22.01.26 Leon Barker

MAM vs MDM: Securing BYOD Without Invading Employee Privacy

For most organisations, the sweet spot for bring your own device is using Intune’s Mobile Application Management (MAM) capabilities. But there are other options, and I’m here to talk through them.


In my last article, I took you on a deep dive into Bring Your Own Device, and laid out all the trials and tribulations that it brings for businesses.

Now, I’m itching to focus on more of the technical aspects of BYOD. And that’s with another two acronyms, MAM and MDM.

For most organisations, the sweet spot for BYOD is using Intune’s Mobile Application Management (MAM) capabilities. This approach – formally called App Protection Policies – protects your corporate data within specific apps without requiring full device enrollment. Let me walk you through why this matters and how to implement it.


Why MAM over MDM for BYOD?

When discussing mobile device management, you’ll hear these two acronyms constantly:

MDM (Mobile Device Management):

  • Requires device enrollment
  • Gives IT control over the entire device
  • Can enforce device-level policies (passcode requirements, OS version, encryption)
  • Can locate, lock, or completely wipe the device
  • Appropriate for corporate-owned devices

MAM (Mobile Application Management):

  • No device enrollment required
  • IT only manages corporate applications and data within those apps
  • Cannot access personal apps, photos, messages, or other personal data
  • Can only wipe corporate data, never personal data
  • Perfect for BYOD scenarios

Privacy is paramount for BYOD success. Employees will resist any solution that feels invasive. MAM respects that boundary by only managing work apps while leaving personal data completely untouched.

What MAM Actually Protects

When you deploy App Protection Policies via Intune, here’s what you can control within managed apps like Outlook, Teams, OneDrive, and SharePoint:

  • Data Transfer: Prevent copying data from Outlook to WhatsApp or personal email
  • Screen Capture: Block screenshots of sensitive information
  • Save As Controls: Only allow saving to approved corporate locations (OneDrive for Business)
  • Printing: Block or restrict printing to managed printers only
  • Offline Access: Require re-authentication after a defined offline period
  • Encryption: Ensure corporate data is encrypted at rest within the app

All of this protection happens without IT ever seeing your personal photos, messages, or apps. The separation is complete.
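An added example (not from the article or from AAG): a small audit that checks an exported App Protection Policy against the six controls listed above. It assumes the Microsoft Graph property names for `androidManagedAppProtection` / `iosManagedAppProtection` and a 24-hour offline threshold of my own choosing; the sample policy is constructed.

```python
import re
from typing import Any

MAX_OFFLINE_HOURS = 24  # assumed organisational threshold, not an Intune default

# Constructed sample: an Android App Protection Policy in the shape Graph returns,
# deliberately left with several permissive values so the audit has something to find.
SAMPLE_POLICY: dict[str, Any] = {
    "@odata.type": "#microsoft.graph.androidManagedAppProtection",
    "displayName": "BYOD - Android (constructed sample)",
    "allowedOutboundDataTransferDestinations": "allApps",
    "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
    "screenCaptureBlocked": False,
    "saveAsBlocked": True,
    "allowedDataStorageLocations": ["oneDriveForBusiness", "localStorage"],
    "printBlocked": False,
    "periodOfflineBeforeAccessCheck": "P3D",
    "encryptAppData": True,
}

def duration_hours(iso: str) -> float:
    """Parse the ISO 8601 duration forms Graph uses for these settings (PnD, PTnH, PTnM)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?", iso)
    if not m:
        raise ValueError(f"unsupported duration: {iso}")
    days, hours, mins = (int(x) if x else 0 for x in m.groups())
    return days * 24 + hours + mins / 60

def audit_app_protection(p: dict[str, Any]) -> list[str]:
    """Return one finding per control from the list above that the policy does not enforce."""
    android = p.get("@odata.type", "").endswith("androidManagedAppProtection")
    findings: list[str] = []
    if p.get("allowedOutboundDataTransferDestinations") != "managedApps":
        findings.append("data transfer: outbound data is not restricted to managed apps")
    if p.get("allowedOutboundClipboardSharingLevel") not in ("managedApps", "managedAppsWithPasteIn", "blocked"):
        findings.append("data transfer: clipboard can be pasted into any app")
    # Screen-capture blocking is an Android-only APP setting; iOS has no equivalent here.
    if android and not p.get("screenCaptureBlocked"):
        findings.append("screen capture: screenshots of managed apps are allowed")
    if not p.get("saveAsBlocked") or "localStorage" in p.get("allowedDataStorageLocations", []):
        findings.append("save as: saving outside approved corporate locations is allowed")
    if not p.get("printBlocked"):
        findings.append("printing: printing from managed apps is allowed")
    if duration_hours(p.get("periodOfflineBeforeAccessCheck", "P")) > MAX_OFFLINE_HOURS:
        findings.append(f"offline access: re-authentication only after more than {MAX_OFFLINE_HOURS}h offline")
    if android:
        encrypted = bool(p.get("encryptAppData"))
    else:
        encrypted = p.get("appDataEncryptionType", "useDeviceSettings") != "useDeviceSettings"
    if not encrypted:
        findings.append("encryption: app data is not encrypted by the policy itself")
    return findings
```

Run it against a policy exported from Graph and fix each finding in the Intune portal; the sample above yields five.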


Bring Your Own Device: Case Study

The Problem? (Real-World Example)

One of our clients, a small charity with around 20 employees, came to us with a classic BYOD challenge. Their team was accessing client files and emails from personal devices while working remotely, creating significant compliance risks under GDPR. As a charity, they couldn’t afford to give every employee a corporate-owned and managed device.

  • Charity accessing client files from personal devices
  • Significant compliance risk (GDPR)
  • Couldn’t afford a corporate-owned device roll-out as they’re a charity

The Solution:

  1. Deployed Intune App Protection Policies (MAM) for iOS, iPadOS and Android devices
  2. Enforced “work profiles” on iOS, iPadOS and Android devices – providing OS-level separation between work and personal apps
  3. Implemented Conditional Access policies requiring multi-factor authentication (MFA) and device compliance checks
  4. Configured selective wipe capabilities so departing employees’ corporate data could be removed without touching personal files

The Results:

  • Zero impact on employee productivity (they kept using their preferred devices)
  • Full GDPR compliance for data access and protection
  • IT gained visibility into corporate data access without invading privacy
  • Lost or stolen devices could be secured via wipe of only corporate data
  • Employees actually preferred the solution because their privacy was respected

Critical Security Considerations for BYOD

Even with the right technology in place, BYOD only works if you nail these 5 security fundamentals:

  1. Multi-Factor Authentication is Non-Negotiable
  2. Conditional Access Policies
  3. Block Jailbroken and Rooted Devices
  4. Enforce OS Updates
  5. Lost Device Procedures

I go into much more detail about each step in my Comprehensive Guide to Bring Your Own Device.

What I recommend to AAG Clients that use BYOD

Having implemented BYOD solutions for dozens of clients, here’s what I’ve learned:

Businesses that build trust with employees through transparency and respect for privacy have a much higher rate of adoption (and therefore compliance). You achieve this by starting with MAM, not MDM, because App Protection Policies provide strong security without triggering privacy concerns (great for compliance). Publishing your BYOD policy in your employee handbook, and being crystal clear about what IT can and cannot see, also goes a long way towards building that trust.

I also recommend offering a corporate device alternative. Not everyone wants to use personal devices for work, and that’s completely reasonable. So, having an option for those who prefer complete separation allows employees to feel in control of their privacy and work-life balance. Despite all this, people leave, and you must plan for the exit. Your process should cleanly remove all corporate data without touching personal files. Test this regularly.

As with everything security and tech related, you must monitor and refine. BYOD isn’t set-and-forget. Review your policies regularly. Track compliance rates. Listen to user feedback. Adjust as threats evolve.


What’s the solution for your business?

BYOD, MAM, MDM: none of them exists in isolation; each is one part of a broader Zero Trust security strategy. And each organisation’s requirements differ. The solution for a 20-person charity won’t work for a 150-person logistics firm. That’s where having a trusted MSP partner makes all the difference.

Because to truly protect your organisation’s data in a mobile-first world, you’ll need to consider:

  • Conditional Access for risk-based access control
  • Microsoft Purview for data classification and loss prevention (we’ll cover this in a future article)
  • Microsoft Defender for Endpoint for mobile threat detection
  • Azure Virtual Desktop for high-security scenarios requiring application access

Let’s Have a Conversation

Look, I’m not here to sell you MAM, or a one-size-fits-all BYOD; that’s not what I do. What I do is understand your specifics – your industry, your risk appetite, your budget, your user expectations – and then design a solution that actually ticks all of those boxes.

Maybe BYOD makes perfect sense for your organisation. Maybe it doesn’t. Maybe corporate devices are the way forward. Maybe you’re already using corporate devices but aren’t as well protected as you think. Or maybe you need a hybrid approach with different policies for different user personas. The only way to know is to have an honest conversation about your requirements.

Special thanks to Jason Rothwell for his comprehensive technical analysis that informed much of the technical content in this article. You can read his full breakdown here.
