For UK SMEs looking to stay ahead in the modern workplace, understanding Intune and robust device management is fundamentally important. The widespread adoption of Bring Your Own Device (BYOD) policies offers significant flexibility and cost savings, but it also introduces complex security and compliance challenges. This comprehensive guide walks you through the core concepts of securing personal phones with Microsoft Intune Mobile Application Management (MAM), delves into common pitfalls, and provides practical, actionable steps you can implement today to ensure your IT infrastructure remains secure and compliant with UK regulations like GDPR.
The BYOD Revolution and Its Security Implications for UK SMEs
The "Bring Your Own Device" (BYOD) trend has become a cornerstone of modern work environments, particularly within UK SMEs. Employees increasingly prefer using their own smartphones, tablets, and laptops for work tasks due to familiarity, convenience, and often superior performance compared to company-issued equipment. This shift offers numerous benefits:
- Increased Employee Satisfaction: Users are more comfortable and productive on devices they know and love.
- Cost Savings: Businesses can reduce capital expenditure on hardware and ongoing maintenance.
- Enhanced Flexibility: Employees can work from anywhere, anytime, fostering a more agile and responsive workforce.
However, the convenience of BYOD comes with significant security and compliance risks that UK SMEs cannot afford to ignore. When sensitive business data, client information, or intellectual property resides on personal devices, the potential for a data breach skyrockets. Consider these scenarios:
- A personal phone is lost or stolen, potentially exposing company emails, documents, or customer data.
- An employee installs a malicious app on their personal device, inadvertently creating a backdoor into your company network or data.
- An employee leaves the company, and their personal device still contains sensitive business information, posing a data retention and compliance headache.
- Lack of control over personal device security settings (e.g., no strong PIN, outdated OS) can create vulnerabilities.
For UK businesses, these risks are amplified by stringent regulations such as the General Data Protection Regulation (GDPR). The Information Commissioner's Office (ICO) actively investigates data breaches, and non-compliance can lead to substantial fines, reputational damage, and a loss of customer trust. A proactive IT strategy doesn't just reduce risk—it increases operational efficiency, protects your business's reputation, and helps maintain compliance.
Understanding Intune MAM: Beyond Basic Device Management
To effectively manage the risks associated with BYOD, UK SMEs need a sophisticated yet accessible solution. This is where Microsoft Intune Mobile Application Management (MAM) comes into its own.
What is Intune?
Microsoft Intune is a cloud-based service that provides mobile device management (MDM) and mobile application management (MAM) capabilities. As a key component of Microsoft 365, it helps organisations manage and secure endpoints, including smartphones, tablets, and laptops, from a single, unified platform. Intune allows businesses to:
- Deploy and manage applications.
- Enforce security policies.
- Protect company data.
- Manage access to corporate resources.
What is MAM (Mobile Application Management)?
While Intune offers MDM capabilities (managing the entire device), MAM focuses specifically on securing and managing applications and the data within them, rather than controlling the entire personal device. This distinction is crucial for BYOD scenarios:
- MDM (Mobile Device Management): Designed for company-owned devices, MDM gives IT full control over the device. It can enforce strong passwords, encrypt the entire device, wipe all data, and restrict hardware features. This level of control is often unacceptable for employees using their personal devices for work.
- MAM (Mobile Application Management): Ideal for BYOD, MAM applies policies only to specific work-related applications (e.g., Outlook, Teams, OneDrive) and the corporate data they access. It allows IT to secure corporate data without infringing on an employee's personal privacy or control over their device's non-work-related functions.
How Intune MAM Secures Personal Devices
Intune MAM works by creating a secure container around corporate applications and their data on a personal device. It applies policies that protect the data within these managed applications, leaving personal apps and data untouched. Key ways Intune MAM secures personal devices include:
- Data Protection Policies:
- Restricting Copy/Paste: Prevent users from copying sensitive corporate data from a managed app (e.g., Outlook) and pasting it into an unmanaged personal app (e.g., a personal messaging app).
- "Save As" Restrictions: Control where users can save corporate documents, preventing them from saving to unapproved cloud storage or local device folders.
- Enforcing Encryption: Ensure that corporate data within managed applications is encrypted on the device.
- Access Control:
- PIN/Biometric Authentication: Require a specific PIN or biometric authentication (fingerprint, face ID) to access managed applications, separate from the device's overall lock screen.
- Conditional Access: Integrate with Azure Active Directory (now Microsoft Entra ID) to ensure that users can only access corporate apps from devices that meet specific compliance standards (e.g., not jailbroken/rooted, running a minimum OS version).
- Remote Selective Wipe: In the event of an employee leaving the company or a device being lost/stolen, IT can remotely wipe only the corporate data from the managed applications, leaving the user's personal data intact. This is a critical feature for both security and privacy.
- App Health Checks: Policies can detect if a device is jailbroken or rooted, preventing managed apps from running in an insecure environment.
- Data Transfer Restrictions: Control how data moves between managed apps and external services, preventing accidental or malicious data leakage.
Why a Robust BYOD Policy with Intune MAM is Non-Negotiable
Many business owners underestimate the financial and reputational impact of neglecting this area. Whether you are aiming to prepare for future cyber threats or just looking to optimise your costs, understanding this topic can save thousands of pounds annually.
Mitigating Data Breach Risks
The primary reason for implementing Intune MAM is to protect your business's sensitive data. By securing corporate applications and data on personal devices, you significantly reduce the risk of:
- Unauthorised Access: Preventing third parties from accessing company data if a device is compromised.
- Data Leakage: Controlling how data moves between applications and external sources, minimising accidental sharing.
- Compliance Failures: Demonstrating due diligence in protecting personal data, crucial for GDPR.
Achieving UK Regulatory Compliance
For UK SMEs, compliance with data protection laws is paramount.
- GDPR (General Data Protection Regulation): GDPR mandates that organisations implement appropriate technical and organisational measures to protect personal data. Having a clear BYOD policy enforced by Intune MAM demonstrates a commitment to data security, helping you meet your obligations under Articles 25 (Data protection by design and by default) and 32 (Security of processing).
- ICO (Information Commissioner's Office): The ICO, the UK's independent authority for upholding information rights, expects organisations to have robust security measures in place. In the event of a data breach involving personal devices, demonstrating the use of MAM policies can be vital in mitigating potential fines and showing that reasonable steps were taken to prevent the incident.
- Cyber Essentials: While not explicitly mandating MAM, the UK government-backed Cyber Essentials scheme (and its higher-level Cyber Essentials Plus) requires organisations to implement controls around secure configuration, access control, malware protection, and patch management. Intune MAM directly contributes to these areas by ensuring applications are configured securely and access is controlled.
Enhancing Operational Efficiency and Employee Satisfaction
A well-implemented BYOD policy with Intune MAM can significantly boost your business's operational efficiency:
- Streamlined IT Management: Centralised management of application policies reduces the burden on IT support.
- Reduced IT Helpdesk Tickets: Clear policies and automated enforcement reduce user confusion and common security issues.
- Improved User Experience: Employees can use their preferred devices while feeling confident that their personal data remains separate and private.
Cost Optimisation
While there's an investment in Microsoft 365 licensing, a robust BYOD strategy can lead to significant cost savings:
- Reduced Hardware Costs: Eliminating the need to purchase and maintain company-owned mobile devices for every employee.
- Lower Support Overhead: Fewer issues related to device management, as MAM focuses on applications rather than the entire device.
- Avoidance of Fines: Proactive security reduces the risk of costly data breaches and associated regulatory penalties.
Common Pitfalls to Avoid in Your BYOD and Intune MAM Implementation
Implementing a BYOD policy with Intune MAM can be straightforward, but many businesses stumble over common mistakes. Avoiding these pitfalls is crucial for a successful and secure rollout.
- Neglecting a Clear, Comprehensive BYOD Policy:
- Mistake: Assuming Intune MAM alone is enough, or having a vague policy document.
- Why it Matters: The technology only enforces what your policy dictates. Without a clear, written BYOD policy, employees won't understand their responsibilities, what data can be accessed, or the implications of non-compliance. This can lead to confusion, resistance, and security gaps.
- Solution: Develop a detailed policy covering acceptable use, data ownership, security requirements (e.g., PINs, OS updates), privacy expectations, and the process for departing employees.
- Insufficient User Training and Communication:
- Mistake: Rolling out Intune MAM without explaining why it's being implemented or what it means for employees.
- Why it Matters: Employees might perceive MAM as an invasion of privacy if they don't understand that it only targets corporate data. Lack of training can lead to misconfigurations, frustration, and workarounds that compromise security.
- Solution: Conduct clear, concise training sessions. Explain the benefits for both the business and the employee (e.g., protecting personal privacy, enabling flexible work). Emphasise that personal data remains untouched. Provide accessible documentation and a point of contact for questions.
- Over-reliance on Default Settings Without Professional Configuration:
- Mistake: Activating Intune MAM and assuming the default settings are sufficient for your specific business needs.
- Why it Matters: Default settings are generic and rarely align perfectly with an SME's unique risk profile, compliance requirements, or workflow. This can result in either overly restrictive policies that hinder productivity or, more commonly, insufficient security that leaves vulnerabilities open.
- Solution: Consult with an expert or a managed service provider (MSP) to tailor Intune MAM policies. Customise data protection policies (copy/paste, save-as), access requirements, and conditional access rules to fit your specific applications and data sensitivity.
- Skipping Regular Audits and Updates:
- Mistake: Implementing Intune MAM and considering it a "set and forget" solution.
- Why it Matters: The cyber threat landscape evolves constantly, as do UK regulations and Microsoft Intune's capabilities. Policies that were effective a year ago might be outdated today. Ignoring audits can lead to security drift, where policies become less effective over time.
- Solution: Schedule periodic reviews (e.g., quarterly or bi-annually) of your BYOD policy and Intune MAM configurations. Check for new threats, update policies to reflect changes in business operations or regulations, and ensure all devices and applications remain compliant.
- Inadequate Microsoft 365 Licensing:
- Mistake: Assuming all Microsoft 365 subscriptions include full Intune MAM capabilities.
- Why it Matters: Lower-tier licenses (e.g., Microsoft 365 Business Basic, Standard) may not include Intune MAM. Attempting to implement without the correct licensing will lead to functionality gaps or outright failure.
- Solution: Verify your current Microsoft 365 licensing. Intune MAM capabilities are typically included with Microsoft 365 Business Premium, Enterprise E3, or Enterprise E5 subscriptions. If you're unsure, consult with your Microsoft licensing partner or an MSP.
Practical Steps to Implement a Secure BYOD Strategy with Intune MAM
To get started with securing your personal phones with Intune MAM, consider the following structured approach.
Step 1: Define Your Comprehensive BYOD Policy
Before touching any technology, clearly define the rules of engagement. This policy should be a formal document that employees acknowledge and agree to. Key elements include:
- Scope: Which devices are allowed? Which roles/employees can participate?
- Acceptable Use: What corporate data can be accessed? What activities are prohibited?
- Security Requirements: Minimum OS versions, PIN/biometric requirements, agreement to MAM policies.
- Data Ownership: Clearly state that all corporate data accessed on the device remains the property of the business.
- Privacy Expectations: Reassure employees that only corporate data and applications are managed, not their personal information.
- Support: What level of IT support is provided for personal devices?
- Offboarding: What happens to corporate data when an employee leaves? (e.g., remote selective wipe).
- Consequences of Non-Compliance: What happens if the policy is violated?
Step 2: Assess Your Microsoft 365 Licensing
Review your current Microsoft 365 subscription to ensure you have the necessary licenses for Intune MAM. As mentioned, Microsoft 365 Business Premium, Enterprise E3, or E5 typically provide the required functionality. If you're on a lower tier, you'll need to upgrade or purchase add-on licenses. This is a crucial foundation for any Intune deployment.
Step 3: Design and Configure Your Intune MAM Policies
This is where you translate your BYOD policy into technical controls. Work with an IT professional or MSP to:
- Identify Core Applications: Determine which Microsoft 365 apps (Outlook, Teams, OneDrive, SharePoint) and any other line-of-business apps need MAM protection.
- Create App Protection Policies:
- Data Relocation: Restrict cut, copy, and paste between managed and unmanaged apps.
- Save As Controls: Prevent saving corporate data to personal cloud storage or local device storage.
- Access Requirements: Enforce PIN or biometric authentication for managed apps.
- Conditional Access: Integrate with Microsoft Entra ID (formerly Azure AD) Conditional Access to ensure devices meet compliance standards before granting access.
- Offline Access: Define how long data can be accessed offline.
- Encryption: Ensure data within managed apps is encrypted.
- Configure App Configuration Policies: Push out specific settings to managed apps, such as email signatures or default save locations.
- Implement Selective Wipe: Ensure the ability to remotely wipe corporate data from managed apps is configured and tested.
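The settings listed under "How Intune MAM Secures Personal Devices" and in Step 3 above correspond one-to-one to properties on an Intune app protection policy object. The script below is an added example (not code from the article or from Microsoft): it builds an iOS app protection policy body in the shape accepted by the Microsoft Graph `iosManagedAppProtection` resource as I understand it, and then audits that body against a BYOD baseline so a weakened policy is caught before it is deployed. The endpoint URL, the permission scope and the property names are my reading of the Graph reference and should be checked against it for your tenant; the policy values are a constructed baseline, not Microsoft's defaults.

```python
"""Build and audit an Intune app protection policy body for personal iOS devices.

Added example, not from the article. Property names follow the Microsoft Graph
iosManagedAppProtection resource as I know it; verify against the Graph
reference before posting. Policy values are a constructed BYOD baseline.
"""
from datetime import timedelta
from typing import Any, Dict, List

# Assumed endpoint for creating the policy (POST, scope DeviceManagementApps.ReadWrite.All).
GRAPH_ENDPOINT = "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections"


def iso_duration(td: timedelta) -> str:
    """Graph expresses timeout periods as ISO 8601 durations, e.g. PT12H or P90D."""
    total = int(td.total_seconds())
    days, rem = divmod(total, 86400)
    hours, rem = divmod(rem, 3600)
    minutes = rem // 60
    out = "P"
    if days:
        out += f"{days}D"
    if hours or minutes:
        out += "T" + (f"{hours}H" if hours else "") + (f"{minutes}M" if minutes else "")
    return out if out != "P" else "PT0S"


def byod_ios_policy(name: str) -> Dict[str, Any]:
    """Translate the article's BYOD requirements into Graph policy properties."""
    return {
        "@odata.type": "#microsoft.graph.iosManagedAppProtection",
        "displayName": name,
        "description": "Constructed BYOD baseline for personal iPhones and iPads",
        # Data relocation: corporate data may only move between managed apps;
        # the clipboard allows pasting into managed apps but not out of them.
        "allowedInboundDataTransferSources": "managedApps",
        "allowedOutboundDataTransferDestinations": "managedApps",
        "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
        # "Save As" controls: corporate storage only, no local copies or backups.
        "saveAsBlocked": True,
        "allowedDataStorageLocations": ["oneDriveForBusiness", "sharePoint"],
        "dataBackupBlocked": True,
        "printBlocked": True,
        # Access requirements: an app PIN independent of the device lock screen.
        "pinRequired": True,
        "minimumPinLength": 6,
        "pinCharacterSet": "numeric",
        "disableAppPinIfDevicePinIsSet": False,
        "fingerprintBlocked": False,
        "faceIdBlocked": False,
        # Conditional access: require a compliant device and a supported OS.
        "deviceComplianceRequired": True,
        "minimumRequiredOsVersion": "16.0",
        # Offline access window, re-authentication interval and wipe deadline.
        "periodOnlineBeforeAccessCheck": iso_duration(timedelta(minutes=30)),
        "periodOfflineBeforeAccessCheck": iso_duration(timedelta(hours=12)),
        "periodOfflineBeforeWipeIsEnforced": iso_duration(timedelta(days=90)),
        # Encryption of app data whenever the device is locked.
        "appDataEncryptionType": "whenDeviceLocked",
        "managedBrowserToOpenLinksRequired": True,
        "contactSyncBlocked": True,
    }


# Minimum settings the BYOD policy document requires (constructed baseline).
BYOD_REQUIREMENTS = {
    "pinRequired": True,
    "saveAsBlocked": True,
    "dataBackupBlocked": True,
    "deviceComplianceRequired": True,
}


def audit_policy(policy: Dict[str, Any]) -> List[str]:
    """Return one finding per setting that is weaker than the BYOD baseline."""
    findings = []
    for key, want in BYOD_REQUIREMENTS.items():
        if policy.get(key) != want:
            findings.append(f"{key} should be {want}, got {policy.get(key)!r}")
    if policy.get("allowedOutboundDataTransferDestinations") == "allApps":
        findings.append("outbound data transfer is open to all apps")
    if policy.get("allowedOutboundClipboardSharingLevel") == "allApps":
        findings.append("clipboard sharing allows paste into any app")
    if "localStorage" in policy.get("allowedDataStorageLocations", []):
        findings.append("documents may be saved to local device storage")
    if policy.get("minimumPinLength", 0) < 6:
        findings.append("PIN shorter than 6 characters")
    return findings


if __name__ == "__main__":
    body = byod_ios_policy("BYOD iOS baseline")
    print("Findings:", audit_policy(body) or "none")
```

An Android policy follows the same pattern against `androidManagedAppProtections`, with Android-specific properties such as `encryptAppData` and `screenCaptureBlocked`. Running `audit_policy` over the policies you export from the tenant, rather than only over bodies you create, is the easy way to do the quarterly review the pitfalls section recommends.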
Step 4: Communicate and Train Your Team
A structured rollout plan is essential for user adoption and compliance.
- Pre-Launch Communication: Inform employees about the upcoming changes, explaining the benefits (security, flexibility) and addressing privacy concerns.
- Training Sessions: Provide clear, concise training on how to enrol devices, what the policies mean for their day-to-day work, and who to contact for support.
- Ongoing Education: Regularly remind employees of the policy and provide updates on best practices.
Step 5: Implement and Monitor
- Phased Rollout: Consider a pilot program with a small group of users before rolling out to the entire organisation. This allows you to identify and resolve issues early.
- Monitor Compliance: Use Intune's reporting features to monitor device and application compliance. Identify non-compliant devices or users and take corrective action.
- Regular Audits: Periodically review your BYOD policy and Intune MAM configurations to ensure they remain effective against evolving threats and comply with current UK regulations.
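Monitoring in Step 5 comes down to reading the registration records that managed apps report back and acting on the ones that break policy. The script below is an added example (not code from the article or from Microsoft): it triages a handful of constructed records shaped like the Microsoft Graph `managedAppRegistration` resource as I understand it, flagging rooted devices, devices below the minimum OS version and registrations that have not checked in within the offline window, and builds the request for a selective wipe of one device. The field names, the Graph list endpoint and the wipe action name are my reading of the Graph reference and should be verified; the records and the reference time are constructed sample data.

```python
"""Triage Intune app-registration records for BYOD compliance.

Added example, not from the article. Record shape mirrors the Microsoft Graph
managedAppRegistration resource as I know it (GET
/deviceAppManagement/managedAppRegistrations); all records are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List, Tuple

# Constructed sample of what the Graph call returns, trimmed to the fields used.
SAMPLE_REGISTRATIONS: List[Dict[str, Any]] = [
    {"id": "reg-1", "userId": "user-a", "deviceName": "Alice iPhone",
     "deviceType": "iPhone", "deviceTag": "tag-a1", "platformVersion": "17.1",
     "lastSyncDateTime": "2024-05-01T08:00:00Z", "flaggedReasons": ["none"],
     "appIdentifier": {"bundleId": "com.microsoft.Office.Outlook"}},
    {"id": "reg-2", "userId": "user-b", "deviceName": "Bob Android",
     "deviceType": "Android", "deviceTag": "tag-b1", "platformVersion": "14",
     "lastSyncDateTime": "2024-05-01T07:30:00Z", "flaggedReasons": ["rootedDevice"],
     "appIdentifier": {"packageId": "com.microsoft.teams"}},
    {"id": "reg-3", "userId": "user-c", "deviceName": "Carol iPad",
     "deviceType": "iPad", "deviceTag": "tag-c1", "platformVersion": "15.7.2",
     "lastSyncDateTime": "2024-01-15T12:00:00Z", "flaggedReasons": ["none"],
     "appIdentifier": {"bundleId": "com.microsoft.skydrive"}},
]

# Constructed reference time so the sample run is reproducible.
REFERENCE_NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
MIN_OS = {"iOS": "16.0", "Android": "13"}   # matches the policy's minimum OS versions
MAX_STALE = timedelta(days=30)              # longer than the offline access window


def parse_version(v: str) -> Tuple[int, ...]:
    """'15.7.2' -> (15, 7, 2); non-numeric fragments count as 0."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def triage_registrations(records: List[Dict[str, Any]], min_os: Dict[str, str],
                         max_stale: timedelta, now: datetime) -> List[Dict[str, str]]:
    """Return one finding per problem: rooted device, OS below minimum, stale sync."""
    findings = []
    for r in records:
        platform = "Android" if r["deviceType"] == "Android" else "iOS"
        if "rootedDevice" in r.get("flaggedReasons", []):
            findings.append({"id": r["id"], "issue": "rooted",
                             "action": "selective wipe, then contact the user"})
        if parse_version(r["platformVersion"]) < parse_version(min_os[platform]):
            findings.append({"id": r["id"], "issue": "os_below_minimum",
                             "action": f"ask user to update to {platform} {min_os[platform]}"})
        last = datetime.fromisoformat(r["lastSyncDateTime"].replace("Z", "+00:00"))
        if now - last > max_stale:
            findings.append({"id": r["id"], "issue": "stale_sync",
                             "action": "confirm the device is still in use or wipe it"})
    return findings


def selective_wipe_request(user_id: str, device_tag: str) -> Tuple[str, Dict[str, str]]:
    """Build (URL, body) for the wipe-by-device-tag action; action name is assumed."""
    url = f"https://graph.microsoft.com/v1.0/users/{user_id}/wipeManagedAppRegistrationsByDeviceTag"
    return url, {"deviceTag": device_tag}


def sample_findings() -> List[Dict[str, str]]:
    """Run the triage over the constructed records at the constructed reference time."""
    return triage_registrations(SAMPLE_REGISTRATIONS, MIN_OS, MAX_STALE, REFERENCE_NOW)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f['id']}: {f['issue']} -> {f['action']}")
```

Only the rooted device needs the wipe request; the other two findings are user-facing follow-ups first, which keeps the selective-wipe action for the cases the offboarding section of the BYOD policy actually covers.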
Step 6: Consider Cyber Essentials Certification
Implementing Intune MAM and a robust BYOD policy will significantly strengthen your security posture, making it easier to achieve Cyber Essentials certification. This UK government-backed scheme provides a clear baseline of cyber security controls, and Intune MAM directly addresses several areas, particularly around secure configuration and access control. Achieving this certification demonstrates your commitment to cyber security to clients, partners, and the ICO.
Key Takeaways
- BYOD is a double-edged sword: It offers flexibility and cost savings but introduces significant security and compliance risks for UK SMEs.
- Intune MAM is key for BYOD: It secures corporate data within specific applications on personal devices, without infringing on personal privacy, making it ideal for BYOD.
- MDM vs. MAM: Understand the difference – MDM manages the whole device (company-owned), MAM manages applications and data (personal devices).
- Compliance is crucial: Intune MAM helps UK businesses meet GDPR obligations and demonstrate due diligence to the ICO.
- Avoid common pitfalls: Don't neglect a clear policy, user training, expert configuration, or regular audits.
- Structured implementation: Follow a step-by-step approach from policy definition to ongoing monitoring for a successful and secure rollout.
- Consider Cyber Essentials: A strong BYOD strategy with Intune MAM contributes directly to achieving this vital UK cyber security certification.