Managing BYOD Devices in an M365 Business Premium Environment

Effectively managing Bring Your Own Devices (BYOD) is crucial for organizations to balance flexibility with the security of company data. Microsoft 365 Business Premium provides a robust suite of tools, primarily through Microsoft Intune, to achieve this. The recommended approach focuses on Mobile Application Management (MAM) to protect corporate data at the application level without fully managing the user’s personal device, supplemented by Mobile Device Management (MDM) for certain scenarios and Conditional Access policies for granular control.

Here’s a comprehensive guide:

Recommended Approach: Prioritize App-Level Protection (MAM) for BYOD

For most BYOD scenarios, the least intrusive and generally recommended approach is to use Intune App Protection Policies (APP), also known as Mobile Application Management (MAM). This allows employees to use their personal devices to access company data within approved applications while ensuring that the data is protected.

Key Benefits of MAM for BYOD:

• Data Protection: Corporate data is protected within managed apps (e.g., Outlook, Teams, OneDrive) regardless of the device’s management state.
• User Privacy: Personal data and apps on the device remain separate and untouched by IT.
• Flexibility: Users prefer this less intrusive approach on their personal devices.
• Security: Prevents data leakage through copy/paste restrictions, mandating PINs for app access, and enabling remote wipe of corporate data from apps.

Core Components of the BYOD Strategy:

1. Microsoft Entra ID (formerly Azure AD) for Identity and Access Management:

   • Ensure all users have M365 Business Premium licenses assigned.
   • Utilize Entra ID groups to target policies effectively (e.g., “BYOD Users”).
   • Enforce Multi-Factor Authentication (MFA) for all users.

2. Intune App Protection Policies (APP/MAM):

   • Protect corporate data within specific applications on iOS, Android, and Windows devices.

3. Intune Device Compliance Policies (Optional MDM for specific needs):

   • If users need to access resources that require full device management or if your organization has stricter compliance requirements, you can offer device enrollment (MDM). Clearly communicate the implications of device enrollment to users.
   • For BYOD, enrollment is typically voluntary.

4. Conditional Access Policies:

   • Enforce access controls based on user identity, location, device health (if enrolled), and application.
   • Key for ensuring only approved apps and compliant configurations can access M365 services.

5. Data Loss Prevention (DLP) Policies:

   • Further protect sensitive information by defining policies that prevent data from being inappropriately shared or moved.

Step-by-Step Configuration Guide:

Phase 1: Initial Setup and Prerequisites

1. Ensure Licensing: Verify all users intended for BYOD access have Microsoft 365 Business Premium licenses assigned in the Microsoft 365 admin center.
2. Configure MDM Authority (if not already set):
   • In the Microsoft Intune admin center (intune.microsoft.com), navigate to Tenant administration > Tenant status.
   • Ensure the MDM authority is set to Microsoft Intune. If not, you’ll need to set it (this is a one-time setup).
3. Prepare User Groups:
   • In the Microsoft Entra admin center (entra.microsoft.com) or Microsoft 365 admin center, create user groups for policy assignments. For example, a group named “BYOD-Users” for users who will be using personal devices.

Phase 2: Configure Intune App Protection Policies (MAM)

These policies apply to applications, not the entire device, making them ideal for BYOD.

1. Navigate to App Protection Policies:
   • In the Microsoft Intune admin center, go to Apps > App protection policies.
2. Create a New Policy:
   • Click + Create policy and select the platform (iOS/iPadOS, Android, or Windows). It’s recommended to create separate policies for each platform for tailored settings.
3. Basics:
   • Name: Give your policy a descriptive name (e.g., “BYOD iOS App Protection”).
   • Description: (Optional) Add a description.
   • Click Next.
4. Apps:
   • Target policy to:
     • All public apps: Targets all Intune-aware public store apps.
     • Selected apps: Allows you to choose specific apps (recommended for control). Select key M365 apps like Outlook, OneDrive, SharePoint, Teams, Word, Excel, PowerPoint, and Microsoft Edge.
     • You can also add custom line-of-business (LOB) apps if they are integrated with the Intune SDK or wrapped.
   • Click Next.
5. Data Protection: This is a critical section for BYOD.
   
   • Send org data to other apps:
     • Policy managed apps: Recommended. This restricts data sharing (like copy/paste) to other apps also managed by an App Protection Policy.
     • All apps: Less secure, allows data transfer to any app.
     • No apps: Most restrictive.
   • Receive data from other apps:
     • Policy managed apps: Recommended.
   • Save copies of org data:
     • Allow: If you want users to be able to save corporate data to local storage or other locations.
     • Block: Recommended for BYOD to prevent corporate data from being saved to unmanaged personal storage. If blocked, ensure users can save to approved corporate locations like OneDrive or SharePoint.
   • Restrict cut, copy, and paste between other apps:
     • Policy managed apps with paste in: Recommended. Allows copy/paste within policy-managed apps and allows pasting into managed apps from unmanaged apps but not the other way around for sensitive data.
     • Blocked: Most restrictive.
   • Screen capture and Google Assistant (Android) / Siri (iOS):
     • Block: Recommended to prevent data leakage via screenshots or voice assistants. Note that recent Intune SDK updates might enable blocking screen capture by default under certain conditions.
   • Encrypt org data: Require.
   • Sync policy managed app data with native apps or add-ins: Block or Allow based on your security posture. Blocking prevents potential data leakage to unmanaged native contact or calendar apps.
   • Printing org data: Block unless there’s a strong business need.
   • Restrict web content transfer with other apps: Configure which browsers are allowed to open web links from managed apps. It’s best to require links to open in a managed browser like Microsoft Edge.
   • Org data notifications: Choose how much information is shown in notifications. Block org data is the most secure.
   • Click Next.
6. Access Requirements:
   • PIN for access: Require. Set PIN requirements (e.g., type, length, simple PIN, fingerprint/face ID).
   • Work or school account credentials for access: Can be required instead of or in addition to a PIN after a certain period of inactivity.
   • Recheck the access requirements after (minutes of inactivity): Define a timeout.
   • Conditional Launch:
     • Offline grace period: Define how long apps can run offline before requiring re-authentication.
     • Max PIN attempts: Set the number of attempts before an app reset or corporate data wipe.
     • Min app version: Specify minimum versions for apps to ensure security updates.
     • Disabled account: Action to take if the user account is disabled.
     • Jailbroken or rooted devices: Block access or Wipe data. Recommended to block.
     • Min OS version: Set minimum OS requirements.
     • Device model(s) (Android only): Can restrict specific device models if needed.
     • SafetyNet device attestation (Android): Required. Helps ensure the device integrity.
     • Require device lock (iOS): Ensure the device itself has a passcode.
   • Click Next.
7. Assignments:
   • Click + Add groups and select the “BYOD-Users” group (or other appropriate groups) you created earlier.
   • Click Next.
8. Review + create:
   • Review your settings and click Create.

Repeat these steps for each platform (Android, iOS/iPadOS, Windows). For Windows, App Protection Policies primarily apply to Microsoft Edge and other enlightened apps.

Phase 3: Configure Conditional Access Policies

Conditional Access policies act as a gatekeeper, ensuring specific conditions are met before granting access to M365 resources.

1. Navigate to Conditional Access:
   • In the Microsoft Intune admin center, go to Endpoint security > Conditional Access. This will redirect you to the Microsoft Entra admin center. Alternatively, go directly to entra.microsoft.com > Protection > Conditional Access.
2. Create a New Policy:
   • Click + Create new policy.
3. Name: Give your policy a descriptive name (e.g., “BYOD – Require Approved App and App Protection”).
4. Assignments:
   • Users:
     • Include: Select your “BYOD-Users” group.
     • Exclude: (Optional) Exclude emergency access accounts or specific service accounts.
   • Target resources (Cloud apps or actions):
     • Select Cloud apps.
     • Include: Choose All cloud apps (most comprehensive, but be careful not to lock yourself out – exclude your admin account during testing or use the “What If” tool). Alternatively, select specific apps like Office 365 Exchange Online, Office 365 SharePoint Online, Microsoft Teams, etc.
   • Conditions:
     • Device platforms:
       • Configure: Yes.
       • Include: Android and iOS. (And Windows if you have Windows BYOD).
     • Client apps:
       • Configure: Yes.
       • Select: Mobile apps and desktop clients and Browser. (Consider if you need to differentiate policies for browser access vs. app access).
5. Access controls:
   • Grant:
     • Select Grant access.
     • Require approved client app: This ensures users are using apps that can be managed by Intune (e.g., Outlook mobile instead of native mail apps).
     • Require app protection policy: This is crucial. It ensures that the App Protection Policies you configured are applied to the app before access is granted.
     • For multiple controls: Select Require all the selected controls.
     • (Optional but Recommended for stronger security) Require multi-factor authentication: If not already enforced globally, this adds another layer of security.
     • (Optional, for enrolled devices) Require device to be marked as compliant: If you are also implementing device compliance policies for enrolled BYOD devices.
6. Enable policy:
   • Set to Report-only initially to test the impact.
   • Once satisfied, change to On.
7. Click Create.

Common Conditional Access Policies for BYOD:

• Require MFA for all users accessing cloud apps. (A foundational policy)
• Require approved client app and app protection policy for mobile access to M365. (As detailed above)
• Block access from unsupported/non-compliant device platforms.
• Limit session controls for unmanaged devices (e.g., block downloads using Microsoft Defender for Cloud Apps integration, though this requires additional licensing/configuration).

