Endpoint Management: MDM, Intune and BYOD Policies
Managing the growing fleet of laptops, tablets, and smartphones that connect to your corporate network is one of the biggest challenges facing IT teams today. This guide explains mobile device management (MDM), walks through Microsoft Intune as a leading endpoint management platform, and compares BYOD, COPE, and COBO device ownership strategies to help you build a policy that balances security with employee flexibility.
What Is Endpoint Management?
Endpoint management is the practice of centrally monitoring, securing, and configuring every device that connects to your organisation's network and data. This includes Windows PCs, macOS laptops, iPhones, iPads, Android phones, and increasingly Linux workstations and IoT devices. Without endpoint management, each device is a potential entry point for malware, data leakage, or compliance violations.
Modern endpoint management platforms go far beyond the simple remote-wipe tools of the early smartphone era. They handle device enrolment, operating system configuration, application deployment, security policy enforcement, compliance reporting, and integration with identity providers for conditional access decisions.
Mobile Device Management (MDM) Explained
MDM is a category of software that allows IT administrators to enrol devices into a management platform and push policies, configurations, and applications to them over the air. When a device is MDM-enrolled, the management server can enforce encryption, require a lock-screen PIN, restrict which apps can be installed, configure Wi-Fi and VPN profiles, and remotely wipe the device if it is lost or stolen.
MDM works by installing a management profile (on Apple devices) or a device administrator/device owner agent (on Android). On Windows, MDM leverages the built-in MDM client that has been part of the operating system since Windows 10. This client communicates with the MDM server over HTTPS, checking in periodically to receive updated policies and report compliance status.
Microsoft Intune Overview
Microsoft Intune (now part of the Microsoft Intune Suite under the broader Microsoft Endpoint Manager umbrella) is a cloud-native endpoint management platform included in many Microsoft 365 licence tiers. It supports Windows, macOS, iOS/iPadOS, Android, and Linux, making it one of the most versatile MDM solutions available. For organisations already invested in the Microsoft ecosystem, Intune integrates natively with Azure AD (Microsoft Entra ID), Microsoft Defender for Endpoint, and Conditional Access.
Key Intune Capabilities
Intune provides a rich set of capabilities that cover the full device lifecycle:
- Device enrolment – Users can self-enrol via the Company Portal app, or devices can be pre-provisioned using Windows Autopilot, Apple DEP/ABM, or Android Zero-Touch.
- Compliance policies – Define rules such as minimum OS version, encryption enabled, no jailbreak/root, and threat level from Defender. Non-compliant devices can be blocked from accessing corporate data.
- Configuration profiles – Push Wi-Fi, VPN, email, and certificate settings. On Windows, you can also deploy Group Policy-like settings via the Settings Catalog.
- App deployment – Deploy Microsoft 365 apps, Win32 applications, line-of-business apps, and managed Google Play or Apple App Store apps directly to enrolled devices.
- Conditional Access – When paired with Azure AD, Intune compliance status feeds into Conditional Access policies. For example, a device that is not encrypted or has an outdated OS can be blocked from accessing Exchange Online or SharePoint.
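The compliance-to-Conditional-Access flow described in the two bullets above, as an added example written for this guide (not Intune's own code): a small evaluator that applies constructed compliance rules (minimum OS version per platform, encryption, no jailbreak/root, Defender threat level) to device records and returns the grant/warn/block decision, including the remediation grace period the FAQ mentions. The rule values, the `Device` record and the 48-hour grace window are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Device:
    """One device record as an MDM inventory would report it (fields constructed)."""
    name: str
    platform: str            # "windows", "ios" or "android"
    os_version: str          # dotted version string as reported by the OS
    encrypted: bool          # BitLocker / FileVault / native encryption on
    rooted: bool             # jailbroken (iOS) or rooted (Android)
    threat_level: str        # Defender for Endpoint level: secured, low, medium, high
    hours_noncompliant: int  # how long the device has already been non-compliant

# Constructed rule set in the spirit of an Intune compliance policy: minimum OS
# version per platform, encryption required, no jailbreak/root, capped threat level.
MIN_OS = {"windows": "10.0.19045", "ios": "17.0", "android": "13"}
THREAT_RANK = {"secured": 0, "low": 1, "medium": 2, "high": 3}
MAX_THREAT = "low"
GRACE_HOURS = 48  # remediation window before access is blocked (assumed value)

def version_tuple(version: str) -> tuple:
    """Compare versions numerically, so '10.0.19045' < '10.0.22631' and '9.1' < '10.0'."""
    return tuple(int(part) for part in version.split("."))

def compliance_failures(device: Device) -> list:
    """Names of the rules the device fails; an empty list means compliant."""
    failures = []
    if version_tuple(device.os_version) < version_tuple(MIN_OS[device.platform]):
        failures.append("os_version")
    if not device.encrypted:
        failures.append("encryption")
    if device.rooted:
        failures.append("jailbreak_or_root")
    if THREAT_RANK[device.threat_level] > THREAT_RANK[MAX_THREAT]:
        failures.append("threat_level")
    return failures

def conditional_access(device: Device) -> str:
    """Decision a Conditional Access policy keyed on compliance would reach:
    'grant' when compliant, 'warn' while a fixable failure is inside the grace
    period, 'block' once the grace period lapses or when device integrity is gone."""
    failures = compliance_failures(device)
    if not failures:
        return "grant"
    # A rooted or high-threat device gets no grace period: there is nothing to remediate in time.
    if "jailbreak_or_root" in failures or device.threat_level == "high":
        return "block"
    return "warn" if device.hours_noncompliant < GRACE_HOURS else "block"
```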
Intune is included in Microsoft 365 Business Premium, Enterprise Mobility + Security E3/E5, and Microsoft 365 E3/E5 licences. If you already have one of these plans, you can start using Intune at no additional cost.
Device Ownership Strategies: BYOD vs COPE vs COBO
Before deploying MDM, you need to decide on a device ownership strategy. The three main models are:
- BYOD (Bring Your Own Device) – Employees use their personal devices for work. The organisation typically manages only the work apps and data, not the entire device.
- COPE (Corporate-Owned, Personally Enabled) – The organisation purchases the device but allows employees to use it for personal activities as well. IT manages the full device but carves out a personal space.
- COBO (Corporate-Owned, Business Only) – The organisation owns the device and restricts it entirely to business use. IT has full control with no personal apps or accounts permitted.
BYOD vs COPE vs COBO Comparison
| Feature | BYOD | COPE | COBO |
|---|---|---|---|
| Device ownership | Employee | Organisation | Organisation |
| Personal use allowed | Yes (it is their device) | Yes (within policy) | No |
| IT management scope | Work apps/data only (MAM) | Full device with personal partition | Full device |
| Hardware cost to business | None | Full device cost | Full device cost |
| Employee privacy | High | Moderate | Low (business device) |
| Security control | Limited | High | Maximum |
| Best suited for | Flexible workplaces, mobile staff | Balanced security and flexibility | Regulated industries, shared devices |
MAM Without Full MDM
For BYOD scenarios where employees are uncomfortable with full device enrolment, Mobile Application Management (MAM) offers a lighter-touch approach. With Intune MAM (also called App Protection Policies), you manage only the corporate apps and the data within them, without enrolling the device itself. For example, you can require a PIN to open Outlook, prevent copy-paste from Teams to a personal app, enforce encryption of app data, and remotely wipe only the corporate data if the employee leaves—all without touching personal photos, messages, or apps.
MAM-only policies work with Microsoft 365 apps on iOS and Android and do not require the device to appear in your MDM console. This makes it an excellent compromise for organisations that want basic data protection on personal devices without the legal and cultural friction of full MDM enrolment.
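As an added example for the App Protection Policies just described (written for this guide, not Intune's or Microsoft's code): a review of an exported MAM policy against the protections named above, namely PIN to open the app, no copy-paste or data transfer to unmanaged apps, app-data encryption, and a bounded offline period before corporate data is wiped. The property names (`pinRequired`, `allowedOutboundClipboardSharingLevel`, `appDataEncryptionType`, and so on) are my recollection of the Microsoft Graph `managedAppProtection` resource and are an assumption to verify against the current Graph reference; the weak sample policy is constructed.

```python
import re
# Constructed export of a weakly configured iOS app protection policy; property
# names are assumed to follow the Graph managedAppProtection resource.
WEAK_POLICY = {
    "pinRequired": False,
    "minimumPinLength": 4,
    "simplePinBlocked": False,
    "allowedOutboundClipboardSharingLevel": "allApps",
    "allowedOutboundDataTransferDestinations": "allApps",
    "appDataEncryptionType": "useDeviceSettings",
    "periodOfflineBeforeWipeIsEnforced": "P90D",
}

def offline_days(duration: str) -> int:
    """Parse the day-only ISO 8601 durations used here, e.g. 'P30D' -> 30."""
    match = re.fullmatch(r"P(\d+)D", duration)
    if not match:
        raise ValueError(f"unsupported duration: {duration}")
    return int(match.group(1))

# (setting, predicate that passes on an acceptable value, baseline value to apply)
CHECKS = [
    ("pinRequired", lambda v: v is True, True),
    ("minimumPinLength", lambda v: isinstance(v, int) and v >= 6, 6),
    ("simplePinBlocked", lambda v: v is True, True),
    ("allowedOutboundClipboardSharingLevel",
     lambda v: v in ("managedApps", "managedAppsWithPasteIn", "blocked"), "managedAppsWithPasteIn"),
    ("allowedOutboundDataTransferDestinations", lambda v: v == "managedApps", "managedApps"),
    ("appDataEncryptionType", lambda v: v in ("whenDeviceLocked", "afterDeviceRestart"), "whenDeviceLocked"),
    ("periodOfflineBeforeWipeIsEnforced", lambda v: isinstance(v, str) and offline_days(v) <= 30, "P30D"),
]

def review_policy(policy: dict) -> list:
    """Findings for settings below the baseline; an empty list means the policy passes."""
    findings = []
    for setting, acceptable, baseline in CHECKS:
        value = policy.get(setting)
        if value is None or not acceptable(value):
            findings.append(f"{setting}={value!r} (baseline {baseline!r})")
    return findings

def harden(policy: dict) -> dict:
    """Copy of the policy with every failing setting replaced by the baseline value."""
    fixed = dict(policy)
    for setting, acceptable, baseline in CHECKS:
        if fixed.get(setting) is None or not acceptable(fixed[setting]):
            fixed[setting] = baseline
    return fixed
```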
Essential Security Policies
Regardless of ownership model, certain security policies should be enforced on every managed device:
- Disk/device encryption – BitLocker on Windows, FileVault on macOS, and native encryption on iOS and Android.
- Screen lock with PIN or biometrics – Prevent unauthorised access if a device is left unattended or stolen.
- Remote wipe capability – The ability to erase corporate data (selective wipe) or the entire device (full wipe) remotely.
- OS version compliance – Block devices running outdated, unpatched operating systems from accessing corporate resources.
- App restrictions – Block known-malicious apps or restrict installation to approved app catalogues.
Apple DEP/ABM and Android Enterprise
For corporate-owned devices, automated enrolment programmes streamline provisioning. Apple Business Manager (ABM), formerly the Device Enrolment Programme (DEP), allows Apple devices purchased through authorised resellers to be automatically enrolled into your MDM the first time they are turned on. The user unboxes the device, connects to Wi-Fi, and it configures itself with your policies, apps, and settings without any IT intervention.
Android Enterprise provides a similar framework for Android devices. It supports fully managed (COBO), work profile on company-owned device (COPE), and work profile on personally-owned device (BYOD) modes. Zero-Touch Enrolment, available from participating manufacturers such as Samsung and Google (Pixel), mirrors Apple ABM by enrolling devices automatically at first boot.
Frequently Asked Questions
What can IT see on my device once it is enrolled?
With full MDM enrolment, the administrator can see device metadata (model, OS version, installed apps, compliance status) but generally cannot read personal emails, texts, photos, or browsing history. Intune explicitly lists what IT can and cannot see. With MAM-only (no device enrolment), IT can only see and manage the corporate apps, not the device itself.
What happens if a device falls out of compliance?
Depending on your organisation's policy, a non-compliant device may receive a warning notification, be blocked from accessing email and SharePoint via Conditional Access, or in severe cases be remotely wiped. Most organisations implement a grace period (e.g., 24–72 hours) for users to remediate issues before access is blocked.
Is Intune the only MDM option?
No. Other leading MDM/UEM (Unified Endpoint Management) platforms include VMware Workspace ONE, Jamf Pro (Apple-focused), Ivanti, and Kandji. However, for organisations already using Microsoft 365, Intune is the most tightly integrated and cost-effective option because it is included in several licence bundles.
How do we get employees to accept management on personal devices?
Communication is key. Be transparent about what data IT can and cannot see. Use MAM-only policies where possible to avoid full device enrolment. Publish a clear BYOD policy that explains expectations, support boundaries, and what happens when an employee leaves. Offering a small stipend toward personal device costs can also increase buy-in.
Does Intune support Linux?
Microsoft has added Linux support to Intune for compliance checking and Conditional Access. You can enrol Ubuntu and Red Hat Enterprise Linux desktops, check compliance (encryption, OS version), and use that status to grant or block access to Microsoft 365. Full configuration management on Linux is more limited compared to Windows and macOS, but the feature set continues to expand.