Mobile devices have become a staple not only for personal usage but also in enterprise settings. While these devices help organizations carry out crucial tasks, they have also become targets of a growing number of cyberattacks. This is why Mobile Threat Defense (MTD) solutions are essential in combating cyber threats.
MTD (Mobile Threat Defense) solutions work alongside Mobile Device Management (MDM) platforms to provide stronger protection. While MDM helps control device settings and compliance, MTD adds real-time threat detection, such as blocking phishing links in text messages or detecting malware in suspicious apps.
The risks are multiplying, especially in BYOD (Bring Your Own Device) environments, which is why it’s essential to understand how to configure MTD integrations with your mobile-centric environments. In this guide, we will walk you through MTD integrations, what’s required to get started, and how to configure them effectively.
| Task | Audience | Purpose |
| --- | --- | --- |
| Task 1: Enable MTD Integration via MEMAC | All Intune admins | Core setup for integrating the MTD provider with Intune |
| Task 2: Deploy the MTD app to devices via Intune | All MDM environments | Installs the MTD agent on mobile devices for threat telemetry |
| Task 3: Configure compliance policy via threat level | Security/Compliance teams | Flags risky devices using threat level data from MTD |
| Task 4: Enforce Conditional Access policy | Azure AD admins | Blocks or allows access to cloud apps based on compliance state |
| Task 5: Use PowerShell & Microsoft Graph | MSPs / Automation engineers | Enables scripting and policy auditing across tenants |
| Task 6: CMD and Registry checks | Defender-only users | Confirms Defender MTD state on Windows devices |
| Task 7: Enforce Defender for Endpoint via Group Policy | Hybrid / Windows admins | Hardens Defender settings for Windows MTD environments |
Prerequisites for MTD integration
Before configuring mobile threat defense integrations, make sure your environment meets the following requirements:
- Microsoft Intune (or another supported MDM platform)
- Azure AD Premium license for Conditional Access capabilities
- MTD vendor subscription that supports Intune integration (e.g., Microsoft Defender for Endpoint, Lookout, Zimperium)
- Devices must be enrolled in Intune
- The MTD app must be installed on each device via the Company Portal or the app store
- (Optional) API permissions configured in Microsoft Graph or Azure Portal for deeper automation and reporting
Task 1: Enable MTD Integration via Microsoft Endpoint Manager (MEMAC)
📌 Use Case:
This is the core setup needed to connect an MTD provider with Microsoft Intune so that Intune can receive threat telemetry from the MTD solution and apply it in compliance policies. This step should be performed by an Intune or MDM administrator with the right permissions in MEMAC.
- Go to Tenant Administration > Connectors and Tokens > Mobile Threat Defense.
- Select your MTD provider (e.g., Lookout, Zimperium, or Microsoft Defender for Endpoint).
- Enable the integration and configure the following options:
  - Sync frequency (how often threat data syncs with Intune)
  - Compliance state mapping (which threat levels make a device non-compliant)
  - App reporting settings
- Save and verify the connector status.
Once the connector is live, Intune begins receiving threat-level data from the MTD platform, allowing it to make compliance decisions automatically.
Task 2: Deploy the MTD app to devices via Intune
📌 Use Case:
This task ensures the MTD agent is installed and functional on each managed device. Usually performed by app deployment or device management admins, it enables mobile threat scanning, telemetry reporting, and user onboarding.
- Navigate to Apps > All Apps > Add in MEMAC.
- Select the app type (iOS Store app or Android Store app).
- Search for your MTD app.
- Configure and assign the app to the appropriate user or device groups.
- (Optional) Apply app protection or compliance policies.
- Users will be prompted to activate the MTD app during the first launch.
Task 3: Configure compliance policies using MTD risk levels
📌 Use Case:
This task uses threat data from the MTD app to determine whether a device is compliant with corporate policies. It is typically performed by compliance or security administrators and ensures that only secure devices retain access to organizational data.
- Go to Devices > Compliance Policies > Create Policy.
- Choose the appropriate platform (e.g., Android Enterprise or iOS/iPadOS).
- Under Device Health, configure Mobile Threat Defense threat level (e.g., Low or below).
- Assign the policy to your device groups.
If a device reports a threat level higher than the specified threshold, it will be flagged as non-compliant. This compliance status feeds directly into Conditional Access.
Task 4: Set Conditional Access policies using MTD data
📌 Use Case:
This task enforces access control based on risk-aware compliance. Typically done by Azure AD or security administrators, it prevents access to sensitive apps unless the device meets MTD-informed security requirements.
- Open Azure AD > Security > Conditional Access > New Policy.
- Name your policy and target desired cloud apps (e.g., Microsoft 365).
- Under Conditions, select Device State and require compliant devices.
- Add a grant control that enforces MTD-based compliance.
- Enable and apply the policy.
With this setup, devices flagged as high-risk by the MTD engine will be blocked from accessing corporate resources until remediated.
Task 5: Use PowerShell and Microsoft Graph for advanced control
📌 Use Case:
This task is useful for MSPs, automation engineers, or advanced IT admins who manage multiple tenants or want to automate compliance enforcement. It provides visibility and control across large, distributed environments.
- Open PowerShell as an administrator: press the Windows key, type PowerShell, then right-click Windows PowerShell and select Run as administrator.
- Run the following commands (they require the Microsoft Graph PowerShell SDK):
  - To connect to Microsoft Graph with the scopes needed to read Intune devices and compliance policies:
    Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All", "DeviceManagementConfiguration.Read.All", "Policy.Read.All"
  - To view all compliance policies currently set in Intune:
    Get-MgDeviceManagementDeviceCompliancePolicy -All
  - To list devices whose MTD partner has reported an elevated threat state (the partnerReportedThreatState property on each managed device):
    Get-MgDeviceManagementManagedDevice -All | Where-Object { $_.PartnerReportedThreatState -in 'mediumSeverity','highSeverity','compromised' } | Select-Object DeviceName, UserPrincipalName, ComplianceState, PartnerReportedThreatState
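The following script is an added example, not part of the original guide or of NinjaOne's tooling. It turns the Graph queries above into a repeatable audit: every managed device whose MTD partner reports an elevated threat state or that Intune marks non-compliant is written to a CSV, and devices with no MTD telemetry at all are counted separately, since a silent device is a visibility gap rather than a clean one. It assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account can consent to the listed scope; the output file name is an arbitrary choice.

```powershell
# Added example (not from the original guide). Assumes the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"

# Values of managedDevice.partnerReportedThreatState that should be treated as risky.
$riskyStates  = @('mediumSeverity', 'highSeverity', 'compromised', 'misconfigured', 'unresponsive')
# States that mean the MTD agent has never reported or has been switched off.
$silentStates = @('unknown', 'deactivated', '')

# -All pages through the whole tenant instead of returning the first page only.
$devices = Get-MgDeviceManagementManagedDevice -All

$findings = foreach ($d in $devices) {
    $threat       = "$($d.PartnerReportedThreatState)"
    $risky        = $riskyStates -contains $threat
    $nonCompliant = $d.ComplianceState -eq 'noncompliant'
    if (-not ($risky -or $nonCompliant)) { continue }

    $reason = if ($risky) { 'MTD reported elevated risk' } else { 'Intune non-compliant' }
    [pscustomobject]@{
        DeviceName      = $d.DeviceName
        User            = $d.UserPrincipalName
        OS              = $d.OperatingSystem
        ComplianceState = $d.ComplianceState
        MtdThreatState  = $threat
        LastSync        = $d.LastSyncDateTime
        Reason          = $reason
    }
}

# Devices with no MTD telemetry are listed so they can be chased up, not treated as safe.
$silent = $devices | Where-Object { "$($_.PartnerReportedThreatState)" -in $silentStates }

$findings | Sort-Object MtdThreatState -Descending | Format-Table -AutoSize
$findings | Export-Csv -Path ".\mtd-risk-report.csv" -NoTypeInformation   # file name is arbitrary
Write-Host "Risky or non-compliant devices: $($findings.Count)"
Write-Host "Devices with no MTD telemetry:  $($silent.Count)"
```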
Task 6: Validate Defender MTD using CMD and registry (Windows only)
📌 Use Case:
For environments using Microsoft Defender as their MTD platform, this task helps endpoint admins verify that Defender is active and transmitting telemetry. This is specific to Windows devices.
Using Command Prompt
- Open a command prompt: press the Windows key + X and select Windows Terminal.
- Run the following command: sc query WinDefend
- Look for the line "STATE: RUNNING" in the output. This confirms that the Defender service is active.
Using Registry Editor
- Open the Registry Editor: press the Windows key + R, type regedit and press Enter.
- Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features
- Look for values such as the following:
  - SenseEnabled: confirms the MTD component is active
  - TamperProtection: ensures Defender settings can't be changed by users or malware
Task 7: Apply Group Policy settings for Defender MTD (if applicable)
📌 Use Case:
In hybrid or AD-joined Windows environments, GPO can enforce Defender for Endpoint configurations to improve threat visibility and reporting. Typically used by Windows system admins.
- Open the Group Policy Editor.
- Navigate to: Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > MAPS
- Configure:
  - Join Microsoft MAPS
  - Send file samples for analysis
  - Enable Block at First Sight
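To check the Task 6 and Task 7 settings in one pass rather than by hand, here is an added validation script that is not part of the original guide. It reads the service states, the registry values named above, and Defender's own reported configuration (the MAPS, sample-submission and Block at First Sight settings that the GPO enforces) and prints them as one object. It assumes Microsoft Defender Antivirus is installed (so Get-MpComputerStatus and Get-MpPreference are available) and is run from an elevated PowerShell session; the MDE onboarding registry key is assumed to exist only on devices onboarded to Defender for Endpoint.

```powershell
# Added example (not from the original guide). Run elevated on a Windows device.
$results = [ordered]@{}

# WinDefend is the antivirus engine (what "sc query WinDefend" reports on);
# Sense is the Defender for Endpoint sensor that sends device telemetry to the cloud.
foreach ($svc in 'WinDefend', 'Sense') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    $results["Service:$svc"] = if ($s) { "$($s.Status)" } else { 'NotInstalled' }
}

# The registry values the guide points at under ...\Windows Defender\Features.
$features = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'
foreach ($name in 'SenseEnabled', 'TamperProtection') {
    $v = Get-ItemProperty -Path $features -Name $name -ErrorAction SilentlyContinue
    $results["Registry:$name"] = if ($v) { $v.$name } else { 'missing' }
}

# Defender's own view of the same state, plus the MAPS options that the Task 7 GPO sets.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference
$results['IsTamperProtected']    = $status.IsTamperProtected
$results['RealTimeProtection']   = $status.RealTimeProtectionEnabled
$results['MAPSReporting']        = $pref.MAPSReporting         # 0 = off, 1 = basic, 2 = advanced
$results['SubmitSamplesConsent'] = $pref.SubmitSamplesConsent  # 0 prompt, 1 safe, 2 never, 3 all
$results['BlockAtFirstSeen']     = -not $pref.DisableBlockAtFirstSeen

# Defender for Endpoint onboarding state (assumed key; 1 means the device is onboarded).
$mde = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' `
                        -ErrorAction SilentlyContinue
$results['MdeOnboardingState'] = if ($mde) { $mde.OnboardingState } else { 'not onboarded' }

[pscustomobject]$results | Format-List
```

A device is in the expected state when both services report Running, IsTamperProtected is True, MAPSReporting is non-zero and BlockAtFirstSeen is True; anything else points at the GPO or onboarding step that did not apply.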
⚠️ Troubleshooting/Things to look out for
| Risk | Potential consequences | Remediation |
| --- | --- | --- |
| Devices not reporting risk | Device remains in an unknown security state, potentially allowing access despite threats. | Verify that the MTD app is properly installed and signed in and that background activity permissions are enabled. If necessary, restart the app or reinstall it. |
| Intune is not showing the threat level | Compliance policies may not trigger, weakening the enforcement of security policies. | Check the connector sync interval in MEMAC. Ensure that API permissions for Microsoft Graph or Azure Portal are configured correctly. |
| Compliance policies are not being applied | Non-compliant devices may still access corporate resources. | Confirm group assignments and platform targeting, and ensure all user/device licenses are properly assigned. Re-evaluate policy scope and deployment. |
| Conditional Access is not triggering | Risky devices may gain access to sensitive data or cloud services. | Inspect Azure AD sign-in logs to determine whether the MTD risk level is being passed to the Conditional Access engine. Confirm that policies require compliant devices. |
Additional considerations for mobile MTD deployment
- User consent: MTD apps may request access to sensitive systems like network analysis and VPN monitoring, requiring user permissions.
- Battery and performance: MTD apps may also impact devices’ battery and performance. This can vary per vendor, so testing may help ensure a balance between security and usability.
- Privacy policies: It’s important to document and go over data privacy policies, especially for BYOD scenarios.
- Enrollment order: Device enrollment must precede MTD policy enforcement. This means that MTD apps must be installed before Conditional Access applies.
NinjaOne services for MTD workflow enhancement
NinjaOne adds an essential layer of automation and visibility on top of native MTD integrations. This aids Managed Service Providers (MSPs) in monitoring diverse mobile fleets through the following tools and features:
| NinjaOne service | What it is | How it helps the MTD workflow |
| --- | --- | --- |
| Automated deployment | Automates the installation and configuration of Microsoft Defender for Endpoint on supported devices. | Reduces setup time and ensures all enrolled devices have the MTD agent installed and reporting correctly. |
| Device monitoring | Provides real-time monitoring and health status for mobile endpoints across client environments. | Alerts IT when devices lose MTD connectivity, fall out of compliance, or show signs of elevated risk. |
| Telemetry aggregation | Collects and normalizes threat telemetry from multiple MTD vendors into a centralized dashboard. | Simplifies visibility for MSPs managing environments with more than one MTD provider. |
| Remediation scripting | Enables scripted responses to threat detections, such as network isolation or user alerts. | Automates response when a device is flagged as high-risk, speeding up remediation and minimizing manual effort. |
Securing the MDM environment with Mobile Threat Defense
Cyber attacks are evolving and becoming more sophisticated. While MDM solutions in place are helpful, integrating a Mobile Threat Defense (MTD) adds an extra layer of protection for organizations implementing mobile environments. That’s why understanding MTD configurations is essential, ensuring real-time visibility, automated compliance enforcement, and smarter Conditional Access controls for your mobile device environments.