Secure Sensitive Data with Mobile Application Management

Tom Papahronis

Strategic Advisor - eGroup | Enabling Technologies

We are constantly inundated with advertisements for new mobile phones and tablets. It always brings to mind the challenges that so many IT groups still have in getting their organizational leaders to agree to better secure company data and files on personal mobile devices.

Far more organizations than I would expect still use only basic security controls—like passwords and multi-factor authentication—to authorize access from mobile devices, but they don’t require known devices as an additional security layer. Requiring known devices and applications to get access to corporate data is an easy and effective way to help prevent both unauthorized access to and inappropriate use of sensitive information.

Ironically, almost none of these same organizations would consider allowing personal laptops or computers to access corporate resources, even though many of the same risks exist with mobile Apple or Android devices. Personal mobile devices are perhaps even more likely to be unpatched or insecurely configured, to contain potential malware, and to be shared by people other than employees.

Use the Microsoft Application Management Tool You Already Have: Intune

Many of the clients I see struggling to manage personally owned devices already own Intune licensing through their Microsoft 365 E3 or EMS E3 subscriptions. While Intune offers full management of devices (and this is appropriate if they are corporately owned), it also includes the ability to create and enforce mobile application management (MAM) policies on personally owned devices. MAM policies provide robust controls to govern how corporate data can be accessed from a mobile application, but without managing the device itself.

MAM policies protect data, not devices, and provide for the separate “sandboxing” of corporate data and applications from personal information, apps, photos, browser activity, and so forth. This segregation of corporate information makes it easy to protect while not interfering with the way people use their phones or tablets for everything else. For example, you can require specific email apps to access company email or restrict screenshots of corporate data while allowing personal app and data use to be unrestricted.

Further, conditional access policies can be enforced so that only known devices with device records in Entra ID and appropriate applications and application controls are permitted to access company resources. Again, this adds significant protection. Access is only granted if both valid account credentials and an authorized device are used to make the request.
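One way to check that the conditional access layer described above is actually enforced on mobile platforms. This is an added example, not code from the original article or from Microsoft: it assumes policies exported as JSON in the Microsoft Graph `conditionalAccessPolicy` shape, the sample policies are constructed, and the helper names are hypothetical. It reads only platform, state and grant controls, not user or application scoping.

```python
# Added example; policy objects follow the Microsoft Graph conditionalAccessPolicy
# JSON shape. All sample policies below are constructed for illustration.
APP_CONTROLS = {"approvedApplication", "compliantApplication"}
MOBILE_PLATFORMS = ("iOS", "android")

def applies_to(policy, platform):
    """True if the policy's platform condition covers the given platform."""
    platforms = (policy.get("conditions") or {}).get("platforms")
    if not platforms:  # no platform condition: policy applies to every platform
        return True
    include = platforms.get("includePlatforms") or []
    exclude = platforms.get("excludePlatforms") or []
    return (platform in include or "all" in include) and platform not in exclude

def enforces_app_control(policy):
    """True only if access cannot be granted without an approved or protected app."""
    if policy.get("state") != "enabled":  # report-only and disabled policies gate nothing
        return False
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls") or [])
    if not controls & APP_CONTROLS:
        return False
    if grant.get("operator") == "OR":
        # With OR, one satisfied control is enough, so every option must be an app control.
        return controls <= APP_CONTROLS
    return True

def mobile_gaps(policies):
    """Mobile platforms that no enforced app-control policy covers."""
    return [p for p in MOBILE_PLATFORMS
            if not any(applies_to(pol, p) and enforces_app_control(pol) for pol in policies)]

def policy(name, state, platforms, operator, controls):
    """Build a constructed sample policy with only the fields this audit reads."""
    return {"displayName": name, "state": state,
            "conditions": {"platforms": {"includePlatforms": platforms}},
            "grantControls": {"operator": operator, "builtInControls": controls}}

SAMPLE_POLICIES = [
    policy("Mobile - require protected app (iOS)", "enabled", ["iOS"],
           "OR", ["approvedApplication", "compliantApplication"]),
    policy("Mobile - require protected app (Android pilot)",
           "enabledForReportingButNotEnforced", ["android"], "AND", ["compliantApplication"]),
    policy("All platforms - MFA or protected app", "enabled", ["all"],
           "OR", ["mfa", "compliantApplication"]),
]

if __name__ == "__main__":
    print("Platforms without enforced app control:", mobile_gaps(SAMPLE_POLICIES))
```

In the constructed sample, Android is reported as a gap: its dedicated policy is still in report-only mode, and the all-platforms policy can be satisfied by MFA alone.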

Common Objections to MAM and How to Overcome Them

I hear some flavor of the following objections in every conversation I have about application management. They are easily overcome and often driven by a lack of information about what is possible with Intune.


  • Before MAM, fully enrolling personal devices in Intune device management was a heavy lift that occasionally could require the reset of devices to get it to work. With MAM, the process is much easier and comes down to communication and a thoughtful rollout process. 
  • A one-time effort is required to deploy MAM, but the ongoing complexity of maintaining an expensive corporate mobile plan or requiring people to carry two devices has become a thing of the past.
  • Corporate MAM application policies are largely transparent and only apply to corporate apps. Personal data and apps do not change.

Enrollment Effort

  • While staff will need to install a broker app—either Microsoft Authenticator or Company Portal—to enable MAM, they do so from the app store they already use.
  • Once installed, they simply authenticate to register their device and add the required corporate apps to access company data.
  • No separate iCloud or Google Play account is required.

“Big Brother”

  • The MAM policies do not allow the company to control the device. The sandboxed corporate data and apps are the only elements that the company can control. If someone leaves the company, for example, their data is not at any risk of restriction or deletion.
  • Personal data simply is not visible to Intune. MAM only allows for the protection and deletion of corporate data in the case of a lost or stolen device. If the employee deletes the corporate apps and broker app, the device is no longer affiliated with their employer at all.

Challenges to Anticipate

When you overcome the common objections above, there will still be some common edge cases and exceptions you should plan for:

  • Resistance to switching to Outlook mobile. The native iOS and Android mail applications are not manageable with MAM policies, so organizations will often require Outlook mobile to be used instead. Employees can find it hard to break from the native app. (Personal accounts can easily be added to Outlook mobile alongside their Exchange Online account, or they can maintain their personal mail in the native app.)
  • You may have to develop a fair and equitable way to compensate people for using their personal devices. A partial stipend or device credit is an effective way to do that and is less expensive and complex than having a corporate plan. Leadership buy-in is required to make this work.
  • There may be groups or individuals in the organization that cannot (or will not) use a personal device. Make sure you have a way to allow for this limitation. Having a limited number of corporate devices available or requiring the use of their corporate laptop instead of a mobile device are methods I have seen that work well.

Carrots Instead of Sticks

There are several future advantages that implementing MAM can enable, so make sure to highlight these advantages when communicating changes to staff, as well as building support with leadership:

  • Requiring Authenticator as the broker app will also set the stage for future passwordless authentication. Not having to remember a password and moving MFA prompts away from SMS make the authentication experience easier and more fluid for everyone.
  • Regulatory compliance generally requires mobile device controls. Security regulations and frameworks like NIST, CIS, and HIPAA (among many others) all require the organization to exclude access from unmanaged devices. MAM helps meet that requirement. (Cyber insurance policies also often require mobile device controls.)
  • Enabling secure personal device use keeps the organization out of porting personal numbers to or from a corporate plan. At best, this process is difficult, time-consuming, and frustrating for employees and the IT or telecom team. MAM also enables a way to reduce or eliminate corporate mobile plan costs.

I hope it is clear that MAM policies can address both organizational risks and employee reservations regarding access and usage of sensitive corporate data. Intune offers a lot of flexibility to strike the right balance between security and usability for your organization. Our team helps organizations through this process all the time. Let us know if we can help!
