Earlier, we discussed the pros and cons of having personal devices enrolled in MDM and the best practices to avoid any possible data leakage. In this post, I will help you with configuring your Intune tenant to allow enrollment of personal devices and will also make it an automated process.
We all know that there are multiple options available in Intune for enrolling and managing Android devices, but for this post, I will stick to “Personally-Owned Devices with Work Profile“.
Personally-owned devices with work profiles are used to manage corporate data and apps on user-owned “personal” Android devices. By default, enrollment of personally-owned work profile devices is enabled, and no specific configuration is required. However, I personally believe that if you do not have all security measures like MAM, Zero-Trust and MFA, then it should be allowed in a controlled way.
Sometimes Restrictions Are Helpful
Don’t use the Bing-Bang approach if you are planning for the BYOD rollout or starting with it. Thankfully, Microsoft allows you to restrict enrollment based on device attributes. When restrictions are applied, users on restricted devices are blocked from enrolling their devices in Microsoft Intune.
For BYOD, you need to use “Device platform restrictions” to allow or block devices based on platforms, versions, and management types.
You can apply this restriction to devices running:
- Android device administrator
- Android Enterprise work profile
- Windows 10/11
You can further enforce restrictions based on these platforms’ maximum/minimum OS versions. To configure the device platform restriction policy, log in to your Microsoft Endpoint Manager admin center and navigate to Devices > Enroll devices > Enrollment device platform restrictions and select the required platform and then Create restriction.
Provide the name and description of the restriction.
Configure the restrictions for the selected platform based on the requirement:
Similarly, the restrictions can be configured for the iOS family also:
The next layer of security is conditional access.
If you are not using Multi-Factor Authentication, make a U-Turn; configure and enable it before proceeding further.!
As MAM is the recommended approach with BYOD for securing corporate data on personal devices without Conditional Access, the corporate data remains vulnerable on users’ personal devices.
Conditional Access is a gatekeeper that checks for user identity, location, and device health and can allow or deny access based on conditions configured.
Configure device compliance policies to ensure the device meets your configuration and security requirements. The compliance policy evaluation will determine the device’s compliance status, which will be reported to Intune and Azure AD. Based on the CA & compliance policy evaluation, the device will be allowed or blocked access to your corporate data/resources.
Mobile Application Management
The next layer for securing your corporate data on personal devices is – MAM. MAM allows you to manage and protect your organization’s data within an application. Many public store apps, such as the Microsoft Office apps, can be managed by Intune MAM.
There are two scenarios for which MAM can be used:
- Managed devices (MDM) – devices that are enrolled and managed through Intune
- Un-enrolled devices – devices that are not enrolled in Intune
The app management capabilities are well documented in MS Docs.
With Intune, different app configuration policy channels are:
- Managed Devices – The entire device is managed by Intune
- Managed Apps – For the app that has either integrated the Intune App SDK or has been wrapped using the Intune Wrapping Tool and supports App Protection Policies (APP).
To protect corporate data in your LoB apps with MAM policies, you must wrap them. I have written a post on wrapping the app. Pull up the article and wrap up your app.
Now, the app protection policies can differ based on your requirement. This is what I have configured in my tenant:
Make sure you force encryption and restrict web content transfer with Edge as managed browser.
If you can push & enforce Microsoft Defender for Endpoint, combining it with CA, it will give you full-proof security.
Scope of Automation
By now, everything is configured, and you are ready to roll out BYOD. If your organization doesn’t allow everyone to enrol their personal devices in Intune, you can automate the entire process.
It ensures no scope for human errors and automates the enrollment
You have multiple options to automate your BYOD rollout using the following:
The flow could be somewhat like this:
You simply need to create a form where users requests to enrol their personal devices.
In the next post, I will share the enrollment guides for Android & iOS and discuss “User Enrollment” and “Device Enrollment” features for iOS devices. Do share your feedback & suggestions.