Deploy Defender for business on mobile devices without enrollment and company portal

Mountain Pond 1,431 Reputation points
2023-05-09T21:12:37.1266667+00:00

Hello,

I would like users to be able to use Defender for Business on their mobile devices. But these devices are personal.

In order for the user to be able to install the IP successfully log into the Defender, he is prompted to install the Company Portal. Company Portal then creates a work profile, which I would like to avoid.

Can I add a device to Defender Endpoint Protection without MDM Intune Enrollment and without installing Company Portal. The maximum allowed device registration as MAM.

chrome_ANNV8aKQTp

chrome_Tg0Jp5DpLM

Telegram_VBi1Fok9QQ

Thank you.

Microsoft Intune iOS
Microsoft Intune iOS
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.iOS: An Apple mobile operating system.
202 questions
Microsoft Intune Android
Microsoft Intune Android
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Android: An open-source mobile platform based on the Linux kernel, developed by Google, and maintained by the Open Handset Alliance.
266 questions
Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
4,730 questions
0 comments No comments
{count} votes

Accepted answer
  1. Crystal-MSFT 46,171 Reputation points Microsoft Vendor
    2023-05-10T02:24:27.9833333+00:00

    @Denis Pasternak, Thanks for posting in Q&A.

    For your phenomenon, I wonder if you have configured conditional access policy requires device to be marked as compliant. If yes, then the device will be asked to install company portal to enroll when access the cloud resource.

    Also, you can use the Microsoft Defender for Endpoint app with the approved client app policy in Intune to set the device compliance policy to Conditional Access policies. There's no exclusion required for the Microsoft Defender for Endpoint app while you're setting up Conditional Access. Although Microsoft Defender for Endpoint on Android and iOS (app ID dd47d17a-3194-4d86-bfd5-c6ae6f5651e3) isn't an approved app, it has permission to report device security posture. This permission enables the flow of compliance information to Conditional Access.

    https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-grant#require-device-to-be-marked-as-compliant

    But from your description, I know we use Microsoft Defender for Business instead of Microsoft Defender for Endpoint. Please contact Microsoft Defender for Business support to confirm if it supports to set the device compliance policy to conditional Access policies. If not, I think we need to change the grant in conditional access policy to bypass the installation of company portal.

    https://learn.microsoft.com/en-us/microsoft-365/security/defender-business/mdb-get-help?view=o365-worldwide

    Hope the above information can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


1 additional answer

Sort by: Most helpful
  1. Konstantinos Passadis 17,456 Reputation points MVP
    2023-05-09T21:25:17.8933333+00:00

    Hello @Mountain Pond !

    This is very challenging due to to different enrollment options for Apple and Android

    Based on this

    https://download.microsoft.com/download/e/6/2/e6233fdd-a956-4f77-93a5-1aa254ee2917/msft-intune-enrollment-options.pdf

    It is Recommended to use Work Profile

    But for Android here is the link

    https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/android-intune?view=o365-worldwide

    You have to allow Device Administrator option in Intune

    For Apple

    https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/ios-install?view=o365-worldwide

    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards

    1 person found this answer helpful.