If you want to provide secure access to your corporate data on personal smartphones without enrolling those devices under full IT management, stay tuned, because in this article I am going to show you the exact policies you need to configure to protect your organization.
I also think we naturally don't want to extend our management to these devices given the support burden that causes. It would have to be baked into our IT service contract.
When we look for a middle ground using Microsoft 365 solutions, we get into the concepts of MDM and MAM. MDM stands for Mobile Device Management and involves fully enrolling and managing devices with Intune. MAM stands for Mobile Application Management, and you can think of it as a lightweight form of management: the user does not need to enroll their smartphone, but we can still manage the corporate applications and the data inside them on that device. This is truly the best of both worlds, and I recommend setting up these policies in every environment by default.
The first policy I am going to show you is in the Intune admin center and is called an App Protection policy. This policy allows us to target iOS and Android devices, specify the applications we want to protect, and define the controls we want to enforce. Common controls you will see as we walk through this include the ability to:
Follow the steps here to create the policies: Create and deploy app protection policies – Microsoft Intune | Microsoft Learn
End-User Experience:
From here, we can implement "layer 2" protections that restrict things further. Specifically, we can create a Conditional Access policy that forces users to use these protected applications rather than the native mail client on the smartphone. The policy only grants access when the request comes from an approved client app or an app covered by an app protection policy (Outlook, for example), so we keep control of the data and the additional protections from the App Protection policy actually apply; the built-in Mail app can satisfy neither condition and is blocked. Follow these steps to implement it: Conditional Access – Require approved app or app protection policy – Microsoft Entra ID | Microsoft Learn
End User Experience:
As you can see in the video above, this is not exactly the best end-user experience, given that it sends them to a pretty ambiguous support article they will not understand. For this reason, it's important to send proper notice and communication before turning on this policy.
When I've implemented this in customer environments, the biggest pushback I usually get is from some unique snowflake executives who really hate not being able to use the native mail and calendar apps on the device. I mean they really hate it. They want all of their data blended together with their personal Gmail. So it's important to communicate the security importance, and if you have to make concessions, I would recommend the following:
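Both layers described above can be scripted instead of clicked through, which is handy when you roll this out to many tenants. The following PowerShell is an added example written for this article, not code from the original post or from Microsoft; it uses the Microsoft Graph PowerShell SDK (`Connect-MgGraph`, `Invoke-MgGraphRequest`) against the Graph v1.0 `iosManagedAppProtections` and `conditionalAccess/policies` endpoints. The group ID, emergency-access account ID, policy names and the specific control values are assumptions you should adjust; the Outlook and Teams bundle IDs are the ones Microsoft publishes for iOS. The Conditional Access policy is deliberately created in report-only mode so you can send the communication above and review sign-in logs before enforcing it.

```powershell
# Added example (not from the original article): create the MAM "layer 1" App Protection
# policy and the "layer 2" Conditional Access policy through Microsoft Graph.
# Assumptions: IDs and names below are placeholders; property names follow the Graph v1.0
# iosManagedAppProtection and conditionalAccessPolicy resources. Android uses the same
# shape against /deviceAppManagement/androidManagedAppProtections with package IDs.

Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$graph        = "https://graph.microsoft.com/v1.0"
$byodGroupId  = "00000000-0000-0000-0000-000000000001"   # placeholder: Entra group of BYOD users
$breakGlassId = "00000000-0000-0000-0000-000000000002"   # placeholder: emergency-access account to exclude

# ---- Layer 1: App Protection policy (no device enrollment required) ----
$appPolicyBody = @{
    "@odata.type"                           = "#microsoft.graph.iosManagedAppProtection"
    displayName                             = "BYOD iOS - App protection (unmanaged devices)"
    description                             = "Keeps corporate data inside policy-managed Microsoft apps on personal iPhones"
    # Data transfer: corporate data may only move between policy-managed apps
    allowedInboundDataTransferSources       = "managedApps"
    allowedOutboundDataTransferDestinations = "managedApps"
    allowedOutboundClipboardSharingLevel    = "managedAppsWithPasteIn"
    allowedDataStorageLocations             = @("oneDriveForBusiness", "sharePoint")
    saveAsBlocked                           = $true
    printBlocked                            = $true
    dataBackupBlocked                       = $true      # keep app data out of iCloud backups
    contactSyncBlocked                      = $true
    managedBrowserToOpenLinksRequired       = $true      # links open in Edge, not Safari
    organizationalCredentialsRequired       = $false
    # Access: an app PIN that is independent of the (unmanaged) device passcode
    pinRequired                             = $true
    minimumPinLength                        = 6
    pinCharacterSet                         = "numeric"
    simplePinBlocked                        = $true
    maximumPinRetries                       = 5
    fingerprintBlocked                      = $false
    faceIdBlocked                           = $false
    disableAppPinIfDevicePinIsSet           = $false
    periodOnlineBeforeAccessCheck           = "PT30M"    # re-check policy with the service every 30 min online
    periodOfflineBeforeAccessCheck          = "PT12H"    # offline grace period before access is blocked
    periodOfflineBeforeWipeIsEnforced       = "P90D"     # offline this long -> corporate data is wiped
    appDataEncryptionType                   = "whenDeviceLocked"
}
$appPolicy = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/iosManagedAppProtections" -Body $appPolicyBody

# Target the apps the policy protects (Outlook and Teams, by iOS bundle ID)
$targetApps = @{
    apps = @(
        @{ "@odata.type" = "#microsoft.graph.managedMobileApp"
           mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"; bundleId = "com.microsoft.Office.Outlook" } },
        @{ "@odata.type" = "#microsoft.graph.managedMobileApp"
           mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"; bundleId = "com.microsoft.skype.teams" } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/iosManagedAppProtections/$($appPolicy.id)/targetApps" -Body $targetApps

# Assign the policy to the BYOD user group
$assignBody = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $byodGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/iosManagedAppProtections/$($appPolicy.id)/assign" -Body $assignBody

# ---- Layer 2: Conditional Access, report-only first ----
$caBody = @{
    displayName   = "BYOD mobile - Require approved client app or app protection policy"
    state         = "enabledForReportingButNotEnforced"   # switch to "enabled" after reviewing sign-in logs
    conditions    = @{
        users          = @{ includeGroups = @($byodGroupId); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("Office365") }
        platforms      = @{ includePlatforms = @("iOS", "android") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("approvedApplication", "compliantApplication")
    }
}
$caPolicy = Invoke-MgGraphRequest -Method POST -Uri "$graph/identity/conditionalAccess/policies" -Body $caBody

"Created App Protection policy $($appPolicy.id) and Conditional Access policy $($caPolicy.id) (report-only)"
```

Two things to check before flipping the Conditional Access policy to enabled: the emergency-access account really is excluded (a policy that blocks every client on mobile can lock out an admin who only has a phone to hand), and the report-only results in the sign-in logs show only the native Mail and Calendar clients failing the grant control. Because `clientAppTypes` is `all`, mobile browser sessions are covered too, so users on iOS and Android need Edge (which supports app protection policies) rather than Safari or Chrome to reach Microsoft 365 in a browser.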
You can follow these steps to send a selective wipe request to an end user's smartphone, which removes the corporate data at the application layer while leaving the user's personal apps and data in place: How to wipe only corporate data from apps – Microsoft Intune | Microsoft Learn
This is typically something you want to incorporate into a user offboarding SOP.
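For an offboarding SOP it helps to have the selective wipe as a script next to the account-disable and session-revoke steps. The following PowerShell is an added example written for this article, not code from the original post or from Microsoft. It lists the user's app protection registrations, groups them per physical device, and queues a wipe for each device tag; the user principal name is a placeholder, and the endpoint and property names follow the Graph v1.0 `managedAppRegistration` resource and the `wipeManagedAppRegistrationsByDeviceTag` user action.

```powershell
# Added example (not from the original article): selective wipe of corporate data from
# MAM-registered apps on a departing user's personal phone(s).
# Assumptions: $upn is a placeholder; endpoint and property names follow the Graph v1.0
# managedAppRegistration resource and the user wipeManagedAppRegistrationsByDeviceTag action.

param([switch]$DryRun)   # run with -DryRun to only list what would be wiped

Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All", "User.ReadWrite.All"

$graph = "https://graph.microsoft.com/v1.0"
$upn   = "jdoe@contoso.example"   # placeholder: user being offboarded

# 1. Every app that has checked in under an App Protection policy for this user.
#    -OutputType PSObject gives objects whose properties can be grouped and formatted.
$regs = Invoke-MgGraphRequest -Method GET -Uri "$graph/users/$upn/managedAppRegistrations" -OutputType PSObject
if (-not $regs.value) {
    Write-Host "No MAM registrations found for $upn; nothing to wipe."
    return
}

# 2. One deviceTag per physical device, several app registrations per tag.
$devices = $regs.value | Group-Object -Property deviceTag
foreach ($d in $devices) {
    $first = $d.Group[0]
    Write-Host ("{0} [{1}] last sync {2}: {3} protected app(s)" -f $first.deviceName, $first.deviceType, $first.lastSyncDateTime, $d.Count)
}

if ($DryRun) { return }

# 3. Queue the wipe per device. The apps pick it up on their next policy check-in,
#    so revoke sessions as well rather than relying on the wipe alone.
foreach ($d in $devices) {
    Invoke-MgGraphRequest -Method POST -Uri "$graph/users/$upn/wipeManagedAppRegistrationsByDeviceTag" -Body @{ deviceTag = $d.Name }
    Write-Host "Selective wipe queued for device tag $($d.Name)"
}

# 4. Invalidate refresh tokens so a cached session cannot keep pulling mail meanwhile.
Revoke-MgUserSignInSession -UserId $upn | Out-Null
Write-Host "Sign-in sessions revoked for $upn"
```

Run it once with `-DryRun` to confirm the devices listed are the ones you expect; the wipe itself is not reversible. Disabling the account in Entra ID is still a separate step, and the wipe only takes effect when the app next contacts the service, which is why the session revocation is included rather than left to a later step.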