We posted MC291890 in the Message Center a month ago (message below). Implementation of this change will start rolling out on November 11, 2021. To help you be more aware of this change, we’re sharing the Message Center post and have included screenshots so you can see the experience.
MC291890-Plan for Change: Upcoming permission changes for Microsoft Defender for Endpoint running Android 11 or later
In November, Microsoft Defender for Endpoint will be required by Google to move to Android API 30, which will prompt for a new storage permission for devices running Android 11 or later. Users will need to accept this new storage permission once they update to the November version of Microsoft Defender for Endpoint. Accepting it will continue Defender’s ‘App security’ functionality on their devices; see below for more details.
How this will affect your organization:
This will only impact you if you are using Microsoft Defender for Endpoint on devices running Android 11 or later and update to the November app. This setting is not configurable through Microsoft Endpoint Manager; users will need to take action due to the aforementioned Google API changes.
User experience: Users will receive a notification indicating a missing permission for app security. If the user denies this permission, ‘App security’ functionality will be disabled on the device. If your user neither approves nor denies permission, they will continue to receive the prompt when unlocking their device or opening the app until it has been approved.
Note: If your organization is previewing the ‘Tamper protection’ feature and the new storage permissions are not granted by the user within 7 days of updating to the latest version, the user might lose access to corporate resources.
What you need to do to prepare:
Notify your users and helpdesk (as applicable) that users will need to accept the new permissions when prompted after they have updated to the November version of the Microsoft Defender for Endpoint app. To accept the permissions users should:
While the message above is instructional, here’s what the flow will look like:
Screenshots of the upcoming permission changes for Microsoft Defender for Endpoint running Android 11 or later
Backup option: If the user misses the in-app notification, then when they unlock the device or launch the Microsoft Defender for Endpoint app, they will be prompted with a message overlay screen that navigates them to the permission onboarding screen:
Screenshots of the flow if the user misses the in-app notification at first
To see if our telemetry indicated you could be impacted by this change, check if you’ve got MC291890 in the Message Center. For more information on service change communications, see: Staying up to date on Intune new features, service changes, and service health - Microsoft Tech Comm....