Add and assign Mobile Threat Defense (MTD) apps with Intune

You can use Intune to add and deploy Mobile Threat Defense (MTD) apps so that end users can receive notifications when a threat is identified in their mobile devices, and to receive guidance to remediate the threats.

Note

This article applies to all Mobile Threat Defense partners.

Before you begin

Complete the following steps in Intune. Make sure you're familiar with the process of:

Tip

The Intune Company Portal works as the broker on Android devices so users can have their identities checked by Microsoft Entra.

Configure Microsoft Authenticator for iOS

For iOS devices, you need the Microsoft Authenticator so users can have their identities checked by Microsoft Entra ID. Additionally, you need an iOS app configuration policy that sets the MTD iOS app you use with Intune.

See the instructions for adding iOS store apps to Microsoft Intune. Use this Microsoft Authenticator app store URL when you configure App information.

Configure your MTD apps with an app configuration policy

To simplify user onboarding, the Mobile Threat Defense apps on MDM-managed devices use app configuration. For unenrolled devices, MDM based app configuration isn't available. See Add Mobile Threat Defense apps to unenrolled devices.

BlackBerry Protect configuration policy

See the instructions for using Microsoft Intune app configuration policies for iOS to add the BlackBerry Protect iOS app configuration policy.

Better Mobile app configuration policy

See the instructions for using Microsoft Intune app configuration policies for iOS to add the Better Mobile iOS app configuration policy.

  • For Configuration settings format, select Enter XML data, copy the following content and paste it into the configuration policy body. Replace the https://client.bmobi.net URL with the appropriate console URL.

    <dict>
    <key>better_server_url</key>
    <string>https://client.bmobi.net</string>
    <key>better_udid</key>
    <string>{{aaddeviceid}}</string>
    <key>better_user</key>
    <string>{{userprincipalname}}</string>
    </dict>
    

Check Point Harmony Mobile Protect app configuration policy

See the instructions for using Microsoft Intune app configuration policies for iOS to add the Check Point Harmony Mobile iOS app configuration policy.

  • For Configuration settings format, select Enter XML data, copy the following content and paste it into the configuration policy body.

    <dict><key>MDM</key><string>INTUNE</string></dict>

CrowdStrike Falcon for Mobile app configuration policy

To configure Android Enterprise and iOS app configuration policies for CrowdStrike Falcon, see Integrating Falcon for Mobile with Microsoft Intune for remediation actions in the CrowdStrike documentation. You must sign in with your CrowdStrike credentials before you can access this content.

For general guidance about Intune app configuration policies, see the following articles in the Intune documentation:

Jamf Trust app configuration policy

Note

For initial testing, use a test group when assigning users and devices in the Assignments section of the configuration policy.

  • Android Enterprise:
    See the instructions for using Microsoft Intune app configuration policies for Android to add the Jamf Android app configuration policy using the following information when prompted.

    1. In the Jamf Portal, select the Add button under Configuration settings format.
    2. Select Activation Profile URL from the list of Configuration Keys. Select OK.
    3. For Activation Profile URL select string from the Value type menu then copy the Shareable Link URL from the desired Activation Profile in RADAR.
    4. In the Intune admin center app configuration UI, select Settings, define Configuration settings format > Use Configuration Designer and paste the Shareable Link URL.

    Note

    Unlike iOS, you will need to define a unique Android Enterprise app configuration policy for each Activation Profile. If you don’t require multiple Activation Profiles, you may use a single Android app configuration for all target devices. When creating Activation Profiles in Jamf, be sure to select Microsoft Entra ID under the Associated User configuration to ensure Jamf is able to synchronize the device with Intune via UEM Connect.

  • iOS:
    See the instructions for using Microsoft Intune app configuration policies for iOS to add the Jamf iOS app configuration policy using the information below when prompted.

    1. In Jamf Portal, navigate to Devices > Activations and select any activation profile. Select Deployment Strategies > Managed Devices > Microsoft Intune and locate the iOS App Configuration settings.
    2. Expand the box to reveal the iOS app configuration XML and copy it to your system clipboard.
    3. In Intune admin center app configuration UI Settings, define Configuration settings format > Enter XML data.
    4. Paste the XML in the app configuration text box.

    Note

    A single iOS configuration policy may be used across all devices that are to be provisioned with Jamf.

Lookout for Work app configuration policy

Create the iOS app configuration policy as described in the using iOS app configuration policy article.

Pradeo app configuration policy

Pradeo doesn't support application configuration policy on iOS/iPadOS. Instead, to get a configured app, work with Pradeo to implement custom IPA or APK files that are preconfigured with the settings you want.

SentinelOne app configuration policy

  • Android Enterprise:

    See the instructions for using Microsoft Intune app configuration policies for Android to add the SentinelOne Android app configuration policy.

    For Configuration settings format, select Use configuration designer, and add the following settings:

  • iOS:

    See the instructions for using Microsoft Intune app configuration policies for iOS to add the SentinelOne iOS app configuration policy.

