Microsoft recently announced its first Android security tooling. But what is it for, and should you deploy it to your users?
Microsoft’s range of Defender Advanced Threat Protection endpoint security tools recently added a new family member, with the preview release of Microsoft Defender ATP for Android. Following on from the release of a Linux version, it brings Microsoft’s security tools to another platform, with a focus on protecting your work on mobile devices.
There are plenty of good reasons to add additional security to Android devices — and now more than ever, with many users working from home on work and personal devices. With email often quickly scanned on small mobile screens, it’s easier for well-crafted and targeted phishing messages to sneak past even trained eyes. Email isn’t the only vector for phishing, as compromised chat accounts can encourage downloads of unsafe applications. With users often working on personal devices, it’s hard for IT admins to lock them down and ensure secure operations.
We’ve reached a point where mobile ecosystems and platforms are relatively secure at an OS and hardware level; the biggest risk comes from what we do with those devices and what we install on them, what email messages we read, and what links we click. That’s where Defender ATP and the Microsoft 365 Security platform come into play, looking for the signals of phishing, of malware attachments, and of malicious web links, without getting too much in the way of users’ work and play.
Previewing Android security in Microsoft Defender ATP
Defender ATP for Android is intended to keep relatively loose control over unmanaged devices. Users expect a certain level of freedom on personal hardware, so Defender needs to integrate carefully, providing protection directly for enterprise software while helping to reduce the risk from personal email and from social media and chat.
Microsoft recently released a preview version, which is only available if you have a Defender ATP subscription as part of the Microsoft 365 platform and have opted into preview features via the Defender Security Center portal. You won’t find the preview in the Google Play store, as it’s deployed through the Intune Company Portal to devices that are enrolled into Microsoft’s Mobile Device Management tools and have Defender ATP licences, working with devices that use either the older Device Administrator or the current Android Enterprise management profiles.
This approach allows you to refine your application testing pool, making sure that you control who gets the software. You can choose specific device types and software distributions, as well as users in certain groups — targeting Samsung users running Microsoft Office, for example. Android Enterprise can separate work and personal data, so it’s worth considering using it as your baseline deployment in order to keep any possible user disruption to a minimum during the preview.
Configuring and protecting Android security
Once the preview is over, users will be able to download Defender ATP from the Play Store, so using a controlled group of testers will help keep the risks associated with wider distribution to a minimum. Like most of Microsoft’s Defender ATP tools, once it is deployed users will need an appropriate licence to use it, currently a Windows 10 E5 or A5, a Microsoft 365 E5 or A5, or Microsoft 365 E5 Security. You’ll also be able to buy Azure Security Center plans to cover additional users.
When the app is deployed to your test users, you can start to configure Defender ATP using Intune MDM policies. By putting an endpoint protection tool on user phones you can manage their device security features — enabling conditional access policies and device compliance rules, for example. Before using this feature, it’s important to have an appropriate set of policies in place, such as blocking non-compliant devices from accessing corporate resources.
Defender ATP is much more than an anti-malware tool: it detects the ways that malware behaves on devices, and changes device compliance status based on that behaviour. If a user opens a possibly infected Word document on their phone, and it installs a malware payload or attempts a privilege escalation, Defender ATP reports the action back to the Defender Security Center. At the same time, it changes the device’s compliance classification, so that your existing compliance rules trigger conditional access and block it from accessing email and other corporate resources.
You can then notify the user and help them clean up their device. What’s most important in this case is to protect the rest of your business: that malicious email could have had a ransomware payload. Blocking a phone from your network and applications may be inconvenient for the phone’s owner, but one person’s inconvenience can protect everyone else before the malware has a chance to spread.
Other features include the ability to scan and check all apps on a phone, as well as using web protection to prevent browser-based threats and reduce the risk of phishing. Closely related to Windows’ SmartScreen, web protection scans URLs as well as controlling VPN access to private and public networks. If a user clicks on a phishing URL in an email, Defender ATP shuts down access to your VPN, protecting networks from zero-click attacks and other spear-phishing techniques that target your internal systems.
Understanding risk with Defender ATP
Administrators get access to the Microsoft Endpoint Manager administration tools, which let you see which devices are enrolled and their current protection state. It’s a good way to get a quick overview of the security state of your connected devices, helping you get a feel for risk and providing an opportunity to tune your Defender ATP settings.
With the Android ecosystem vulnerable to maliciously shared files in Google Drive and the added risk of side-loaded untrusted and untested applications, tools like Defender ATP are an essential piece of any business Android deployment, whether it’s managed fleet devices or a BYOD scheme using Android Enterprise to separate work and personal content.
The biggest risk facing any business comes from its staff, as it’s easy for a malicious actor to send phishing mail or compromise users’ endpoint devices. We may only be trying to get our jobs done, but without tools like conditional access or web scanning, we might be leaving the doors open without realising it.
If businesses are to protect their intellectual property, their data, and their workflows wherever they take place, adding Android to Defender ATP’s remit is an important step forward. But Defender ATP still has places to go, beyond Windows, macOS and Linux: Microsoft is planning a version for Apple’s iOS and iPadOS, which will bring Defender ATP to all your users’ phones and tablets.