Announcing Microsoft Defender ATP for Android
source link: https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/announcing-microsoft-defender-atp-for-android/ba-p/1480787
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
06-23-2020 09:00 AM
Update: Microsoft Defender for Endpoint on Android is now generally available.
We are excited to announce the public preview of our mobile threat defense capabilities with Microsoft Defender ATP for Android. As Rob Lefferts, Corporate Vice President, Microsoft 365 Security and Compliance, mentioned in his blog, the threats in the mobile space are unique, and as more and more people use mobile devices for work, the need for organizations to protect data that is accessed through their users’ devices is increasingly imperative.
After offering a preview of these capabilities at RSA Conference 2020, we were thrilled by the response from our customers and the industry. Over the last several months, we’ve been working closely with customers who are our design partners, listening to their feedback, and enhancing the product.
Key Capabilities
The public preview of Microsoft Defender ATP for Android will offer protection against phishing and unsafe network connections from apps, websites, and malicious apps. In addition, the ability to restrict access to corporate data from devices that are deemed “risky” will enable enterprises to secure users and data on their Android devices. All events and alerts will be available through a single pane of glass in the Microsoft Defender Security Center, giving security teams a centralized view of threats on Android devices along with other platforms. These capabilities empower enterprises to enable strong security while ensuring their employees remain productive working on their Android devices. Let’s dive into each of these capabilities in more detail.
Web protection
Phishing is one of the biggest threat vectors on mobile, with the majority of attacks happening outside of email such as via phishing sites, messaging apps, games, and other applications. Other potential threats come from apps which may make connections to unsafe domains, unknowingly to the user and security teams. Web protection capabilities in Microsoft Defender ATP for Android help to address these challenges with:
- Anti-phishing: Access to unsafe websites from SMS/text, WhatsApp, email, browsers, and other apps is instantly blocked. To do this, we leverage the Microsoft Defender SmartScreen service to help determine whether a URL is potentially malicious. This works in conjunction with Android to enable the app to inspect the URL to provide anti-phishing protection. If access to a malicious site is blocked, the device user will get a notification about this with the options to allow the connection, report it safe, or dismiss the notification. Security teams are notified about attempts to access malicious sites via an alert in the Microsoft Defender Security Center.
- Blocking unsafe connections: The same Microsoft Defender SmartScreen technology is used to also block unsafe network connections that apps automatically might make on the user’s behalf without them knowing. Just as in the phishing example, the user is immediately informed that this activity is blocked and is given the same choices to allow it, report it as unsafe, or dismiss the notification as the product screenshot shows. Alerts for this scenario also show up in the Microsoft Defender Security Center. When these connections are attempted on a user’s device, security teams are notified of this via an alert in the Microsoft Defender Security Center.
- Custom indicators: Security teams can create custom indicators, giving them more fine-grained control over allowing and blocking URLs and domains users connect to from their Android devices. This can be done in the Microsoft Defender Security Center and is an extension of our custom indicators capability already available for Windows.
Malware scanning
Enterprises deploying Android can leverage built-in protections in the Android platform to limit installation of apps to trusted sources as well as tools like Google Play Protect to significantly reduce the threat surface of potentially harmful apps being installed on devices. Microsoft Defender ATP fortifies this by introducing additional visibility and controls to deliver further assurances on keeping devices free of threats to device security.
Microsoft Defender ATP for Android uses cloud protection powered by deep learning and heuristics to provide coverage for low-fidelity signals which are inconclusively handled by signatures, in addition to offering signature based malware detection. This protection extends to both malicious apps and files on the device.
Scans are instantly performed detect malware and potentially unwanted applications (PUA). If a safe app is downloaded, the end user will see a lightweight notification letting them know the app is clean.
Blocking access to sensitive data
Additional layers of protection against malicious access to sensitive corporate information is offered by integrating with Microsoft Endpoint Manager, which includes both Microsoft Intune and Configuration Manager. For example, a compromised device would be blocked from accessing Outlook email. When Microsoft Defender ATP for Android finds that a device has malicious apps installed, it will classify the device as “high risk” and will flag it in the Microsoft Defender Security Center. Microsoft Intune uses the device’s risk level in conjunction with pre-defined compliance polices to activate Conditional Access rules that block access to corporate assets from the high risk device. The screenshot shows an example of how the end-user would get a notification that their device doesn’t comply with their organization’s policies, and how to remediate. Once the malicious app is uninstalled, access to corporate assets is restored automatically for the mobile device. You can learn about how to set up this integration in our documentation.
Unified SecOps experience
The Microsoft Defender Security Center acts as the single pane of glass experience for security teams to get a centralized view of threats and activities. All the alerts for phishing and malware on Android devices are surfaced here. As part of the alert, analysts see the name of the threat, its severity, the alert process tree for the incident, and other additional context including file details and associated SHA information. Android device related alerts also roll up into the incident where analysts can get a more holistic view of attacks associated with a device.
