In this post we will set up personally-owned devices with a work profile and Defender for Endpoint. I have included all the basic policies you need so you don’t have to configure them manually.
You will need to have a Managed Google Play account set up already.
- Setting up Enrollment restrictions
- Enrollment Profile
- Configure Defender Connector in Intune
- Setting up Defender For Endpoint App Configuration
- Device Restriction Policy
- Compliance policy with Defender for Endpoint
- Conditional Access (Block non-compliant device)
- End-user experience
- References & Links
Setting up Enrollment restrictions
Often you might not want to allow enrollment of personally owned devices at all, so we will start by limiting enrollment to a certain group of users.
- Go to Intune – Device platform restrictions
- For the default profile we want to block personally owned devices and allow corporate-owned devices to enroll.
- Under Android Restrictions, let's create a new Restrictions profile.
Allow: Android Enterprise (work profile) and Personally owned.
If you want to limit which Android versions are allowed to enroll you can set a minimum version. In this example I have set Min: 13.0; devices below that will not be allowed to enroll.
You can block certain manufacturers from enrolling by adding the manufacturer's name to the blocked list.
- Assign the profile to a group of users that you would allow to enroll their personal device; only the users in this group will be able to enroll.
Enrollment Profile
If we go to the Intune Portal and look under Devices – Enrollment – Android and select Personally-owned devices with work profile, we will see that we don’t need to configure anything here.
Configuring Defender Connector in Intune
First we need to make sure Defender for Endpoint and Intune are talking to each other.
- Go to the Defender Portal
- From the left side menu select: Settings – Endpoints – Advanced features
- Turn On: Microsoft Intune connection
- Next we head back to the Intune Portal – Tenant administration – Connectors and tokens
- Select Microsoft Defender for Endpoint under Connectors and tokens
- Make sure you have turned on the following two settings.
That’s it for the Defender Connector configuration. Now let's configure the App configuration policy for the Android Defender for Endpoint application.
Setup Defender for Endpoint app configuration policy
To make sure our users get the best onboarding experience and our security team gets the alerts they need from the Android endpoints, we should configure the Defender for Endpoint application settings.
- Go to Intune Portal – Apps – App configuration policies
- Create a new policy for Managed devices.
You can target different profiles if required but in this case the same profile will be used for Corporate owned devices and Personal enrolled devices. (It works for both)
App Permissions
We will only Auto grant: Post notifications here.
Configuration settings
This is where we configure what we allow the application to do and what we allow the end-user to do. I will mention the settings that are required to turn on Low touch onboarding and privacy measures on personal devices. The full configuration list is posted as an image, and you can also download the pre-configured JSON file and import it.
Download Pre-Configured JSON for Microsoft Defender for Endpoint Android App Config
We will be using the Low touch onboarding for a better end-user experience.
- User UPN: String: {{userprincipalname}}
- Low touch onboarding: Integer: 1
- Microsoft Defender in Personal Profile: Integer: 1
- Hide app details in report of personal profile: Integer: 1
- Hide URLs in report for personal profile: Integer: 1
- Enable Network Protection Privacy: Integer: 1
- Device Tag (Optional): Tagging the devices makes it easier for your security team, and you can target remediation at specific device groups. If you for example only assign this profile to BYOD devices, the tag could be BYOD.
You can assign this policy to all devices or a specific group if you have other Android Defender for Endpoint configurations.
Device restrictions policy (Work profile settings)
- Go to Intune Portal – Devices – Android – Configurations
- Create a new profile:
Platform: Android Enterprise
Profile type: Personally-Owned Work Profile
Device restrictions - You can configure these settings to fit your organization's requirements; however, you need to make sure you configure Connectivity for Defender for Endpoint – Always-on VPN.
Download Pre-Configured Device Restriction Policy for Android
Compliance policy with Defender for Endpoint
Now that our personally enrolled Android devices are being onboarded to Defender for Endpoint, we can use this in our compliance policy to make sure that the devices are below a certain machine risk score.
The machine risk score is calculated from multiple security signals, for example how many vulnerabilities the device has, unusual behavior, past alerts and more.
You need to configure the compliance policy based on your organization's requirements, but make sure you use the Microsoft Defender for Endpoint: Machine risk score setting.
Download Pre-Configured Compliance Policy for Android
Example compliance policy below
Conditional Access (Block non-compliant devices)
With Defender for Endpoint now configured for personally enrolled devices, we are successfully receiving security signals from onboarded Android devices. Additionally, our compliance policy effectively monitors and reports on device adherence to organizational requirements. Moving forward, we want to ensure that only compliant Android devices are granted access to company resources. This is where our Conditional Access policy comes into play.
- Let's head over to Entra Portal – Protection – Conditional Access
- Select Policies.
We will create a new conditional access policy and target only android personal devices.
(In many cases you would require all device types to be compliant and not only target specific devices)
- Create a new policy
- Assign it to the users you want to require a compliant device from.
- Target resources, we will select All cloud apps.
- Conditions:
Device platforms: Android
Filter for devices: Include, DeviceOwnership equals Personal
- Grant: Require device to be marked as compliant
Make sure you test the policy before turning it on for everyone. Use Report-only mode and review the results later under Insights and reporting if you have that set up, or use the What If tool to check that the policy behaves as you intend before enabling it for everyone.
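As a complement to Report-only mode, it helps to know up front which personally owned Android devices the policy would block and why. The script below is an added example, not part of the original post: it joins an Intune managed-device listing with the Defender for Endpoint machine list and reports every personal Android device that is not compliant, has no Defender record yet, is not onboarded, or sits above the risk score allowed by the compliance policy. The field names follow the Microsoft Graph managedDevice resource (`operatingSystem`, `managedDeviceOwnerType`, `complianceState`, `azureADDeviceId`) and the Defender machine resource (`aadDeviceId`, `onboardingStatus`, `riskScore`, `machineTags`); joining the two on the Entra device id is my assumption, the sample data is constructed, and `fetch_json` is a helper I wrote for live use (it is not called when the script runs offline).

```python
"""Pre-flight report for the Conditional Access policy: which personally owned
Android devices would be blocked right now, and why.

Constructed sample data stands in for two API responses:
  - Intune:   GET https://graph.microsoft.com/v1.0/deviceManagement/managedDevices
  - Defender: GET https://api.securitycenter.microsoft.com/api/machines
"""
import json
import urllib.request
from typing import Optional

# Defender 'riskScore' values, ordered lowest to highest.
RISK_ORDER = ["None", "Informational", "Low", "Medium", "High"]

# Constructed sample: three personal Android devices plus one corporate device.
INTUNE_SAMPLE = [
    {"deviceName": "pixel-7-alice", "operatingSystem": "Android",
     "managedDeviceOwnerType": "personal", "complianceState": "compliant",
     "azureADDeviceId": "aad-0001", "userPrincipalName": "alice@example.com"},
    {"deviceName": "pixel-7-bob", "operatingSystem": "Android",
     "managedDeviceOwnerType": "personal", "complianceState": "noncompliant",
     "azureADDeviceId": "aad-0002", "userPrincipalName": "bob@example.com"},
    {"deviceName": "galaxy-s23-carol", "operatingSystem": "Android",
     "managedDeviceOwnerType": "personal", "complianceState": "inGracePeriod",
     "azureADDeviceId": "aad-0003", "userPrincipalName": "carol@example.com"},
    {"deviceName": "kiosk-tablet-01", "operatingSystem": "Android",
     "managedDeviceOwnerType": "company", "complianceState": "noncompliant",
     "azureADDeviceId": "aad-0004", "userPrincipalName": ""},
]
DEFENDER_SAMPLE = [
    {"computerDnsName": "pixel-7-alice", "osPlatform": "Android",
     "aadDeviceId": "aad-0001", "onboardingStatus": "Onboarded",
     "riskScore": "Low", "machineTags": ["BYOD"]},
    {"computerDnsName": "pixel-7-bob", "osPlatform": "Android",
     "aadDeviceId": "aad-0002", "onboardingStatus": "Onboarded",
     "riskScore": "High", "machineTags": ["BYOD"]},
    # carol's device has no Defender record yet: onboarding not finished.
]


def fetch_json(url: str, bearer_token: str) -> list:
    """Fetch one page of an OData collection (the 'value' array). Following
    '@odata.nextLink' for further pages is left to the caller."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {bearer_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]


def risk_exceeds(risk_score: str, max_allowed: str) -> bool:
    """True when a Defender risk score is above the level selected in the
    compliance policy (the selected machine risk score is the maximum allowed)."""
    return RISK_ORDER.index(risk_score) > RISK_ORDER.index(max_allowed)


def personal_android(devices: list) -> list:
    """Devices the Conditional Access device filter would match:
    platform Android and DeviceOwnership equals Personal."""
    return [d for d in devices
            if d.get("operatingSystem") == "Android"
            and d.get("managedDeviceOwnerType") == "personal"]


def preflight(intune_devices: list, defender_machines: list,
              max_risk: str = "Medium", required_tag: Optional[str] = None) -> dict:
    """Map deviceName -> reasons for every personal Android device that the
    'require compliant device' grant would block. Devices with no reasons are
    omitted. required_tag checks the optional Device Tag from the app config."""
    by_aad_id = {m["aadDeviceId"]: m for m in defender_machines if m.get("aadDeviceId")}
    findings = {}
    for dev in personal_android(intune_devices):
        reasons = []
        state = dev.get("complianceState")
        if state != "compliant":
            reasons.append(f"Intune complianceState is '{state}'")
        machine = by_aad_id.get(dev.get("azureADDeviceId"))
        if machine is None:
            reasons.append("no Defender machine record (onboarding not finished)")
        else:
            if machine.get("onboardingStatus") != "Onboarded":
                reasons.append(f"Defender onboardingStatus is '{machine.get('onboardingStatus')}'")
            score = machine.get("riskScore", "None")
            if risk_exceeds(score, max_risk):
                reasons.append(f"Defender riskScore {score} exceeds allowed {max_risk}")
            if required_tag and required_tag not in machine.get("machineTags", []):
                reasons.append(f"missing device tag '{required_tag}'")
        if reasons:
            findings[dev["deviceName"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in preflight(INTUNE_SAMPLE, DEFENDER_SAMPLE).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Run against the constructed sample, the report lists bob's phone (non-compliant in Intune and High risk in Defender) and carol's phone (still in its grace period and not yet visible in Defender), while the corporate tablet is skipped because the device filter only includes personal ownership. With live data, replace the two sample lists with `fetch_json` calls using tokens that carry the Intune and Defender read permissions, and pass the tag you set in the app configuration policy as `required_tag` to spot devices that never received it.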
End-User Experience
The end-user downloads the Company Portal app from Google Play on their personal Android device and signs in with their work or school account. Company Portal will then start the enrollment.
The Conditional Access policy will prompt the user to sign in to Defender for Endpoint; after that is done it might take between 5 and 15 minutes before the device becomes compliant and is onboarded to Defender.
References & Links
https://learn.microsoft.com/en-us/defender-endpoint/android-intune
https://learn.microsoft.com/en-us/defender-endpoint/android-configure
https://learn.microsoft.com/en-us/mem/intune/apps/apps-add-android-for-work