Announcing the public preview of Defender for Endpoint personal profile for Android Enterprise
Published May 13 2022 07:48 AM
Microsoft

UPDATE: As of 6/27/22, MDE's support on BYOD personal profile is now generally available.

 

Over the last few years, organizations have transformed the way we do business with remote and hybrid work policies, forever changing the dynamic and definition of the term work as we once knew it. Along with this shift in flexibility for where we work, organizations have also taken steps to improve how we work by supporting employee mobility with various Bring Your Own Device (BYOD) strategies. 

Microsoft has made significant progress in its ongoing commitment to empower and secure employee mobility with the recent delivery of support for work profiles in Android Enterprise with the Microsoft Defender app. But the work does not stop there. After gathering insights from our customers and the broader community, we have found a growing desire to protect not only the user’s work profile from phishing and malware attacks, but also the user’s personal profile on BYOD devices.

We are happy to announce that users who wish to enroll their own devices in their workplace’s BYOD program can now benefit from the protection provided by Microsoft Defender for Endpoint in their personal profile as well. This additional support will provide users with:
 

  • Malware scanning that is extended to user-installed applications housed within their personal profiles  
  • Protection from malicious URLs clicked by users within their personal profiles  
  • Network protection and privacy controls 

Before you start

  1. The Microsoft Defender app must be installed and activated in the work profile  
  2. The user needs to install the Company portal application in their personal profile (no sign-in required) 
     

How admins can configure personal profile support for their organizations
 

  1. The admin must enable support for personal profiles from Intune MEM by setting the App Configuration key "Microsoft Defender for Endpoint Personal" to 1 (true); the default value is 0 (false). To configure this key, the admin provides explicit consent to the Microsoft Privacy Statement. For more information, please read this documentation.
  2. Admin sets up privacy controls. By default, they are set to True for the Malware report, Phishing report, and Threat and Vulnerability Management (TVM).  
  3. Advise users they are now able to protect their personal profiles with Microsoft Defender on their enrolled BYOD devices.

How users can set up the Microsoft Defender app for their personal profiles

 

  1. User installs the Microsoft Defender application from their personal Play Store account, on their personal profile   
  2. User enables the Company portal application in their personal profile 
  3. At the sign-in screen, the user must sign in using only their corporate account credentials
  4. Upon successful login, two screens will be presented requesting user consent:   
    • EULA Screen: Presented only if the user has NOT consented already in the Work profile.  
    • Notification screen: User is required to provide consent on this screen to move forward with onboarding of the app. 

Keep in mind

  • Personal profile is only supported in Android Enterprise BYOD mode at this time. We look forward to supporting COPE (corporate owned, personally enabled) mode in the future.  
  • Conditional Access policy cannot be applied on Microsoft Defender for Endpoint for the personal profile.  
  • VPN settings cannot be auto-enabled by the admin in the onboarding process for the personal profile.
     

Is Microsoft Defender for Endpoint protecting the personal profile for your BYOD enrolled in Android Enterprise? If so, let us know what you think! If not, try it today and share your feedback.   

 

3 Comments
Copper Contributor

Thank you, that's a very interesting feature, we have been applying the configuration key while still in preview.

It would be useful to have clear documentation on MDE configuration keys: some of them appear in the documentation as deprecated but are not present in the configuration designer (e.g. Web Protection), the VPN configuration key probably partially replaces the Auto Setup of Always-on VPN device configuration policy, and some of them are just not documented (Enable Network Protection, Microsoft Defender, Anti-phishing keys).

Only some of the privacy-related configuration keys are described. It would be really useful to have a clear description of the functionalities to better configure MDE.

The documentation also fails to describe that store permissions should be auto-granted.

It would also be useful to auto-grant more permissions, to provide a better experience for the end users.

 

Copper Contributor

Any update on the availability for COPE enrolled devices?
I am getting the below error when testing this on the personal profile of a COPE enrolled device (Galaxy A42, Android 12, latest security patch):

Defender.JPG

Copper Contributor

Any word on support for COPE devices? It looks like this still isn't working for them.

Last update: Jun 27 2022 07:48 AM