87%
of enterprise employees access work email from personal mobile devices
46%
of mobile-related breaches involve an unmanaged or uncontrolled device
39%
of organizations have no formal mobile security policy or enforcement mechanism
12x
higher likelihood of data loss from a lost mobile device compared to a lost laptop without remote wipe capability

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Mobile device security in enterprise environments suffers from a persistent mismatch between the threat model and the controls deployed. Most organizations either over-manage mobile devices with full MDM enrollment policies that generate employee resistance and legal complexity for personal devices, or under-manage them by allowing unrestricted access to corporate email and data from any device with no controls whatsoever. The practical middle ground, which most security guidance fails to articulate clearly, is a tiered approach based on device ownership and data sensitivity. Corporate-owned devices warrant full MDM management. Personally-owned devices in a BYOD program warrant Mobile Application Management (MAM) without device management, combined with Conditional Access enforcement at the authentication layer. This guide covers what each approach actually requires to implement effectively and what the minimum viable controls are when neither full MDM nor MAM-only is yet deployed.

MDM vs. MAM: The Distinction That Determines Your BYOD Approach

Mobile Device Management and Mobile Application Management are architecturally different control models that organizations frequently conflate. MDM enrolls the entire device into a management system that gives the administrator control over device configuration, installed apps, network settings, and device restrictions, and provides the ability to remotely wipe the entire device. MAM manages only specific applications installed on the device, enforcing data handling policies within those apps without touching the rest of the device, the personal data, or the personal apps.

For corporate-owned devices, full MDM enrollment is appropriate and straightforward to justify: the employer owns the device and has legitimate authority to manage its configuration. For personally-owned devices in a BYOD program, full MDM enrollment creates significant legal and practical problems. In most jurisdictions, an MDM-enrolled personal device gives the employer visibility into device inventory, installed apps, and potentially location data. Employees are understandably reluctant to enroll their personal phone into their employer's MDM, and the resistance frequently results in either non-adoption or employees using unmanaged personal devices for work email anyway, which is worse from a security perspective than a well-designed MAM policy.

MAM-only enrollment resolves this tension by managing only the Microsoft Outlook app, Microsoft Teams app, or other corporate applications on the personal device, without any visibility into or control over the personal apps, photos, or data on the rest of the device. The corporate applications enforce data handling policies: corporate email cannot be copied to personal apps, corporate documents cannot be saved to local storage outside the managed app container, and the managed app data can be selectively wiped from the device without touching personal data. This model protects corporate data on personal devices while respecting the personal nature of the device and avoiding the legal complications of full device management.

The practical decision framework for MDM vs. MAM is: corporate-owned devices use full MDM. Personally-owned devices accessing corporate email and collaboration tools use MAM-only. Personally-owned devices requiring access to sensitive data beyond email and collaboration, such as production systems, financial data, or regulated information, should either be replaced with corporate-owned devices or access should be restricted to a browser-based Virtual Desktop Infrastructure session that never stores corporate data on the device.

Minimum Viable Mobile Security Controls

Before any MDM platform is deployed, the minimum viable mobile security controls can be enforced through Conditional Access policies that gate authentication based on device posture signals. These controls require no MDM agent on the device and apply to any device attempting to authenticate to corporate cloud services.

The five minimum viable controls are: PIN or biometric authentication enforcement (any device accessing corporate resources must have a lock screen configured, which Microsoft Conditional Access can verify for Intune-registered devices or require as a self-attestation for unregistered devices), disk encryption verification (iOS devices are encrypted by default when a passcode is set; Android devices require encryption to be enabled, which modern Android Enterprise policies enforce automatically), OS version minimum enforcement (blocking access from devices running operating system versions no longer receiving security updates removes the most severe vulnerability exposure from the mobile fleet), jailbreak and root detection (a jailbroken iOS device or rooted Android device has bypassed the platform's application sandboxing and code signing controls, fundamentally changing the threat model), and screen lock timeout (devices that remain unlocked indefinitely after being set down are a physical security risk that is trivially corrected by a Conditional Access policy requiring a maximum inactivity timeout).

These five controls are achievable in a Conditional Access policy without any MDM agent on enrolled devices, using the device compliance signals available from the platform's operating system APIs. Microsoft Entra ID Conditional Access can evaluate device platform, OS version, and compliance state for devices registered in Entra ID, which users can accomplish through the Company Portal app or through work account enrollment. Apple's managed device attestation and Google's Android SafetyNet/Play Integrity APIs provide the jailbreak and root detection signals that Conditional Access policies query to determine device health.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

iOS-Specific Controls: Supervised Mode and Apple Business Manager

iOS device management has a two-tier capability model that significantly affects what security controls are available. Standard MDM enrollment using a user-initiated enrollment profile provides device inventory, configuration profile deployment, remote wipe, and app management, but leaves the user in control of the MDM relationship: they can remove the enrollment profile from Settings at any time, which unenrolls the device and removes all managed apps and data. Supervised mode, available only for devices enrolled through Apple Business Manager or Apple School Manager using Automated Device Enrollment (ADE), provides a fundamentally different level of management control.

Supervised mode is configured in Apple Configurator or established through ADE when the device first boots. Once supervised, the device cannot be unenrolled by the user without a factory reset. Supervised mode enables a set of additional management capabilities that are unavailable on standard-enrolled devices: app blocklist enforcement (preventing specific apps from being installed, such as competing MDM agents, screen recording apps, or consumer cloud storage apps), content filter enforcement (requiring all web traffic to pass through a managed content filter), MDM removal prevention (preventing the user from removing the MDM profile), and Activation Lock management (preventing a stolen device from being reactivated with a different Apple ID without the management server's consent).

Apple Business Manager is the prerequisite for deploying supervised mode at scale. ABM requires registering the organization's Apple ID, enrolling the MDM server (Intune, Jamf, or another supported platform) in ABM, and purchasing or deploying devices through the ABM program. Devices purchased through Apple's channel or a registered Apple reseller are automatically assigned to ABM and can be enrolled in supervised mode before the device reaches the end user, which means the device is managed before the user ever touches it. This zero-touch enrollment model is the standard for corporate mobile device management and eliminates the dependency on users initiating enrollment.

For the most sensitive use cases, iOS also supports Declarative Device Management (DDM), introduced in iOS 15, which allows the MDM server to declare a desired configuration state that the device continuously enforces rather than requiring the server to push each configuration change. DDM reduces the management traffic overhead and improves configuration drift detection, ensuring that a device that gets out of compliance is detected and remediated faster.

Android Enterprise: Work Profile and Fully Managed Device

Android Enterprise is Google's enterprise mobility management framework that provides a standardized API layer for MDM solutions to manage Android devices. Before Android Enterprise, Android device management was fragmented across device manufacturers with inconsistent APIs and capabilities. Android Enterprise defines two primary management modes that correspond to different device ownership models: Work Profile for personally-owned devices and Fully Managed Device for corporate-owned devices.

Android Enterprise Work Profile creates a separate encrypted container on the device for all work-related apps and data. Apps installed in the work profile have a distinct badge indicator visible to the user. Data cannot flow from the work profile to personal apps: copying text from a work email into a personal messaging app, for example, is blocked by the work profile boundary. The MDM administrator manages only the work profile, with no visibility into or control over the personal profile on the same device. When an employee leaves the organization or requests to unenroll, the MDM administrator can selectively wipe only the work profile without affecting the personal profile. This is the Android equivalent of MAM-only enrollment and is the appropriate model for BYOD Android devices.

Fully Managed Device mode is used for corporate-owned Android devices where the organization manages the entire device. In this mode, there is no separate personal profile: the device is entirely managed by the MDM policy. The administrator can restrict which apps can be installed, prevent the user from changing device settings, enforce password policies, and maintain full control over the device configuration. Kiosk mode, a subset of Fully Managed Device, locks the device to a single application for dedicated-purpose deployments like retail terminals, warehouse scanners, or check-in kiosks.

The Android Enterprise Recommended program provides a certification for devices that meet Google's minimum hardware and software requirements for enterprise deployment, including guaranteed OS update timelines and specific security feature requirements. When selecting Android hardware for corporate deployment, using Android Enterprise Recommended devices ensures a baseline of management capability and security update commitment that consumer-grade Android hardware may not provide.

Microsoft Intune and Conditional Access Integration

Microsoft Intune is the most widely deployed MDM and MAM platform in enterprise environments that have standardized on Microsoft 365. Its value relative to specialized mobile-only MDM platforms comes from its native integration with Microsoft Entra ID Conditional Access, Microsoft Defender for Endpoint, and the Microsoft 365 compliance framework, which creates a unified endpoint management and access control architecture rather than a standalone mobile security silo.

Intune compliance policies define the requirements a device must meet to be considered compliant and eligible for access to protected resources. A compliance policy for iOS devices might require a minimum iOS version of 17.0, device passcode enforcement, no jailbreak detection, BitLocker or disk encryption enabled, and Microsoft Defender for Endpoint within a maximum threat level of Low. Devices that do not meet these requirements are marked non-compliant in Intune, which the Entra ID Conditional Access policy evaluates in real time when the user attempts to authenticate. A Conditional Access policy that requires a compliant device as a grant control will block authentication from a non-compliant device and redirect the user to the Company Portal with instructions for remediation.

Intune App Protection Policies implement the MAM-only enrollment model. An App Protection Policy applies to specific managed applications (Outlook, Teams, Word, Excel, and others in the Intune-managed app list) and enforces data handling restrictions within those apps: preventing copy/paste to unmanaged apps, requiring a PIN to open the managed app, preventing screenshots, and enabling selective wipe of the managed app data. App Protection Policies apply whether or not the device is enrolled in Intune, making them the enforcement mechanism for BYOD scenarios where users decline MDM enrollment but still need access to corporate email and collaboration tools.

The Conditional Access policy that enforces mobile security for Microsoft 365 resources should require either a compliant MDM-enrolled device or an Intune-protected app (for MAM-only enrollment) as a grant condition for all cloud app access from mobile platforms. This configuration ensures that users accessing corporate resources from mobile are either on a managed, compliant device or using a managed application that enforces data protection policies, without blocking access entirely for employees who use personal devices.

Jamf, Mobile Threat Defense, and the Lost Device Response

Jamf is the leading MDM platform for organizations that run predominantly Apple hardware. While Intune's strength is its integration with the Microsoft ecosystem, Jamf's strength is its depth of Apple platform support: Jamf Pro provides management capabilities for iOS, iPadOS, macOS, and tvOS from a single console, with support for Apple-specific features like Apple Business Manager integration, Volume Purchase Program app deployment, and Apple Silicon-specific management controls. Organizations with a significant Mac fleet often choose Jamf for unified Apple management even if they use Intune for Windows endpoints.

Jamf Now is the simplified tier of Jamf management targeting smaller organizations that need basic iOS and macOS management without the full complexity of Jamf Pro. It provides enrollment, configuration profile deployment, app installation, and remote wipe capability with a simpler interface and lower per-device cost. Organizations that need only basic mobile management for a small fleet and do not require the advanced compliance reporting, custom extension attributes, or Jamf Pro API integrations are well-served by Jamf Now.

Mobile Threat Defense (MTD) products extend MDM security with on-device behavioral analysis that detects threats MDM policies alone cannot prevent. Microsoft Defender for Endpoint's mobile capabilities provide app scanning, network protection against phishing and malicious URLs, and jailbreak detection for iOS and Android. Lookout and Zimperium offer standalone MTD products that integrate with both Intune and Jamf. The MTD agent on the device generates a device risk score that feeds into the Conditional Access compliance evaluation: a device that triggers an MTD alert for a malicious network connection or suspicious app installation can be automatically marked non-compliant, blocking access to corporate resources until the threat is resolved. For high-risk users such as executives, finance personnel, or anyone with access to particularly sensitive systems, MTD deployment adds a detection layer that complements the prevention-oriented MDM compliance policy.

The lost and stolen device response is where MDM investment has the most immediate, tangible impact. Remote wipe capability allows a lost device to be wiped to factory settings the next time it connects to the internet, preventing access to any corporate data stored locally on the device. Selective wipe removes only the managed app container or the MDM enrollment profile without performing a full factory reset, which is the appropriate response for a personally-owned BYOD device: preserving the employee's personal data while removing corporate access. Find My (iOS) and Find My Device (Android) provide location tracking for enrolled devices, which is relevant for device recovery but requires clear policy documentation regarding when and how the employer uses location data for enrolled personal devices. Pre-enrollment is the non-negotiable requirement: a device that was never enrolled in MDM cannot be remotely wiped after it is lost.

BYOD Privacy Considerations and Policy Framing

BYOD mobile security programs fail when the privacy implications for employees are not clearly defined and communicated before enrollment. Employees who do not understand what their employer can and cannot see on their enrolled personal device will either decline enrollment, enroll with reluctance and distrust, or unenroll as soon as they encounter any concern about privacy. A transparent privacy policy that accurately describes the scope of MDM visibility is both an ethical obligation and a practical requirement for program adoption.

With MAM-only enrollment using Intune App Protection Policies, the employer has no visibility into personal apps, personal data, photos, location, or device inventory outside the managed application container. The only data visible to the administrator is the managed application usage data and the compliance status signals (jailbreak detected, OS version, app PIN configured) that the managed app reports. This is the minimum-visibility model and is appropriate for most BYOD scenarios.

With full MDM enrollment of a personal device, the visibility scope expands. Depending on the MDM platform and enrollment type, the administrator may be able to see installed apps (names only, not content), device model and OS version, device serial number, storage capacity, battery level, and in some configurations, network connection information. The administrator typically cannot see personal photos, messages, email content, browser history, or location unless location services are specifically enabled and disclosed in the enrollment agreement. Android Enterprise Work Profile enrollment explicitly limits administrator visibility to the work profile only, with no access to personal profile data, even under full MDM enrollment.

The BYOD policy document that employees sign before enrollment should explicitly state: what data the organization can access, what data the organization cannot access, what actions the organization can take on the device (selective wipe vs. full wipe), and under what circumstances those actions would be taken. Legal review of the BYOD policy by employment counsel is important in jurisdictions with strong employee privacy laws, and the policy should be updated when the MDM platform's capabilities change.

The bottom line

Mobile device security is not primarily a technology problem. It is a policy and architecture problem that technology enforces. The technical controls available in iOS, Android Enterprise, Intune, and Jamf are sophisticated and effective, but they only reduce risk if the enrollment model matches the device ownership model, if the Conditional Access policies actually gate access on device compliance, and if employees understand and accept the controls applied to their devices. Build the policy framework first, select the right enrollment model for each device population, and use Conditional Access as the enforcement mechanism that ensures the policy applies regardless of which access path a user chooses.

Frequently asked questions

Can an MDM administrator see personal photos and messages on an enrolled BYOD device?

Generally no, though the answer depends on the MDM platform and enrollment type. With Intune App Protection Policy (MAM-only) enrollment, the administrator has no visibility into any personal data, only the compliance state of the managed application. With full MDM enrollment, the administrator can see device inventory information (apps installed, OS version, model) but not the content of personal messages, photos, or browsing history. Android Enterprise Work Profile explicitly restricts administrator visibility to the work profile container only. Document the specific visibility scope in your BYOD policy and have employees acknowledge it before enrollment.

What happens to corporate data on a personal device when an employee leaves the organization?

With MAM-only enrollment, the administrator performs a selective wipe that removes the managed application and its data container from the device, leaving all personal data intact. With full MDM enrollment, the administrator can perform a selective wipe of the MDM enrollment profile and all managed apps and data, or a full factory reset if the device is corporate-owned. The ability to perform selective wipe on personal devices makes the case for MAM-only enrollment over full MDM for BYOD: employees are more willing to enroll knowing that their personal data will not be affected by the offboarding wipe.

What is the minimum configuration for securing corporate email on personal mobile devices?

The minimum effective configuration for corporate email on personal devices is an Intune App Protection Policy applied to the Outlook mobile app, combined with a Conditional Access policy requiring an Intune-protected app for access to Exchange Online. The App Protection Policy enforces PIN to open, prevents copy/paste to unmanaged apps, blocks screenshots, and enables selective wipe of the Outlook data container. This configuration requires no device enrollment by the employee, respects personal device privacy, and protects corporate email data without requiring full MDM management of the personal device.

How do you handle mobile devices that are too old to receive OS security updates?

Devices running an end-of-life operating system version represent a permanent vulnerability because they cannot receive security patches. The appropriate response depends on device ownership: corporate-owned devices running unsupported OS versions should be replaced on a defined timeline. For personally-owned devices, a Conditional Access minimum OS version requirement blocks access to corporate resources from devices running outdated OS versions. Communicate the minimum OS version requirement to employees before enforcement, provide a grace period for voluntary updates, and be prepared for employees who cannot update their device to either request a corporate device or accept restricted access.

Should you deploy Mobile Threat Defense for all employees or only for high-risk users?

MTD deployment has a per-device cost that makes universal deployment a budget decision. For most organizations, a tiered approach is practical: deploy MTD for executives, finance personnel, legal teams, system administrators, and anyone with access to particularly sensitive systems or large volumes of regulated data. For the broader employee population, MDM compliance policies with OS version requirements, jailbreak detection, and Conditional Access enforcement provide a reasonable baseline without the MTD per-device cost. Revisit the coverage tier if a threat incident occurs involving mobile devices outside the current MTD scope.

Sources & references

  1. Apple Platform Security Guide
  2. Android Enterprise Security Whitepaper
  3. Microsoft Intune Documentation
  4. NIST SP 800-124: Guidelines for Managing Mobile Device Security
  5. Verizon Mobile Security Index

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.