Intune Customer Success
Upcoming permissions changes for Microsoft Defender for Endpoint running Android 11 or later

Intune_Support_Team
Nov 10, 2021

We posted MC291890 in the Message Center a month ago (message below). Implementation of this change will start rolling out on November 11, 2021. To help you be more aware of this change, we’re sharing the Message Center post and have included screenshots so you can see the experience.

 

MC291890 - Plan for Change: Upcoming permission changes for Microsoft Defender for Endpoint running Android 11 or later
In November, Microsoft Defender for Endpoint will be required by Google to move to Android API 30, which will prompt for a new storage permission on devices running Android 11 or later. Users will need to accept this new storage permission once they update to the November version of Microsoft Defender for Endpoint. Accepting it will continue Defender’s ‘App security’ functionality on their devices; see below for more details.

 

How this will affect your organization:
This will only impact you if you are using Microsoft Defender for Endpoint on devices running Android 11 or later and update to the November app. This setting is not configurable through Microsoft Endpoint Manager; users will need to take action due to the aforementioned Google API changes.

 

User experience: Users will receive a notification indicating a missing permission for app security. If the user denies this permission, ‘App security’ functionality will be disabled on the device. If your user neither approves nor denies permission, they will continue to receive the prompt when unlocking their device or opening the app until it has been approved.

 

Note: If your organization is previewing the ‘Tamper protection’ feature and the new storage permissions are not granted by the user within 7 days of updating to the latest version, the user might lose access to corporate resources.

 

What you need to do to prepare:
Notify your users and helpdesk (as applicable) that users will need to accept the new permissions when prompted after they have updated to the November version of the Microsoft Defender for Endpoint app. To accept the permissions, users should:

  1. Tap on the Defender in-app notification or open the Microsoft Defender for Endpoint app where users will see a screen that lists the permissions needed. A green check mark will be missing next to the Storage permission.
  2. Tap Begin.
  3. Tap the toggle for Allow access to manage all files.
    Note: This permission allows Microsoft Defender for Endpoint to access storage on the user’s device, which helps detect and remove malicious and unwanted apps. Microsoft Defender for Endpoint only accesses and scans Android app package files (.apk), and on devices with a Work Profile, only scans work-related files.
  4. The device is now protected.


While the message above is instructional, here’s what the flow will look like:

 

Screenshots of the upcoming permission changes for Microsoft Defender for Endpoint running Android 11 or later

 

Backup option: If the user misses the in-app notification, then when they unlock the device or launch the Microsoft Defender for Endpoint app, they will be prompted with a message overlay screen that navigates them to the permission onboarding screen:

 

Screenshots of the flow if the user misses the in-app notification at first

 

To see if our telemetry indicated you could be impacted by this change, check if you’ve got MC291890 in the Message Center. For more information on service change communications, see Staying up to date on Intune new features, service changes, and service health - Microsoft Tech Community.

Updated Dec 19, 2023
  • KyleS_85226

    A bit after the fact - but what to do, if the "Manage all files" permission is not listed?  In the app permissions, only the Location and Notifications permissions are listed.  We are using Defender only for the VPN functionality via MS Tunnel.

  • nicolas2400

    Hi,

    It would be much appreciated if these new permissions could be auto-approved through Intune.

    Is it on the roadmap, please?

    Thanks!

  • vpawars

    Hi Team,

    Could you please update with the latest screenshots over here? This will help customers to follow the steps.

    Regards,

    Vinayak