Mobile Device Management - Can my employer see my data?

By Chris Dawson

Protecting your organisation’s data is as important as ever, and that protection begins with the devices that use and store that data. No matter the device and who owns it, ensuring company data remains secure is becoming increasingly difficult as the world of hybrid working takes hold. As flexibility works its way across our workforces, the scope of devices in use is changing, and now more than ever, we are seeing more people carry out some degree of their work from a mobile phone.

Whilst this is nothing new, the challenges it presents are greater than ever before. Whereas once the ‘work phone’ reigned supreme, an increased use in Bring-Your-Own-Device (BYOD) has seen push back on typical Mobile Device Management (MDM), with many employees not wanting to enrol their personal device into such a solution. Trust plays an important part in this, both from an employee, as well as an employer perspective. Many employees lack trust in their organisation’s MDM solution, with various worries related to privacy and control over their personal items. From the employer’s point of view, there needs to be a level of control over organisational data, no matter the device. 

This presents a challenge; does an organisation block access from non-enrolled, BYOD devices? If an organisation decides to allow personal mobile devices, how can they protect the data that could potentially sit on them? 

Mobile Application Management 

This is where MAM comes in. Otherwise known as Mobile Application Management, MAM only manages business data within a managed application. This is opposed to MDM, where the entire device is enrolled and can be managed by an organisation. Thanks to the use of a broker app, this method is lightweight and requires no device enrolment on the employee’s part. This makes using personal devices far more palatable to the employee, as the organisation can only see and control the data within specific business apps.  

Whilst there are several interpretations of MAM, Microsoft’s version is delivered via Microsoft Endpoint Manager (Intune), in the form of App Protection policies. These policies segregate business data into a separate container, meaning policies do not affect personal data. MAM can be deployed to both enrolled and unenrolled devices, with the latter being known as MAM-WE, or MAM without enrolment. 

For example, if you used Microsoft Outlook as your main email app, then only your work email account would be subject to app protection policies. Any access controls, data protection and even data wipes only apply to your work data. This separation between personal and corporate data, along with the ability to deploy to Android, iOS & Windows, makes MAM-WE perfect for BYOD situations. 

BYOD Controls 

App protection policies provide a variety of controls, covering items such as: 

  • Data protection
  • This includes data leakage, encryption settings and backups
  • Access requirements
  • Set access controls such as pin requirements and minutes of inactivity
  • Conditional launch
  • Prevent access to work data via specific conditions, such as blocking jailbroken/rooted devices

Providing comprehensive controls, these policies give organisations the confidence that their data is protected to their satisfaction, even when it may not sit on an enrolled device.  

For an app to be protected, it must first be integrated with the Intune SDK (Software Development Kit) or wrapped by the Intune App Wrapping Tool. A full list of such apps can be found here: Supported Microsoft Intune apps | Microsoft Docs  

Whilst this limits the number of apps that can be managed, Conditional Access policies can be leveraged to ensure that employees are only allowed to access work data from specific apps, such as Microsoft Outlook in place of Apple Mail. Conditional Access can also be used to enforce app protection policies, providing scalability and flexibility to ensure that the relevant apps are always covered. 

With Microsoft Endpoint Manager being included within the Microsoft 365 licensing model, it may well be that your organisation can already deploy MAM. Whereas once protecting corporate data on personal devices was a challenge from both an employee and employer perspective, MAM works to make life easier on both fronts by working to provide trust to both parties. 

Learn more about MAM

If you would like to learn more about Microsoft’s MAM solution and how it could potentially work for your organisation, please email our team at or visit our website. 

Alternatively, many of customers attend our Microsoft Cloud Accelerator Program (MCAP) workshops that help businesses fully understand Microsoft solutions, and even help with achieving stakeholder buy-in. Existing Microsoft customers may be eligible for Microsoft funded workshops. You can browse our workshops here. 

subscribe to our blog 2

Sign Up for our Blog

We promise that we won't SPAM you.