If you want to provide secure access to your corporate data on personal smartphones without enrolling those devices under full IT management, stay tuned: in this article I am going to show you the exact policies you need to configure to protect your organization.

Access on the Go

When we think about users wanting to access corporate data on the go, such as email and chat, we run up against conflicting goals. As IT admins, we do not want users insecurely accessing corporate data on a device we know nothing about. Personal devices could easily be compromised or jailbroken, leaving our corporate data and environment vulnerable. On the other hand, if we ask end users to enroll their smartphones under management, they will vehemently reject that idea. They naturally assume that IT will then be able to:
  • Read their text messages (i.e. “I hate my boss”)
  • Access their personal photos
I also think we naturally DON'T want to extend our management to these devices given the support burden that causes. It would have to be baked into our IT service contract.

MDM vs MAM

When we think about a compromise for this problem using Microsoft 365, we get into the concepts of MDM and MAM. MDM stands for Mobile Device Management and involves fully enrolling and managing devices with Intune. MAM stands for Mobile Application Management, and you can think of it as a lightweight form of management: the user does not need to enroll their smartphone, but we can still manage the corporate applications and the data inside them. This is truly the best of both worlds, and I recommend setting up these policies in every environment by default.

Creating App Protection Policies

The first policy I am going to show you is in the Intune admin center and is called an App Protection Policy. This policy lets us target iOS and Android devices, specify the applications we want to protect, and define the controls we want to enforce. Common controls you will see as we walk through this are the ability to:

  • Prevent cut/copy/paste to unmanaged apps
  • Prevent Save As to unmanaged storage locations like iCloud, Google Drive, etc.
  • Require additional authentication to open the app, such as a PIN or Face ID
  • Block access from jailbroken or rooted devices (a conditional launch setting, which addresses the concern above)

End-User Experience: 

Creating Conditional Access Restrictions

From here, we can implement "layer 2" protections that restrict things further. Specifically, we can create a Conditional Access policy that forces users to use these protected applications instead of the native mail client on the smartphone. It ensures they are using an approved app (Outlook) that carries the app protection policy, so we have control over the data and can apply the additional protections coming from that policy. Of the two grant controls described in the Microsoft article, prefer "Require app protection policy": it checks that the client actually reports an applied policy rather than only checking the app's identity, and Microsoft has announced the retirement of the older "Require approved client app" control. Follow these steps to implement it: Conditional Access – Require approved app or app protection policy – Microsoft Entra ID | Microsoft Learn
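Both layers described above (the App Protection Policy and the Conditional Access policy that requires it), wired up with Microsoft Graph PowerShell, as an added example that is not part of the original article. The group IDs, policy names, bundle IDs of the targeted apps and the specific setting values are assumptions chosen to match the controls discussed; replace the placeholder IDs with your own groups and review each setting against your own requirements before enabling.

```powershell
# Added example, not from the original article. Requires the Microsoft.Graph module.
# Creates (1) an iOS App Protection Policy and (2) a Conditional Access policy that requires it.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess"

$graph            = "https://graph.microsoft.com/v1.0"
$mamUsersGroupId  = "00000000-0000-0000-0000-000000000001"   # placeholder: users who get MAM
$waiverGroupId    = "00000000-0000-0000-0000-000000000002"   # placeholder: executives who signed the risk waiver
$breakGlassUserId = "00000000-0000-0000-0000-000000000003"   # placeholder: emergency-access account, always excluded from CA

# ---- Layer 1: App Protection Policy (iOS shown; Android uses /androidManagedAppProtections with the same core settings)
$appPolicyBody = @{
    displayName                             = "MAM - iOS - Unenrolled personal devices"
    description                             = "Protects corporate data in Outlook and Teams on personal iOS devices"
    allowedInboundDataTransferSources       = "managedApps"            # no data in from unmanaged apps
    allowedOutboundDataTransferDestinations = "managedApps"            # no Save As / share-sheet to unmanaged apps
    allowedOutboundClipboardSharingLevel    = "managedAppsWithPasteIn" # copy to personal apps blocked, paste in allowed
    saveAsBlocked                           = $true
    allowedDataStorageLocations             = @("oneDriveForBusiness", "sharePoint")  # iCloud/Google Drive not listed = blocked
    dataBackupBlocked                       = $true                    # keep corporate data out of the iCloud backup
    pinRequired                             = $true                    # additional authentication to open the app
    minimumPinLength                        = 6
    simplePinBlocked                        = $true
    maximumPinRetries                       = 5
    fingerprintBlocked                      = $false                   # Touch ID / Face ID may be used instead of the PIN
    deviceComplianceRequired                = $true                    # conditional launch: block jailbroken devices
    periodOfflineBeforeAccessCheck          = "PT12H"                  # re-check the policy after 12h offline
    periodOfflineBeforeWipeIsEnforced       = "P30D"                   # selective wipe after 30 days offline
    appDataEncryptionType                   = "whenDeviceLocked"
}
$appPolicy = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/iosManagedAppProtections" -Body $appPolicyBody

# Target the apps we want protected (bundle IDs assumed here to be Outlook and Teams for iOS).
$targetApps = @{
    apps = @(
        @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"; bundleId = "com.microsoft.Office.Outlook" } },
        @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"; bundleId = "com.microsoft.skype.teams" } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/iosManagedAppProtections/$($appPolicy.id)/targetApps" -Body $targetApps

# Assign to the MAM user group and exclude the risk-waiver group.
$assignments = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget";          groupId = $mamUsersGroupId } },
        @{ target = @{ "@odata.type" = "#microsoft.graph.exclusionGroupAssignmentTarget"; groupId = $waiverGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/iosManagedAppProtections/$($appPolicy.id)/assign" -Body $assignments

# ---- Layer 2: Conditional Access, require an app that carries the protection policy above.
$caPolicyBody = @{
    displayName   = "CA - Mobile - Require app protection policy"
    state         = "enabledForReportingButNotEnforced"   # report-only first; change to "enabled" after user communication
    conditions    = @{
        users          = @{
            includeGroups = @($mamUsersGroupId)
            excludeGroups = @($waiverGroupId)          # executives on the risk waiver
            excludeUsers  = @($breakGlassUserId)       # never lock out the emergency-access account
        }
        applications   = @{ includeApplications = @("Office365") }   # Exchange, Teams, SharePoint etc. as one app group
        platforms      = @{ includePlatforms = @("iOS", "android") }
        clientAppTypes = @("mobileAppsAndDesktopClients")           # native Mail/Calendar fall here and get no protected-app token
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantApplication")   # "Require app protection policy"; "approvedApplication" is the retiring control
    }
}
$caPolicy = Invoke-MgGraphRequest -Method POST -Uri "$graph/identity/conditionalAccess/policies" -Body $caPolicyBody
Write-Host "App protection policy $($appPolicy.id) and CA policy $($caPolicy.id) created (CA in report-only mode)."
```

The Conditional Access policy is created in report-only mode on purpose: the sign-in logs will then show which users and which client apps (typically the native Mail app) would have been blocked, which gives you the list of people to notify before flipping the state to "enabled".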

End User Experience:

As you can see in the video above, this is not exactly the best end-user experience, because it takes them to a fairly ambiguous support article they will not understand. For this reason, it's important to send proper notice and communication before turning on this policy. Running the policy in report-only mode first also shows you exactly who would be blocked before anyone actually is.

Other End-User Considerations

When I've implemented this in customer environments, the biggest pushback I usually get is from a few unique-snowflake executives who really hate not being able to use the native mail and calendar apps on their device. I mean they really hate it. They want all of their data blended together with their personal Gmail. So it's important to communicate the security importance, and if you have to make concessions, I would recommend the following:
  1. If they insist on keeping the native clients, require them to enroll the device under full MDM management.
  2. If that also gets pushback, create an exclusion group for the policy for these users and have them sign a risk waiver. We still want to apply this to as many users in the organization as possible.

Selective Wipe Request

You can follow these steps to send a selective wipe request to an end user's smartphone, which removes the corporate data at the application layer and leaves the personal data on the device untouched: How to wipe only corporate data from apps – Microsoft Intune | Microsoft Learn

This is typically something you want to incorporate into your user offboarding SOP. Note that the wipe is applied the next time the app checks in with Intune, so pair it with disabling the account and revoking sessions rather than relying on it alone.
