Part 2 Bring your own iOS device vs. managed device policies in Intune

This blog is part 2 of 2 in a series all about iOS bring your own device (BYOD) in comparison to managed device policies in Microsoft Intune. Click the link to read part 1.

Budget considerations

  • Corporate devices require an upfront investment; however, their use ensures uniformity and control throughout their lifespan, providing greater management control of applications.
  • BYOD devices offer another option, with Mobile Application Management and minimal compliance policies to provide controlled access, allowing IT to separate corporate data on phones.
  • BYOD can create risks such as weak passwords and insecure applications, but Intune's app protection and conditional access policies (CA policies) can reduce them through carefully managed data interactions and enhanced security measures.
  • Larger organisations should weigh the possible long-term financial impact of data breaches when deciding whether to invest in fully corporate-controlled devices.

Sustaining diverse OS environments with BYOD

Without a corporate device strategy, organisations often default to BYOD. Unfortunately, this often results in additional IT expenses, due to:

  1. Compatibility issues between policies and applications, because devices come from different vendors.
  2. Assessing BYOD feasibility, or the minimum requirements a device must meet to gain access to corporate resources.
  3. Supporting users who cannot afford devices that receive the latest updates.

Mitigating data leak risks

BYOD policies carry more inherent risk, even with Intune-managed applications in place. App protection policies have limitations such as:

  1. Inability to protect data already stored on personal devices before the policy was applied.
  2. Protection extends only to the specific apps and devices the policy is assigned to, leaving others unregulated.
  3. Users retain full control of their devices.
  4. Compliance policies could be considered intrusive.
  5. Restrictions on features like Bluetooth/USB transfer could be impractical.
  6. Limited control over network connections.

Managed devices and Apple IDs for user login

  • Your organisation should communicate clearly that managed devices are to be used only for work activities, and should discourage the use of personal Apple IDs on managed devices for security reasons (Intune can enforce restrictions).
  • Align device use with security protocols by restricting specific Apple services via Intune.
  • Intune allows companies to monitor the compliance of Apple IDs against company policies, as well as define exceptions for specific individuals via IT policies regarding specific Apple services.
  • Determine necessary Apple Native Services based on user needs or organisational departments (e.g., accessing corporate banking apps with Apple Pay for finance, accounts, and sales).

Understanding Apple ID limitations

Apple ID policies

Your organisation can allow managed Apple IDs, allow unmanaged (personal) Apple IDs, or prohibit Apple IDs entirely.

Managed Apple IDs may provide more security but could limit access to Apple services. Personal Apple IDs provide full access to Apple services, at the cost of increased security risk. Prohibiting Apple IDs gives maximum protection but restricts functionality and access.

Enforcement and trust

Trust between the organisation running Intune and its managed Apple ID users is of utmost importance, as Intune cannot prevent personal use of an Apple ID account.

Intune's role

Intune provides flexibility in policy enforcement; however, organisational strategies should recognise the limitations of controlling Apple ID usage.

Real world example:

Some users require Apple Pay on corporate phones, which means permitting personal Apple IDs along with their associated risks, although these risks can be reduced with full device management.

The role of conditional access in device policy enforcement

  • Ensures compliance with corporate and BYOD policies.
  • Finds an optimal balance between security and user convenience to prevent policy circumvention.
  • Limits access to organisational data by permitting only compliant devices, acting as a preventative measure against data breaches by monitoring device and app usage.
  • User education is necessary for effective implementation and for understanding the impact of the policies.

Real world example:

In a BYOD scenario, you would implement a compliance policy with minimal device restrictions, checking that the device has a password and is not jailbroken. An App Protection Policy would then set control actions such as restricting copy and paste between organisation apps and unmanaged apps, restricting the saving of data from organisation apps to unmanaged apps, and requiring device compliance. Furthermore, CA policies would restrict access to Office 365 apps to managed apps only.

Real world example:

For a managed device scenario, create a CA policy that grants access to organisation data only to devices authorised (compliant) to access it. Optionally, for additional restrictions, require that app protection is also enabled.
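As an added example (not code from the original post or from Microsoft), the following Python models the BYOD and managed-device policy sets from the two real world examples above, using Microsoft Graph property and enum names for the compliance, app protection and Conditional Access settings, and evaluates constructed sign-in states against them. The evaluation logic is a simplified illustration that folds the app's device-compliance check into the Conditional Access grant decision; it is not Intune's real engine, and the `SignIn` states are constructed.

```python
from dataclasses import dataclass

# Constructed policy fragments using Microsoft Graph property/enum names.
IOS_COMPLIANCE = {                       # deviceCompliancePolicy (BYOD minimum)
    "@odata.type": "#microsoft.graph.iosCompliancePolicy",
    "passcodeRequired": True,
    "securityBlockJailbrokenDevices": True,
}
IOS_APP_PROTECTION = {                   # managedAppProtection (MAM)
    "@odata.type": "#microsoft.graph.iosManagedAppProtection",
    "allowedOutboundClipboardSharingLevel": "managedApps",    # no paste to unmanaged apps
    "allowedOutboundDataTransferDestinations": "managedApps", # no save-as to unmanaged apps
    "deviceComplianceRequired": True,
}
# Conditional Access grant controls for each scenario (conditionalAccessGrantControls).
CA_BYOD = {"operator": "OR", "builtInControls": ["compliantApplication"]}
CA_MANAGED = {"operator": "OR", "builtInControls": ["compliantDevice"]}
CA_MANAGED_PLUS_APP = {"operator": "AND",
                       "builtInControls": ["compliantDevice", "compliantApplication"]}

@dataclass
class SignIn:
    """State reported for one iOS sign-in attempt (constructed, not real telemetry)."""
    has_passcode: bool
    jailbroken: bool
    enrolled: bool        # device is MDM-enrolled in Intune
    app_protected: bool   # client app has the app protection policy applied

def device_compliant(s: SignIn) -> bool:
    """Evaluate the minimal BYOD compliance checks described in the post."""
    if IOS_COMPLIANCE["passcodeRequired"] and not s.has_passcode:
        return False
    if IOS_COMPLIANCE["securityBlockJailbrokenDevices"] and s.jailbroken:
        return False
    return True

def control_satisfied(control: str, s: SignIn) -> bool:
    if control == "compliantDevice":          # managed device, marked compliant
        return s.enrolled and device_compliant(s)
    if control == "compliantApplication":     # managed app under app protection
        if IOS_APP_PROTECTION["deviceComplianceRequired"] and not device_compliant(s):
            return False
        return s.app_protected
    return False                              # simplified model: other controls unsupported

def access_allowed(ca: dict, s: SignIn) -> bool:
    """Combine the grant controls with the policy's operator (OR / AND)."""
    results = [control_satisfied(c, s) for c in ca["builtInControls"]]
    return any(results) if ca["operator"] == "OR" else all(results)
```

Note that under the BYOD policy an unmanaged app is denied even on a compliant device, while under the managed-device policy a non-enrolled device is denied even from a protected app.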

In summary...

  • BYOD vs. Managed devices: Consider cost, IT capacity, and security.
  • BYOD advantages: Cost-saving on hardware, but risks data leaks and OS management challenges.
  • Managed devices: Tighter control, albeit at a higher cost.
  • Intune's role: Essential in both scenarios for data protection and device management.
  • Decision factors: Your organisation must consider budget, tech environment diversity, security imperatives, and operational efficiency.