Considerations when deploying MTD with Android Enterprise

Comment thread for the following:

Considerations when deploying MTD with Android Enterprise | Jason Bayton

Hi Jason,

thanks for the great overview of the ‘problem’ we run into when using MTD on a AE device. In the end I think that the ultimate solution would be if MTD providers would make it possible to activate their MTD client twice on a device, once in the work profile and onetime outside of the work profile. Currently when registering a device in MTD through an MDM connector there is no way to do this.


MTD vendor depending that’s not unheard of, so likely something you need to bring up with the vendor you work with directly; if you’re doing it through EMM connector it naturally can’t automatically do so outside of EMM control, however manual invitations or global activation codes would offer alternative means to manually activate.

Should an EMM build the capability to push to both work and parent profile via managed Google Play accounts then you’ll be set, but BYOD will always struggle by comparison.

Hello Jason,

great overview on MTD in the Android space - as always.

One question, I’m asking myself: your article focuses on the detection of threats. I wonder what capabilities a 3rd party MTD solution app can have on an Android device to actually protect (instead of only detecting).

In the end it is just another app, isn’t it. Would it be able to trigger any consequences? E.g. prevent the installation of a PHA or prevent the connection to potentially rogue access point. Does it have the power to do so in Android Enterprise? Not being an EMM client… Especially when I think about the COPE changes coming with Android 11. What’s your view on that?

Best regards,

Typically MTD hooks into your EMM platform, and so yes although you’re 100% that they predominantly detect rather that protect, the protect comes from that communication with the server(s) that manage the device on the app side of things.

If the MTD detects a known bad app, it can ping the EMM to put the device out of compliance, mark it as high risk and have it moved groups/folders, plenty more. It can do this in almost real-time given it’s on the device and monitoring app installation & changes. What happens to that device then is entirely down to the EMM admin and range from an email notification to an enterprise wipe.

On active protection, that tends to be more on the network side of things. It can and will block a bad known URL, prevent phishing, and generally get in the way. It does this via traffic proxy or VPN, depending on the solution.

With the COPE changes it makes things more difficult, but actually the network stack and device posture can still be monitored, it’s the visibility of parent profile apps - which could only happen in any case when the MTD is installed on the parent profile - that suffers, as now you’re entirely reliant on expecting users to install it themselves, like work profile deployments (BYOD).