We are constantly inundated with advertisements for new mobile phones and tablets. It always brings to mind the challenges that so many IT groups still have in getting their organizational leaders to agree to better, more secure company data and files on personal mobile devices.
Far more organizations than I would expect still use only basic security controls—like passwords and multi-factor authentication—to authorize access from mobile devices, but they don’t require known devices as an additional security layer. Requiring known devices and applications to get access to corporate data is easy and an effective way to help prevent both unauthorized access to and inappropriate use of sensitive information.
Ironically, almost none of these same organizations would consider allowing personal laptops or computers to access corporate resources, even though many of the same risks exist with mobile Apple or Android devices. Personal mobile devices are perhaps even more likely to be unpatched, insecurely configured, contain potential malware, and shared by people other than employees.
Many of the clients I see struggle with managing personally owned devices already own Intune licensing through their Microsoft 365 E3 or EMS E3 subscriptions. While Intune offers full management of devices (and this is appropriate if corporately owned), it also includes the ability to create and enforce mobile application management (MAM) policies on personally owned devices. MAM policies provide robust controls to govern how corporate data can be accessed from a mobile application, but without managing the device itself.
MAM policies protect data, not devices, and provide for the separate “sandboxing” of corporate data and applications from personal information, apps, photos, browser activity, and so forth. This segregation of corporate information makes it easy to protect while not interfering with the way people use their phones or tablets for everything else. For example, you can require specific email apps to access company email or restrict screenshots of corporate data while allowing personal app and data use to be unrestricted.
Further, conditional access policies can be enforced so that only known devices with device records in Entra ID and appropriate applications and application controls are permitted to access company resources. Again, this adds significant protection. Access is only granted if both valid account credentials and an authorized device are used to make the request.
I hear some flavor of the following objections in every conversation I have about application management. They are easily overcome and often driven by a lack of information about what is possible with Intune.
When you overcome the common objections above, there will still be some common edge cases and exceptions you should plan for:
There are several future advantages that implementing MAM can enable, so make sure to highlight these advantages when communicating changes to staff, as well as building support with leadership:
I hope it is clear that MAM policies can address both organizational risks and employee reservations regarding access and usage of sensitive corporate data. Intune offers a lot of flexibility to strike the right balance between security and usability for your organization. Our team helps organizations through this process all the time. Let us know if we can help!
Contact our team of experts today to get started on your journey to a more secure organization!