Part 1 Bring your own iOS device vs. managed device policies in Intune

Choosing between bring your own device (BYOD) and managed devices is an important strategic business decision, which involves more than technology alone. In this blog, we explore what factors play a part in making this choice and how Microsoft Intune supports both approaches. 

 

Scenario 1:

Jane, an employee at a tech company, uses her personal phone for work and saves work documents to the iOS Files app. When Jane leaves the company, the company's source code is still on her personal device.

Without the safeguards provided by device and app management solutions, such as 'retire device' capabilities or restrictions on file transfers, that company data is irretrievable and potentially at the disposal of a competitor, where Jane has just started a new job.

Scenario 2:

A company distributes phones to employees without device management policies. An employee, Mark, signs in to his device with his personal Apple ID, inadvertently tying corporate assets to his personal account.

When a disgruntled Mark exits the company, he leaves behind a phone locked to his Apple ID. The company, needing to repurpose the device, cannot unlock it, because company policy prohibits sharing passwords. This predicament underlines the necessity of management policies that ensure corporate property remains within company control.

Ways this is fixed with Intune

BYOD

App protection policies, coupled with conditional access, prevent organisation data from being transferred to unmanaged applications (such as the iOS Files app).

  • Once a user is scheduled for offboarding, the IT admin selectively wipes organisation data via Intune (or deletes/retires the device, which triggers removal of organisation app data).
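The BYOD controls described above, expressed as Microsoft Graph PowerShell calls. This is an added example, not code from the original post; it assumes the Microsoft Graph PowerShell SDK, an admin holding the DeviceManagementApps.ReadWrite.All scope, and illustrative app bundle IDs and user principal name. Property names follow the Graph iosManagedAppProtection resource and should be checked against the current schema.

```powershell
# Added example (not from the original post). Assumptions: Microsoft Graph PowerShell SDK,
# DeviceManagementApps.ReadWrite.All scope, illustrative bundle IDs and placeholder UPN.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"
$base = "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections"

# 1. App protection policy: org data may only move between policy-managed apps,
#    "Save As" to unmanaged locations (such as the iOS Files app) is blocked, and
#    approved cloud storage is limited to OneDrive for Business and SharePoint.
$policy = @{
    "@odata.type"                           = "#microsoft.graph.iosManagedAppProtection"
    displayName                             = "BYOD iOS - Block transfer to unmanaged apps"
    allowedOutboundDataTransferDestinations = "managedApps"
    allowedInboundDataTransferSources       = "managedApps"
    allowedOutboundClipboardSharingLevel    = "managedAppsWithPasteIn"
    saveAsBlocked                           = $true
    allowedDataStorageLocations             = @("oneDriveForBusiness", "sharePoint")
    dataBackupBlocked                       = $true      # no org data in iCloud/iTunes backups
    organizationalCredentialsRequired       = $true
    deviceComplianceRequired                = $true      # pairs with the CA grant "Require app protection policy"
    pinRequired                             = $true
    minimumPinLength                        = 6
    periodOfflineBeforeWipeIsEnforced       = "P90D"     # wipe org data after 90 days offline
}
$created = Invoke-MgGraphRequest -Method POST -Uri $base -Body ($policy | ConvertTo-Json)

# 2. Target the policy at the managed apps that hold org data (bundle IDs are examples).
$apps = @{ apps = @(
    @{ "@odata.type" = "#microsoft.graph.managedMobileApp"
       mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"; bundleId = "com.microsoft.Office.Outlook" } },
    @{ "@odata.type" = "#microsoft.graph.managedMobileApp"
       mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"; bundleId = "com.microsoft.skydrive" } }
) }
Invoke-MgGraphRequest -Method POST -Uri "$base/$($created.id)/targetApps" -Body ($apps | ConvertTo-Json -Depth 5)

# 3. Offboarding: selectively wipe org app data from every device the user registered
#    with a managed app, leaving personal data on the phone untouched.
$upn  = "jane@contoso.example"   # placeholder UPN
$regs = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/users/$upn/managedAppRegistrations"
foreach ($tag in ($regs.value.deviceTag | Select-Object -Unique)) {
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/users/$upn/wipeManagedAppRegistrationsByDeviceTag" `
        -Body (@{ deviceTag = $tag } | ConvertTo-Json)
}
```

The selective wipe only takes effect the next time each managed app checks in, so keep the Conditional Access policy that requires an app protection policy in place until the wipe is reported as complete.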

Managed Device

Device restrictions on document viewing, coupled with app protection policies as an additional layer.

  • Once the user is scheduled for offboarding, the device is handed back to IT and wiped, ready to be re-provisioned for another user.
  • Optionally, a policy blocks Apple ID sign-in; otherwise, force a device wipe from Intune.
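The managed-device controls above as Microsoft Graph PowerShell calls. This is an added example, not code from the original post; it assumes the Graph PowerShell SDK, an admin with the DeviceManagementConfiguration.ReadWrite.All and DeviceManagementManagedDevices.PrivilegedOperations.All scopes, and a placeholder group ID and user principal name. Property names follow the Graph iosGeneralDeviceConfiguration and managedDevice resources.

```powershell
# Added example (not from the original post). Assumptions: Microsoft Graph PowerShell SDK,
# the scopes below, and placeholder group ID / UPN.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All",
                        "DeviceManagementManagedDevices.Read.All",
                        "DeviceManagementManagedDevices.PrivilegedOperations.All"
$graph = "https://graph.microsoft.com/v1.0"

# 1. Device restriction profile: corporate (managed) documents cannot be opened in
#    unmanaged apps, iCloud document sync and backup are blocked, AirDrop is off, and
#    account changes (which is how a personal Apple ID gets added) are blocked.
$profile = @{
    "@odata.type"                                 = "#microsoft.graph.iosGeneralDeviceConfiguration"
    displayName                                   = "Corporate iOS - Document viewing restrictions"
    documentsBlockManagedDocumentsInUnmanagedApps = $true
    documentsBlockUnmanagedDocumentsInManagedApps = $true
    iCloudBlockDocumentSync                       = $true
    iCloudBlockBackup                             = $true
    airDropBlocked                                = $true
    accountBlockModification                      = $true
}
$created = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceConfigurations" `
                                 -Body ($profile | ConvertTo-Json)

# 2. Assign the profile to the corporate iOS device group (group ID is a placeholder).
$assign = @{ assignments = @(
    @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                   groupId       = "<corporate-ios-devices-group-id>" } }
) }
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceConfigurations/$($created.id)/assign" `
                      -Body ($assign | ConvertTo-Json -Depth 5)

# 3. Offboarding: once the phone is handed back, wipe it from Intune so it can be
#    re-provisioned. keepUserData=false removes all user content from the device.
$upn     = "mark@contoso.example"   # placeholder UPN
$devices = Invoke-MgGraphRequest -Method GET `
               -Uri "$graph/deviceManagement/managedDevices?`$filter=userPrincipalName eq '$upn'"
foreach ($d in ($devices.value | Where-Object { $_.operatingSystem -eq "iOS" })) {
    Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/managedDevices/$($d.id)/wipe" `
        -Body (@{ keepEnrollmentData = $false; keepUserData = $false } | ConvertTo-Json)
}
```

A wipe does not by itself clear Activation Lock left behind by a personal Apple ID; Intune can bypass Activation Lock only on supervised devices, which is the practical reason to block account modification up front rather than rely on the wipe.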

Policy Summary Cheat Sheet

| Restriction | Managed Device | Unmanaged Device |
|---|---|---|
| Enforce Backup Encryption | Full Control | Full Control |
| iCloud Org Data Storage restrictions | Full Control | Full Control |
| Apple Watch | Full Control | Full Control |
| Diagnostic and usage data | Full Control | Full Control |
| Screen recording | Full Control | Full Control |
| Application Protection Policies | Full Control | Full Control |
| Compliance Policies | Full Control | Partial Control |
| Document Viewing Controls | Full Control | Partial Control - implicit controls via App Protection and CA (Conditional Access) Policies |
| Siri Controls | Full Control | Partial Control - implicit controls via App Protection and CA Policies |
| Safari Controls | Full Control | Partial Control - implicit controls via App Protection and CA Policies |
| Password Controls | Full Control | Partial Control - implicit controls via App Protection and CA Policies |
| Restricted Applications | Full Control | Partial Control - implicit controls via App Protection, Compliance and CA Policies |
| Wi-Fi Controls | Full Control | Partial Control |
| Defender Configuration | Full Control - silent onboarding | Partial Control - requires user action |
| App Configuration Policies | Full Control | Partial Control - Managed App Policies |
| Applications | Managed via VPP | User Installation |
| Gaming Controls | Full Control | No Control |
| Camera | Full Control | No Control |
| FaceTime | Full Control | No Control |
| System Apps | Full Control | No Control |
| iCloud Services (Photo Sync, Library, Stream, backups, credential sync) | Full Control | No Control |
| Handoff | Full Control | No Control |
| AirPlay outgoing request control | Full Control | No Control |
| Block Apple Watch Auto unlock | Full Control | No Control |
| AirDrop | Full Control | No Control |
| Apple Watch Pairing | Full Control | No Control |
| Bluetooth | Full Control | No Control |
| Pairing with Unknown Devices | Full Control | No Control |
| USB Access to files | Full Control | No Control |
| NFC | Full Control | No Control |
| Device Recovery | Full Control | No Control |
| Document Downloads from Safari URLs Marked as Managed | Full Control | No Control |
| TLS Certificate Minimums | Full Control | No Control |
| PKI Updates | Full Control | No Control |
| Personalized Advertising | Full Control | No Control |
| Device Setting Modification | Full Control | No Control |
| Block Application Removal | Full Control | No Control |
| Software update Deferral | Full Control | No Control |
| Control Native App Visibility | Full Control | No Control |
| Home Screen | Full Control | No Control |
| App Store Controls | Full Control | No Control |
| Apple ID Controls | Partial Control - can allow/block Apple ID, cannot allow/block Managed vs. Personal Apple ID | No Control |
| Conditional Access | Enforce Managed Device Access Only | Enforce Managed App Access Only |

So, what's next?

 

Stay tuned for Part 2, where we will be delving into budget considerations; OS environment support; data leak risks; how to organise managed devices with Apple IDs; understanding Apple ID limitations; and the critical role of conditional access in device policy enforcement. 


Take the complexity out of Microsoft Intune deployments with SureDeploy. Elevate your device management capabilities and enhance your security score.