BYOD on Microsoft 365: Letting Staff Use Personal Devices Without Losing Control
Updated 22 April 2026
"Can I just put my work email on my phone?"
Eight words that start more data-governance conversations than any other. Bring Your Own Device is a reality in every SME we work with: people want email, Teams, and OneDrive on the phone that's already in their pocket. Saying "absolutely not" is rarely realistic. Saying "yes, knock yourself out" is a breach waiting to happen.
The right answer sits in the middle, and Microsoft 365 has the tools for it. Here's the practical setup.
What BYOD actually risks
A personal device accessing work data becomes a problem when:
- It's lost or stolen, and you can't remotely wipe it without nuking personal photos too
- The employee leaves, and you have no clean way to remove corporate data
- It's infected: malware on the personal side reaches into work email or SharePoint
- Data gets copied out: work email dragged into a personal Gmail, attachments saved to iCloud Drive
- It's shared at home: a partner, a child, anyone borrowing the laptop gets incidental access
You can't stop staff having personal devices. What you can do is stop those personal devices being a route out for corporate data.
Two levels of control, pick the right one
Microsoft 365 offers two different approaches:
Level 1: Mobile Application Management (MAM)
Also called "App Protection Policies." The business doesn't manage the device; it manages the app.
- You don't own the phone
- You don't know their screen lock PIN
- You can't see their Safari history or photo library
- But you can enforce rules inside Outlook, Teams, OneDrive, Word, Excel etc.
Policies you can push into those apps:
- Require a PIN to open the app
- Require device encryption before the app will load
- Block copy-paste from the app into personal apps
- Block saving attachments to iCloud / Google Drive
- Require the app data to be encrypted at rest
- Wipe the app data on demand (without touching personal data)
This is the right default for phones. Staff get their apps working quickly, the business keeps control of corporate data inside those apps, and nobody has to "hand their phone over to IT."
Level 2: Mobile Device Management (MDM)
Full device enrolment via Intune. The device is enrolled in your tenant, compliance policies apply, the business sees device inventory and state.
- You can require disk encryption
- Block jailbroken / rooted devices
- Push Wi-Fi configs and certificates
- Wipe the whole device
More power, but more invasive. Staff often resist enrolling personal phones into MDM, understandably, because it means IT can wipe the whole phone, family photos included, if the employee leaves on bad terms. Save MDM for corporate-owned laptops and the edge cases (senior users who genuinely want full protection).
Rule of thumb: corporate laptops and phones → MDM. Personal phones and personal laptops → MAM. That's the pattern that works for 90% of SMEs.
What a MAM policy actually looks like
An app protection policy for iOS or Android typically includes:
- Data transfer: restrict cut/copy/paste between managed and unmanaged apps. Managed apps can share data with each other, but nothing leaves.
- Save as: disable saving work files to unmanaged destinations (iCloud, Dropbox, local photos).
- Printing: optionally disable printing corporate data.
- PIN: require a 6-digit PIN to open the app, prompted again after 30 minutes of inactivity.
- Encryption: require app data encryption (default on iOS, explicit on some Android devices).
- Jailbreak / root detection: block the app from working on compromised devices.
- Offline grace period: if the device can't reach M365 for 30 days, the app wipes its data automatically.
- App version enforcement: users must be on a supported version of Outlook or Teams.
Set it once, applied to every user. They see nothing except a prompt for the app PIN the first time.
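The policy above, expressed as an iOS app protection policy created through Microsoft Graph. This is an added example, not the article's own script: it assumes the Microsoft.Graph PowerShell SDK, an account holding DeviceManagementApps.ReadWrite.All, and a placeholder policy name; Android uses the same shape against /androidManagedAppProtections with encryptAppData = $true in place of appDataEncryptionType.

```powershell
# Added example: create the BYOD iOS app protection policy via Microsoft Graph.
# Assumes Microsoft.Graph SDK + DeviceManagementApps.ReadWrite.All (not the article's code).
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"
$base = "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections"

$policy = @{
    displayName                             = "BYOD - iOS app protection"   # placeholder name
    description                             = "Personal iPhones/iPads: corporate data stays inside managed apps"
    # Data transfer: managed apps may share with each other, nothing leaves them
    allowedInboundDataTransferSources       = "managedApps"
    allowedOutboundDataTransferDestinations = "managedApps"
    allowedOutboundClipboardSharingLevel    = "managedAppsWithPasteIn"
    # Save as: no iCloud / Dropbox / local photos; only corporate storage
    saveAsBlocked                           = $true
    allowedDataStorageLocations             = @("oneDriveForBusiness", "sharePoint")
    dataBackupBlocked                       = $true
    # Printing
    printBlocked                            = $true
    # PIN: 6 digits, no simple patterns, re-checked after 30 minutes of inactivity
    pinRequired                             = $true
    pinCharacterSet                         = "numeric"
    minimumPinLength                        = 6
    simplePinBlocked                        = $true
    maximumPinRetries                       = 5
    periodOnlineBeforeAccessCheck           = "PT30M"
    periodOfflineBeforeAccessCheck          = "PT12H"
    # Encryption at rest for app data
    appDataEncryptionType                   = "whenDeviceLocked"
    # Jailbreak / root detection: refuse to run on a compromised device
    deviceComplianceRequired                = $true
    # Offline grace period: wipe app data after 30 days without contact
    periodOfflineBeforeWipeIsEnforced       = "P30D"
}
$created = Invoke-MgGraphRequest -Method POST -Uri $base -Body $policy
$id = $created.id

# Target Outlook, Teams and OneDrive by bundle id, then assign to all licensed users.
# Minimum app versions are set per targeted app afterwards (minimumRequiredAppVersion).
$iosApp = "#microsoft.graph.iosMobileAppIdentifier"
$apps = @{ apps = @(
    @{ mobileAppIdentifier = @{ "@odata.type" = $iosApp; bundleId = "com.microsoft.Office.Outlook" } },
    @{ mobileAppIdentifier = @{ "@odata.type" = $iosApp; bundleId = "com.microsoft.skype.teams" } },
    @{ mobileAppIdentifier = @{ "@odata.type" = $iosApp; bundleId = "com.microsoft.skydrive" } }
) }
Invoke-MgGraphRequest -Method POST -Uri "$base/$id/targetApps" -Body $apps
$assign = @{ assignments = @(@{ target = @{ "@odata.type" = "#microsoft.graph.allLicensedUsersAssignmentTarget" } }) }
Invoke-MgGraphRequest -Method POST -Uri "$base/$id/assign" -Body $assign
```

Check the result in the Intune admin centre under Apps > App protection policies before relying on it; the Conditional Access policy that requires it is a separate object.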
Conditional Access: the backstop
MAM policies work with Entra ID Conditional Access to enforce a simple rule: no app protection policy, no access.
A useful starting Conditional Access policy for BYOD:
- Users: All users (with a break-glass admin exclusion)
- Cloud apps: Office 365 (Exchange Online, SharePoint, OneDrive, Teams)
- Device platforms: iOS, Android
- Client apps: Mobile apps and desktop clients
- Grant: Require app protection policy
Now anyone signing into work email on their personal phone is forced to use a managed version of Outlook or Teams with the app protection policy applied. The native Mail app on iOS? Blocked: it doesn't support app protection policies, so it can't be trusted with corporate data.
This is the single most important BYOD control you can set. It stops the most common leak route: the built-in iOS Mail app quietly syncing work email to a device you have no control over.
BYOD laptops: the tricky one
Phones are straightforward. Personal laptops are harder because they're genuinely more capable. A few patterns that work:
Option A: Web-only access
Block native desktop apps on unmanaged devices. Staff can use Outlook on the web, Teams on the web, and OneDrive on the web. No local data, nothing cached. Conditional Access policy:
- Device platform: Windows, macOS
- Client apps: Desktop apps
- Device state: not compliant (not Intune-enrolled)
- Grant: Block
Clunky but safe. Good for occasional use; not great as a long-term arrangement.
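Both the phone policy from "Conditional Access: the backstop" and the Option A laptop policy above, created through Microsoft Graph in report-only mode so you can read the sign-in logs before enforcing. This is an added example, not the article's script: it assumes the Microsoft.Graph PowerShell SDK, Policy.ReadWrite.ConditionalAccess and Application.Read.All, and a placeholder object id for the break-glass admin.

```powershell
# Added example: the two BYOD Conditional Access policies via Microsoft Graph (not the article's code).
# Assumes Microsoft.Graph SDK with Policy.ReadWrite.ConditionalAccess + Application.Read.All.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"
$uri = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
$breakGlassId = "00000000-0000-0000-0000-000000000000"   # placeholder: emergency admin object id

# Policy 1: personal phones must use an app carrying an app protection policy.
# "compliantApplication" is the "Require app protection policy" grant; the native
# iOS Mail client cannot satisfy it, so it is refused.
$phones = @{
    displayName   = "BYOD - phones require app protection"
    state         = "enabledForReportingButNotEnforced"   # flip to "enabled" after reviewing sign-in logs
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("Office365") }
        platforms      = @{ includePlatforms = @("iOS", "android") }
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantApplication") }
}
Invoke-MgGraphRequest -Method POST -Uri $uri -Body $phones

# Policy 2 (Option A): unmanaged Windows/macOS devices get no desktop apps.
# Browser access is untouched because clientAppTypes does not include "browser";
# the device filter keeps Intune-compliant (corporate) laptops out of scope.
$laptops = @{
    displayName   = "BYOD - block desktop apps on unmanaged laptops"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("Office365") }
        platforms      = @{ includePlatforms = @("windows", "macOS") }
        clientAppTypes = @("mobileAppsAndDesktopClients")
        devices        = @{ deviceFilter = @{ mode = "include"; rule = 'device.isCompliant -ne True' } }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
Invoke-MgGraphRequest -Method POST -Uri $uri -Body $laptops
```

Leave both in report-only for a week and review Entra sign-in logs for unexpected "would have been blocked" entries before switching state to "enabled".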
Option B: Browser-based session controls
Let staff use web versions of the apps, but use Conditional Access App Control (session policies in Defender for Cloud Apps) to block downloads, printing, and cut/paste within the browser session. Requires the MDCA licensing we cover in that guide.
Option C: Require enrolment
If staff genuinely need full desktop app access from a personal laptop, enrol the device in Intune and apply MDM policies. Many staff refuse, which is usually a sign that the business should provide a work laptop instead.
Option D: Virtual desktop
Windows 365 Cloud PCs or Azure Virtual Desktop. The personal laptop becomes a thin client; all corporate data stays in the cloud desktop. Nothing ever lands locally. Works well for finance and legal staff where data residency is high-stakes; less practical for general admin use.
The joiner / mover / leaver story
Half the value of BYOD controls is felt on the day someone leaves. With app protection policies in place:
- Disable the user in Entra ID
- In Intune, issue a selective wipe against their user identity
- Next time their phone checks in (usually within minutes), the Outlook, Teams, OneDrive and SharePoint apps wipe their data
- Personal photos, contacts, messages: untouched
No awkward "please drop your phone off at reception." No phone call asking a leaver to delete their own email. Corporate data is gone; personal data isn't. Both sides win.
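The leaver steps above, run as one script through Microsoft Graph. This is an added example, not the article's own tooling: it assumes the Microsoft.Graph PowerShell SDK, an account holding User.ReadWrite.All and DeviceManagementApps.ReadWrite.All, and that the selective-wipe action is called against the beta endpoint.

```powershell
# Added example: offboard a leaver's personal devices via selective wipe (not the article's code).
# Assumes Microsoft.Graph SDK; wipeManagedAppRegistrationsByDeviceTag is called on the beta endpoint.
param([Parameter(Mandatory)] [string] $LeaverUpn)   # e.g. leaver@contoso.example (placeholder)
Connect-MgGraph -Scopes "User.ReadWrite.All", "DeviceManagementApps.ReadWrite.All"
$graph = "https://graph.microsoft.com/beta"

# 1. Disable the account in Entra ID and revoke refresh tokens so cached sessions die too.
$user = Get-MgUser -UserId $LeaverUpn -Property Id,DisplayName
Update-MgUser -UserId $user.Id -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 2. List every device on which a MAM-protected app has registered for this user.
#    Each registration carries a deviceTag that identifies the physical device.
$regs = (Invoke-MgGraphRequest -Method GET -Uri "$graph/users/$($user.Id)/managedAppRegistrations").value
$tags = $regs | Select-Object -ExpandProperty deviceTag -Unique
if (-not $tags) { Write-Host "No managed app registrations found for $($user.DisplayName)"; return }

# 3. Selective wipe per device: only managed apps' data is removed, personal data is untouched.
#    The wipe is queued and applied the next time each app contacts the service.
foreach ($tag in $tags) {
    $devName = ($regs | Where-Object deviceTag -eq $tag | Select-Object -First 1).deviceName
    Invoke-MgGraphRequest -Method POST `
        -Uri "$graph/users/$($user.Id)/wipeManagedAppRegistrationsByDeviceTag" `
        -Body @{ deviceTag = $tag }
    Write-Host "Selective wipe queued for $($user.DisplayName) on '$devName' (tag $tag)"
}
```

Confirm completion under Apps > App selective wipe in the Intune admin centre; a device that never checks in again still holds no usable data because the app PIN and offline wipe period from the protection policy apply.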
Write it down
Even with the tooling in place, you need a written BYOD policy. Practical things to include:
- Which apps employees can use for work (Outlook, Teams, OneDrive: yes; native Mail, WhatsApp: no)
- Who owns the data in those apps (the business)
- What happens when they leave (selective wipe)
- What happens if the device is lost (report it immediately, remote wipe)
- Whether the business will contribute to the phone bill (usually a contentious one, decide)
- That staff consent to corporate data being wiped on separation
This matters because enforcement works best when it's obvious, not surprising. Staff sign it when they join, and the "wait, you can wipe my phone?" conversation never happens.
The short version
- Phones: App Protection Policies + Conditional Access requiring them. Native Mail blocked.
- Personal laptops: default to web-only access; enrol in Intune only if the user genuinely needs more.
- Every policy audited through Conditional Access so unmanaged devices can't back-door their way in.
- Written BYOD policy signed by every user.
- Joiner/mover/leaver wired to selective wipe.
Get those five things in place and BYOD goes from a quiet risk to a clean, auditable part of how the business works. If you'd like help designing the policies or rolling them out, get in touch.
