With the 2102 release of Microsoft Endpoint Manager, you can now configure Microsoft Defender for Endpoint to send threat signals that are used in your App Protection Policies (APP, also known as MAM) on Android and iOS/iPadOS.
Setting up Microsoft Defender for Endpoint for unenrolled devices
Set up the connection from your Microsoft Endpoint Manager tenant to Microsoft Defender for Endpoint. This can be done either via Tenant Administration > Connectors and tokens > Microsoft Defender for Endpoint (under Cross platform) or Endpoint Security > Microsoft Defender for Endpoint (under Setup). Once your Connection status is set to Available, proceed. If you have been using Microsoft Defender for Endpoint for device compliance assessment up until now, your connector may already be set up. At present, Microsoft Endpoint Manager supports one Mobile Threat Defense or Microsoft Defender for Endpoint connector per platform.
Microsoft Defender for Endpoint connector status in the MEM admin center
To send threat signals from Microsoft Defender for Endpoint on targeted devices to APP, turn on the toggles under App Protection Policy Settings for the platforms you wish to configure. These capabilities are available for Android and iOS/iPadOS. Select Save. The Connection status should now show Enabled.
Microsoft Defender for Endpoint connector status settings in the MEM admin center
Create your App Protection Policy
After your Microsoft Defender for Endpoint connector setup is complete, navigate to Apps > App protection policies (under Policy) to create a new policy or update an existing one.
Select the platform, and the Apps, Data protection, and Access requirements settings that your organization requires for your policy.
Under Conditional launch > Device conditions, you will find the setting Max allowed device threat level. This must be configured to Low, Medium, High, or Secured. The actions available to you are Block access or Wipe data. You may see an informational dialog reminding you to set up your connector before this setting takes effect. If your connector is already set up, you may ignore this dialog.
Intune APP - Mobile Threat Connector policy settings
Finish with Assignments and save your policy.
How to deploy the Defender app with this functionality
At present, the Microsoft Defender for Endpoint builds for iOS and Android that enable the App Protection Policy scenario are found in TestFlight (for iOS/iPadOS) and the beta Google Play store (for Android), as the feature is in preview.
Device Admin customers and customers whose devices are not enrolled in Intune (MEM): admins will need to create a Google Group (format: <Customername>_DefenderMAM) for users who are participating in the preview.
Enterprise Admin customers: the admin will need to send the Organization ID of the Google Play account that is linked to the Managed Google Play store in Intune, and then sync the Google Play account in Intune.
Once this policy is targeted to a specific user, the end user will be required to:
Register their device with Azure Active Directory (Azure AD). This is not a device enrollment into Intune. This simply allows this device to have an Azure AD device ID which is required for this feature. If your organization has already configured Conditional Access for Android/iOS, your end users may already have Azure AD registered mobile devices.
Install the Microsoft Defender for Endpoint app on their device.
Activate the Microsoft Defender for Endpoint app in order to pass the condition required to access the app with their corporate account. This will involve signing into the app with corporate credentials, and accepting any required permissions.
Once activation is complete, Microsoft Defender for Endpoint scans the device to produce a risk score. If the risk score is within the Max allowed device threat level (Low, Medium, High, or Secured) set by the admin, the end user passes the conditions and gets access to their protected apps.
The check of whether the device passes the configured conditions happens during App Protection Policy service check-in, or when the end user hits ‘Recheck’ after remediating their device.
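As an added illustration (not Microsoft's code or the product's implementation), the following Python models how the Max allowed device threat level condition gates access at check-in and on Recheck, using the prerequisites described above (Azure AD device ID, Defender activation, Defender risk score). The ordering Secured < Low < Medium < High and the treatment of a missing signal as failing the condition are assumptions of this model.

```python
"""Model of the APP 'Max allowed device threat level' device condition.
Added illustration only; not Microsoft's implementation."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ordinal scale for the policy setting (assumption): "Secured" tolerates no
# threats at all; Low/Medium/High each tolerate threats up to that severity.
THREAT_LEVELS = {"secured": 0, "low": 1, "medium": 2, "high": 3}
ACTIONS = {"block", "wipe"}  # Block access / Wipe data


@dataclass
class DevicePosture:
    azure_ad_device_id: Optional[str]  # None until the device is Azure AD registered
    defender_activated: bool           # signed in to the Defender app with corporate credentials
    risk_score: Optional[str]          # Defender's score after its scan; None if no scan yet


def evaluate(max_allowed: str, action: str, posture: DevicePosture) -> str:
    """Return 'allow', 'block' or 'wipe' for one service check-in or Recheck."""
    if max_allowed not in THREAT_LEVELS or action not in ACTIONS:
        raise ValueError("policy must set a valid threat level and action")
    # Without an Azure AD device ID, Defender has nothing to attach a signal to,
    # and before activation no signal is sent; both fail the condition (assumption).
    if posture.azure_ad_device_id is None or not posture.defender_activated:
        return action
    if posture.risk_score is None or posture.risk_score not in THREAT_LEVELS:
        return action  # no usable signal yet: fail closed (assumption)
    if THREAT_LEVELS[posture.risk_score] <= THREAT_LEVELS[max_allowed]:
        return "allow"
    return action


def checkin_history(max_allowed: str, action: str,
                    events: List[Tuple[str, DevicePosture]]) -> List[Tuple[str, str]]:
    """Replay a sequence of ('checkin' | 'recheck', posture) events and return
    the decision at each point, so an admin can see when access is restored."""
    return [(trigger, evaluate(max_allowed, action, p)) for trigger, p in events]


if __name__ == "__main__":
    # Constructed sample: user registers, activates Defender, is found at Medium
    # risk under a Low policy, remediates, then taps Recheck.
    events = [
        ("checkin", DevicePosture(None, False, None)),
        ("checkin", DevicePosture("dev-001", True, "medium")),
        ("recheck", DevicePosture("dev-001", True, "low")),
    ]
    for trigger, decision in checkin_history("low", "block", events):
        print(f"{trigger}: {decision}")
```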