During Mobile Threat Defense (MTD) setup, you've configured a policy for classifying threats in your Mobile Threat Defense partner console and you've created the device compliance policy in Intune. If you've already configured the Intune connector in the MTD partner console, you can now enable the MTD connection for MTD partner applications.
This topic applies to all Mobile Threat Defense partners.
Classic conditional access policies for MTD apps
When you integrate a new application to Intune Mobile Threat Defense and enable the connection to Intune, Intune creates a classic conditional access policy in Azure Active Directory. Each MTD app you integrate, including Microsoft Defender for Endpoint or any of our additional MTD partners, creates a new classic conditional access policy. These policies can be ignored, but shouldn't be edited, deleted, or disabled.
If the classic policy is deleted, you'll need to delete the connection to Intune that was responsible for its creation, and then set it up again. This process recreates the classic policy. It's not supported to migrate classic policies for MTD apps to the new policy type for conditional access.
Classic conditional access policies for MTD apps:
Are used by Intune MTD to require that devices are registered in Azure AD so that they have a device ID before communicating with MTD partners. The ID is required so that devices can successfully report their status to Intune.
Have no effect on any other Cloud apps or Resources.
Are distinct from conditional access policies you might create to help manage MTD.
By default, don't interact with other conditional access policies you use for evaluation.
To view classic conditional access policies, in Azure, go to Azure Active Directory > Conditional Access > Classic policies.
To enable the Mobile Threat Defense connector
Sign in to the Microsoft Endpoint Manager admin center.
Select Tenant administration > Connectors and tokens > Mobile Threat Defense.
On the Mobile Threat Defense pane, select Add.
For Mobile Threat Defense connector to setup, select your MTD solution from the drop-down list.
Enable the toggle options according to your organization's requirements. The toggle options shown vary depending on the MTD partner (for example, Symantec Endpoint Protection exposes a different set of toggles from other partners).
You can decide which MTD toggle options you need to enable according to your organization's requirements. Not all of the following options are supported by all Mobile Threat Defense partners:
MDM Compliance Policy Settings
Connect Android devices of version <supported versions> to <MTD partner name>: When you enable this option, you can have Android 4.1+ devices reporting security risk back to Intune.
Connect iOS devices version <supported versions> to <MTD partner name>: When you enable this option, you can have iOS 8.0+ devices reporting security risk back to Intune.
Enable App Sync for iOS Devices: Allows this Mobile Threat Defense partner to request metadata of iOS applications from Intune to use for threat analysis purposes. The iOS device must be MDM-enrolled, and it provides updated app data during device check-in. You can find standard Intune policy check-in frequencies in the Refresh cycle times.
On devices marked as corporate, all apps are shared with the Mobile Threat Defense vendor, while on devices marked as personal, only Intune managed apps are shared.
Block unsupported OS versions: Block if the device is running an operating system less than the minimum supported version.
App Protection Policy Settings
Connect Android devices of version <supported versions> to <MTD partner name> for app protection policy evaluation: When you enable this option, app protection policies using the Device Threat Level rule will evaluate devices including data from this connector.
Connect iOS devices version <supported versions> to <MTD partner name> for app protection policy evaluation: When you enable this option, app protection policies using the Device Threat Level rule will evaluate devices including data from this connector.
To learn more about using Mobile Threat Defense connectors for Intune App Protection Policy evaluation, see Set up Mobile Threat Defense for unenrolled devices.
Common Shared Settings
- Number of days until partner is unresponsive: Number of days of inactivity before Intune considers the partner to be unresponsive because the connection is lost. Intune ignores compliance state for unresponsive MTD partners.
When possible, we recommend that you add and assign the MTD apps before creating the device compliance and Conditional Access policy rules. This helps ensure that the MTD app is available for end users to install before they are required to have it in order to access email or other company resources.
You can see the Connection status and the Last synchronized time between Intune and the MTD partner from the Mobile Threat Defense pane.
Next steps
- Create Mobile Threat Defense (MTD) app protection policy with Intune.
You can control mobile device access to corporate resources using Conditional Access based on risk assessment conducted by Sophos Mobile, a Mobile Threat Defense (MTD) solution that integrates with Microsoft Intune. Risk is assessed based on telemetry collected from devices running the Sophos Mobile app.
You can configure Conditional Access policies based on the Sophos Mobile risk assessment, enabled through Intune device compliance policies, to allow or block access to corporate resources from noncompliant devices based on detected threats.
This Mobile Threat Defense vendor is not supported for unenrolled devices.
Supported platforms
- Android 6.0 and later
- iOS 11.0 and later
Prerequisites
- Azure Active Directory Premium
- Microsoft Intune subscription
- Sophos Mobile Threat Defense subscription
For more information, see the Sophos website.
How do Intune and Sophos Mobile help protect your company resources?
Sophos Mobile app for Android and iOS/iPadOS captures file system, network stack, device, and application telemetry where available, and then sends the telemetry data to the Sophos Mobile cloud service to assess the device's risk for mobile threats.
The Intune device compliance policy includes a rule for Sophos Mobile Threat Defense, which is based on the Sophos Mobile risk assessment. When this rule is enabled, Intune evaluates device compliance with the policy that you enabled. If the device is found noncompliant, users are blocked access to corporate resources like Exchange Online and SharePoint Online. Users also receive guidance from the Sophos Mobile app installed in their devices to resolve the issue and regain access to corporate resources.
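The connector settings described earlier on this page (platform toggles, "Block unsupported OS versions", "Number of days until partner is unresponsive") and the Sophos Mobile compliance rule described in the paragraph above combine into one decision per device. The following is an added example, not Intune's or Sophos's code: a small model of that decision in Python. The field names follow the Microsoft Graph mobileThreatDefenseConnector resource (androidEnabled, iosEnabled, lastHeartbeatDateTime, partnerUnresponsivenessThresholdInDays, partnerUnsupportedOsVersionBlocked, and the androidDeviceBlockedOnMissingPartnerData/iosDeviceBlockedOnMissingPartnerData setting, which this page does not mention); the ordering of threat levels and the decision logic are my reading of the page's text, and the connector and device records are constructed sample input.

```python
"""Added example: model of how Intune MTD connector settings and partner-reported
device risk combine under the Device Threat Level compliance rule.
Not Intune code; field names mirror Graph's mobileThreatDefenseConnector."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Threat levels as ordered by the Device Threat Level rule, lowest to highest.
THREAT_LEVELS = ("secured", "low", "medium", "high")

# Minimum OS versions the Sophos Mobile connector supports (from this page).
MIN_SUPPORTED_OS = {"android": (6, 0), "ios": (11, 0)}


@dataclass
class MtdConnector:
    """Subset of the Graph mobileThreatDefenseConnector properties."""
    partner_state: str                            # partnerState, e.g. "available"
    last_heartbeat: datetime                      # lastHeartbeatDateTime
    android_enabled: bool                         # androidEnabled
    ios_enabled: bool                             # iosEnabled
    unresponsiveness_threshold_days: int          # partnerUnresponsivenessThresholdInDays
    unsupported_os_version_blocked: bool          # partnerUnsupportedOsVersionBlocked
    blocked_on_missing_partner_data: bool = False  # android/iosDeviceBlockedOnMissingPartnerData


@dataclass
class Device:
    platform: str                  # "android" or "ios"
    os_version: Tuple[int, int]
    threat_level: Optional[str]    # partner-reported level; None if never reported


def partner_is_unresponsive(connector: MtdConnector, now: datetime) -> bool:
    """'Number of days until partner is unresponsive': no heartbeat inside the window."""
    return now - connector.last_heartbeat > timedelta(days=connector.unresponsiveness_threshold_days)


def evaluate_device_threat_rule(connector: MtdConnector, device: Device,
                                max_allowed_level: str, now: datetime) -> Tuple[bool, str]:
    """Return (rule_passes, reason) for a compliance policy whose Device Threat Level
    rule allows at most max_allowed_level. Other compliance rules are out of scope."""
    if max_allowed_level not in THREAT_LEVELS:
        raise ValueError(f"unknown threat level {max_allowed_level!r}")
    enabled = connector.android_enabled if device.platform == "android" else connector.ios_enabled
    if not enabled:
        return True, f"connector not enabled for {device.platform}; MTD rule not evaluated"
    if partner_is_unresponsive(connector, now):
        # Page: Intune ignores compliance state for unresponsive MTD partners.
        return True, "partner unresponsive; its compliance state is ignored"
    if connector.unsupported_os_version_blocked and device.os_version < MIN_SUPPORTED_OS[device.platform]:
        return False, "OS version below the partner's minimum supported version"
    if device.threat_level is None:
        if connector.blocked_on_missing_partner_data:
            return False, "no partner data for this device yet"
        return True, "no partner data yet; not blocked by this connector's settings"
    if THREAT_LEVELS.index(device.threat_level) > THREAT_LEVELS.index(max_allowed_level):
        return False, f"threat level {device.threat_level} exceeds allowed {max_allowed_level}"
    return True, f"threat level {device.threat_level} within allowed {max_allowed_level}"


def sample_scenarios(now: datetime) -> List[Tuple[str, bool, str]]:
    """Constructed sample input: one healthy connector, one that stopped sending heartbeats."""
    healthy = MtdConnector("available", now - timedelta(days=1), True, True, 7, True)
    silent = MtdConnector("available", now - timedelta(days=10), True, True, 7, True)
    cases = [
        ("android malware detected", healthy, Device("android", (10, 0), "high"), "medium"),
        ("ios low risk", healthy, Device("ios", (14, 0), "low"), "medium"),
        ("android below min os", healthy, Device("android", (5, 1), "secured"), "medium"),
        ("partner silent, high risk", silent, Device("ios", (14, 0), "high"), "low"),
    ]
    return [(name, *evaluate_device_threat_rule(c, d, lvl, now)) for name, c, d, lvl in cases]


if __name__ == "__main__":
    for name, ok, why in sample_scenarios(datetime(2021, 6, 1, tzinfo=timezone.utc)):
        print(f"{name:28} {'pass' if ok else 'BLOCK':5} {why}")
```

The "partner silent" case is the one worth noticing operationally: once the heartbeat is older than the configured threshold, a device reporting high risk is no longer blocked by this rule, so the Connection status and Last synchronized time on the Mobile Threat Defense pane deserve monitoring rather than a one-time check.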
Here are some common scenarios.
Control access based on threats from malicious apps
When malicious apps such as malware are detected on devices, you can block devices from the following actions until the threat is resolved:
- Connecting to corporate e-mail
- Syncing corporate files with the OneDrive for Work app
- Accessing company apps
Block when malicious apps are detected:
Access granted on remediation:
Control access based on threat to network
Detect threats to your network like Man-in-the-middle attacks, and protect access to Wi-Fi networks based on the device risk.
Block network access through Wi-Fi:
Access granted on remediation:
Control access to SharePoint Online based on threat to network
Detect threats to your network like Man-in-the-middle attacks, and prevent synchronization of corporate files based on the device risk.
Block SharePoint Online when network threats are detected:
Access granted on remediation: