Microsoft 365 mobile device security

Securing mobile access to Microsoft 365 — MAM, MDM, Conditional Access, and the BYOD vs corporate distinction.

Mobile access to Microsoft 365 is universal — every user has Outlook, Teams, OneDrive on their phone. Whether the device is corporate-owned or personal (BYOD) dramatically changes the security model. Designing for both is essential for a complete posture.

Two device populations

Corporate-owned devices

IT provisions, manages, and (when needed) wipes the entire device. Patterns:

  • Apple Business Manager + Intune for iOS/iPadOS.
  • Android Enterprise with Intune for Android.
  • Full Mobile Device Management (MDM) — Intune enrolled.
  • Defender for Endpoint for mobile threat defence.

The device is a corporate asset; IT has broad control.

Personal devices (BYOD)

The user owns the device; IT can only manage corporate apps and data. Patterns:

  • Mobile Application Management without enrolment (MAM-WE) — only specific apps managed.
  • Intune App Protection Policies govern app behaviour.
  • No full device control — IT can't see personal apps, browsing history, photos.

The device is the user's; only the corporate app surface is managed.

Conditional Access for mobile

The Conditional Access policy that ties this together:

For users accessing Microsoft 365 from iOS or Android, require approved client app + app protection policy.

What this does:

  • iOS native Mail / Android default Gmail can't sign into corporate accounts (they cannot be governed by MAM).
  • Outlook for iOS / Android with App Protection Policy can sign in.
  • Teams, OneDrive, Word, Excel, PowerPoint with appropriate MAM can sign in.

The only path to corporate email on personal devices is via approved Microsoft mobile apps with MAM enforced.
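As an added example, not from the original page or from Microsoft, here is that policy as a Microsoft Graph request body together with a simplified evaluator that reproduces the outcomes listed above. The break-glass object ID, the sign-in samples and the choice of the OR operator ("require one of the selected controls") are assumptions of this example; the real Entra ID engine weighs many more signals than this model.

```python
# Object ID of the emergency-access (break-glass) account to exclude; constructed placeholder.
BREAK_GLASS_OID = "00000000-0000-0000-0000-000000000000"

# Request body for POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
MOBILE_APP_PROTECTION_POLICY = {
    "displayName": "Mobile: require approved client app or app protection policy",
    "state": "enabledForReportingButNotEnforced",  # report-only first, then "enabled"
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_OID]},
        "applications": {"includeApplications": ["Office365"]},
        "platforms": {"includePlatforms": ["iOS", "android"]},
        "clientAppTypes": ["all"],
    },
    "grantControls": {
        "operator": "OR",  # "require one of the selected controls"
        "builtInControls": ["approvedApplication", "compliantApplication"],
    },
}

def in_scope(policy, signin):
    """Does the sign-in match the policy's user, application and platform conditions?"""
    c = policy["conditions"]
    return (signin["user"] not in c["users"]["excludeUsers"]
            and signin["platform"] in c["platforms"]["includePlatforms"]
            and signin["app"] in c["applications"]["includeApplications"])

def grant_satisfied(policy, signin):
    """Evaluate the grant controls with the policy's OR/AND operator."""
    g = policy["grantControls"]
    checks = {"approvedApplication": signin["approved_client_app"],
              "compliantApplication": signin["app_protection_policy"]}
    results = [checks[ctl] for ctl in g["builtInControls"]]
    return any(results) if g["operator"] == "OR" else all(results)

def decide(policy, signin):
    """Return 'allow' or 'block' for one sign-in against this single policy."""
    if not in_scope(policy, signin):
        return "allow"  # policy not applicable; other policies may still apply
    return "allow" if grant_satisfied(policy, signin) else "block"

# Constructed sign-in samples mirroring the outcomes listed above.
IOS_NATIVE_MAIL = {"user": "u1", "app": "Office365", "platform": "iOS",
                   "approved_client_app": False, "app_protection_policy": False}
OUTLOOK_IOS_WITH_APP = {"user": "u1", "app": "Office365", "platform": "iOS",
                        "approved_client_app": True, "app_protection_policy": True}
WINDOWS_DESKTOP = {"user": "u1", "app": "Office365", "platform": "windows",
                   "approved_client_app": False, "app_protection_policy": False}
```

Deploy in report-only state first and review the Conditional Access sign-in log before switching `state` to `enabled`.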

App Protection Policies (MAM-WE)

Configure in Intune for each managed app:

Data protection

  • Encryption — corporate data inside the app encrypted.
  • No copy / paste to non-managed apps.
  • No save to local files / external storage.
  • No screenshots, where the platform and app support blocking them.
  • No print of corporate data.

Access requirements

  • PIN required to open the app (or biometric).
  • Re-auth every N hours.
  • Conditional launch based on device state.

Conditional launch

  • Minimum OS version — block sign-in on outdated OS.
  • Minimum app version — block outdated apps.
  • Block jailbroken / rooted devices.
  • Block based on threat intelligence (with Defender for Endpoint Android / iOS).
  • Selective wipe — remove corporate data remotely without touching personal data.

Threat protection

For both corporate and personal devices, Microsoft Defender for Endpoint for Android / iOS adds:

  • Web protection — block malicious URLs.
  • Network protection — alert on insecure network connections.
  • Malware detection on installed apps.
  • Vulnerability assessment of installed apps.

Conditional Access can require the Defender-reported device risk level to be at or below a set threshold before granting access to sensitive apps.

Corporate-only apps

For specific high-sensitivity apps, restrict to corporate devices only:

  • Conditional Access policy requires a compliant device for the app.
  • MAM alone on a personal device does not satisfy this; the device must be Intune-enrolled (full MDM) and marked compliant.

Useful for: very confidential SaaS apps, admin tools, executive-level resources.

Mobile browser access

For web-app access from mobile browsers:

  • Conditional Access App Control routes the session through Defender for Cloud Apps.
  • Block downloads from the mobile browser.
  • Prevent copy / paste from the browser.
  • Watermark the session for confidential content.

For BYOD scenarios where users access via browser, this is the right control.

Specific scenarios

Executives

  • Corporate iPhone / Android with full MDM.
  • MAM on personal devices for occasional access.
  • Phishing-resistant MFA (FIDO2 / passkey).
  • Defender for Endpoint monitoring.

General employees

  • MAM-WE on personal devices as default.
  • Corporate devices for specific roles.
  • Standard Conditional Access policies.

Frontline workers

  • Shared corporate devices with dedicated mode.
  • Hot desking sign-in patterns.
  • Specific frontline app access scoped per role.

Operational considerations

  • User education — communicate why MAM exists.
  • Help-desk procedures for mobile issues.
  • Periodic policy review — Microsoft adds new MAM controls.
  • Reporting — visibility into managed devices and apps via Intune.

For Microsoft 365 customers serious about mobile security, the standard pattern is the combination of Conditional Access requiring approved client apps, MAM on personal devices, and MDM on corporate devices. It is sophisticated and defensible, and it does not require heavy investment in managing the BYOD devices themselves.