In the devices list, Android devices are also visible with their associated risk levels. In the device information page, security analysts can see the number of incidents, active alerts, and logged on users associated with the device.
This is the same familiar experience that we deliver to security teams for Windows, Mac, and Linux.
We’re excited to be sharing these new features with you. In the coming months, we’ll be rolling out more capabilities for Android and we’ll be releasing Microsoft Defender ATP for iOS later this year – stay tuned!
Getting started with Microsoft Defender ATP for Android
Those customers that have preview features turned on can start trying out Microsoft Defender ATP for Android today. If you haven’t yet opted in, we encourage you to turn on preview features in the Microsoft Defender Security Center today.
Join us as we advance in our journey across platforms. For more information, including detailed system requirements, prerequisites, deployment and configuration steps, and a list of improvements and new features, check out the documentation.
To share feedback, you can use the “send feedback” option in the Microsoft Defender ATP for Android app.
If you’re not yet taking advantage of Microsoft’s industry leading security optics and detection capabilities for endpoints, sign up for a free trial of Microsoft Defender ATP today.
06-24-2020 12:55 PM
This is so awesome! Can't wait to try it out.
I know IOS is "later this year" but is there any more information if it is in Q3 or Q4?
Have a great you all!
06-24-2020 05:44 PM
great work! this is amazing!
06-25-2020 01:26 AM
Should we assume an E5 license is required?
06-25-2020 05:55 AM
Great to see the move into protection of Mobile as its needed, big concern is privacy of these users as it looks like the detection is in the cloud, could you confirm?
06-30-2020 10:16 PM
How long does it take for the preview to be activated?
I've send out a mail to [email protected] with our Google Play org ID, but one week later we haven't got a reply nor are we able to import the Defender app in Google Play for Android Enterprise.
06-30-2020 10:28 PM
@bthomas - Sorry about the inconvenience caused. Your second e-mail for preview just came thru and has been approved. Sorry, your first e-mail doesn't seem to have made it thru and thanks for following up. Look forward to your feedback on the preview. Preview instructions are available in the e-mail sent to you.
Thanks
Ashwin
06-30-2020 10:34 PM
@Ashwin_msft Thanks for the follow up and response!
07-01-2020 10:28 AM
I would also be interested about the licensing prerequisites.
07-02-2020 08:30 AM
@Simes27622762, @Friedrich Grosseibel Licensing details around Android and iOS will become available as we get closer to GA
07-02-2020 10:10 AM
@Kanishka_Srivastava No hints then?
07-02-2020 10:14 AM
@Simes27622762 - we don't have any details or hints on the licensing to share at this time.
07-03-2020 05:47 AM
What Android versions are supported? All the way back to Marshmallow, or something different?
07-03-2020 05:56 AM
@VesaP1695 - Android 6.0 (Marshmallow) & above.
07-07-2020 08:12 AM
First impressions: I onboarded my android phone the day this was announced. We're encouraged by this as an alternative to options such as Lookout. Onboarding was easy enough, but it opens a persistent connection to Microsoft, and takes up far more power than any other applications on my phone (20%). It actually "overloaded" my s10 and was forced to shut down. I haven't had that happen before. Feedback has been submitted. I understand this is in preview and it will be improved before general availability. I will say that it will require a good deal of attention to power usage if it's going to be something our organization can use. Curious if anyone else has had this issue.
*UPDATE 8.6.20* - According to Microsoft: We have resolved battery consumption issues in latest build 1.0.1928.0203. We will be sharing this build soon. Please look forward for the communications on the same. If you see any issue please submit feedback thru In-app feedback with diagnostics turned on.
As expected, It doesn't include any timeline info in the security center or allow use of any of the more advanced actions that can be performed on Win 10 devices. I haven't run across anything it blocks me from accessing as of yet.
RE: Licensing. I'm also curious how that will be handled, especially for frontline workers. A standalone license would need to be made available.
07-07-2020 09:37 AM
My test device is a Blackberry Key2 and I do not see a big decrease with the battery. On the other hand I only use the device for testing so I can’t tell.
That the app needs to be constantly running however is understandable in my opinion. I guess however this can be tuned in future releases.
I am looking forward to the iOS variant of the ATP protection where this for sure is more tricky in regards of background activity etc.
07-08-2020 10:18 AM
"It doesn't include any timeline info in the security center"
and IMHO it should stay this way to avoid battery drain or hitting mobile data limit on metered data plan.
07-08-2020 10:26 AM
"and IMHO it should stay this way to avoid battery drain or hitting mobile data limit on metered data plan."
Agreed - was just pointing it out in case anyone was wondering.
07-09-2020 07:14 AM
Running this on my OnePlus 6T without any concerning battery issues so far.
Are there plans to have software inventory and discovered vulnerabilities for the mobile devices? I'm also wondering is this would then show the apps that are not running in the Android Enterprise Work Profile or also apps running in the personal profile. Having COPE in mind for future deployments, this will be important for some customers.
07-21-2020 10:53 PM
Microsoft Rocks !
07-22-2020 12:28 AM
We have malicious URLs blocked at ATP/ MS 365 Security, on the windows Client the Defender is blocking it successfully but on the Android this URL still available, the MSATP do nothing.
The Android Device is also available/register at Microsoft Defender Security Center with Health State "active" but Exposure level "No data available" and Risk Level "No know risk" :(. Last seen from today, so I assume that the connection between ATP and the Android Device is "alive".
I have send a Mail to "[email protected]" and also as Feedback trough the App but still no receive any "help",
@Kanishka_Srivastava , could you please tell me who I need to contact for this issue/ problem?
Best regards
07-23-2020 08:20 AM
@Mela1984 thanks for reaching out. We'll work with you over mail to troubleshoot the issue.
07-23-2020 01:32 PM
Excited to try this out. Glad to see experiences so far have been good.
07-28-2020 06:22 AM
Any visibility as to when this will be available in GCC High/Azure Gov?
08-14-2020 02:49 AM
Just starting to enroll and test this on my Android Enterprise environment. Waiting for certain help from Microsoft Defender team. I will share my experience with Android Enterprise integration. thanks for the above feedback ,really helpful for me.
08-23-2020 05:46 PM
Today Successfully activated and integrated with Intune + Microsoft Defender ATP .! @Kanishka_Srivastava above you mentioned possibilities we can test with Android Enterprise Work Profile mode too or mainly for Device Owner mode ? request you to clarify.
08-31-2020 01:37 AM
Even the web protection is enabled ! still the Microsoft defender App in Android Work Profile didn't block or alert when i visit a phishing test page : https://smartscreentestratings2.net/ . how i can troubleshoot this ? also my device details are only shown and visible in MEM portal, but not in Endpoint SecurityCenter portal.
08-31-2020 01:43 AM
Hi @govindannarayanan , we have also the same "problem". you can read my post a few post up.
I still waiting for @Kanishka_Srivastava for Help.
Please let me know if you get any help. :(
08-31-2020 02:43 AM
thanks @Mela1984 for your update. @Kanishka_Srivastava let us know your view and possible help from your side.
09-01-2020 04:54 AM
@Mela1984 , @govindannarayanan - Currently we do not support device owner / fully managed devices. We'll update the documentation when this is ready.
On the phish test URL not being blocked - can you confirm that on the work profile device, you were accessing the URL from within the work profile and not from the personal profile which Defender ATP does not monitor
09-01-2020 05:11 AM
@Ashwin_msft , yes I can confirm That.
We are using also MS Edge on the Work Profile.
09-01-2020 05:16 AM
@Melany - can you please submit a feedback along with logs via the 'Send Feedback' option within the app so we can take a look ? Thanks
If you can also include your e-mail address as part of the feedback, we can contact you for further information, if needed
09-01-2020 05:16 AM
@Ashwin_msft yes, i tried opening the Link in Work browser only.
09-01-2020 05:34 AM
@Ashwin_msft , Done. With Email and Log Info files.
I have test two Bad URL's and both were allowed without blocking.
Let me please know if you need other test.
Thanks for your HELP
09-02-2020 04:43 AM
Good news is web protection started working for me. Only the Bad App blocking is missing.
09-03-2020 02:35 AM
@govindannarayanan really? I still can open the "Malicious" URL's :(
09-07-2020 06:19 PM
@Mela1984 try this and FYI, i tested this workprofile in AE environment and web-protection is working fine. But still malicious App is not blocked in my device.
There is also a step-by-step guide for Android Enterprise enrolled devices:
Would you be so kind and double-check the configuration settings?!
09-07-2020 10:55 PM
@govindannarayanan , thanks for the info.
I have double check my configuration, I have all as describe in the Guide. APP deployment and Configuration.
In the main Time we have installed also the new release version of ATP (Microsoft Defender ATP Preview (Enterprise)), but still the same problem. Old App deinstalled and new one with also a new Configuration, but same :(.
Interesting is that sometime works, before yesterday some URLS was blocked but yesterday and today no any more :(.
I have also contacted MS trough the Feedback on the APP and they write yesterday an Emil asking me for more details, I have send it all right now. I hope now we can resolve this.
09-16-2020 02:18 AM
@Ashwin_msft : I haven't hear anything since my Report but, Today works, the "Malicious" URL's are blocked, Thanks.
09-16-2020 02:21 AM
@Mela1984 - Thanks for the update and your contribution to the preview.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK