mtd-apps-ios-app-configuration-policy-add-assign.md

title	titleSuffix	description	keywords	author	ms.author	manager	ms.date	ms.topic	ms.service	ms.localizationpriority	ms.technology	ms.assetid	ms.reviewer	ms.suite	search.appverid	ms.custom	ms.collection
Add and assign MTD apps to Microsoft Intune	Microsoft Intune	Use Intune to add Mobile Threat Defense (MTD) apps, Microsoft Authenticator app, and iOS configuration policy in the Azure portal.		brenduns	brenduns	dougeby	06/21/2019	conceptual	microsoft-intune	high		00356258-76a8-4a84-9cf5-64ceedb58e72	davera	ems	MET150	intune-azure	M365-identity-device-management

Add and assign Mobile Threat Defense (MTD) apps with Intune

Note

This article applies to all Mobile Threat Defense partners.

You can use Intune to add and deploy Mobile Threat Defense (MTD) apps so that end users can receive notifications when a threat is identified in their mobile devices, and to receive guidance to remediate the threats.

Before you begin

The below steps need to be completed in the Azure portal. Make sure you’re familiar with the process of:

• Adding an app into Intune.
• Adding an iOS app configuration policy into Intune.
• Assigning an app with Intune.

Tip

The Intune Company Portal works as the broker on Android devices so users can have their identities checked by Azure AD.

Configure Microsoft Authenticator for iOS

For iOS devices, you need the Microsoft Authenticator so users can have their identities checked by Azure AD. Additionally, you need an iOS app configuration policy that sets the MTD iOS app you use with Intune.

See the instructions for adding iOS store apps to Microsoft Intune. Use this Microsoft Authenticator app store URL on step 12 under the Configure app information section.

Configure MTD applications

Choose the section that corresponds to your MTD provider:

• Lookout for Work
• Symantec Endpoint Protection Mobile (SEP Mobile)
• Check Point SandBlast Mobile
• Zimperium
• Pradeo
• Better Mobile
• Sophos Mobile
• Wandera

Configure Lookout for Work apps

• Android

  • See the instructions for adding Android store apps to Microsoft Intune. Use this Lookout for work Google app store URL on step 7.

• iOS

  • See the instructions for adding iOS store apps to Microsoft Intune. Use this Lookout for Work iOS app store URL on step 11 for the Appstore URL.

• Lookout for Work app outside the Apple store

  • You need to re-sign the Lookout for Work iOS app. Lookout distributes its Lookout for Work iOS app outside of the iOS App Store. Before distributing the app, you must re-sign the app with your iOS Enterprise Developer Certificate.

  • For detailed instructions to re-sign the Lookout for Work iOS apps, see Lookout for Work iOS app re-signing process on the Lookout website.

  • Enable Azure AD authentication for Lookout for Work iOS app users.

    1. Go to the Azure portal, sign in with your credentials, then navigate to the application page.

    2. Add the Lookout for Work iOS app as a native client application.

    3. Replace the com.lookout.enterprise.yourcompanyname with the customer bundle ID you selected when you signed the IPA.

    4. Add additional redirect URI: <companyportal://code/> followed by a URL encoded version of your original redirect URI.

    5. Add Delegated Permissions to your app.

    [!NOTE] See configure a native client application with Azure AD for more details.

  • Add the Lookout for Work ipa file.

    • Upload the re-signed .ipa file as described in the Add iOS LOB apps with Intune article. You also need to set the minimum OS version to iOS 8.0 or later.

Configure Symantec Endpoint Protection Mobile apps

• Android

  • See the instructions for adding Android store apps to Microsoft Intune. In step 7, use this SEP Mobile app store URL. For Minimum operating system, select Android 4.0 (Ice Cream Sandwich).

• iOS

  • See the instructions for adding iOS store apps to Microsoft Intune. Use this SEP Mobile app store URL on step 11 for the Appstore URL.

Configure Check Point SandBlast Mobile apps

• Android

  • See the instructions for adding Android store apps to Microsoft Intune. Use this Check Point SandBlast Mobile app store URL on step 7.

• iOS

  • See the instructions for adding iOS store apps to Microsoft Intune. Use this Check Point SandBlast Mobile app store URL on step 11 for the Appstore URL.

Configure Zimperium apps

• Android

  • See the instructions for adding Android store apps to Microsoft Intune. Use this Zimperium app store URL on step 7.

• iOS

  • See the instructions for adding iOS store apps to Microsoft Intune. Use this Zimperium app store URL on step 11 for the Appstore URL.

Configure Pradeo apps

• Android

  • See the instructions for adding Android store apps to Microsoft Intune. Use this Pradeo app store URL on step 7.

• iOS

  • See the instructions for adding iOS store apps to Microsoft Intune. Use this Pradeo app store URL on step 11 for the Appstore URL.

Configure Better Mobile apps

• Android

  • See the instructions for adding Android store apps to Microsoft Intune. Use this Active Shield app store URL on step 7.

• iOS

  • See the instructions for adding iOS store apps to Microsoft Intune. Use this ActiveShield app store URL on step 11 for the Appstore URL.

Configure Sophos apps

• Android

  • See the instructions for adding Android store apps to Microsoft Intune. Use this Sophos app store URL on step 7.

• iOS

  • See the instructions for adding iOS store apps to Microsoft Intune. Use this ActiveShield app store URL on step 11 for the Appstore URL.

Configure Wandera apps

• Android

  • See the instructions for adding Android store apps to Microsoft Intune. Use this Wandera Mobile app store URL on step 7. For Minimum operating system, select Android 5.0.

• iOS

  • See the instructions for adding iOS store apps to Microsoft Intune. Use this Wandera Mobile app store URL on step 11 for the Appstore URL.

Configure your MTD apps with an iOS app configuration policy

Lookout for Work app configuration policy

• Create the iOS app configuration policy as described in the using iOS app configuration policy article.

SEP Mobile app configuration policy

• Use the same Azure AD account previously configured in the Symantec Endpoint Protection Management console, which should be the same account used to sign in to the Intune classic portal.

• Download the iOS app configuration policy file:

  • Go to Symantec Endpoint Protection Management console and sign in with your admin credentials.

  • Go to Settings, and under Integrations, choose Intune. Choose EMM Integration Selection. Choose Microsoft, and then save your selection.

  • Click the Integration setup files link and save the generated *.zip file. The .zip file contains the *.plist file that will be used to create the iOS app configuration policy in Intune.

  • See the instructions for using Microsoft Intune app configuration policies for iOS to add the SEP Mobile iOS app configuration policy.

  • On step 8, use the option Enter XML data, copy the content from the *.plist file, and paste its content into the configuration policy body.

Note

If you are unable to retrieve the files, contact Symantec Endpoint Protection Mobile Enterprise Support.

Check Point SandBlast Mobile app configuration policy

• See the instructions for using Microsoft Intune app configuration policies for iOS to add the Check Point SandBlast Mobile iOS app configuration policy.

  • On step 8, use the option Enter XML data, copy the content below and paste it into the configuration policy body.

    <dict><key>MDM</key><string>INTUNE</string></dict>
    

Zimperium app configuration policy

• See the instructions for using Microsoft Intune app configuration policies for iOS to add the Zimperium iOS app configuration policy.

  • On step 8, use the option Enter XML data, copy the content below and paste it into the configuration policy body.

    <dict>
    <key>provider</key><string>Intune</string>
    <key>userprincipalname</key><string>{{userprincipalname}}</string>
    <key>deviceid</key>
    <string>{{deviceid}}</string>
    <key>serialnumber</key>
    <string>{{serialnumber}}</string>
    <key>udidlast4digits</key>
    <string>{{udidlast4digits}}</string>
    </dict>
    

Pradeo app configuration policy

Pradeo doesn't support application configuration policy on iOS. Instead, to get a configured app, work with Pradeo to implement custom IPA or APK files that are preconfigured with the settings you want.

Better Mobile app configuration policy

• See the instructions for using Microsoft Intune app configuration policies for iOS to add the Better Mobile iOS app configuration policy.

  • On step 8, use the option Enter XML data, copy the content below and paste it into the configuration policy body. Replace the https://client.bmobi.net URL with the appropriate console URL.

    <dict>
    <key>better_server_url</key>
    <string>https://client.bmobi.net</string>
    <key>better_udid</key>
    <string>{{aaddeviceid}}</string>
    <key>better_user</key>
    <string>{{userprincipalname}}</string>
    </dict>
    

Sophos Mobile app configuration policy

Create the iOS app configuration policy as described in the using iOS app configuration policy article.

Wandera app configuration policy

See the instructions for using Microsoft Intune app configuration policies for iOS to add the Wandera iOS app configuration policy.

• On step 8, use the option Enter XML data. Sign in to your RADAR Wandera portal and browse to Settings > EMM Integration > App Push. Select Intune, and then copy the content below and paste it into the configuration policy body.

  <dict><key>secretKey</key>
   <string>SeeRADAR</string>
   <key>apiKey</key>
   <string> SeeRADAR </string>
   <key>customerId</key>
   <string> SeeRADAR </string>
   <key>email</key>
   <string>{{mail}}</string>
   <key>firstName</key>
   <string>{{username}}</string>
   <key>lastName</key>
   <string></string>
   <key>activationType</key>
   <string>PROVISION_THEN_AWP</string></dict>  
  

Assign apps to groups

• This step applies to all MTD partners. See instructions for assigning apps to groups with Intune.

Next steps

• Configure the device compliance policy for MTD