Add Mobile Threat Defense apps to unenrolled devices

By default, when you use Intune app protection policies with Mobile Threat Defense, Intune guides the end user through installing and signing in to all required apps on their device, which enables the connections with the relevant services.

End users need the Microsoft Authenticator (iOS) to register their device, and the Mobile Threat Defense app (both Android and iOS) to receive notifications when a threat is identified on their mobile devices and to receive guidance to remediate the threats.

Optionally, you can also use Intune to add and deploy the Microsoft Authenticator and Mobile Threat Defense (MTD) apps.

Note

This article applies to all Mobile Threat Defense partners that support app protection policies:

  • Microsoft Defender for Endpoint (Android, iOS/iPadOS)
  • Better Mobile (Android, iOS/iPadOS)
  • BlackBerry Mobile (CylancePROTECT for Android, iOS/iPadOS)
  • Check Point Harmony Mobile (Android, iOS/iPadOS)
  • Jamf (Android, iOS/iPadOS) (formerly Wandera)
  • Lookout for Work (Android, iOS/iPadOS)
  • SentinelOne (Android, iOS/iPadOS)
  • Symantec Endpoint Security (Android, iOS/iPadOS)
  • Trellix Mobile Security (Android, iOS/iPadOS)
  • Zimperium (Android, iOS/iPadOS)

For unenrolled devices, you do not need an iOS app configuration policy that sets up the Mobile Threat Defense for iOS app you use with Intune. This is a key difference compared to Intune-enrolled devices.

Configure Microsoft Authenticator for iOS via Intune (optional)

When using Intune app protection policies with Mobile Threat Defense, Intune guides the end user to install, sign in to, and register their device with the Microsoft Authenticator (iOS).

However, should you wish to make the app available to end users via the Intune Company Portal, see the instructions for adding iOS store apps to Microsoft Intune. Use this Microsoft Authenticator - iOS App Store URL when completing the Configure app information section. Don't forget to assign the app to groups with Intune as the final step.

Note

For iOS devices, you need the Microsoft Authenticator so users can have their identities checked by Microsoft Entra. The Intune Company Portal works as the broker on Android devices so users can have their identities checked by Microsoft Entra.

Making Mobile Threat Defense apps available via Intune (optional)

When you use Intune app protection policies with Mobile Threat Defense, Intune guides the end user to install and sign in to the required Mobile Threat Defense client app.

However, should you wish to make the app available to end users via the Intune Company Portal, you can follow the steps provided in the following sections. Make sure you're familiar with the process of:

Making Better Mobile available to end users

Making CylancePROTECT available to end users

Making Check Point Harmony Mobile Protect available to end users

Making Jamf available to end users

Making Lookout for Work available to end users

Making SentinelOne available to end users

Making Symantec Endpoint Protection Mobile available to end users

Making Trellix Mobile Security available to end users

Making Zimperium available to end users

Next steps