BYOD vs Corporate Devices: MAM App Protection Patterns That Work
The proliferation of personal devices accessing corporate data is no longer an edge case; it is the default. Remote and hybrid working patterns mean that employees routinely access Microsoft 365 from personal iPhones, Android devices, and home laptops that the organisation does not own, cannot image, and has no legal right to fully manage. Mobile Application Management (MAM) without enrollment provides the solution: protecting corporate data within managed applications without touching the personal device or its private content.
MAM Without Enrollment: The Architecture
MAM without enrollment (sometimes called MAM-WE or app-level management) operates exclusively at the application layer. Intune does not enroll the device, does not gain device-level visibility, and cannot access personal apps, photos, or messages. Instead, Intune manages the corporate data within specific applications - Outlook, Teams, OneDrive, SharePoint, Edge, and other Intune-managed apps.
The management boundary is the app. Corporate data inside Outlook is encrypted and governed by Intune policy. Personal email accounts in the device's native mail app are completely untouched. This separation is legally critical under GDPR Article 5(1)(c) (data minimisation): the organisation should not process personal device data that is unnecessary for its legitimate purpose.
App Protection Policies for iOS and Android
Navigate to Microsoft Intune admin centre > Apps > App protection policies > Create policy and select the target platform.
Data transfer controls (the core of MAM):
These settings control how data moves between managed and unmanaged apps on the device:
- Send org data to other apps: "Policy managed apps" - this prevents users from copying corporate email text from Outlook and pasting it into WhatsApp, iMessage, or any unmanaged app. Data can only be shared with other Intune-managed apps.
- Receive data from other apps: "All apps" - users can paste content from personal apps into corporate apps (useful for pasting addresses or phone numbers into Outlook) but cannot extract data out.
- Restrict cut, copy, and paste between apps: "Policy managed apps with paste in" - the most common setting. Users can paste into managed apps but cannot copy out to unmanaged apps.
- Save copies of org data: "Block" - prevents saving corporate attachments to the device's local storage, personal iCloud, Google Drive, or other unmanaged cloud storage.
- Allow users to save copies to selected services: Configure exceptions for OneDrive for Business and SharePoint only.
Access requirements:
- PIN for access: Required, minimum 6 digits. This is an app-level PIN, separate from the device PIN. Even if the user's device has no screen lock, the corporate apps require authentication.
- PIN type: Numeric (or Passcode for higher security)
- Biometric instead of PIN: Allow (Face ID, Touch ID, fingerprint)
- PIN reset after (days): 365 (annual rotation)
- App PIN when device PIN is set: "Require" for high-security environments, "Not required" for better user experience in lower-risk scenarios
Conditional launch:
These settings determine what happens when the device or app state changes:
- Offline grace period: 720 minutes (12 hours). If the device cannot contact Intune for 12 hours, block access. This ensures that a stolen device cannot access corporate data offline indefinitely.
- Jailbroken/rooted devices: Block access. This is critical - jailbroken devices cannot provide the app-level isolation that MAM depends on.
- Min OS version: Set to current minus one major version. Older OS versions may have unpatched vulnerabilities in the app container.
- Max allowed device threat level: If integrated with Microsoft Defender for Endpoint (mobile threat defence), block access when the threat level exceeds "Secured".
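The settings above, expressed as Microsoft Graph request bodies built from one shared table so iOS and Android receive identical data-protection rules. This is an added example, not the article's or Microsoft's code; the Graph property names and enum values follow the managedAppProtection resource as I recall it and should be verified against the current Graph reference, and the minimum OS versions are hypothetical.

```python
"""Build Graph managedAppProtection request bodies for iOS and Android from one
shared settings table, so both platforms get identical data-protection rules."""
import copy

# Shared MAM settings, constructed from the values discussed above. Property names
# and enum values follow the Graph managedAppProtection resource as I recall it;
# verify them against the current Graph reference before posting.
SHARED_SETTINGS = {
    # Data transfer controls
    "allowedOutboundDataTransferDestinations": "managedApps",  # send org data: policy managed apps
    "allowedInboundDataTransferSources": "allApps",            # receive data: all apps
    "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
    "saveAsBlocked": True,                                      # save copies of org data: block
    "allowedDataStorageLocations": ["oneDriveForBusiness", "sharePoint"],
    # Access requirements
    "pinRequired": True,
    "minimumPinLength": 6,
    "pinCharacterSet": "numeric",
    "fingerprintBlocked": False,                                # biometric instead of PIN: allow
    "periodBeforePinReset": "P365D",                            # ISO 8601 duration: 365 days
    "disableAppPinIfDevicePinIsSet": False,                     # app PIN required even with device PIN
    # Conditional launch
    "periodOfflineBeforeAccessCheck": "PT720M",                 # 720-minute offline grace period
    "deviceComplianceRequired": True,                           # block jailbroken/rooted devices
    "maximumAllowedDeviceThreatLevel": "secured",               # needs Defender for Endpoint MTD
}

ODATA_TYPE = {
    "ios": "#microsoft.graph.iosManagedAppProtection",
    "android": "#microsoft.graph.androidManagedAppProtection",
}

# Hypothetical "current minus one major version" floors; adjust to your estate.
MIN_OS_VERSION = {"ios": "17.0", "android": "14.0"}

def build_policy(platform: str, display_name: str) -> dict:
    """Return the body for POST /deviceAppManagement/{platform}ManagedAppProtections."""
    if platform not in ODATA_TYPE:
        raise ValueError(f"unsupported platform: {platform}")
    body = copy.deepcopy(SHARED_SETTINGS)
    body["@odata.type"] = ODATA_TYPE[platform]
    body["displayName"] = display_name
    body["minimumRequiredOsVersion"] = MIN_OS_VERSION[platform]
    return body

def data_protection_drift(a: dict, b: dict) -> list:
    """Names of shared settings whose values differ between two policy bodies."""
    return sorted(k for k in SHARED_SETTINGS if a.get(k) != b.get(k))
```

Run data_protection_drift over the iOS and Android bodies before posting them; a non-empty list is a cross-platform gap that will become the path of least resistance for data leakage.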
Selective Wipe
One of MAM's most powerful capabilities is selective wipe: the ability to remove all corporate data from managed apps without affecting personal data. It is invoked in two scenarios:
Manual wipe (employee departure): Navigate to Intune > Apps > App selective wipe > Create wipe request. Select the user and the device. Intune will remove all corporate data from managed apps on that device - Outlook cache, Teams data, OneDrive files, SharePoint cached content - while leaving personal photos, messages, and apps completely intact.
Automatic wipe (policy violation): Configure the conditional launch settings to wipe app data automatically when conditions are violated. For example, if the device is jailbroken, the corporate data can be wiped without human intervention. Similarly, if the offline grace period is exceeded (suggesting a lost device), automatic wipe triggers.
Wipe delay and notification: Configure a grace period before wipe to allow users to remediate. For example, if the OS version falls below the minimum, send a warning and give 7 days to update before wiping corporate data.
When to Use MAM vs MDM
The decision framework is straightforward:
Use MAM without enrollment when:
- The device is personally owned (BYOD)
- The organisation has no legal basis to manage the full device
- Users need access to email, Teams, and documents on personal mobile devices
- GDPR or privacy regulations restrict employer visibility into personal devices
- The organisation wants to deploy quickly without device enrollment friction
Use MDM (full enrollment) when:
- The device is corporate-owned
- The organisation needs to manage device settings (Wi-Fi profiles, VPN, certificates)
- Full disk encryption enforcement is required (BitLocker, FileVault)
- Application deployment and updates need to be centrally managed
- The device accesses highly sensitive data (financial systems, patient records)
Use both (MDM + MAM) when:
- Corporate devices need both device-level management and app-level data protection
- Defence in depth is required - even if a corporate device is compromised, app-level encryption provides a second boundary
- Regulatory requirements demand both device compliance and application-level data loss prevention
Common Pitfalls
Pitfall 1: Not targeting all necessary apps. If you protect Outlook and Teams but not Edge, users can access SharePoint via the browser and download files to unmanaged storage. Include Microsoft Edge in your app protection policy and configure it as the managed browser.
Pitfall 2: Inconsistent policies across platforms. Create identical policies for iOS and Android. A gap on one platform becomes the path of least resistance for data leakage.
Pitfall 3: Ignoring the Company Portal app. While MAM without enrollment does not require device enrollment, users must have the Company Portal app installed (iOS) or the Intune app installed (Android) for policy delivery. Communicate this requirement clearly during onboarding.
Pitfall 4: Forgetting about Windows BYOD. MAM for Windows (via Windows MAM, previewed in 2024) is now available for Edge-based access to M365 web apps. Configure app protection policies for the Windows platform to extend MAM to personal laptops accessing M365 via the browser.
MAM without enrollment is not a compromise; it is the architecturally correct approach for personal devices. It respects the privacy boundary that GDPR demands, provides the data protection that compliance requires, and delivers the user experience that adoption depends on.