Forum Discussion
Mobile Threat Defense for Entra Shared Device Mode
Hi StuartK73,
if by Entra Shared Device Mode you mean the frontline “shared device” experience (Authenticator + SDM), one important gotcha: Microsoft Defender for Endpoint on mobile isn’t supported on user-less or shared devices (both iOS and Android). So if you were hoping to use MDE as your MTD in SDM, it’s usually a dead end.
What most orgs do in SDM instead is pick a third-party Mobile Threat Defense vendor that integrates with Intune and feed its risk signal into Intune compliance + Entra Conditional Access. Microsoft lists the supported MTD partners (for example: Zimperium, Lookout, Check Point Harmony Mobile, CrowdStrike Falcon for Mobile, Jamf MTD, Pradeo, BlackBerry Protect Mobile, Better Mobile, iVerify, etc.).
Practical recommendation:
- Choose one MTD vendor per platform (Microsoft explicitly recommends this to avoid devices being marked noncompliant because multiple agents are required): https://learn.microsoft.com/en-us/intune/intune-service/protect/mobile-threat-defense
- Wire it into device compliance (MTD threat level rule) and then enforce with Conditional Access: https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-all-users-device-compliance
Quick question so people can answer you accurately: are your SDM devices Android, iOS/iPadOS, or both? (Android SDM tends to be the common case.)
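To make the "compliance rule plus Conditional Access" wiring from the reply above concrete, here is an added Python illustration; it is not code from the thread, from Microsoft or from any MTD vendor. It builds the Microsoft Graph request bodies for an Android Enterprise (device owner) compliance policy that uses the MTD threat-level rule and for a Conditional Access policy that requires a compliant device, then models how that rule is evaluated for a few constructed MTD reports. The Graph property and enum names (`androidDeviceOwnerCompliancePolicy`, `deviceThreatProtectionRequiredSecurityLevel`, `compliantDevice`, the `secured`/`low`/`medium`/`high` levels) are written from memory of the Graph reference and should be checked there before use, the `<break-glass-account-object-id>` placeholder is mine, the device names and threat levels are constructed sample data, and treating a device with no MTD report as noncompliant is a deliberate fail-closed modelling choice rather than a statement about Intune's grace-period handling.

```python
"""Added illustration: MTD threat-level compliance rule + Conditional Access.

Not code from the thread. Graph property names are assumptions to verify
against the Microsoft Graph reference before sending real requests.
"""
import json

# Intune's "Require the device to be at or under the device threat level" rule.
# Lower rank = fewer / less severe threats tolerated on a compliant device.
THREAT_RANK = {"secured": 0, "low": 1, "medium": 2, "high": 3}


def build_compliance_policy_body(display_name: str, required_level: str) -> dict:
    """Body for POST /deviceManagement/deviceCompliancePolicies (Graph beta).

    Only the MTD-related settings are shown; a real policy also carries the
    other compliance settings and the scheduled (noncompliance) actions you want.
    """
    if required_level not in THREAT_RANK:
        raise ValueError(f"unknown threat level: {required_level}")
    return {
        "@odata.type": "#microsoft.graph.androidDeviceOwnerCompliancePolicy",
        "displayName": display_name,
        "deviceThreatProtectionEnabled": True,
        "deviceThreatProtectionRequiredSecurityLevel": required_level,
    }


def build_conditional_access_body(display_name: str) -> dict:
    """Body for POST /identity/conditionalAccess/policies.

    Starts in report-only mode so a misconfigured MTD connector does not lock
    out every shared device at once; exclude at least one break-glass account.
    """
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeUsers": ["<break-glass-account-object-id>"],  # placeholder
            },
            "applications": {"includeApplications": ["All"]},
            "platforms": {"includePlatforms": ["android"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    }


def is_compliant(required_level: str, reported_level) -> bool:
    """Apply the threat-level rule to one device.

    reported_level is the level the MTD partner pushed to Intune, or None if
    the device has never reported. None is treated as noncompliant here
    (fail closed); this is a modelling choice, so confirm your tenant's
    actual behaviour and grace-period settings.
    """
    if reported_level is None:
        return False
    return THREAT_RANK[reported_level] <= THREAT_RANK[required_level]


def evaluate_fleet(required_level: str, reports: dict) -> dict:
    """Map device name -> compliant? for a batch of MTD reports."""
    return {device: is_compliant(required_level, level) for device, level in reports.items()}


# Constructed sample: what a few SDM devices' MTD reports might look like.
SAMPLE_REPORTS = {
    "sdm-android-001": "secured",  # clean
    "sdm-android-002": "low",      # e.g. stale OS patch level flagged as low
    "sdm-android-003": "high",     # e.g. sideloaded malicious app
    "sdm-android-004": None,       # MTD app never activated on this device
}

if __name__ == "__main__":
    print(json.dumps(build_compliance_policy_body("SDM - MTD threat level", "secured"), indent=2))
    print(json.dumps(build_conditional_access_body("SDM - require compliant device"), indent=2))
    for device, ok in evaluate_fleet("low", SAMPLE_REPORTS).items():
        print(f"{device}: {'compliant' if ok else 'NONCOMPLIANT -> CA denies sign-in'}")
```

Running it with `required_level="low"` shows the point of the rule's direction: device 002 (low-level threat only) stays compliant, 003 is blocked, and 004, which never activated the MTD app, is blocked as well, which is exactly the failure mode you hit on a shared device where nobody completed the MTD activation flow.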
- StuartK73, Iron Contributor, Dec 23, 2025
Hi buddy
This is great info.
The devices are Android Entra Shared Device Mode.
Do you happen to know which MTD would be the easiest to configure on SDMs, especially regarding setting Android permissions?
Stuart
- Simone_Termine, Brass Contributor, Dec 29, 2025
Hi StuartK73, for Android Entra Shared Device Mode the “easiest” MTD is usually the one that needs the fewest interactive permission prompts, because SDM doesn’t lend itself well to “open the app, tap Allow, sign in…” flows.
A useful rule of thumb is: pick an MTD that works cleanly as a Managed Google Play app and lets you pre-grant standard runtime permissions from Intune. Intune supports doing that via an App configuration policy (Managed devices) where you can set each permission to Prompt/Auto grant/Auto deny. And because it’s Android Enterprise, you (as admin) approve app permissions in Managed Google Play up front, so users don’t get bombarded with permission dialogs during install.

If you want a vendor name that tends to be “low friction” on permissions, Check Point Harmony Mobile is one I’ve seen work smoothly on managed Android because they explicitly call out that required permissions (like location/notifications depending on features) can be granted automatically by the UEM.
That said, every MTD app is different and Microsoft’s own guidance notes the Android activation flow often involves opening the MTD app and granting whatever it asks for, and permissions vary by vendor. So I’d shortlist 1–2 vendors from the supported Intune connector list, then pilot on one SDM device and count “how many taps” are needed.
Quick question (this really affects “permissions pain”): are these SDM devices AOSP/standard Android, or rugged devices like Zebra/Samsung (where OEMConfig can sometimes help with special permissions)?
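The "count how many taps" pilot suggested in the reply above can be partly done on paper before touching a device, because Intune's Auto grant only covers Android runtime (dangerous) permissions; special app-access grants (display over other apps, usage access, accessibility services, the VPN consent dialog) are not runtime permissions and keep their own consent screens. The following added Python illustration, which is not code from the thread or from any MTD vendor, splits an app's required grants into those a managed-devices app configuration policy can pre-grant and those that will still prompt on a shared device, and builds the Graph body for that policy. The permission classification table is my own subset, the package `com.example.mtd`, its permission list and the `<intune-app-id>` placeholder are constructed, and the Graph property names (`androidManagedStoreAppConfiguration`, `permissionActions`, `profileApplicability`) are written from memory of the Graph beta reference and should be checked there.

```python
"""Added illustration: which MTD app grants Intune can pre-grant on an
Android Enterprise device, and which still cost taps on a shared device.

Not code from the thread or from any MTD vendor. The permission tables and
Graph property names are assumptions to verify against the Android and
Microsoft Graph references; the package and permission list are constructed.
"""
import base64
import json

# Runtime ("dangerous") permissions. A device-owner permission policy can
# grant these silently, which is what Intune's "Auto grant" does.
# Subset chosen because MTD apps commonly request them (assumption).
AUTO_GRANTABLE = {
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
    "android.permission.POST_NOTIFICATIONS",
    "android.permission.CAMERA",
    "android.permission.READ_PHONE_STATE",
}

# Special app-access grants that are NOT runtime permissions, so the
# permission policy cannot touch them; each has its own consent screen.
SPECIAL_CONSENTS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "Display over other apps",
    "android.permission.PACKAGE_USAGE_STATS": "Usage access",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "Accessibility service",
    "vpn-consent": "VPN connection request (VpnService.prepare)",  # my label
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "Ignore battery optimisation",
}


def plan_permissions(required):
    """Split an app's required grants into (auto, manual, unknown).

    auto: sorted runtime permissions to put in the policy as Auto grant.
    manual: special grant -> consent screen the user must tap through.
    unknown: names this table does not know; check the vendor docs by hand.
    """
    auto = sorted(p for p in required if p in AUTO_GRANTABLE)
    manual = {p: SPECIAL_CONSENTS[p] for p in required if p in SPECIAL_CONSENTS}
    unknown = sorted(
        p for p in required if p not in AUTO_GRANTABLE and p not in SPECIAL_CONSENTS
    )
    return auto, manual, unknown


def build_app_config_body(display_name, package_id, targeted_app_id, auto_grant):
    """Body for POST /deviceAppManagement/mobileAppConfigurations.

    Managed-devices app configuration for a Managed Google Play app with each
    runtime permission set to Auto grant. payloadJson carries the managed
    configuration (empty here) as base64-encoded JSON.
    """
    managed_config = {
        "kind": "androidenterprise#managedConfiguration",
        "productId": f"app:{package_id}",
        "managedProperty": [],
    }
    return {
        "@odata.type": "#microsoft.graph.androidManagedStoreAppConfiguration",
        "displayName": display_name,
        "targetedMobileApps": [targeted_app_id],
        "packageId": f"app:{package_id}",
        "payloadJson": base64.b64encode(json.dumps(managed_config).encode()).decode(),
        "permissionActions": [
            {
                "@odata.type": "#microsoft.graph.androidPermissionAction",
                "permission": p,
                "action": "autoGrant",
            }
            for p in auto_grant
        ],
        "profileApplicability": "androidDeviceOwner",
    }


def decode_payload(body):
    """Round-trip helper: the managed configuration embedded in payloadJson."""
    return json.loads(base64.b64decode(body["payloadJson"]))


# Constructed sample: grants a hypothetical MTD app "com.example.mtd" asks for.
SAMPLE_MTD_REQUIREMENTS = [
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.POST_NOTIFICATIONS",
    "android.permission.READ_PHONE_STATE",
    "vpn-consent",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "com.example.mtd.permission.CUSTOM",
]

if __name__ == "__main__":
    auto, manual, unknown = plan_permissions(SAMPLE_MTD_REQUIREMENTS)
    body = build_app_config_body("MTD - SDM permissions", "com.example.mtd",
                                 "<intune-app-id>", auto)  # placeholder app id
    print(json.dumps(body, indent=2))
    print(f"pre-granted by policy: {len(auto)}; still need taps: {len(manual)}")
    for grant, screen in manual.items():
        print(f"  {grant}: user must accept '{screen}'")
    for p in unknown:
        print(f"  {p}: not classified, check vendor docs")
```

The `manual` list is the real cost of a vendor on a shared device: location and notifications disappear into the policy, but anything that needs a VPN consent or an accessibility service will prompt on every fresh activation unless the vendor or an OEM-specific channel (the OEMConfig route mentioned above) can suppress it, so that list, not the total permission count, is what to compare between shortlisted vendors.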