ערוך

שתף באמצעות


Configure Microsoft Defender for Endpoint web protection on Android devices managed by Intune

When you integrate Microsoft Defender for Endpoint with Microsoft Intune, you can use device configuration profiles to modify some Defender for Endpoint settings on Android devices.

By default, Microsoft Defender for Endpoint for Android includes and enables the Microsoft Defender for Endpoint Web protection feature that can help to secure devices against web threats and protect users from phishing attacks.

While enabled by default, there are valid reasons to disable it on some Android devices. For example, you might decide to use only the Defender for Endpoint app scan feature or to prevent web protection from using your VPN while it scans for harmful URLs.

With Intune device configuration policy, you can turn off all or part of the web protection feature. The method you use and the capabilities you can disable depend on how the Android device is enrolled with Intune:

  • Android device administrator. Use a configuration profile to set custom OMA-URI settings on the device that disable the entire web protection feature or that disable only the use of VPNs. For general information about custom settings for Android devices, see Use custom settings for Android devices in Microsoft Intune.

  • Android Enterprise personally owned work profile. Use an app configuration profile and the configuration designer to disable web protection. This method and enrollment type support disabling all web protection capabilities but don't support disabling only the use of VPNs. For general information about app configuration policies, see Use the configuration designer.

  • Android Enterprise Fully Managed profile. Use an app configuration profile and the configuration designer to disable the entire web protection feature or to disable only the use of VPNs.

To configure web protection on devices, use the following procedures to create and deploy the applicable configuration.

Disable web protection for Android device administrator

Important

Microsoft Intune is ending support for Android device administrator management on devices with access to Google Mobile Services (GMS) on December 31, 2024. After that date, device enrollment, technical support, bug fixes, and security fixes will be unavailable. If you currently use device administrator management, we recommend switching to another Android management option in Intune before support ends. For more information, see Ending support for Android device administrator on GMS devices.

  1. Sign in to the Microsoft Intune admin center.

  2. Select Devices > Manage devices > Configuration > On the Policies tab, select + Create.

  3. Enter these settings:

    • Platform: Select Android device administrator.
    • Profile: Select Custom.

    Select Create.

  4. In Basics, enter these details:

    • Name: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later. For example, Android custom profile for Defender for Endpoint web protection.
    • Description: Enter a description for the profile. This setting is optional but recommended.
  5. In Configuration settings, select Add.

    Specify settings for the configuration you want to deploy:

    • Disable web protection:

      • Name: Enter a unique name for this OMA-URI setting so you can find it easily. For example, Disable Defender for Endpoint web protection.
      • Description: (Optional) Enter a description that provides an overview of the setting and any other important details.
      • OMA-URI: Enter ./Vendor/MSFT/DefenderATP/AntiPhishing
      • Data type: Select Integer in the drop-down list.
      • Value: To disable web protection, set Value to 0. To enable web protection, enter 1, which is the default.
    • Disable only the use of VPN by web protection:

      • Name: Enter a unique name for this OMA-URI setting so you can find it easily. For example, Disable Microsoft Defender for Endpoint web protection VPN.
      • Description: (Optional) Enter a description that provides an overview of the setting and any other important details.
      • OMA-URI: Enter ./Vendor/MSFT/DefenderATP/Vpn
      • Data type: Select Integer in the drop-down list.
      • Value: To disable the VPN-based scan, set Value to 0. To enable the VPN-based scan, enter 1, which is the default.

    Select Add to save the OMA-URI settings configuration, and then select Next to continue.

  6. In Assignments, specify the groups that receive the profile. For more information on assigning profiles, see Assign user and device profiles.

  7. In Review + create, when you're done, select Create. The new profile is displayed in the list when you select the policy type for the profile you created.

Disable web protection for the Android Enterprise personally owned work profile

Note

You can't disable web protection for the Android Enterprise personally owned work profile if you've configured the Auto Setup of Always-on VPN device configuration policy on the enrolled devices.

  1. Sign in to the Microsoft Intune admin center.

  2. Select Apps > App configuration policies > Add, and then select Managed devices.

  3. In Basics, enter these details:

    • Name: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later. For example, Android app configuration for Microsoft Defender for Endpoint web protection.
    • Description: Enter a description for the profile. This setting is optional but recommended.
    • Platform: Select Android Enterprise.
    • Profile Type: Select Personally-Owned Work Profile Only.
    • Targeted app: Click Select app.
  4. In Associated app, find and select Defender for Endpoint, and then select OK > Next.

  5. In Settings, in Configuration settings format, select Use configuration designer, and then select Add. The JSON editor opens.

  6. Find and select configuration keys Anti-Phishing and VPN, and then select OK to return to the Settings page.

  7. For the Configuration values of both configuration keys (Anti-Phishing and VPN), enter 0 to disable web protection.

    Note

    The Web Protection configuration key is deprecated. If you've used this key in the past, complete the previous steps to re-configure the setting by setting the keys Anti-Phishing and VPN to enable or disable web protection.

    Note

    Enter 1 for both configuration values (Anti-Phishing and VPN) to enable web protection. This setting is the default.

    Select Next to continue.

  8. In Assignments, specify the groups that receive the profile. For more information on assigning profiles, see Assign user and device profiles.

  9. In Review + create, when you're done, select Create. The new profile is displayed in the list when you select the policy type for the profile you created.

Disable web protection for the Android Enterprise Fully Managed profile

  1. Complete the same configuration steps described previously, and add web protection configuration keys Anti-phishing and VPN. The only difference is the Profile Type value. For this value, select Fully Managed, Dedicated, and Corporate-Owned Work Profile Only.

    • To disable web protection, enter 0 for configuration values Anti-Phishing and VPN.
    • To disable only the use of VPN by web protection, enter these configuration values:
      • 0 for VPN
      • 1 for Anti-Phishing

    Note

    You can't disable VPN for the Android Enterprise Fully Managed profile if you've configured the Auto Setup of Always-on VPN device configuration policy on the enrolled devices.

    Note

    Enter 1 for both configuration values (Anti-Phishing and VPN) to enable web protection. This setting is the default.

    Select Next to continue.

  2. In Assignments, specify the groups that receive the profile. For more information on assigning profiles, see Assign user and device profiles.

  3. In Review + create, when you're done, select Create. The new profile is displayed in the list when you select the policy type for the profile you created.

Next steps