments page, select the user group to which this app config policy will be assigned. Click Select groups to include, select the applicable group, and then select Next. The group selected here is usually the same group to which you would assign the Microsoft Defender ATP Android app.

    Image of create app configuration policy

    f. In the Review + Create page that comes up next, review all the information and then select Create.

    The app configuration policy for Microsoft Defender ATP auto-granting the storage permission is now assigned to the selected user group.

    Image of create app configuration policy

  10. Select Microsoft Defender ATP app in the list > Properties > Assignments > Edit.

    Image of list of apps

  11. Assign the app as a Required app to a user group. It is automatically installed in the work profile during the next sync of the device via the Company Portal app. To make this assignment, navigate to the Required section > Add group, select the user group, and click Select.

    Image of edit application page

  12. In the Edit Application page, review all the information that was entered above. Then select Review + Save and then Save again to commence assignment.
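Step 9 auto-grants exactly two permissions in a Work Profile only policy, and a policy that drifts from that silently grants the app more than was reviewed. The following is an added example, not part of the original documentation: it audits an exported app configuration policy against that documented set. The JSON field names (`permissionActions`, `action`, `profileApplicability`) are assumed to follow the Microsoft Graph beta `androidManagedStoreAppConfiguration` resource, and the sample policy is constructed.

```python
import json

# Permissions step 9c selects for auto-grant, as Android manifest names.
EXPECTED_AUTOGRANT = {
    "android.permission.READ_EXTERNAL_STORAGE",   # External storage (read)
    "android.permission.WRITE_EXTERNAL_STORAGE",  # External storage (write)
}

# Constructed sample export; field names are an assumption (Graph beta
# androidManagedStoreAppConfiguration), not taken from the page.
SAMPLE_POLICY_JSON = """
{
  "displayName": "Microsoft Defender ATP",
  "profileApplicability": "androidWorkProfile",
  "permissionActions": [
    {"permission": "android.permission.READ_EXTERNAL_STORAGE", "action": "autoGrant"},
    {"permission": "android.permission.WRITE_EXTERNAL_STORAGE", "action": "prompt"},
    {"permission": "android.permission.CAMERA", "action": "autoGrant"}
  ]
}
"""

def audit_policy(policy):
    """Compare a policy's auto-granted permissions with the documented set."""
    granted = set()
    for entry in policy.get("permissionActions") or []:
        if str(entry.get("action", "")).lower() == "autogrant":
            granted.add(entry.get("permission"))
    result = {
        # Documented permissions the user will still be prompted for.
        "missing": sorted(EXPECTED_AUTOGRANT - granted),
        # Anything auto-granted beyond what the procedure calls for.
        "unexpected": sorted(p for p in granted - EXPECTED_AUTOGRANT if p),
        # Step 9b sets Profile Type to Work Profile only.
        "work_profile_only": policy.get("profileApplicability") == "androidWorkProfile",
    }
    result["compliant"] = (not result["missing"] and not result["unexpected"]
                           and result["work_profile_only"])
    return result

def audit_json(text):
    """Parse an exported policy document and audit it."""
    return audit_policy(json.loads(text))

if __name__ == "__main__":
    print(json.dumps(audit_json(SAMPLE_POLICY_JSON), indent=2))
```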

Complete onboarding and check status

  1. Confirm the installation status of Microsoft Defender ATP for Android by clicking on the Device Install Status. Verify that the device is displayed here.

    Image of device installation status

  2. On the device, you can confirm the same by going to the work profile and checking that Microsoft Defender ATP is available.

    Image of app in mobile device

  3. When the app is installed, open the app and accept the permissions. Your onboarding should then be successful.

    Image of mobile device with Microsoft Defender ATP app

  4. At this stage the device is successfully onboarded onto Microsoft Defender ATP for Android. You can verify this on the Microsoft Defender Security Center by navigating to the Devices page.

    Image of Microsoft Defender ATP portal