Phase 4: (Optional) Configure Device Enrollment and Compliance Policies (MDM for BYOD)

If you decide to support or require device enrollment for certain BYOD users or scenarios:

1. Configure Enrollment Restrictions:
   • In the Intune admin center, go to Devices > Enroll devices > Enrollment device platform restrictions.
   • Create restrictions to allow or block personally owned devices for specific platforms (iOS/iPadOS, Android, Windows, macOS). For BYOD, you’d typically allow personally owned devices for the platforms you support.
2. Create Device Compliance Policies:
   • Go to Devices > Compliance policies.
   • Click + Create policy. Select the platform.
   • Name: e.g., “BYOD iOS Device Compliance”.
   • Settings: Configure requirements such as:
     
     • Minimum/Maximum OS version.
     • Device passcode/PIN.
     • Device encryption (usually enabled by default on modern devices).
     • Jailbroken/rooted device detection (mark as non-compliant).
     • Microsoft Defender for Endpoint risk level (if integrated).
   • Actions for noncompliance:
     • Mark device noncompliant: Immediately or after a grace period.
     • Send email to end user: Notify them of non-compliance and how to remediate.
   • Assignments: Assign to your “BYOD-Users” group or a group specific to enrolled BYOD devices.
3. Communicate Enrollment Process to Users:
   • Users typically enroll via the Intune Company Portal app, which they can download from their respective app stores.
   • Provide clear instructions on how to enroll and the implications (what IT can and cannot see/do on their device).
   • Windows BYOD Enrollment: Users can go to Settings > Accounts > Access work or school > Connect.
   • Android BYOD Enrollment: Typically uses Android Enterprise personally owned work profiles, which separates work and personal data at the OS level.
   • iOS/iPadOS BYOD Enrollment: Uses standard Apple MDM enrollment.

Phase 5: Configure Data Loss Prevention (DLP) (Optional but Recommended)

Microsoft Purview Data Loss Prevention can help prevent leakage of sensitive information.

1. Navigate to Microsoft Purview:
   • Access the Microsoft Purview compliance portal (https://www.google.com/search?q=compliance.microsoft.com).
2. Data Loss Prevention:
   • Go to Data loss prevention > Policies.
   • Click + Create policy.
   • Use a template (e.g., for PII, financial data) or create a custom policy.
   • Name your policy.
   • Locations: Choose where the policy applies (e.g., Exchange email, SharePoint sites, OneDrive accounts, Teams chat and channel messages, Devices). For “Devices,” this applies to Windows endpoints with Purview DLP enabled.
   • Policy settings:
     • Define conditions (e.g., content contains sensitive info types like credit card numbers, social security numbers).
     • Define actions (e.g., restrict access, block sharing, show policy tips to users, send alerts to admins).
   • User notifications and overrides: Configure how users are informed and if they can override the policy with justification.
   • Incident reports: Set up alerts and reporting.
   • Test it out first or Turn it on right away.
   • Assign the policy.

DLP for BYOD scenarios often relies heavily on protecting data within the M365 services and through App Protection Policies. Endpoint DLP for Windows devices provides more direct control on the device itself.

Phase 6: User Communication and Training

• Clearly communicate your BYOD policy to users.
• Explain what data is being managed/protected and what remains private.
• Provide instructions on how to install managed apps (like Outlook, Teams) and access corporate resources.
• If offering device enrollment, explain the benefits and implications.
• Train users on best practices for data security on their personal devices.

Phase 7: Monitoring and Maintenance

• Monitor App Protection Policy status: In Intune, go to Apps > Monitor > App protection status.
• Monitor Device Compliance: In Intune, go to Devices > Monitor > Device compliance status.
• Review Conditional Access policy reports: Check sign-in logs in Entra ID to see how policies are being applied.
• Review DLP alerts and reports in Microsoft Purview.
• Keep policies updated as M365 features evolve and your security requirements change.
• Regularly review user access and group memberships.

Important Considerations for M365 Business Premium:

• Simplified Admin Console vs. Full Intune Console: M365 Business Premium offers a simplified admin experience. For more advanced Intune configurations, you might need to access the full Microsoft Intune admin center (intune.microsoft.com).
• Microsoft Defender for Business: Included with M365 Business Premium, it provides endpoint security for devices, including those enrolled in Intune. This enhances protection against malware and other threats.
• Windows Information Protection (WIP) was deprecated: The modern approach for data protection on Windows is through Intune App Protection Policies (especially for Edge) and Microsoft Purview DLP.

By implementing this layered approach, focusing on App Protection Policies for broad BYOD adoption and supplementing with Conditional Access and optional device enrollment/compliance, organizations using M365 Business Premium can effectively secure corporate data while providing users with the flexibility of using their personal devices.