Mobile Threat Defense for Entra Shared Device Mode
Hi All
What are you guys using for Mobile Threat Defense on Entra Shared Device Mode?
Info appreciated.
SK
- Simone_Termine (Brass Contributor)
Hi StuartK73,
if by Entra Shared Device Mode you mean the frontline “shared device” experience (Authenticator + SDM), one important gotcha: Microsoft Defender for Endpoint on mobile isn’t supported on user-less or shared devices (both iOS and Android). So if you were hoping to use MDE as your MTD in SDM, it’s usually a dead end.
What most orgs do in SDM instead is pick a third-party Mobile Threat Defense vendor that integrates with Intune and feed its risk signal into Intune compliance + Entra Conditional Access. Microsoft lists the supported MTD partners (for example: Zimperium, Lookout, Check Point Harmony Mobile, CrowdStrike Falcon for Mobile, Jamf MTD, Pradeo, BlackBerry Protect Mobile, Better Mobile, iVerify, etc.).
Practical recommendation:
- Choose one MTD vendor per platform (Microsoft explicitly recommends this to avoid devices being marked noncompliant because multiple agents are required). https://learn.microsoft.com/en-us/intune/intune-service/protect/mobile-threat-defense
- Wire it into device compliance (MTD threat level rule) and then enforce with Conditional Access (https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-all-users-device-compliance).
Quick question so people can answer you accurately: are your SDM devices Android, iOS/iPadOS, or both? (Android SDM tends to be the common case.)
- StuartK73 (Iron Contributor)
Hi buddy
This is great info.
The devices are Android Entra Shared Device Mode.
Do you happen to know which MTD would be the easiest to configure on SDM's especially regarding to setting Android permissions?
Stuart
- Simone_Termine (Brass Contributor)
Hi StuartK73, for Android Entra Shared Device Mode the “easiest” MTD is usually the one that needs the fewest interactive permission prompts, because SDM doesn’t lend itself well to “open the app, tap Allow, sign in…” flows.
A useful rule of thumb is: pick an MTD that works cleanly as a Managed Google Play app and lets you pre-grant standard runtime permissions from Intune. Intune supports doing that via an App configuration policy (Managed devices) where you can set each permission to Prompt/Auto grant/Auto deny. And because it’s Android Enterprise, you (as admin) approve app permissions in Managed Google Play up front, so users don’t get bombarded with permission dialogs during install.
If you want a vendor name that tends to be “low friction” on permissions, Check Point Harmony Mobile is one I’ve seen work smoothly on managed Android because they explicitly call out that required permissions (like location/notifications depending on features) can be granted automatically by the UEM.
That said, every MTD app is different and Microsoft’s own guidance notes the Android activation flow often involves opening the MTD app and granting whatever it asks for, and permissions vary by vendor. So I’d shortlist 1–2 vendors from the supported Intune connector list, then pilot on one SDM device and count “how many taps” are needed.
Quick question (this really affects “permissions pain”): are these SDM devices AOSP/standard Android, or rugged devices like Zebra/Samsung (where OEMConfig can sometimes help with special permissions)?
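The pre-granting step described in the reply above, as an added example that is not part of the original thread or of any vendor's tooling: it builds the request body for an Intune Android Enterprise app configuration policy (Graph `androidManagedStoreAppConfiguration`, beta endpoint) that sets each runtime permission of a Managed Google Play app to Auto grant, Auto deny or Prompt before the app is installed on a fully managed (device owner) SDM device. The package name `com.example.mtd`, the display name, the group id and the exact list of permissions are constructed placeholders; swap in the vendor's documented permission list when piloting.

```python
"""Build an Intune app configuration policy that pre-grants Android runtime
permissions for a Managed Google Play MTD app (added example, constructed values)."""
import json
import urllib.request

# Intune's three per-permission choices, as the Graph enum spells them.
VALID_ACTIONS = {"autoGrant", "autoDeny", "prompt"}

# Constructed sample: the permissions a hypothetical MTD agent would otherwise
# prompt for on first launch. A real vendor list comes from its admin guide.
SAMPLE_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "autoGrant",   # Wi-Fi threat detection
    "android.permission.POST_NOTIFICATIONS": "autoGrant",    # threat alerts on device
    "android.permission.CAMERA": "autoDeny",                 # not needed for MTD
}


def build_permission_actions(grants: dict) -> list:
    """Translate {permission: action} into Graph permissionActions entries,
    rejecting anything that is not one of Intune's three supported actions."""
    actions = []
    for permission, action in sorted(grants.items()):
        if action not in VALID_ACTIONS:
            raise ValueError(f"{permission}: unsupported action {action!r}")
        if not permission.startswith("android.permission."):
            raise ValueError(f"{permission}: expected a fully qualified Android permission")
        actions.append({"permission": permission, "action": action})
    return actions


def build_app_config_body(package_name: str, grants: dict, display_name: str) -> dict:
    """Request body for POST /beta/deviceAppManagement/mobileAppConfigurations.
    profileApplicability=androidDeviceOwner targets fully managed devices, which is
    what an Entra Shared Device Mode Android device is (assumption from the thread)."""
    return {
        "@odata.type": "#microsoft.graph.androidManagedStoreAppConfiguration",
        "displayName": display_name,
        "packageId": f"app:{package_name}",  # Intune's 'app:' prefix for store apps
        "profileApplicability": "androidDeviceOwner",
        "permissionActions": build_permission_actions(grants),
        "payloadJson": "",  # vendor-specific managed configuration, none here
    }


def count_prompts(body: dict) -> int:
    """How many permission dialogs a user would still see: the 'how many taps'
    metric the reply suggests counting during a pilot."""
    return sum(1 for a in body["permissionActions"] if a["action"] == "prompt")


def post_app_config(body: dict, access_token: str) -> dict:
    """Create the policy via Microsoft Graph. Not called below; requires a token
    with DeviceManagementApps.ReadWrite.All."""
    req = urllib.request.Request(
        "https://graph.microsoft.com/beta/deviceAppManagement/mobileAppConfigurations",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    policy = build_app_config_body("com.example.mtd", SAMPLE_PERMISSIONS,
                                   "MTD agent - pre-granted permissions (SDM)")
    print(json.dumps(policy, indent=2))
    print("remaining interactive prompts:", count_prompts(policy))
```

Assign the resulting policy to the device group that holds the SDM devices and verify on one pilot device that the MTD app activates without a permission dialog; any permission still left on `prompt` is a tap a shared-device user has to make.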
- Choose one MTD vendor per platform (Microsoft explicitly recommends this to avoid devices being marked noncompliant because multiple agents are required).
Hi, in my experience, Microsoft Defender for Endpoint works well for mobile threat defense in Entra Shared Device Mode, especially if you're already embedded in the Microsoft ecosystem. Some teams do consider third-party solutions, but Defender tends to offer solid integration and protection out-of-the-box. I'd be curious to hear what others are using too!
- StuartK73 (Iron Contributor)
Hi Buddy
Can you tell me how you got DfE working on Entra Shared Mode devices?
The MS docs state this:
Ref: https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-endpoint-android
SK
- StuartK73 (Iron Contributor)
Hi Buddy
Many thanks for your quick and informative reply. As the Entra Shared devices are "userless" and logged into by multiple users, I assume that each logged on user must have a Defender for Endpoint license?
Stuart
- Simone_Termine (Brass Contributor)
Hi StuartK73,
good question, but in Entra Shared Device Mode (userless/shared) licensing the users won’t solve it because Microsoft Defender for Endpoint on mobile isn’t supported on userless or shared devices (Android and iOS). So even if every user had an MDE license, that specific shared/userless scenario still won’t be supported/functional.
For supported scenarios (non-shared/user-based devices), the licensing model is typically:
- Defender for Endpoint Plan 2 is per user, and each licensed user can have up to five concurrently onboarded devices.
For Shared Device Mode, most orgs go with a third-party MTD partner integrated with Intune compliance + Conditional Access, or they redesign the scenario to a user-based enrollment model if MDE is a hard requirement.
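The "MTD partner → Intune compliance → Conditional Access" chain recommended in this thread, as an added example that is not part of the original posts: it builds the Android Enterprise (fully managed) compliance policy body that turns on the "Require the device to be at or under the Device Threat Level" rule (Graph `androidDeviceOwnerCompliancePolicy`, `deviceThreatProtectionRequiredSecurityLevel`) and evaluates, offline, whether a threat level reported by the MTD connector would leave a device compliant. The ordering of the levels (secured below low below medium below high) and the sample device reports are constructed for the example; the policy name is a placeholder.

```python
"""Compliance policy with an MTD threat-level rule, plus an offline evaluator
(added example with constructed sample data; not Intune's own code)."""

# Intune's threat levels in increasing severity; 'unavailable' is the
# Graph value meaning 'do not require a threat level' (assumption from the portal).
THREAT_LEVELS = ["secured", "low", "medium", "high"]


def build_compliance_body(max_allowed_level: str, display_name: str) -> dict:
    """Body for POST /beta/deviceManagement/deviceCompliancePolicies.
    A device is compliant only when its MTD-reported level is at or under
    max_allowed_level."""
    if max_allowed_level not in THREAT_LEVELS:
        raise ValueError(f"unknown threat level {max_allowed_level!r}")
    return {
        "@odata.type": "#microsoft.graph.androidDeviceOwnerCompliancePolicy",
        "displayName": display_name,
        "deviceThreatProtectionEnabled": True,
        "deviceThreatProtectionRequiredSecurityLevel": max_allowed_level,
        # Conditional Access acts on the compliance state, so a policy with no
        # scheduled action still blocks: mark noncompliant immediately.
        "scheduledActionsForRule": [{
            "ruleName": "PasswordRequired",
            "scheduledActionConfigurations": [{
                "actionType": "block", "gracePeriodHours": 0,
            }],
        }],
    }


def is_compliant(reported_level: str, policy: dict) -> bool:
    """Apply the threat-level rule. A device with no MTD report at all
    (reported_level None) cannot prove it is under the threshold, so it is
    treated as noncompliant; that is the behaviour you want on a shared
    device where a user might never open the MTD app."""
    if not policy.get("deviceThreatProtectionEnabled"):
        return True
    required = policy["deviceThreatProtectionRequiredSecurityLevel"]
    if reported_level is None or reported_level not in THREAT_LEVELS:
        return False
    return THREAT_LEVELS.index(reported_level) <= THREAT_LEVELS.index(required)


def evaluate_fleet(reports: dict, policy: dict) -> dict:
    """Map device name -> compliant? for a batch of MTD reports."""
    return {name: is_compliant(level, policy) for name, level in reports.items()}


# Constructed sample of what the MTD connector would surface per device.
SAMPLE_REPORTS = {
    "sdm-android-01": "secured",   # clean
    "sdm-android-02": "low",       # e.g. outdated OS patch level
    "sdm-android-03": "high",      # e.g. detected malicious app
    "sdm-android-04": None,        # MTD agent never activated
}

if __name__ == "__main__":
    policy = build_compliance_body("low", "Android SDM - MTD threat level (placeholder)")
    for device, ok in evaluate_fleet(SAMPLE_REPORTS, policy).items():
        print(f"{device}: {'compliant' if ok else 'NONCOMPLIANT'}")
```

With `max_allowed_level` set to `low`, only the first two sample devices stay compliant; the device that never activated the agent is noncompliant too, which is exactly why the activation flow on a userless device matters before the Conditional Access policy that requires a compliant device is switched on.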