Microsoft Defender ATP for Mobile

Microsoft released Microsoft Defender Advanced Threat Protection (ATP) for mobile devices in public preview. By this release, Microsoft made Defender ATP available for Android (and iOS will follow later this year), where it was already available on Windows, macOS and Linux.

The first version of Defender ATP for Android devices provides malware scan, web protection and MDM support;

  • Alert when a malicious app (APK) is downloaded/installed
  • Notify users on install of clean apps
  • Block loading of unsafe pages
  • Block unsafe network connections that apps might make behind the scenes
  • ATP integration
  • Conditional Access based on device risk level
  • Mobile Device Management support

As is already the case for Windows, we are now also able to connect ATP to Microsoft Intune for mobile devices. This allows us to use the Device Risk Level of the mobile devices in a Compliance policy. In combination with a Conditional Access policy, we can block mobile devices from accessing corporate data as soon as ATP detects a threat on the mobile device.

In this post, I will show you how to get started with Defender ATP on mobile devices by connecting ATP with Microsoft Intune. By making this connection we are able to use the device state (machine risk score) from ATP in our Compliance policies.
We also have a look at how to deploy the mobile app with Intune to our mobile devices and push an App configuration policy to configure Defender ATP. And as of last we test what happens when a threat is detected by ATP on the mobile device.


There are some pre-requisites before we can start using Microsoft Defender ATP (preview) on our mobile devices;

  • Active Microsoft 365 E5, Windows E5 or Microsoft 365 Security add-on license
  • Defender ATP already deployed in the tenant
  • Devices are managed/ enrolled in Microsoft Intune (MAM is not yet supported)
  • Android 6.0 and above

Integrate ATP with Microsoft Intune

To use the Device Risk Level in an Intune Compliance policy, we need to connect ATP with Intune.
When you are already using the status of ATP for your Windows devices, skip this first step in Security Center and move to the second step.

  • Sign-in to the Endpoint Manager admin center
  • Browse to Tenant AdministrationConnectors and tokens
  • On the Microsoft Defender ATP tab turn on Connect Android devices of version 6.0.0 and above to Microsoft Defender ATP

That`s all for the integration between ATP and Intune for mobile devices.

Deploy Microsoft Defender ATP mobile

We can deploy the Defender ATP app with Microsoft Intune.

  • Still in the Endpoint Manager Admin center browse to AppsAndroid Apps
  • Click +Add
  • Choose Managed Google Play app
  • Click Select
  • In the search box enter Microsoft Defender ATP and click the search icon
  • Click Microsoft Defender ATP
  • Click Approve (twice)
  • Click Done
  • Back in the previous screen click Sync (on the top left)

As soon as the sync is completed the new app shows up in the list of applications. Assign the app (as required) to a (pilot) group.

Create Device risk-based Compliance policy

To use the Device Risk Level from ATP, we need to add the Machine Risk Score to our Compliance Policy.

  • In the Endpoint Manager admin center browse to DevicesAndroid
  • On the Compliance policies tab click +Create Policy
  • Choose Android Enterprise (or Device admin) as Platform
  • Choose Device Owner or Work profile
  • Click Create
  • Give the configuration profile a Name
  • Enter a Description (optional)
  • Click Next
  • Open Microsoft Defender ATP
  • Choose the (maximum allowed) Machine risk score
  • Choose all other required Compliance settings of choice
  • Click Next

Finish the profile creation wizard and assign the profile to a (test) group.

Create App configuration policy

Defender ATP on Android Enterprise supports App Configuration policies. At the moment of the preview, we can automatically grant read/ write permissions for External storage to Defender ATP with this policy.
We also have the option to turn the Web protection on or off.

  • In the Endpoint Manager admin center browse to Apps – App configuration policies
  • Click +Add
  • Choose Managed devices
  • Give the profile a Name
  • Enter a Description (Optional)
  • Choose Android Enterprise as Platform
  • Choose your Platform (I choose Work profile and Device Owner Profile)
  • Choose Select app
  • Search for Defender
  • Select Microsoft Defender
  • Click OK
  • Back at the previous screen click Next
  • Click +Add under Permissions
  • Select External Storage (read) and select External storage (write)
  • Click OK
  • Select Auto grant from the drop down list under Permission state (twice)
  • Select Use configuration designer for the Configuration settings format
  • Click +Add
  • Select Web protection – Click OK
  • Set the Configuration value of your choice to enable or disable Web protection
  • Click Next

Finish the App configuration policy wizard by assigning the correct scope and assign into your (pilot) group.

Everything is in-place, time for testing!

Test Microsoft Defender ATP for Mobile

Let`s have a look at how Microsoft Defender ATP behaves on a threat on an Android device. First, we have a look at the mobile device and after that in the Security Center (Defender ATP) and Intune portal.

For this example, I only allow access to corporate data when a device is compliant, by using a Conditional Access policy. If the device is marked as not compliant, access is blocked.

I won`t go through the complete sign-in and activation process of Defender ATP on a mobile device. To activate it, you need to sign-in with your Azure AD account (and have a required license assigned).

As you can see the storage permissions are already granted (via the App configuration policy), at this moment the other permissions need to be granted manually.

When all permissions are granted, Microsoft Defender ATP is running.

To test web protection, we can use this example site from Microsoft and open this in a web browser.
I tested Microsoft Edge, Google Chrome and Mozilla Firefox on an Android device. As you can see, the phishing site is blocked on all browsers.

To test the installation of a malicious app, we can install a test virus app from the Google Play store. Just search for test virus and you will find several different apps.

As soon as the malicious app (test virus) is installed, it is detected by ATP and a pop-up is shown;
Threats found on your device

If we open the Company Portal app, we see the device is marked as Not Compliant.

Access to apps with corporate data is blocked.
It varies per application how fast access is blocked, Teams, for example, is blocked in seconds after the device is marked as not compliant, Outlook took some longer during my tests.

The threat needs to be removed manually from the device, ATP cannot automatically clean-up the app;
Swipe to the left on the threat info to remove it.

This is not a limitation of ATP, I have seen this in the past with other vendors.

After swiping to the left, a pop-up is shown.
Click OK and the app/ threat is removed.

If we switch to the Defender ATP portal we see the active alert Microsoft Defender ATP detected ‘EICAR-Test-File’ malware triggered by this test virus app.

And if we search for our Android device, we see the device is marked with Risk level Medium.


If we open the device Alerts, we see the malware detection is marked as Medium Severity and the phishing sites are marked are Informational.

On de device Timeline we see the alerts of the malware EICAR-TEST-File and the failed connections of the phishing sites.

If we open the malware alert, we get some more information about the threat which is found. From here you can open the VirusTotal site with information about the threat, classify the alert, etc.

If you clicked on Expand for more details in the previous screen and Open file page, you can dig further in this threat and see if this threat is seen on more devices.

If we take a look at the Endpoint Manager Admin center (Intune portal) the device is marked as Not compliant.

And that`s because the machine risk score is above the risk level we set in the Compliance policy.

Pretty soon after removing the threat from the mobile device, the device is marked as Compliant and access to corporate data is allowed.

For Android the current Defender ATP version is a good starting point, the basic features we expect for such a solution are in-place and the ATP app seems stable on Android.
As this is just released in public preview, I expect the options to control ATP will be expanded in the coming months. And I`m looking forward to the ATP version for iOS.

1 Comment

  1. Excellent information. Thank you very much for your contributions.

    I have a question. If I need to automatically approve the other permissions that the application needs, how can I do it? I want to avoid that the user has to approve them, for example the accessibility permission

Leave a Reply

Your email address will not be published.