Microsoft Defender for Android Company Owned Work Profile

Hi,

 

I'm testing Android Enterprise with company owned with work profile. Install instructions have this statement "Currently, Personally-owned devices with work profile and Corporate-owned fully managed user device enrollments are supported in Android Enterprise. Support for other Android Enterprise modes will be announced when ready."

 

Does this mean we can deploy MDE to Android Enterprise Devices which are corporate owned but have work profile? Do they have to be fully managed?

 

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoin...

 

8 Replies
Thanks for submitting this question. Let me look into this issue for you. Will reply soon.
Clarifications available for the terms and scenarios? Like that the modes are supported but for example Antiphishing is available only on Dedicated?

@Aragorn According to the MS article, it's enabled in preview just for BYOD enrolled, not also COPE; no ETA yet for COPE. I did test it today and got the below error, even if the Defender was properly set up in Work profile already

Defender.JPG

@PaulAnton  did you get any further with this as we have a similar issue. 

@PaulAnton 

 

That's a shame. We tested DEFENDER with no issues internally and are now rolling out to a client and we are getting the same error despite the fact the devices should be the same as our testing ones. Go figure.

 

@Daniel Simpson  - Any update from your end at all?

Just a quick update on this:
I've tested this today with "corporate owned - work profile" mode (COPE).
Result: NOT working, what a pity. 😞
(In my scenario I've configured the always-on VPN, too, but I wasn't able to connect. Therefore there was no connectivity in the work profile at all, so no internet. Which means: I was unable to remove the AlwaysOn VPN config via Intune, because of the lack of internet connectivity...)

Last chance: factory reset 😄

Because this COPE Mode is the most used one it would be so important to have DFE!

@Daniel Simpson. Any Updates on this?

Today I've tested a COPE Android device with Defender for Endpoint. It is working! 🙂
What I did (long story short):

1. Security.microsoft.com \ Settings \ Endpoints \ Advanced features: Intune Connection > ON
2. Intune \ Tenant Administration \ Connectors and Tokens \ Microsoft Defender for Endpoint: Android enabled
3. Installed Defender App via "managed google play"
4. App Configuration Profile for Defender App
5. Device Configuration Profile for Always-on VPN BUT without "lockdown mode" enabled. (This breaks the whole internet in the corporate profile and makes it necessary to wipe and re-enroll the device.) :--D
6. Optional: Compliance and AppProtection

The only thing which isn't that nice is that the user needs to click through a few steps after first start of the Defender App. There seem to be a few preview settings in the app config (e.g. "low touch onboarding"), but they're not working yet (as mentioned in this thread: https://www.reddit.com/r/DefenderATP/comments/17v5kh2/defender_on_android_work_profile_low_touch/).
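
Added example, not part of the original thread or anyone's post: a pre-assignment check for the step 5 caveat above, which scans an exported list of Intune device configuration profiles and flags any Android device-owner profile that sets Defender as the always-on VPN with lockdown mode enabled. The Graph type name, the `vpnAlwaysOnPackageIdentifier` / `vpnAlwaysOnLockdownMode` property names and the `com.microsoft.scmx` package id are assumptions not taken from the thread, and the sample export is constructed.

```python
import json

# Assumed Microsoft Graph names (not from the thread): the device-owner
# configuration type and its always-on VPN properties.
DEVICE_OWNER_TYPE = "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration"
DEFENDER_PACKAGE = "com.microsoft.scmx"  # assumed Defender for Endpoint package id

# Constructed sample of a deviceConfigurations export; not real tenant data.
SAMPLE_EXPORT = json.loads("""
{"value": [
  {"@odata.type": "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration",
   "displayName": "COPE - Defender VPN (lockdown)",
   "vpnAlwaysOnPackageIdentifier": "com.microsoft.scmx",
   "vpnAlwaysOnLockdownMode": true},
  {"@odata.type": "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration",
   "displayName": "COPE - Defender VPN",
   "vpnAlwaysOnPackageIdentifier": "com.microsoft.scmx",
   "vpnAlwaysOnLockdownMode": false},
  {"@odata.type": "#microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration",
   "displayName": "COPE - restrictions only",
   "vpnAlwaysOnPackageIdentifier": null,
   "vpnAlwaysOnLockdownMode": null},
  {"@odata.type": "#microsoft.graph.iosGeneralDeviceConfiguration",
   "displayName": "iOS baseline"}
]}
""")

def audit_always_on_vpn(export):
    """Return (displayName, status) for every Android device-owner profile."""
    results = []
    for profile in export.get("value", []):
        if profile.get("@odata.type") != DEVICE_OWNER_TYPE:
            continue  # other platforms are out of scope for this check
        package = profile.get("vpnAlwaysOnPackageIdentifier")
        lockdown = bool(profile.get("vpnAlwaysOnLockdownMode"))
        if not package:
            status = "no-always-on-vpn"
        elif package == DEFENDER_PACKAGE and lockdown:
            status = "risk-lockdown-enabled"  # the setting step 5 says to leave off
        elif package == DEFENDER_PACKAGE:
            status = "ok"
        else:
            status = "other-vpn-app"
        results.append((profile.get("displayName", "<unnamed>"), status))
    return results

if __name__ == "__main__":
    for name, status in audit_always_on_vpn(SAMPLE_EXPORT):
        print(f"{status:22} {name}")
```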