Forum Discussion
Mobile Threat Defense for Entra Shared Device Mode
Hi buddy
This is great info.
The devices are Android Entra Shared Device Mode.
Do you happen to know which MTD would be the easiest to configure on SDMs, especially with regard to setting Android permissions?
Stuart
Hi StuartK73, for Android Entra Shared Device Mode the “easiest” MTD is usually the one that needs the fewest interactive permission prompts, because SDM doesn’t lend itself well to “open the app, tap Allow, sign in…” flows.
A useful rule of thumb is: pick an MTD that works cleanly as a Managed Google Play app and lets you pre-grant standard runtime permissions from Intune. Intune supports doing that via an App configuration policy (Managed devices) where you can set each permission to Prompt/Auto grant/Auto deny. And because it’s Android Enterprise, you (as admin) approve app permissions in Managed Google Play up front, so users don’t get bombarded with permission dialogs during install.
If you want a vendor name that tends to be “low friction” on permissions, Check Point Harmony Mobile is one I’ve seen work smoothly on managed Android because they explicitly call out that required permissions (like location/notifications depending on features) can be granted automatically by the UEM.
That said, every MTD app is different and Microsoft’s own guidance notes the Android activation flow often involves opening the MTD app and granting whatever it asks for, and permissions vary by vendor. So I’d shortlist 1–2 vendors from the supported Intune connector list, then pilot on one SDM device and count “how many taps” are needed.
Quick question (this really affects “permissions pain”): are these SDM devices AOSP/standard Android, or rugged devices like Zebra/Samsung (where OEMConfig can sometimes help with special permissions)?