Configure Defender for Endpoint on Android features

Conditional Access with Defender for Endpoint on Android

Microsoft Defender for Endpoint on Android, together with Microsoft Intune and Azure Active Directory, enables enforcing device compliance and Conditional Access policies based on device risk levels. Defender for Endpoint is a Mobile Threat Defense (MTD) solution that you can deploy through Intune to use this capability.

For more information about how to set up Defender for Endpoint on Android and Conditional Access, see Defender for Endpoint and Intune.

Configure custom indicators

Note

Defender for Endpoint on Android only supports creating custom indicators for IP addresses and URLs/domains.

Defender for Endpoint on Android enables admins to configure custom indicators to support Android devices as well. For more information on how to configure custom indicators, see Manage indicators.

Configure web protection

Defender for Endpoint on Android lets IT administrators configure the web protection feature. This capability is available in the Microsoft Endpoint Manager admin center.

Web protection helps to secure devices against web threats and protect users from phishing attacks. Note that anti-phishing and custom indicators (URL and IP addresses) are supported as part of web protection. Web content filtering is currently not supported on mobile platforms.

Note

Defender for Endpoint on Android uses a VPN to provide the web protection feature. This is not a regular VPN; it is a local, self-looping VPN that does not take traffic outside the device. For more information, see Configure web protection on devices that run Android.

Network Protection

Note

Network Protection on Microsoft Defender for Endpoint is now in public preview. The following information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

This feature provides protection against rogue Wi-Fi related threats and rogue certificates, which are the primary attack vectors for Wi-Fi networks. Admins can list the root Certificate Authority (CA) and private root CA certificates in the Microsoft Endpoint Manager admin center and establish trust with endpoints. It gives the user a guided experience to connect to secure networks and also notifies them if a related threat is detected.

It includes several admin controls to offer flexibility, such as the ability to configure the feature from within the Microsoft Endpoint Manager Admin center as well as add trusted certificates. Admins can also enable privacy controls to configure the data that is sent by Defender for Endpoint from Android devices.

Network protection in Microsoft Defender for Endpoint is enabled by default. Admins can use the following steps to configure network protection on Android devices.

  1. In the Microsoft Endpoint Manager admin center, navigate to Apps > App configuration policies. Create a new app configuration policy.


  2. Provide a name and description that uniquely identify the policy. Select 'Android Enterprise' as the platform, 'Personally-owned work profile only' as the profile type, and 'Microsoft Defender' as the targeted app.


  3. On the Settings page, select 'Use configuration designer' and add 'Enable Network Protection in Microsoft Defender' as the key with the value '0' to disable Network Protection. (Network protection is enabled by default.)


  4. If your organization uses root CAs that may be private in nature, explicit trust needs to be established between Intune (the MDM solution) and users' devices so that Defender doesn't flag them as rogue certificates.

    To establish trust for the root CAs, use 'Trusted CA certificate list for Network Protection (Preview)' as the key and a comma-separated list of certificate thumbprints as the value.


  5. For other configurations related to network protection, add the following keys with the appropriate value.

    • Enable Network Protection Privacy: 1 - Enable, 0 - Disable. This setting is managed by IT admins to enable or disable privacy in network protection.
    • Enable Users to Trust Networks and Certificates: 1 - Enable, 0 - Disable. This setting is used by IT admins to enable or disable the end user in-app experience to trust and untrust unsecure and suspicious networks and malicious certificates.
    • Automatic Remediation of Network Protection Alerts: 1 - Enable, 0 - Disable. This setting is used by IT admins to enable or disable the remediation alerts that are sent when a user performs remediation activities, such as switching to a safer Wi-Fi access point or deleting suspicious certificates detected by Defender.
  6. Add the required groups on which the policy will have to be applied. Review and create the policy.
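Step 4 above asks for a comma-separated list of certificate thumbprints. The following Python script is an added example, not code from this page or from Microsoft: it turns a PEM bundle of root CA certificates into that value. It assumes the thumbprint expected is the SHA-1 hash of each certificate's DER encoding as 40 upper-case hex characters without separators; the sample certificate bytes are constructed and are not a real certificate.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)
THUMBPRINT = re.compile(r"^[0-9A-F]{40}$")


def der_to_pem(der):
    """Wrap DER bytes in a PEM CERTIFICATE envelope (76-char base64 lines)."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


def pem_to_thumbprints(pem_text):
    """SHA-1 thumbprint (40 upper-case hex chars, no separators) of every
    CERTIFICATE block in pem_text, in file order. The hash is taken over the
    DER bytes, i.e. the decoded base64 body of each block (assumed format)."""
    thumbprints = []
    for match in PEM_BLOCK.finditer(pem_text):
        der = base64.b64decode("".join(match.group(1).split()))
        thumbprints.append(hashlib.sha1(der).hexdigest().upper())
    return thumbprints


def build_trusted_ca_value(pem_bundle):
    """Build the value for the 'Trusted CA certificate list for Network
    Protection (Preview)' key: comma-separated, de-duplicated (order kept),
    every entry checked against the expected 40-hex-char shape."""
    entries = []
    for tp in pem_to_thumbprints(pem_bundle):
        if not THUMBPRINT.match(tp):
            raise ValueError("unexpected thumbprint format: %s" % tp)
        if tp not in entries:
            entries.append(tp)
    if not entries:
        raise ValueError("no CERTIFICATE blocks found in bundle")
    return ",".join(entries)


# Constructed sample input: NOT a real certificate. Arbitrary bytes are wrapped
# in a PEM envelope so the block runs offline; a real root CA exported as PEM
# is hashed exactly the same way.
SAMPLE_DER = b"constructed sample root CA DER bytes (not a real certificate)"
SAMPLE_PEM = der_to_pem(SAMPLE_DER)
SAMPLE_THUMBPRINT = hashlib.sha1(SAMPLE_DER).hexdigest().upper()
```

Feed it the concatenated PEM export of every private root CA you want trusted; a CA that appears twice in the bundle produces a single entry.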

Privacy Controls

The following privacy controls are available for configuring the data that is sent by Defender for Endpoint from Android devices:

  • Malware report: Admins can set up privacy control for the malware report. If privacy is enabled, Defender for Endpoint will not send the malware app name and other app details as part of the malware alert report.
  • Phish report: Admins can set up privacy control for the phish report. If privacy is enabled, Defender for Endpoint will not send the domain name and details of the unsafe website as part of the phish alert report.
  • Vulnerability assessment of apps (Android-only): By default, only information about apps installed in the work profile is sent for vulnerability assessment. Admins can disable privacy to include personal apps.
  • Network Protection (preview): Admins can enable or disable privacy in network protection. If enabled, Defender will not send network details.

Configure privacy alert report

Admins can now enable privacy control for the phish report, malware report and network report sent by Microsoft Defender for Endpoint on Android. This ensures that the domain name, app details and network details, respectively, are not sent as part of the alert whenever a corresponding threat is detected.

Admin Privacy Controls (MDM)

Use the following steps to enable privacy.

  1. In Microsoft Endpoint Manager admin center, go to Apps > App configuration policies > Add > Managed devices.

  2. Give the policy a name, select Android Enterprise as the platform, and select the profile type.

  3. Select Microsoft Defender for Endpoint as the target app.

  4. On the Settings page, select Use configuration designer and click Add.

  5. Select the required privacy setting:

    • Hide URLs in report
    • Hide URLs in report for personal profile
    • Hide app details in report
    • Hide app details in report for personal profile
    • Enable Network Protection Privacy
  6. To enable privacy, enter the integer value 1 and assign this policy to users. By default, this value is set to 0 for MDE in the work profile and 1 for MDE on the personal profile.

  7. Review and assign this profile to targeted devices/users.

End user privacy controls

These controls help the end user configure the information shared with their organization.

  1. For Android Enterprise work profile, end user controls will not be visible. Admins control these settings.
  2. For Android Enterprise personal profile, the control is displayed under Settings > Privacy.
  3. Users will see a toggle for Unsafe Site Info, malicious application, and network protection.

These toggles will only be visible if enabled by the admin. Users can decide if they want to send the information to their organization or not.

Enabling/disabling the above privacy controls will not impact the device compliance check or conditional access.

Configure vulnerability assessment of apps for BYOD devices

From version 1.0.3425.0303 of Microsoft Defender for Endpoint on Android, you'll be able to run vulnerability assessments of OS and apps installed on the onboarded mobile devices.

Note

Vulnerability assessment is part of Microsoft Defender Vulnerability Management in Microsoft Defender for Endpoint.

Notes about privacy related to apps from personal devices (BYOD):

  • For Android Enterprise with a work profile, only apps installed on the work profile will be supported.
  • For other BYOD modes, vulnerability assessment of apps is not enabled by default. However, when the device is in device administrator mode, admins can explicitly enable this feature through Microsoft Endpoint Manager to get the list of apps installed on the device. For more information, see the details below.

Configure privacy for device administrator mode

Use the following steps to enable vulnerability assessment of apps from devices in device administrator mode for targeted users.

Note

By default, this is turned off for devices enrolled with device admin mode.

  1. In Microsoft Endpoint Manager admin center, go to Devices > Configuration profiles > Create profile and enter the following settings:

    • Platform: Select Android device administrator
    • Profile: Select "Custom" and click Create
  2. In the Basics section, specify a name and description of the profile.

  3. In the Configuration settings, select Add OMA-URI setting:

    • Name: Enter a unique name and description for this OMA-URI setting so you can find it easily later.
    • OMA-URI: ./Vendor/MSFT/DefenderATP/DefenderTVMPrivacyMode
    • Data type: Select Integer in the drop-down list.
    • Value: Enter 0 to disable privacy setting (By default, the value is 1)
  4. Click Next and assign this profile to targeted devices/users.

Configure privacy for Android Enterprise work profile

Defender for Endpoint supports vulnerability assessment of apps in the work profile. However, in case you want to turn this feature off for targeted users, you can use the following steps:

  1. In Microsoft Endpoint Manager admin center, go to Apps > App configuration policies > Add > Managed devices.
  2. Give the policy a name, select Android Enterprise as the platform, and select the profile type.
  3. Select Microsoft Defender for Endpoint as the target app.
  4. On the Settings page, select Use configuration designer and add DefenderTVMPrivacyMode as the key with Integer as the value type.
    • To disable vulnerability assessment of apps in the work profile, enter the value 1 and assign this policy to users. By default, this value is set to 0.
    • For users with key set as 0, Defender for Endpoint will send the list of apps from the work profile to the backend service for vulnerability assessment.
  5. Click Next and assign this profile to targeted devices/users.

Turning the above privacy controls on or off will not impact the device compliance check or conditional access.

Configure privacy for phishing alert report

Privacy control for phish report can be used to disable the collection of domain name or website information in the phish threat report. This gives organizations the flexibility to choose whether they want to collect the domain name when a malicious or phish website is detected and blocked by Defender for Endpoint.

Configure privacy for phishing alert report on Android Device Administrator enrolled devices:

Use the following steps to turn it on for targeted users:

  1. In Microsoft Endpoint Manager admin center, go to Devices > Configuration profiles > Create profile and enter the following settings:

    • Platform: Select Android device administrator.
    • Profile: Select "Custom" and click Create.
  2. In the Basics section, specify a name and description of the profile.

  3. In the Configuration settings, select Add OMA-URI setting:

    • Name: Enter a unique name and description for this OMA-URI setting so you can find it easily later.
    • OMA-URI: ./Vendor/MSFT/DefenderATP/DefenderExcludeURLInReport
    • Data type: Select Integer in the drop-down list.
    • Value: Enter 1 to enable privacy setting. The default value is 0.
  4. Click Next and assign this profile to targeted devices/users.

Using this privacy control will not impact the device compliance check or conditional access.

Configure privacy for phishing alert report on Android Enterprise work profile

Use the following steps to turn on privacy for targeted users in the work profile:

  1. In Microsoft Endpoint Manager admin center, go to Apps > App configuration policies > Add > Managed devices.
  2. Give the policy a name, select Android Enterprise as the platform, and select the profile type.
  3. Select Microsoft Defender for Endpoint as the target app.
  4. On the Settings page, select Use configuration designer and add DefenderExcludeURLInReport as the key with Integer as the value type.
    • Enter 1 to enable privacy. The default value is 0.
  5. Click Next and assign this profile to targeted devices/users.

Turning the above privacy controls on or off will not impact the device compliance check or conditional access.

Configure privacy for malware threat report

Privacy control for malware threat report can be used to disable the collection of app details (name and package information) from the malware threat report. This gives organizations the flexibility to choose whether they want to collect the app name when a malicious app is detected.

Configure privacy for malware alert report on Android Device Administrator enrolled devices:

Use the following steps to turn it on for targeted users:

  1. In Microsoft Endpoint Manager admin center, go to Devices > Configuration profiles > Create profile and enter the following settings:

    • Platform: Select Android device administrator.
    • Profile: Select "Custom" and click Create.
  2. In the Basics section, specify a name and description of the profile.

  3. In the Configuration settings, select Add OMA-URI setting:

    • Name: Enter a unique name and description for this OMA-URI setting so you can find it easily later.
    • OMA-URI: ./Vendor/MSFT/DefenderATP/DefenderExcludeAppInReport
    • Data type: Select Integer in the drop-down list.
    • Value: Enter 1 to enable privacy setting. The default value is 0.
  4. Click Next and assign this profile to targeted devices/users.
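The three device administrator procedures on this page (DefenderTVMPrivacyMode, DefenderExcludeURLInReport and DefenderExcludeAppInReport) each create the same kind of custom OMA-URI profile. The Python helper below is an added example, not code from this page or from Microsoft: it builds such a profile as one request body with the documented OMA-URIs and their 0/1 semantics, and reports which settings actually differ from the documented defaults. It assumes the Microsoft Graph deviceConfigurations endpoint and the androidCustomConfiguration and omaSettingInteger resource types, none of which the page mentions, and it only builds the body rather than sending it.

```python
# OMA-URIs documented on this page for Android device administrator enrolled
# devices, with the default each setting has when no profile sets it.
OMA_URI_SETTINGS = {
    "DefenderTVMPrivacyMode": {
        "omaUri": "./Vendor/MSFT/DefenderATP/DefenderTVMPrivacyMode",
        "default": 1,  # 1 = privacy on (no app list collected); 0 enables assessment
    },
    "DefenderExcludeURLInReport": {
        "omaUri": "./Vendor/MSFT/DefenderATP/DefenderExcludeURLInReport",
        "default": 0,  # 1 = hide the domain of the unsafe site in phish reports
    },
    "DefenderExcludeAppInReport": {
        "omaUri": "./Vendor/MSFT/DefenderATP/DefenderExcludeAppInReport",
        "default": 0,  # 1 = hide app name and package in malware reports
    },
}


def build_android_custom_profile(display_name, settings, description=""):
    """Return the JSON body for an Android device administrator 'Custom' profile.
    Assumed Graph call (not on the page): POST /deviceManagement/deviceConfigurations
    with the androidCustomConfiguration / omaSettingInteger resource types.
    Unknown names or values other than 0/1 are rejected, so a typo cannot
    silently ship a profile that does nothing or inverts the intent."""
    oma_settings = []
    for name, value in settings.items():
        if name not in OMA_URI_SETTINGS:
            raise KeyError("unknown Defender OMA-URI setting: %s" % name)
        if value not in (0, 1):
            raise ValueError("%s must be 0 or 1, got %r" % (name, value))
        oma_settings.append({
            "@odata.type": "#microsoft.graph.omaSettingInteger",
            "displayName": name,
            "omaUri": OMA_URI_SETTINGS[name]["omaUri"],
            "value": value,
        })
    return {
        "@odata.type": "#microsoft.graph.androidCustomConfiguration",
        "displayName": display_name,
        "description": description,
        "omaSettings": oma_settings,
    }


def non_default_settings(settings):
    """Names whose requested value differs from the documented default, i.e.
    the settings this profile actually changes on the device."""
    return [n for n, v in settings.items() if v != OMA_URI_SETTINGS[n]["default"]]
```

Note the inverted sense of DefenderTVMPrivacyMode on device administrator devices (0 turns collection on, and 1 is the default) compared with the two report settings, where 1 turns privacy on and 0 is the default; non_default_settings makes that visible before a profile is assigned.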

Using this privacy control will not impact the device compliance check or conditional access. For example, devices with a malicious app will always have a risk level of "Medium".

Configure privacy for malware alert report on Android Enterprise work profile

Use the following steps to turn on privacy for targeted users in the work profile:

  1. In Microsoft Endpoint Manager admin center, go to Apps > App configuration policies > Add > Managed devices.
  2. Give the policy a name, select Android Enterprise as the platform, and select the profile type.
  3. Select Microsoft Defender for Endpoint as the target app.
  4. On the Settings page, select Use configuration designer and add DefenderExcludeAppInReport as the key with Integer as the value type.
    • Enter 1 to enable privacy. The default value is 0.
  5. Click Next and assign this profile to targeted devices/users.

Using this privacy control will not impact the device compliance check or conditional access. For example, devices with a malicious app will always have a risk level of "Medium".