
Mobile Device Management Security Best Practices with Microsoft Intune


Michael Segura

Systems Engineer

Whether it’s laptops, phones, or tablets, more than half of workers use personal devices to access business data, applications, and networks in today’s mobile world, Gartner reports. Unfortunately, those devices can be easily compromised – making a robust enterprise mobility management strategy using a solution like Microsoft Intune vital for keeping company data and systems safe from cyber-attacks.

Nearly half of companies suffered a mobile device-related security breach with major consequences over the past year, according to Verizon’s 2022 Mobile Security Index report. And 40% of organizations still fear their current protections can’t effectively secure remote work.

Employees often relax security behaviors with mobile devices; for instance, 43% wrongly believe their email provider will block any dangerous emails, Verizon reports. 1 in 6 employees also used a personal instance of a cloud storage app to steal company data when they left.

Blame for inadequate security falls on companies as well: less than a third of organizations ban the use of unsecured public Wi-Fi on mobile devices, for instance – and only about half of those enforce the policy, Verizon reports.

As BYOD (Bring Your Own Device) becomes an expected part of workplace culture, stringent security safeguards are essential for improving visibility, device security, and overall performance. Read on to learn mobile device management security best practices with Microsoft Intune, the top-rated cloud-based device and application management solution on the market.

Choosing the right mobile management approach for your business

Put simply, Microsoft Intune enables employees to use the devices and applications they love for work purposes while configuring settings to meet company compliance and security needs. Devices are easily managed from a single, secure place in the cloud, with flexible options that allow you to choose the best approach for your business.

Microsoft Intune integrates with Azure Active Directory and Office 365 applications like Outlook, OneDrive, SharePoint, and Teams, and even with third-party applications, ensuring corporate policies are consistently applied when mobile devices use those platforms.

Companies can choose from two Intune approaches – and many maximize protection by enabling both. While employees often feel more at ease with Mobile Application Management (MAM) because it wields less control over their devices, MDM ensures BYOD devices accessing company resources meet your security standards.

  1. Mobile Device Management (MDM) secures your corporate resources when they are accessed from mobile devices like smartphones, laptops, and tablets, and works with Windows, macOS, iOS, and Android operating systems. Devices must be enrolled (registered) via the portal to access corporate resources. Before allowing the user to reach the data, Intune validates that the device meets the defined requirements, which secures your environment and standardizes the types of devices allowed. Enrollment also reports device status and health, so Intune can track any change that takes a device out of compliance and immediately block its access to corporate resources. User privacy is vigilantly protected by limiting admin access to necessary data like device serial numbers and application names, and blocking access to personal data like pictures, web browsing history, or location.
  2. Mobile Application Management (MAM) works at the application level and is independent of the device the app runs on: it protects applications by ensuring sensitive corporate data isn’t sent or copied to non-approved locations. MAM works with iOS and Android operating systems. Devices don’t have to enroll in MAM; rather, corporate apps are pushed into enterprise app stores for employees to download onto their devices. Apps run in secure containers so personal and corporate data stay separate.

When devices and applications are managed in Intune, administrators can:

  • Deploy and authenticate apps on on-premises and mobile devices.
  • Push certificates to devices so users can easily access company Wi-Fi or use a VPN to connect to the network.
  • Configure devices with rules and settings that comply with your security standards. For instance, blocking “jailbroken” devices that removed software restrictions imposed by the manufacturer. You can also prevent non-required applications from running during connection sessions.
  • Maintain visibility into enrolled devices, ensuring compliance with security requirements like antivirus protections, updated operating systems, and strong passwords.
  • Protect company data by controlling the way users access and share information within applications. For instance, preventing screenshots of data in Teams or controlling copy/paste of information from Outlook work accounts.
  • Wipe company data if a device is lost, stolen, or not used anymore.

4 considerations for successful MAM/MDM solutions

A well-planned strategy is essential to maximizing the benefits of Microsoft Intune:

1. Know your technology.

Assess the types of devices and applications running in your environment, ensuring hardware and operating systems work with the solution you want to deploy. Determine a definitive number of devices you will need to manage, what they connect to internally, and what applications need to be protected. Define objectives and permitted mobile devices; for instance, you may only accept certain brands for business tasks and ban less-secure devices like older versions of iOS or Android.

2. Configure your environment based on your unique business requirements.

Microsoft Intune allows extensive customization to achieve the right balance of security, privacy, and productivity. Important considerations include:

  • Role-based access control. Only authorized users should have access to the admin and user portal.
  • Enrollment restrictions. Besides the type of device, you should also limit the number per person to reduce the risk of rogue devices.
  • Compliance policies. Enforce detection of weak passwords, jailbroken devices, unwanted applications, and more.
  • App protection policies. Determine rules that ensure data accessed from applications is not leaked. Rules can vary from app to app so users aren’t restricted from performing necessary tasks.
  • Conditional access. Specify conditions that grant or deny access to apps or services.

3. Clearly communicate internal policies.

Transparency, frequent communication, and training are essential to employee buy-in of your MAM/MDM solution, ensuring staff knows what’s expected of them and easing privacy concerns. Outline employee responsibilities surrounding restricted applications, website or network access, data usage, and more. And make sure they understand that while they don’t have to enroll personal devices if an MDM solution is implemented, they won’t be able to access company resources from devices not compliant with company policies. In addition, your internal support organization, like the End-user Service Desk, needs to be aware of the specific policies to better assist end-user reported problems accessing company data or applications.

4. Block non-compliant devices.

Once you have communicated your Intune policies, set a deadline for securing your environment. Ensure employees have ample time to make required changes like installing system updates on devices they choose to enroll.
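To make the compliance policy, Conditional Access, and "block non-compliant devices" steps above concrete, here is an added Python example that is not from the article, from Auxis, or from Microsoft. The policy keys follow the Microsoft Graph iosCompliancePolicy resource and Conditional Access built-in grant controls; the DeviceReport fields and the local evaluation are constructed here to illustrate the decision and are not Intune's actual compliance engine.

```python
from dataclasses import dataclass

# Compliance policy body shaped like the Microsoft Graph iosCompliancePolicy
# resource: passcode, jailbreak detection and minimum OS, as the article lists.
IOS_COMPLIANCE_POLICY = {
    "@odata.type": "#microsoft.graph.iosCompliancePolicy",
    "displayName": "BYOD iOS baseline",
    "passcodeRequired": True,
    "passcodeMinimumLength": 6,
    "securityBlockJailbrokenDevices": True,
    "osMinimumVersion": "16.0",
}

# Conditional Access grant controls: allow a compliant (MDM-enrolled) device
# OR an approved, app-protection-managed (MAM) app; block everything else.
CONDITIONAL_ACCESS_GRANT = {
    "operator": "OR",
    "builtInControls": ["compliantDevice", "approvedApplication"],
}


@dataclass
class DeviceReport:
    """Constructed sample of what an enrolled device reports (hypothetical fields)."""
    name: str
    os_version: str
    passcode_length: int  # 0 means no passcode set
    jailbroken: bool
    using_approved_app: bool = False


def version_tuple(version):
    # "15.7.1" -> (15, 7, 1) so versions compare numerically, not as strings
    return tuple(int(part) for part in version.split("."))


def compliance_failures(policy, dev):
    """Return the list of policy checks this device fails (empty means compliant)."""
    failures = []
    if policy["passcodeRequired"] and dev.passcode_length < policy["passcodeMinimumLength"]:
        failures.append("passcode")
    if policy["securityBlockJailbrokenDevices"] and dev.jailbroken:
        failures.append("jailbroken")
    if version_tuple(dev.os_version) < version_tuple(policy["osMinimumVersion"]):
        failures.append("osVersion")
    return failures


def access_decision(policy, grant, dev):
    """Apply the grant controls: 'grant' if the OR/AND combination is satisfied, else 'block'."""
    satisfied = {
        "compliantDevice": not compliance_failures(policy, dev),
        "approvedApplication": dev.using_approved_app,
    }
    results = [satisfied[control] for control in grant["builtInControls"]]
    passed = any(results) if grant["operator"] == "OR" else all(results)
    return "grant" if passed else "block"
```

Run a report-only pass over your device inventory with a function like compliance_failures before the enforcement deadline, so the Service Desk sees which devices will be blocked and why.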

Give employees freedom of choice without compromising security

Traditionally, security efforts have heavily focused on data center infrastructure. But neglecting endpoint vulnerabilities in the era of BYOD and remote work risks a serious security breach.

Microsoft Intune’s MAM and MDM solutions deliver freedom of choice over work devices without compromising security and data protection – wherever and however your employees choose to work.

Want to learn more about implementing Microsoft Intune and other BYOD protections? Schedule a free consultation with our IT transformation experts.

Written by

Systems Engineer
Microsoft Certified Professional specialized in modern technologies with more than 5 years of experience delivering high quality services within the Auxis organization. Segura has successfully onboarded multiple clients via Auxis’ managed services operations models and currently helps existing and new clients modernize their technologies. Michael has exceeded customer expectations by delivering top notch customer service and technical knowledge, as well as proper documentation to support their business during transition periods and for ongoing operations.