    For Configuration settings format, select Use configuration designer, and add the following settings:

    Configuration key Value type Configuration value
    MDMDeviceID string {{AzureADDeviceId}}
    tenantid string Copy value from admin console “Manage” page in the SentinelOne console
    defaultchannel string Copy value from admin console “Manage” page in the SentinelOne console

SEP Mobile app configuration policy

Use the same Microsoft Entra account previously configured in the Symantec Endpoint Protection Management console, which should be the same account used to sign in to the Intune.

  • Download the iOS app configuration policy file:

    • Go to Symantec Endpoint Protection Management console and sign in with your admin credentials.

    • Go to Settings, and under Integrations, choose Intune. Choose EMM Integration Selection. Choose Microsoft, and then save your selection.

    • Select the Integration setup files link and save the generated *.zip file. The .zip file contains the *.plist file that is used to create the iOS app configuration policy in Intune.

    • See the instructions for using Microsoft Intune app configuration policies for iOS to add the SEP Mobile iOS app configuration policy.

      • For Configuration settings format, select Enter XML data, copy the content from the *.plist file, and paste its content into the configuration policy body.

    Note

    If you are unable to retrieve the files, contact Symantec Endpoint Protection Mobile Enterprise Support.

Sophos Mobile app configuration policy

Create the iOS app configuration policy as described in the using iOS app configuration policy article. For more information, see Sophos Intercept X for Mobile iOS - Available managed settings in the Sophos knowledge base.

Trellix Mobile Security app configuration policy

  • Android Enterprise:
    See the instructions for using Microsoft Intune app configuration policies for Android to add the Trellix Mobile Security Android app configuration policy.

    For Configuration settings format, select Use configuration designer, and add the following settings:

    Configuration key Value type Configuration value
    MDMDeviceID string {{AzureADDeviceId}}
    tenantid string Copy value from admin console “Manage” page in the Trellix console
    defaultchannel string Copy value from admin console “Manage” page in the Trellix console
  • iOS:
    See the instructions for using Microsoft Intune app configuration policies for iOS to add the Trellix Mobile Security iOS app configuration policy.

    For Configuration settings format, select Use configuration designer, and add the following settings:

    Configuration key Value type Configuration value
    MDMDeviceID string {{AzureADDeviceId}}
    tenantid string Copy value from admin console “Manage” page in the Trellix console
    defaultchannel string Copy value from admin console “Manage” page in the Trellix console

Trend Micro Mobile Security as a Service app configuration policy

See the instructions for using Microsoft Intune app configuration policies for iOS to add the Trend Micro Mobile Security as a Service app configuration policy.

Zimperium app configuration policy

  • Android Enterprise:
    See the instructions for using Microsoft Intune app configuration policies for Android to add the Zimperium Android app configuration policy.

    For Configuration settings format, select Use configuration designer, and add the following settings:

    Configuration key Value type Configuration value
    MDMDeviceID string {{AzureADDeviceId}}
    tenantid string Copy value from admin console “Manage” page in the Zimperium console
    defaultchannel string Copy value from admin console “Manage” page in the Zimperium console
  • iOS:
    See the instructions for using Microsoft Intune app configuration policies for iOS to add the Zimperium iOS app configuration policy.

    For Configuration settings format, select Use configuration designer, and add the following settings:

    Configuration key Value type Configuration value
    MDMDeviceID string {{AzureADDeviceId}}
    tenantid string Copy value from admin console “Manage” page in the Zimperium console
    defaultchannel string Copy value from admin console “Manage” page in the Zimperium console

Assigning Mobile Threat Defense apps to end users via Intune

To install the Mobile Threat Defense app on the end user device, you can follow the steps that are detailed in the following sections. Make sure you're familiar with the process of:

Choose the section that corresponds to your MTD provider:

Assigning Better Mobile

Assigning Check Point Harmony Mobile Protect

Assigning CrowdStrike Falcon for Mobile

Assigning Jamf

Assigning Lookout for Work

  • Android:

  • iOS:

  • Lookout for Work app outside the Apple store:

    • You must re-sign the Lookout for Work iOS app. Lookout distributes its Lookout for Work iOS app outside of the iOS App Store. Before distributing the app, you must re-sign the app with your iOS Enterprise Developer Certificate. Contact Lookout for Work for detailed instructions on this process.

    • Enable Microsoft Entra authentication for Lookout for Work iOS app users.

      1. Go to the Azure portal, sign in with your credentials, then navigate to the application page.

      2. Add the Lookout for Work iOS app as a native client application.

      3. Replace the com.lookout.enterprise.yourcompanyname with the customer bundle ID you selected when you signed the IPA.

      4. Add another redirect URI: <companyportal://code/> followed by a URL encoded version of your original redirect URI.

      5. Add Delegated Permissions to your app.

    • Add the Lookout for Work ipa file.

      • Upload the re-signed .ipa file as described in the Add iOS LOB apps with Intune article. You also need to set the minimum OS version to iOS 8.0 or later.

Assigning Pradeo

Assigning SentinelOne

Assigning Sophos

Assigning Symantec Endpoint Protection Mobile

Assigning Trellix Mobile Security

Assigning Zimperium

Next steps