Integrating Microsoft Intune with Endpoint Protection Mobile

This guide describes the steps that are required to integrate Microsoft Intune with Endpoint Protection Mobile.
Integrating Endpoint Protection Mobile with your organization's MDM/EMM/UEM is highly recommended as it allows:
  • A seamless and easy deployment of Endpoint Protection Mobile across devices and groups.
  • Advanced security features and security enforcement.
Prerequisites
For the integration configuration to take effect, make sure to perform the configurations in Intune using a Global Administrator role.
Step 1: Selecting your MDM/EMM/UEM and downloading the relevant integration files
  1. Go to Endpoint Protection Mobile management console > Settings > Integrations > EMM & Containers.
  2. Select Microsoft Intune and click Apply Changes.
  3. Look under Resources and download the Integration setup files. The mdm_configuration zip file contains a sep_mobile_configuration.plist file. You will refer to this file in Step 5.
Step 2: Retrieving the Directory ID
  1. Go to the Microsoft Azure Portal and click Azure Active Directory on the left navigation pane.
  2. Click Properties from the extended menu (under the Manage category).
  3. Click the copy icon next to Directory ID to copy the Directory ID value.
  4. Paste the ID into a safe location (a Word file or any other text editor you manage locally). You will refer to the Directory ID later on.
Step 3: Optional: Creating a dedicated Security Group for devices that need to run the SEP Mobile app
  1. Click Groups from the extended menu > All groups.
  2. Click + New group.
  3. Complete the required details:
    • Group type: Security
    • Group name: <Enter a relevant name, for example, "Symantec Security".>
    • Group description: A dedicated Symantec security group for devices that need to run the SEP Mobile app.
    • Membership type: Assigned
  4. Click Members and select the relevant group members (you can select specific users or entire groups).
  5. Click Select, then click Create to finish.
    Example:
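The same result as Steps 2 and 3 (reading the Directory ID and creating the assigned security group), scripted with the Microsoft Graph PowerShell SDK instead of the portal. This is an added example, not part of the Symantec guide; it assumes the Microsoft.Graph module is installed, that the signed-in account can be granted Group.ReadWrite.All and User.Read.All, and the group name and member UPNs are placeholders.

```powershell
# Added example (not from the Symantec guide): Step 2 and Step 3 via Microsoft Graph.
# Assumes the Microsoft.Graph module is installed; group name and UPNs are placeholders.

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All'

# Step 2 equivalent: the Directory ID is the tenant ID of the connected context.
$directoryId = (Get-MgContext).TenantId
Write-Host "Directory ID: $directoryId"

# Step 3 equivalent: a Security group with Assigned (static) membership.
$groupName = 'Symantec Security'   # placeholder, as in the guide's example
$group = New-MgGroup -DisplayName $groupName `
    -Description 'A dedicated Symantec security group for devices that need to run the SEP Mobile app.' `
    -MailEnabled:$false -MailNickname ($groupName -replace '\s', '') `
    -SecurityEnabled

# Step 3, item 4: add the members by user principal name (placeholders).
$memberUpns = @('user1@contoso.example', 'user2@contoso.example')
foreach ($upn in $memberUpns) {
    $user = Get-MgUser -UserId $upn -ErrorAction Stop
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
}

Write-Host "Created group '$($group.DisplayName)' ($($group.Id)) with $($memberUpns.Count) members."
```

Record the printed Directory ID in the same safe location the guide asks for; Step 8 needs it.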
Step 4: Adding the SEP Mobile app for Android and iOS
Make sure to add the SEP Mobile app twice, once for iOS and once for Android.
Adding the SEP Mobile app for iOS:
  1. Go to Microsoft Azure home page > Enter Intune in the search box > Select Intune from the returned results.
  2. Click Client apps from the extended menu > Apps > Add.
  3. Select the App type: iOS.
  4. Click Search the App Store > Enter "SEP Mobile" in the search box.
  5. Select the SEP Mobile app from the returned results.
  6. Click Select > Add.
Adding the SEP Mobile app for Android:
  1. Go to Client apps (Microsoft Azure home page > Enter Intune in the search box > Select Intune from the returned result > Client apps).
  2. Click Apps > Add.
  3. Select the App type: Android.
  4. Click Configure.
  5. Enter the details:
    • Name: SEP Mobile
    • Description: Symantec Endpoint Protection Mobile to enhance enterprise mobile security.
    • Publisher: Symantec
    • App store URL: https://play.google.com/store/apps/details?id=com.skycure.skycure
    • Minimum Operating system: Android 4.0 (Ice Cream Sandwich)
  6. Click OK > Add.
Step 5: Configuring the SEP Mobile iOS app policy
  1. Go to Client apps (Microsoft Azure home page > Enter Intune in the search box > Select Intune from the returned result > Client apps).
  2. Click App configuration policies.
  3. Click Add.
  4. Enter the mandatory details:
    • Name: SEP Mobile iOS App Configuration
    • Device enrollment type: Managed devices
    • Platform: iOS
  5. Select Associated app.
  6. Enter "SEP Mobile" in the search box > Select SEP Mobile from the returned results.
  7. Click OK.
  8. Click Configuration settings.
  9. Select Enter XML data for the Configuration settings format.
  10. In the XML box, paste the content of the sep_mobile_configuration.plist file you downloaded in Step 1.
  11. Click OK > Add.
    Example:
  12. Click Assignments in the SEP Mobile iOS App Configuration Policy.
  13. Under Assign to, select Selected groups.
  14. Click Select groups to include.
  15. Select the groups of users that you want to deploy the SEP Mobile app to.
  16. Click Select > Save.
Step 6: Assigning the relevant apps to the group of users that the SEP Mobile app will be deployed to
Perform the procedure twice, once for iOS and once for Android.
  1. Go to Client apps (Microsoft Azure home page > Enter Intune in the search box > Select Intune from the returned result > Client apps).
  2. Select the SEP Mobile iOS app.
  3. Click Assignments > Add group.
  4. Under Assignment type, select Required.
  5. Click Included Groups.
  6. Under All users and devices, set:
    • Make this app required for all users: Yes
    • Make this app required on all devices: Yes
  7. Click Select groups to include and select the groups of users that you want to deploy the SEP Mobile app to.
  8. Click Select > OK > Save.
    Repeat the procedure for Android.
Step 7: Adding the Endpoint Protection Mobile Threat Defense Connector
  1. Go to Intune (Microsoft Azure home page > Enter Intune in the search box > Select Intune from the returned result).
  2. Click Device compliance, and then click Mobile Threat Defense.
  3. Click Add.
  4. Select Symantec Endpoint Protection.
  5. Click Create.
Step 8: Setting up the integration
  1. Go to Endpoint Protection Mobile management console > Settings > Integrations > Intune > EMM Integration Selection tab.
  2. Paste the Directory ID that you copied in Step 2.
  3. Click Apply Changes.
  4. Go to the Basic Setup tab.
  5. Click Add to Active Directory next to the iOS label.
  6. In the window that opens, log in using the Azure Active Directory credentials of the Office 365 account.
  7. Click Accept to add the SEP Mobile iOS app to the Azure Active Directory.
  8. Repeat the same procedure for the SEP Mobile Android App and the Management App.
  9. For the Symantec Security Groups, select the user groups that need to have the SEP Mobile app. For example, the Security Group you created in Step 3 (if created).
  10. Click Apply Changes for the configurations to take effect.
    Once you apply the changes, Endpoint Protection Mobile will sync the devices in the selected groups and start reporting information to Intune.
    If the sync was successful, the Intune Integration Status will be green.
    You can review the reported data under the Full Integration tab.
    In large Intune deployments with more than 25000 devices, you may need to grant an additional permission to the Management App so that it can successfully check and report the app install status. See: Adding Azure Active Directory permission for the Management app
Step 9: Enabling the Symantec Endpoint Protection Mobile Threat Defense Connector
  1. Go to Intune (Microsoft Azure home page > Enter Intune in the search box > Select Intune from the returned result).
  2. Go to Device Compliance from the extended menu > Mobile Threat Defense.
  3. Select the defense connector you created in Step 7 ("Symantec Endpoint Protection").
  4. Make sure the Connection status is: Available / Enabled.
  5. Set the options:
    • Connect Android devices of version 2.3.3 and above to Symantec Endpoint Protection: On
    • Connect iOS devices version 8.0 and above to Symantec Endpoint Protection: On
    • Enable App Sync for iOS Devices: On
    • Block unsupported OS versions: Off
  6. Click Save.
Step 10: Configuring a compliance policy based on information from Symantec Endpoint Protection Mobile
To leverage Intune's conditional access for mobile security enforcement, a compliance policy in Intune is required. To define a compliance policy in Intune, follow the steps below.
  1. Go to Intune (Microsoft Azure home page > Enter Intune in the search box > Select Intune from the returned result).
  2. Go to Device Compliance from the extended menu > Policies.
  3. Click Create Policy.
  4. Enter the details:
    • Name: iOS Compliance Policy
    • Platform: iOS
  5. Click Configure > Device Health.
  6. Select the desired threat level for Require the device to be at or under the Device Threat Level.
    The recommended level is: High
  7. Click OK > OK > Create.
  8. Click Assignments in the iOS Compliance Policy menu.
  9. Click Select groups to include and select the group of users that you want to deploy SEP Mobile to.
  10. Click Select > Save.
  11. Repeat the procedure with the relevant adaptations to create a compliance policy for Android devices.
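The iOS compliance policy from Step 10 (device threat level at or under High, assigned to a group), created through Microsoft Graph rather than the portal. This is an added example, not part of the Symantec guide; it assumes Connect-MgGraph has already been run with DeviceManagementConfiguration.ReadWrite.All, the group ID is a placeholder, and the property names follow the Graph iosCompliancePolicy resource as I know it.

```powershell
# Added example (not from the Symantec guide): Step 10 via Microsoft Graph.
# Assumes an existing Connect-MgGraph session with DeviceManagementConfiguration.ReadWrite.All.
$groupId = '00000000-0000-0000-0000-000000000000'   # placeholder: the Step 3 group
$graph   = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies'

$policy = @{
    '@odata.type' = '#microsoft.graph.iosCompliancePolicy'
    displayName   = 'iOS Compliance Policy'
    description   = 'Requires the SEP Mobile device threat level to be at or under High.'
    # "Require the device to be at or under the Device Threat Level" = High
    deviceThreatProtectionEnabled               = $true
    deviceThreatProtectionRequiredSecurityLevel = 'high'
    # Intune rejects a compliance policy without at least one scheduled action
    # (the portal adds this "mark device non-compliant immediately" rule for you).
    scheduledActionsForRule = @(@{
        ruleName = 'PasswordRequired'
        scheduledActionConfigurations = @(@{
            actionType       = 'block'
            gracePeriodHours = 0
        })
    })
}

$created = Invoke-MgGraphRequest -Method POST -Uri $graph `
    -Body ($policy | ConvertTo-Json -Depth 6) -ContentType 'application/json'
Write-Host "Created compliance policy $($created.id)"

# Step 10, items 8-10: assign the policy to the selected group.
$assignment = @{
    assignments = @(@{
        target = @{
            '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
            groupId       = $groupId
        }
    })
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 6) -ContentType 'application/json'
```

For the Android policy in item 11, change the @odata.type to #microsoft.graph.androidCompliancePolicy; the two device threat protection properties carry the same names there.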
Conditional access can then be configured in Intune based on these policies.
A device is marked as non-compliant when it fails to meet any of the policy criteria. The Symantec criterion is one of them; it can be accessed under Device Health settings > Require the device to be at or under the Device Threat Level. You can find this information on the device compliance details page.
Intune also has policy criteria of its own that can mark a device as non-compliant. More information about these Intune policies can be found here: