Cybersecurity

Mobile Device Management (MDM) for a BYOD Workforce

Microsoft Intune managing company data on a personal smartphone while leaving the staff member's personal apps and photos untouched

Mobile device management is how you keep company email and data secure when staff read it on phones, tablets and personal laptops you don’t own. The real problem with bring-your-own-device (BYOD) is the privacy trade-off, and the fix is usually app-protection policies that secure the company data inside an app without taking control of someone’s entire personal phone.

The problem MDM and MAM actually solve

The moment a staff member adds their work Microsoft 365 account to the Mail app on their own iPhone, your company data is sitting on a device you have no control over. No screen lock policy, no encryption guarantee, no way to remove the data if the phone is lost or the person leaves. Multiply that across a 40-person business and you have email, OneDrive files and Teams chats scattered across dozens of unmanaged personal devices.

This is the gap two related technologies close. Mobile device management (MDM) manages the whole device — it enrols the phone or laptop and enforces a passcode, encryption and OS version, and gives you the ability to wipe it. Mobile application management (MAM), or app-protection policy, manages only the company apps and the data inside them. It can require a PIN on the work app, block copy-paste out to personal apps, and wipe just the company data, while never touching the photos, messages or personal accounts on the device.

The distinction matters because most BYOD failures aren’t technical — they’re about trust. Staff don’t want their employer controlling their personal phone, and they’re right to be cautious. MAM answers that objection, and getting the choice right is the difference between a policy people accept and one they quietly work around.

The BYOD privacy tension, and why it kills full enrolment

Ask any team to enrol their personal phones in full MDM and you’ll hear the same fear: “Can the company read my texts? Can they wipe my photos?” With full device enrolment, the honest answer is that the company can see device-level inventory, push configuration, and yes, issue a full wipe that takes the personal data with it. Even when an MSP would never do that, the perception alone pushes people to refuse, use a second unmanaged device, or forward work email to a personal account — far worse for security than the problem you started with.

App-protection policy removes the objection. The company gets a security boundary around its own data — the work account, its files, its email — and the staff member keeps full ownership of everything else. When they leave, you wipe the company container and their holiday photos are untouched. For BYOD this is almost always the right model; you reserve full device management for hardware the business actually owns.

Microsoft Intune: the tool most Melbourne SMEs already have

If you’re on Microsoft 365 Business Premium or any E3/E5 licence, you already own Microsoft Intune — it’s bundled, which is why it’s the default MDM/MAM platform for businesses in our patch. Intune does both jobs from one console and ties into the rest of the Microsoft security stack. Four pieces do the heavy lifting.

Device compliance policies

A compliance policy defines what “healthy” means for a device: minimum OS version, disk encryption on, a passcode of a set length, not jailbroken or rooted. Intune continuously checks enrolled devices and marks each one compliant or non-compliant. On its own this is just a status flag — its power comes from what you connect it to.

App protection policies

This is the MAM layer. An app-protection policy applies to the Microsoft apps (Outlook, Teams, OneDrive, the Office apps) and governs the data inside them. You can require a separate PIN or biometric to open the work app, block cut/copy/paste into personal apps, stop “Save As” to personal storage, encrypt company data, and force a selective wipe of only the in-app company data on command. Critically, this works whether or not the device is enrolled in MDM at all.

Conditional access

Conditional access is the enforcement engine, and it lives in Microsoft Entra ID rather than Intune itself. It evaluates each sign-in and applies rules — for example, only grant access to Exchange Online if the device is marked compliant, or only allow Outlook if an approved app-protection policy is applied. That turns a compliance flag into a real control: a non-compliant or unmanaged device simply doesn’t get the data. We go deeper in our guide to conditional access policies in Microsoft 365.

Selective wipe at offboarding

When someone leaves, you don’t chase their personal phone. From the Intune console you issue a wipe of company data — on a MAM-protected BYOD device that removes the work account and its cached files and leaves the rest alone; on a company-owned enrolled device you can do a full wipe and reset. Combined with disabling the account, this is how secure offboarding actually happens — the step most businesses skip until a former employee still has live access three weeks later.

MDM full enrolment vs MAM app-protection

The single most useful decision in any BYOD rollout is which of these two models a given device gets. Here’s how they compare.

 MDM (full device enrolment)MAM (app-protection policy)
What it managesThe entire device — OS, settings, all appsOnly the company apps and the data inside them
Best forCompany-owned phones, tablets and laptopsPersonal (BYOD) devices
Staff privacyCompany can see device inventory and push configCompany sees nothing outside the work apps
Passcode / encryptionEnforced at the device levelApp-level PIN; device passcode encouraged not forced
Wipe at offboardingFull device wipe possibleSelective wipe of company data only
Staff acceptanceOften resisted on personal devicesHigh — personal data is untouched
Control levelHighestFocused on the data that matters

In practice a typical setup uses both: full MDM on the laptops and phones the business bought and owns, and MAM-only app-protection on staff personal devices, with conditional access requiring one or the other before any company data is released.

Company-owned vs BYOD enrolment paths

The enrolment path follows ownership. For company-owned devices, you enrol into full MDM — on iOS usually through Apple Business Manager so the device is supervised and locked to your tenant from first boot; on Windows it’s Autopilot, which ships a laptop that configures itself at first sign-in. These get the full set of compliance and configuration policies because the business owns the hardware.

For BYOD, you avoid full enrolment wherever you can. The staff member installs the standard Microsoft apps, signs in with their work account, and the app-protection policy applies automatically — no enrolment, no agent on the device, nothing that touches their personal data. Where a BYOD device genuinely needs full management you use a model that ring-fences the work side, such as a work profile on Android, but for most SMEs MAM-only covers it without the friction.

How this maps to the Essential Eight and secure offboarding

Mobile device management isn’t a standalone exercise — it’s how several Essential Eight controls reach the devices outside your office walls. The Australian Cyber Security Centre (ACSC) Essential Eight expects multi-factor authentication, patched operating systems and applications, and restricted admin privileges. Intune enforces those on a phone or laptop you can’t physically touch: compliance policies hold devices to a current, patched OS; conditional access pairs with MFA so a stolen password alone doesn’t open the mailbox; and app-protection keeps company data inside sanctioned apps.

Offboarding is where the absence of MDM gets expensive. We worked with a construction firm in Box Hill that had no device management at all — staff used personal phones for site photos, email and the project app. When a site supervisor left for a competitor, the business had no way to remove its data from his phone and no record of what he could still reach. With Intune in place, offboarding is a five-minute job: disable the account, issue a selective wipe of company data, done. That firm now runs MAM on every personal device and full MDM on the company-issued tablets on site.

A sensible BYOD plus MDM policy outline

We have a separate post on writing the BYOD policy itself; here the focus is the technical controls it should mandate. A workable policy ties the rules to enforceable Intune settings rather than good intentions:

  • Eligibility. Define which roles may use BYOD and which must use company-owned devices — sensitive client or health data often warrants company hardware.
  • Minimum device standard. Require a supported, currently-patched OS and a device passcode or biometric, blocked by conditional access if not met.
  • App-protection mandatory. Company data is accessed only through the approved Microsoft apps with app-protection applied — no native mail clients, no forwarding to personal accounts.
  • Access conditions. Conditional access requires a compliant or app-protected device before email, files or Teams are released.
  • Separation of data. Block copy, paste and “Save As” from work apps into personal storage so company data can’t leak sideways.
  • Offboarding and loss. State in writing that the business will selectively wipe company data on exit or device loss — never personal data on a BYOD device — with a single point of contact who actions it the same day.

The policy and the platform have to match. “Devices must be encrypted” means nothing if no system checks; a compliance policy that enforces it does. That pairing — written rules backed by enforced technical controls — is the whole point, and the part most businesses get half-right.

Frequently asked questions

Can my employer read my personal texts or photos if I enrol in MDM?

On a personal BYOD device set up with app-protection (MAM) only, no — the business sees nothing outside the work apps and cannot read your messages, photos or personal accounts. On a company-owned device in full MDM, the business can see device inventory and configuration and can issue a full wipe, which is exactly why we keep full enrolment for company-owned hardware and use app-protection for personal devices.

What’s the difference between MDM and MAM?

MDM (mobile device management) manages the whole device — passcode, encryption, OS, all apps — and is right for company-owned hardware. MAM (mobile application management, or app-protection policy) manages only the company apps and the data inside them, leaving the rest of a personal device alone. For BYOD, MAM is almost always the better fit.

Do I need extra licences for Microsoft Intune?

Usually not. Intune is bundled with Microsoft 365 Business Premium and the E3 and E5 plans, so most SMEs on those licences already own it and aren’t using it. On a lower plan it’s available as an add-on, but for most Melbourne businesses the capability is already paid for.

What happens to company data when someone leaves?

You issue a selective wipe from the Intune console, removing the company account and its cached files. On a BYOD device that’s all it touches — personal data stays put. Pair it with disabling the user’s account so access is revoked immediately. That’s the secure offboarding step businesses without device management can’t perform.

Getting it set up properly

Intune is powerful, but a misconfigured rollout either locks staff out of email or quietly enforces nothing. The work is in the detail: scoping which devices get MDM versus MAM, writing conditional access that doesn’t break legitimate access, and tying offboarding into a repeatable process. As a Melbourne MSP founded in 2014 with 13 Australian-employed engineers, we set up and run Intune across the metro as part of our cybersecurity services and managed IT services, on per-user fixed monthly pricing so it isn’t a surprise line item. If staff devices are reaching your company data with no controls in place, get in touch and we’ll map out what BYOD security should look like for your business.

← Previous Data Classification: The First Step Most Security Programs Skip

Ready to Make IT Your
Competitive Advantage?

Book a free consultation with our team. No pressure, no jargon — just a clear-eyed look at where you stand and what's possible.