Microsoft Defender for Endpoint - Mobile Threat Defense

Applies to:

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Microsoft Defender for Endpoint on Android and iOS is our mobile threat defense (MTD) solution. Companies are typically proactive about protecting PCs from vulnerabilities and attacks, while mobile devices often go unmonitored and unprotected. Although mobile platforms have built-in protection such as app isolation and vetted consumer app stores, they remain exposed to web-based and other sophisticated attacks. As more employees use mobile devices for work and to access sensitive information, companies need an MTD solution to protect both the devices and the resources they reach from increasingly sophisticated attacks on mobile.

Key capabilities

Microsoft Defender for Endpoint on Android and iOS provides the key capabilities below. For information about the latest features and benefits, read our announcements.

Capability and description:

  • Web Protection: Anti-phishing, blocking of unsafe network connections, and support for custom indicators for URLs and domains. (File and IP indicators are not currently supported on mobile.)
  • Malware Protection (Android only): Scanning for malicious apps.
  • Jailbreak Detection (iOS only): Detection of jailbroken devices.
  • Microsoft Defender Vulnerability Management (MDVM): Vulnerability assessment of onboarded mobile devices, covering OS and app vulnerabilities on both Android and iOS. Visit this page to learn more about Microsoft Defender Vulnerability Management in Microsoft Defender for Endpoint.
  • Network Protection: Protection against rogue Wi-Fi threats and rogue certificates. The root CA and private root CA certificates to trust can be allowlisted in Intune so that the app establishes trust with the organization's endpoints.
  • Unified alerting: Alerts from all platforms in the unified Microsoft 365 security console.
  • Conditional Access and conditional launch: Blocking risky devices from accessing corporate resources. Defender for Endpoint risk signals can also be added to app protection policies (MAM).
  • Privacy controls: Configure privacy in the threat reports by controlling the data that Microsoft Defender for Endpoint sends. Privacy controls are available to admins and to end users, for both enrolled and unenrolled devices.
  • Integration with Microsoft Tunnel: Integration with Microsoft Tunnel, a VPN gateway solution, to provide security and connectivity in a single app. Available on both Android and iOS.

All these capabilities are available for Microsoft Defender for Endpoint license holders. For more information, see Licensing requirements.

Overview and Deploy

Microsoft Defender for Endpoint on mobile is deployed through Microsoft Intune.


Deploy

The following table summarizes how to deploy Microsoft Defender for Endpoint on Android and iOS. For detailed documentation, see

Supported Android enrollment Scenarios

For each scenario, the entries below state whether the Company Portal app is required on the device, what is protected and any prerequisites, and how to deploy.

  • Android Enterprise personally owned devices using a work profile
    Company Portal app required: Yes
    Protection/prerequisites: Protects only the work profile. Learn more about the work profile.
    How to deploy: Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune
  • Android Enterprise personally owned devices using a personal profile
    Company Portal app required: Yes
    Protection/prerequisites: Protects the personal profile; if the device also has a work profile, the entire device is protected. The Company Portal app must be enabled in the personal profile, and Microsoft Defender must already be installed and active in the work profile before it can be enabled in the personal profile.
    How to deploy: Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune
  • Android Enterprise corporate-owned work profile (COPE)
    Company Portal app required: Yes
    Protection/prerequisites: Protects only the work profile. The Company Portal app and the Microsoft Intune app are both installed automatically.
    How to deploy: Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune
  • Android Enterprise corporate-owned fully managed, no work profile (COBO)
    Company Portal app required: Yes
    Protection/prerequisites: Protects the entire device. The Company Portal app and the Microsoft Intune app are both installed automatically.
    How to deploy: Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune
  • MAM
    Company Portal app required: Yes (install only; no setup is required)
    Protection/prerequisites: Protects only enrolled apps. MAM is supported with or without device enrollment, and on devices enrolled with a third-party enterprise mobility management (EMM) solution.
    How to deploy: Configure Microsoft Defender for Endpoint on Android risk signals using App Protection Policies (MAM)
  • Device Administrator
    Company Portal app required: Yes
    Protection/prerequisites: Intune is ending support for Android device administrator management on devices with access to Google Mobile Services (GMS) on December 31, 2024.
    How to deploy: Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune

Unsupported Android enrollment scenarios

These scenarios are not currently supported:

  • Android Enterprise corporate-owned Personal profile
  • Android Enterprise corporate owned dedicated devices (COSU) (Kiosk/Shared)
  • Android Open-Source Project (AOSP)

Supported iOS enrollment Scenarios

For each scenario, the entries below state whether the Company Portal app is required on the device, what is protected and any prerequisites, and how to deploy.

  • Supervised devices (ADE and Apple Configurator enrollment)
    Company Portal app required: Yes
    Protection/prerequisites: Protects the entire device. For ADE with Just in Time (JIT) registration, the Company Portal app is not required: the Defender app enrolls the device automatically by connecting to the Intune service.
    How to deploy: Deploy Microsoft Defender for Endpoint on iOS with Microsoft Intune
  • Unsupervised devices (Device Enrollment)
    Company Portal app required: Yes
    Protection/prerequisites: Protects the entire device. For web-based device enrollment, the Company Portal app is not required: after the user signs in to the managed app, that app downloads the configuration policies directly.
    How to deploy: Deploy Microsoft Defender for Endpoint on iOS with Microsoft Intune
  • Unsupervised devices (User Enrollment)
    Company Portal app required: Yes
    Protection/prerequisites: Protects work data only. The local VPN used for web protection is device-wide, however, and can scan traffic from all apps.
    How to deploy: Deploy Microsoft Defender for Endpoint on iOS with Microsoft Intune
  • MAM
    Company Portal app required: No
    Protection/prerequisites: Protects only enrolled apps. The local VPN used for web protection is device-wide and can scan traffic from all apps.
    How to deploy: Deploy Microsoft Defender for Endpoint on iOS with Mobile Application Management

Unsupported iOS enrollment scenarios

iOS Dedicated/shared/kiosk device enrollment is not supported.

Android low touch onboarding supported scenarios

  1. Android Enterprise personally owned devices using a work profile
  2. Android Enterprise corporate owned work profile (COPE)
  3. Android Enterprise corporate owned fully managed - No work profile (COBO)

iOS zero touch onboarding supported scenarios

  1. Supervised Devices (ADE and Apple Configurator Enrollment)
  2. Unsupervised Devices (Device Enrollment)

End-user onboarding

Simplify Onboarding

Pilot evaluation

While evaluating mobile threat defense with Microsoft Defender for Endpoint, you can verify that certain criteria are met before deploying the service to a larger set of devices. Define the exit criteria up front and confirm that they are satisfied before deploying widely.

This helps reduce potential issues that could arise while rolling out the service. Here are some tests and exit criteria that might help:

  • Devices show up in the device inventory list: After onboarding Defender for Endpoint on the mobile device, verify that the device is listed in the Device Inventory in the security console.
  • Run a phishing test: Browse to https://smartscreentestratings2.net and verify that Microsoft Defender for Endpoint blocks it. On Android Enterprise with a work profile, only the work profile is protected, so run the test from a browser inside the work profile.
  • Alerts appear in the dashboard: Verify that alerts for the above detection tests appear in the security console.
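The exit criteria above can be checked programmatically rather than by clicking through the console. The script below is an added example and is not Microsoft's code: it fetches the device inventory and alerts from the Defender for Endpoint API (the machines and alerts resources under https://api.securitycenter.microsoft.com/api) using an app registration, then checks, for each pilot device, that it is in the inventory as an Android or iOS device, reports healthy, has checked in within the last 24 hours, and has raised at least one alert after the phishing test. The tenant, app credentials, pilot device names, and the SAMPLE_* responses are constructed for illustration; the field names used (computerDnsName, osPlatform, healthStatus, lastSeen, machineId) are assumed to match the API's JSON.

```python
"""Pilot exit-criteria check for Defender for Endpoint on Android and iOS.

Added example; not Microsoft's code. The SAMPLE_* data at the bottom is
constructed so the check runs offline; replace it with live API output.
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

API_BASE = "https://api.securitycenter.microsoft.com/api"
MOBILE_PLATFORMS = ("Android", "iOS")  # osPlatform values for mobile (assumed)


def get_token(tenant_id, client_id, client_secret):
    """Client-credentials token for an app registration with Machine.Read.All and Alert.Read.All."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://api.securitycenter.microsoft.com/.default",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def api_list(token, resource, odata_filter=None):
    """GET /api/<resource> and return its 'value' array (first page only; follow @odata.nextLink at scale)."""
    url = f"{API_BASE}/{resource}"
    if odata_filter:
        url += "?" + urllib.parse.urlencode({"$filter": odata_filter})
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]


def parse_api_time(value):
    """API timestamps look like 2025-01-15T09:30:00.1234567Z; drop the 7-digit fraction."""
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def evaluate_pilot(pilot_names, machines, alerts, now, max_age=timedelta(hours=24)):
    """Apply the exit criteria to each pilot device. Returns (per-device results, overall pass)."""
    # Only mobile entries count; a laptop with the same DNS name must not satisfy the criterion.
    by_name = {m["computerDnsName"].lower(): m
               for m in machines if m.get("osPlatform") in MOBILE_PLATFORMS}
    alerts_by_machine = {}
    for alert in alerts:
        alerts_by_machine.setdefault(alert["machineId"], []).append(alert)

    results = {}
    for name in pilot_names:
        machine = by_name.get(name.lower())
        if machine is None:  # criterion 1 failed: not in the device inventory
            results[name] = {"in_inventory": False, "active": False,
                             "recently_seen": False, "alerts": 0}
            continue
        results[name] = {
            "in_inventory": True,
            "active": machine.get("healthStatus") == "Active",
            "recently_seen": now - parse_api_time(machine["lastSeen"]) <= max_age,
            "alerts": len(alerts_by_machine.get(machine["id"], [])),
        }
    passed = all(r["in_inventory"] and r["active"] and r["recently_seen"] and r["alerts"] > 0
                 for r in results.values())
    return results, passed


# --- constructed sample data (not real tenant output) ---------------------------
NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)
PILOT_DEVICES = ["pixel-7-alice", "iphone-15-bob", "galaxy-s23-carol"]
SAMPLE_MACHINES = [
    {"id": "m-android-1", "computerDnsName": "pixel-7-alice", "osPlatform": "Android",
     "healthStatus": "Active", "lastSeen": "2025-01-15T11:40:00.0000000Z"},
    {"id": "m-ios-1", "computerDnsName": "iphone-15-bob", "osPlatform": "iOS",
     "healthStatus": "Active", "lastSeen": "2025-01-15T10:05:00.0000000Z"},
    # Non-mobile device with a colliding name: must be ignored for the mobile pilot.
    {"id": "m-win-1", "computerDnsName": "galaxy-s23-carol", "osPlatform": "Windows11",
     "healthStatus": "Active", "lastSeen": "2025-01-15T11:59:00.0000000Z"},
]
SAMPLE_ALERTS = [
    {"id": "a-1", "machineId": "m-android-1", "severity": "Medium",
     "title": "Phishing test site blocked", "alertCreationTime": "2025-01-15T11:41:00.0000000Z"},
]

if __name__ == "__main__":
    # Live run would be:
    #   token = get_token(TENANT_ID, CLIENT_ID, CLIENT_SECRET)
    #   machines = api_list(token, "machines", "osPlatform eq 'Android' or osPlatform eq 'iOS'")
    #   alerts = api_list(token, "alerts", "alertCreationTime gt 2025-01-14T12:00:00Z")
    results, ok = evaluate_pilot(PILOT_DEVICES, SAMPLE_MACHINES, SAMPLE_ALERTS, NOW)
    for name, verdict in results.items():
        print(name, verdict)
    print("pilot exit criteria met:", ok)
```

With the constructed data the run fails overall: pixel-7-alice passes every criterion, iphone-15-bob is onboarded and healthy but has no alert (the phishing test was never run from it), and galaxy-s23-carol is absent from the mobile inventory because the only matching entry is a Windows device. Widen the alert filter window to cover the time of your phishing test, and treat a device that is in the inventory but not Active or not recently seen as a sensor health problem to resolve before widening the rollout.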

Need help in deploying or configuring Defender for Endpoint on Android & iOS? If you have at least 150 licenses for the product, use your FastTrack benefits. Learn more about FastTrack at Microsoft FastTrack.

Configure

Resources

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.