UPDATE: As of 6/27/22, MDE's support on BYOD personal profile is now generally available.
Over the last few years, organizations have transformed the way we do business with remote and hybrid work policies, forever changing the dynamic and definition of the term "work" as we once knew it. Along with this shift in flexibility for where we work, organizations have also taken steps to improve how we work by supporting employee mobility with various Bring Your Own Device (BYOD) strategies.
Microsoft has made significant progress in its ongoing commitment to empower and secure employee mobility with the recent delivery of support for work profiles in Android Enterprise with the Microsoft Defender app. But the work does not stop there. After gathering insights from our customers and the broader community, we have found there is a growing desire to protect not only the user's work profile from phishing and malware attacks, but also the user's personal profile on BYOD devices.
We are happy to announce that users who wish to enroll their own devices in their workplace's BYOD program can now benefit from the protection provided by Microsoft Defender for Endpoint in their personal profile as well. This additional support will provide users with:
- Malware scanning that is extended to user-installed applications housed within their personal profiles
- Protection from malicious URLs clicked by users within their personal profiles
The Microsoft Defender app must be installed and activated in the work profile
The user needs to install the Company portal application in their personal profile (no sign-in required)
How Admins can configure personal profile support for their organizations
1. The admin must enable support for personal profiles from Intune MEM by setting the App Configuration key "Microsoft Defender for Endpoint Personal" to 1 (true); the default value is 0 (false). To configure this key, the admin provides explicit consent to the Microsoft Privacy Statement. For more information, please read this documentation.
2. The admin sets up privacy controls. By default, they are set to True for the Malware report, Phishing report, and Threat and Vulnerability Management (TVM).
3. The admin advises users that they are now able to protect their personal profiles with Microsoft Defender on their enrolled BYOD devices.
How users can set up the Microsoft Defender app for their personal profiles
1. The user installs the Microsoft Defender application from their personal Play Store account, on their personal profile.
2. The user enables the Company portal application in their personal profile.
3. At the sign-in screen, the user must log in using only their corporate account credentials.
4. Upon successful login, two screens will be presented requesting user consent:
   - EULA screen: Presented only if the user has NOT already consented in the work profile.
   - Notification screen: The user is required to provide consent on this screen to move forward with onboarding of the app.
Keep in mind
- Personal profile is only supported in Android Enterprise BYOD mode at this time. We look forward to supporting COPE (corporate-owned, personally enabled) mode in the future.
- Conditional Access policy cannot be applied to Microsoft Defender for Endpoint for the personal profile.
- VPN settings cannot be auto-enabled by the admin in the onboarding process for the personal profile.
Is Microsoft Defender for Endpoint protecting the personal profile for your BYOD enrolled in Android Enterprise? If so, let us know what you think! If not, try it today and share your feedback.