Choosing between bring your own device (BYOD) and managed devices is an important strategic business decision, which involves more than technology alone. In this blog, we explore what factors play a part in making this choice and how Microsoft Intune supports both approaches.
Scenario 1:
Jane, an employee at a tech company, uses her personal phone for work, saving documents from work to her iOS Files. When Jane leaves the company, she has the company's source code on her personal device.
Without the safeguards provided by Device/App Management solutions, such as ‘retire device’ capabilities or restrictions on file transfers, company data is irretrievable and potentially at the disposal of a competitor, where Jane has just started a new job.
Scenario 2:
A company distributes phones to employees without device management policies. An employee, Mark, uses his personal Apple ID on his device, inadvertently locking corporate assets to his personal account.
When a disgruntled Mark exits the company, he leaves behind a phone tied to his Apple ID. The company, needing to repurpose the device, cannot unlock the phone due to company policies set against sharing passwords. This predicament underlines the necessity of management policies which ensure corporate property remains within company control.
Ways this is fixed with Intune
BYOD
App protection policies coupled with conditional access preventing organisation data transfer to unmanaged Applications (such as an iOS File App).
- Once User is scheduled for offboarding, IT Admin would selectively wipe organisation data via Intune (OR delete/retire device – this would trigger organisation app data removal)
Managed Device
Device restriction for document viewing, coupled with app protection policies for an additional layer.
- Once the user is scheduled for offboarding, the device is handed back to IT and wiped, ready to be reprovisioned for another user.
- Optional policy to block Apple ID sign-in, otherwise force device wipe from Intune.
Policy Summary Cheat Sheet
|
Restriction
|
Managed Device
|
Un-managed Device
|
|
Enforce Backup Encryption
|
Full Control
|
Full Control
|
|
iCloud Org Data Storage restrictions
|
Full Control
|
Full Control
|
|
Apple Watch
|
Full Control
|
Full Control
|
|
Diagnostic and usage data
|
Full Control
|
Full Control
|
|
Screen recording
|
Full Control
|
Full Control
|
|
Application Protection Policies
|
Full Control
|
Full Control
|
|
Compliance Policies
|
Full Control
|
Partial Control
|
|
Document Viewing Controls
|
Full Control
|
Partial Control - Implicit controls via App Protection and CA (Conditional Access) Policies
|
|
Siri Controls
|
Full Control
|
Partial Control - Implicit controls via App Protection and CA Policies
|
|
Safari Controls
|
Full Control
|
Partial Control - Implicit controls via App Protection and CA Policies
|
|
Password Controls
|
Full Control
|
Partial Control - Implicit controls via App Protection and CA Policies
|
|
Restricted Applications
|
Full Control
|
Partial Control - Implicit controls via App Protection, Compliance and CA Policies
|
|
Wi-Fi Controls
|
Full Control
|
Partial Control
|
|
Defender Configuration
|
Full Control - silent onboarding
|
Partial Control - Requires user action
|
|
App Configuration Policies
|
Full Control
|
Partial Control - Managed App Policies
|
|
Applications
|
Managed via VPP
|
User Installation
|
|
Gaming Controls
|
Full Control
|
No Control
|
|
Camera
|
Full Control
|
No Control
|
|
FaceTime
|
Full Control
|
No Control
|
|
System Apps
|
Full Control
|
No Control
|
|
iCloud Services (Photo Sync, Library, Stream, backups, credential sync)
|
Full Control
|
No Control
|
|
Handoff
|
Full Control
|
No Control
|
|
AirPlay outgoing request control
|
Full Control
|
No Control
|
|
Block Apple Watch Auto unlock
|
Full Control
|
No Control
|
|
AirDrop
|
Full Control
|
No Control
|
|
Apple Watch Pairing
|
Full Control
|
No Control
|
|
Bluetooth
|
Full Control
|
No Control
|
|
Pairing with Unknown Devices
|
Full Control
|
No Control
|
|
USB Access to files
|
Full Control
|
No Control
|
|
NFC
|
Full Control
|
No Control
|
|
Device Recovery
|
Full Control
|
No Control
|
|
Document Downloads from Safari URLs Marked as Managed
|
Full Control
|
No Control
|
|
TLS Certificate Minimums
|
Full Control
|
No Control
|
|
PKI Updates
|
Full Control
|
No Control
|
|
Personalized Advertising
|
Full Control
|
No Control
|
|
Device Setting Modification
|
Full Control
|
No Control
|
|
Block Application Removal
|
Full Control
|
No Control
|
|
Software update Deferral
|
Full Control
|
No Control
|
|
Control Native App Visibility
|
Full Control
|
No Control
|
|
Home Screen
|
Full Control
|
No Control
|
|
App Store Controls
|
Full Control
|
No Control
|
|
Apple ID Controls
|
Partial Control – Can allow/block Apple ID, Cannot Allow/Block Managed/Personal Apple ID
|
No Control
|
|
Conditional Access
|
Enforce Managed Device Access Only
|
Enforce Managed App Access Only
|
So, what's next?
Stay tuned for Part 2, where we will be delving into budget considerations; OS environment support; data leak risks; how to organise managed devices with Apple IDs; understanding Apple ID limitations; and the critical role of conditional access in device policy enforcement.
Take the complexity out of Microsoft Intune deployments with SureDeploy. Elevate your device management capabilities and enhance your security score.
Alex Alamein
