scloud by Florian Salzmann
ende

Defender for Business for Android - MAM

Defender for Business lets you protect Android devices just like Defender for Endpoint, via MDM as well as MAM. The Defender protects the device with a web filter and malware scanning. On Android devices, both features require that the device is managed with Intune. For the management itself, there’s a distinction between MDM (Mobile Device Management) and MAM (Mobile Application Management). MAM comes into play when devices don’t belong to the company and only part of the applications on the device should be protected and managed. Android calls this kind of management “Device Administrator”.

Do you want to protect iOS devices with Defender?
—> Then I have a guide for you here: Defender for Business for iOS Deployment (MAM and MDM)

Defender for Android - Intune - Device Administrator

In this post I focus on the MAM management of Defender for Business on Android devices. Defender for Endpoint offers the identical options. I’ll write about the configuration for MDM devices in a separate post.

Requirements

  • Licenses:
    • Defender for Business or Endpoint and an Intune license assigned
    • or Microsoft 365 Business Premium
  • Device is enrolled in MEM / Intune with Company Portal

Defender for Business - Intune Integration

You must make sure that the Intune connection is active. You find this in the Advanced features of Defender.
If you already completed the initial setup as described here (Defender for Business Onboarding / Setup), you can skip these steps.

Defender for Business Intune integration

You also have to enable the connection for Android devices in the Endpoint Manager.
You find the option under Endpoint Manager > Endpoint security > Microsoft Defender for Endpoint.

Defender for Business Android Connect

Installing Microsoft Defender App (MAM / Device Administrator)

To distribute the app to the MAM managed devices, select +Add under “Apps > Android apps” in the Endpoint Manager. Here the type is “Android store app”.

Android store app intune

You have to fill in the name, description, publisher and app URL yourself. Below you find the parameters for “Copy Paste”.

Android store app Microsoft Defender

NameMicrosoft Defender
DescriptionProtect. Control. Defend.
PublisherMicrosoft
Appstore URLhttps://play.google.com/store/apps/details?id=com.microsoft.scmx

In the assignment you just have to assign the app to a group. For me that’s a dynamic device group that contains all the personal Android devices.
The parameter for that is: (device.deviceOSType -eq “Android”) and (device.deviceOwnership -eq “Personal”)

Android Microsoft Defender MAM assigment

End User View - Defender for Business MAM

As soon as the app and policy are assigned, a popup will appear on the end user’s MAM device. This points to the required installation of Defender, and a click on it takes the user straight to the installation page in the Play Store.

Microsoft Defender required android

Microsoft Defender Android - installation

On the first start of Defender, the user gets guided through the setup. This requires a few confirmations from the user, and all of them have to be confirmed to complete the onboarding.

Microsoft Defender Android - Login

Microsoft Defender Android - setup up

Microsoft Defender Android - Allow data access

Microsoft Defender Android - VPN Connection

Microsoft Defender Android - VPN confirmaion

Microsoft Defender Android - downloaded services

Microsoft Defender Android - Accessibility Service

Microsoft Defender Android - Allow view, control and perform action

Microsoft Defender Android - allow running in background

After all the many “OK” and “Allow” taps, Defender is finally set up and takes the user directly to the overview of scanned apps and filtered websites. The apps then also get scanned automatically. Every app gets scanned, also the ones not managed by MAM.

Microsoft Defender Android - scanning

Microsoft Defender Android - device protected

App Security

When the user installs a new app, it gets scanned right away and classified as trustworthy or not. If an app is classified as malicious, it is not quarantined or blocked. A block only happens with payloads or dangerous websites.

Defender risk notification

Defender Android - App Security

Web Filter

The web filter in Defender for Android works quite well, and it even opens a clear status page in non-Microsoft browsers, which is recognizable as coming from Defender. In the app overview, the user can view the URLs scanned and blocked in the last 24 hours. The “Web Protection” menu item just shows that the protection is active and gives the user a few hints about phishing and similar threats.

Microsoft Defender site blocked

Status Page

Web protection page

Defender for Android - Manual Installation (not possible)

Unfortunately there’s currently no way, unlike with iOS devices, to use Defender without MAM or MDM, so there’s no way to test Defender for Android without MAM or MDM. If you still install the app and a user signs in, the Defender for Android app shows “App Disabled by Administrator”. In this case neither the malware nor the web filter protection is active.

Defender Android App Disabled

Defender for Business - Android Devices Overview (MAM)

After some time, the Android smartphone also shows up in the Microsoft 365 Defender Device inventory:

Device inventory

On the device page, just like with all other onboarded devices, you find the alerts, security recommendations and the software inventory listed.

Device page

Events on the endpoints are visible in the portal. A click on it takes you to the extended overview, which shows you more details about the incident and its timeline.

Defender for Business Device Alert

Defender for Business Alert Story

Summary

Defender on Android devices offers good protection and, unlike the iOS version, also scans the applications themselves. What still bothers me at the moment is the fairly involved onboarding process on the user side. I’d like this to become more intuitive and require as little user interaction as possible. A direct block of potentially malicious applications would also be desirable.