Intune - Work e-mail on personal phones

Secure the Data, Not the Device: The modern approach to work phones.

If you have ever asked an employee to use their personal iPhone or Android for work email, you have probably encountered “the resistance”.

The moment you ask them to “enrol” their device in your IT system, the walls go up. “Will you see my photos? Can you track my location? What if you accidentally wipe my phone?” (Or maybe you don’t ask them to enrol anything at all!)

These are valid concerns. For years, the only way to secure corporate email on a mobile device was to take control of the entire device using MDM (Mobile Device Management). It was an all-or-nothing approach that made employees uncomfortable.

But there is a better way. It is called MAM, and it is likely the feature you have been looking for – even if you didn’t know it existed!

The “Old” Way: MDM (Mobile Device Management)

Most people are familiar with MDM. This is the traditional standard. When you enrol a device in MDM (using Microsoft Intune, for example), the company gains administrative control over the hardware.

How it works: The IT department can push Wi-Fi passwords, force OS updates, require complex PINs to unlock the screen, and – most controversially – wipe the device back to factory settings.
The problem: While perfect for company-owned assets, MDM is overkill for personal devices (BYOD). Employees hate it because it feels like an invasion of privacy.

For personal devices, organisations should use Mobile Application Management (MAM) to secure corporate data within specific apps. This preserves user privacy: IT can wipe only the business data while leaving personal content untouched. In contrast, organisation-owned assets are better served by Mobile Device Management (MDM), which gives administrators control over the entire device – hardware and software alike – including the ability to perform a full factory reset on company equipment.

The Solution: What is MAM?

MAM stands for Mobile Application Management.

Unlike MDM, which controls the device, MAM only controls the application. It allows IT to place a protective “bubble” around specific corporate apps – like Microsoft Outlook, Teams, and OneDrive – while leaving the rest of the phone completely untouched.

The “Container” Concept

Inside the container (Outlook/Teams): The app’s data is encrypted, an app PIN (or biometric) is required to open it, and the company’s app protection policy decides where that data may go.
Outside the container (Instagram/Personal Photos): The company can see nothing, touch nothing, and control nothing.


What information can an organisation see when I enrol my device?

The two lists below apply to a device enrolled in MDM. With MAM alone the device is never enrolled, so the company has no device-level view at all; Intune sees only what the managed apps report when they check in.

Things your organisation can never see

Your organisation can’t see:

  • Calling and web browsing history
  • Email and text messages
  • Contacts
  • Calendar
  • Passwords
  • Pictures, including what’s in photos or the camera roll
  • