After noticing that there’s still a lot of concern from customers around adopting BYOD, I decided to write this blog post to highlight the latest Intune capabilities and how Microsoft are trying to put to bed old cost, security, administration and user experience concerns that are generally associated with allowing personal devices.
Ensuring that personal devices meet the organisation's defined level of security, without putting users off, could leave much less justification for corporate devices in the future. This is further supported by the potential cost savings and the incentives that can be offered, for example a contribution to a user's phone bill if they opt out of having a work phone.
With that said, I think it’s important that work phones are always an option to users, as the mandatory use of personal devices for work purposes isn’t always popular.
Below are the common concerns I hear about BYOD with some ways Intune now mitigates them:
“Supporting personal devices increases costs”
Intune’s per user licensing doesn’t leave you with any increased bills for allowing personal devices and every personal device used in place of a corporate device can offer cost savings in hardware and company phone contracts.
“Personal devices are a security risk”
Users have the right to freedom on their personal devices, making them inherently different from corporate devices – however, Intune's capabilities now mitigate the common risks that come with this freedom.
Intune's application management policies now provide a different approach – secure the corporate data where it resides, as opposed to securing the devices that it resides on. By creating a corporate partition of managed apps on the device and keeping corporate data separate from personal data, application management doesn't impact the user's freedom and instead ensures that this freedom has much less bearing on corporate security.
“Some users don’t like us having control over their personal device”
Some users may consider the enrolment process (as with any MDM) and having MDM policies applied to their device to be overbearing. As mentioned above, Intune's application management policies can now allow you to secure apps and corporate data, and their enforcement is also much less visible to the user.
Device Management vs Application Management
When looking to adopt Intune capabilities for BYOD, a key decision is if and how device management and application management will be used.
Device management provides device-level control and visibility – including the ability to apply MDM policies, wipe entire devices, report on software and hardware information and deploy mobile apps. Application management provides mobile app control and visibility – including the ability to wipe corporate data, encrypt app data and apply other data loss prevention (DLP) options.
Application Management in more detail
Application Management is nothing new to Intune; in the past it has been (and still is, with Intune integrated with Configuration Manager) available using Mobile Application Management (MAM) policies deployed alongside mobile apps with Intune device management. However, last year an advancement became available to application management policies in Intune: the ability to apply them to users' apps on unenrolled devices. This new MDM-less application management is referred to as Intune App Protection and is supported by most Microsoft iOS and Android apps for Office 365.
As Intune App Protection policies are applied within apps, there is no control of the underlying device from Intune; for example, the entire device cannot be wiped and standard MDM policies cannot be applied. However, importantly, corporate data can still be wiped at any time, and many organisations conclude that they do not require device-level control for personal devices. Intune App Protection policies have various settings to help protect corporate data within mobile apps, such as:
– Require PIN to access apps
– Restrict cut, copy and paste with other apps
– Encrypt app data
– Disable printing from apps
– Block managed apps from running on jailbroken or rooted devices
– Require minimum iOS or Android operating system
There are several elements to an Intune App Protection Policy:
– Platform – iOS or Android (separate policies should be created for both)
– Policy settings – security options that are applied to the mobile app, including the above options and more
– User assignment – Azure AD user(s) or group(s) that will receive the policy
– Apps – the mobile apps that the policy will take effect for
The assigned user(s) receive the policy settings when they authenticate to Office 365 services on any of the selected apps, for example when they setup the Outlook app and add an Office 365 mailbox.
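To make the four policy elements concrete, the following is an added example (not code from the original post) that creates an iOS App Protection policy through Microsoft Graph using the Microsoft.Graph PowerShell module, then targets it at apps and assigns it to a group. The group ID is a placeholder, the threshold values are illustrative choices, and the mapping of the "jailbroken/rooted" block to the Graph property deviceComplianceRequired is stated here as an assumption. Android needs its own policy against androidManagedAppProtections with androidMobileAppIdentifier/packageId, as the post notes.

```powershell
# Added example: create, target and assign an Intune App Protection policy for iOS.
# Assumes the Microsoft.Graph PowerShell module (Connect-MgGraph / Invoke-MgGraphRequest).
# The group ID below is a placeholder - replace it with your Azure AD group.
Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All'

$graph = 'https://graph.microsoft.com/v1.0/deviceAppManagement'

# 1. Platform + 2. Policy settings. Comments tie each setting to an option listed in the post.
$policy = @{
    '@odata.type'                           = '#microsoft.graph.iosManagedAppProtection'
    displayName                             = 'BYOD - iOS App Protection'
    description                             = 'MAM without enrolment for personal iOS devices'
    # Require PIN to access apps
    pinRequired                             = $true
    minimumPinLength                        = 6
    simplePinBlocked                        = $true
    maximumPinRetries                       = 5
    # Restrict cut, copy and paste with other apps (paste *into* managed apps still allowed)
    allowedOutboundClipboardSharingLevel    = 'managedAppsWithPasteIn'
    allowedOutboundDataTransferDestinations = 'managedApps'
    allowedInboundDataTransferSources       = 'managedApps'
    saveAsBlocked                           = $true
    dataBackupBlocked                       = $true
    # Encrypt app data
    appDataEncryptionType                   = 'whenDeviceLocked'
    # Disable printing from apps
    printBlocked                            = $true
    # Block managed apps on jailbroken devices (assumed Graph name for that portal option)
    deviceComplianceRequired                = $true
    # Require minimum iOS version (warn one major version earlier)
    minimumRequiredOsVersion                = '12.0'
    minimumWarningOsVersion                 = '13.0'
    # Conditional launch: re-check access periodically and wipe if offline too long (ISO 8601 durations)
    periodOnlineBeforeAccessCheck           = 'PT30M'
    periodOfflineBeforeAccessCheck          = 'PT12H'
    periodOfflineBeforeWipeIsEnforced       = 'P90D'
}
$created  = Invoke-MgGraphRequest -Method POST -Uri "$graph/iosManagedAppProtections" -Body $policy
$policyId = $created.id

# 4. Apps - the policy only takes effect inside these bundles (real Microsoft bundle IDs)
$apps = @{
    apps = @(
        @{ mobileAppIdentifier = @{ '@odata.type' = '#microsoft.graph.iosMobileAppIdentifier'; bundleId = 'com.microsoft.Office.Outlook' } },
        @{ mobileAppIdentifier = @{ '@odata.type' = '#microsoft.graph.iosMobileAppIdentifier'; bundleId = 'com.microsoft.Office.Word' } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/iosManagedAppProtections/$policyId/targetApps" -Body $apps

# 3. User assignment - an Azure AD group (placeholder GUID)
$assign = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = '00000000-0000-0000-0000-000000000000' } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/iosManagedAppProtections/$policyId/assign" -Body $assign
```

The policy does nothing until both the targetApps and assign calls have run: a user outside the assigned group, or a user in an app that is not targeted, receives no settings when they sign in. The offline wipe period is worth setting deliberately, since it is the only "wipe" available without enrolment and it fires inside the app rather than from the console.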
Intune App Protection policies are a great advancement for Intune, with a focus on issues commonly associated with BYOD. Corporate data can be secured on devices and the user experience is much improved with a setup process that is almost invisible and simpler than Intune enrolment.
When you have decided if and how personal devices will be allowed and managed, the following are additional considerations for enforcing that decision:
Require enrolment – If you decide that Intune enrolment should be required for every mobile device with access to IT services, whether personal or corporate, Azure AD conditional access policies can be used to prompt users to enrol.
Block personal devices – if you decide that you do not wish to support personal devices at all, Azure AD conditional access should be used to force enrolment and then personal devices blocked through enrolment restrictions. Intune can differentiate between personal and corporate devices by having corporate device identifiers (serial or IMEI numbers) imported.
Intune App Protection supported apps – if you decide to deploy Intune App Protection policies, Azure AD conditional access can require an approved client app, ensuring that only apps supporting these policies can be used to access corporate data.
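The "require enrolment" and "App Protection supported apps" options above are both grant controls in one Azure AD conditional access policy. As an added example (not from the original post), the following creates such a policy for Office 365 on iOS and Android through Microsoft Graph with the Microsoft.Graph PowerShell module. The group ID is a placeholder; the policy is created in report-only mode, which is an added recommendation rather than something the post states.

```powershell
# Added example: conditional access policy requiring EITHER an enrolled, compliant device
# OR an app that supports App Protection policies, for Office 365 on mobile platforms.
# Assumes the Microsoft.Graph PowerShell module; the group ID is a placeholder.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$ca = @{
    displayName = 'BYOD - Office 365 on mobile requires enrolment or App Protection'
    # Report-only first: sign-in logs show who would be blocked before anyone actually is.
    state       = 'enabledForReportingButNotEnforced'   # change to 'enabled' after review
    conditions  = @{
        applications   = @{ includeApplications = @('Office365') }   # the Office 365 app group
        users          = @{ includeGroups = @('00000000-0000-0000-0000-000000000000') }
        platforms      = @{ includePlatforms = @('iOS', 'android') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        # OR: satisfying either control grants access.
        #  compliantDevice     -> device is Intune enrolled and compliant ("require enrolment")
        #  approvedApplication -> client app supports App Protection policies
        operator        = 'OR'
        builtInControls = @('compliantDevice', 'approvedApplication')
    }
}
Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' -Body $ca
```

With the OR operator, an unenrolled personal device can still reach Office 365, but only from an app that supports App Protection; a native mail client on the same device is blocked, which is the behaviour the "supported apps" consideration calls for. Dropping approvedApplication from the list turns the same policy into a pure "require enrolment" rule. Blocking personal devices outright is not done in conditional access but, as noted above, through enrolment restrictions once corporate identifiers have been imported.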
In conclusion, Intune is helping to make BYOD more viable and to challenge old arguments against allowing personal devices, providing easier yet more secure options for users.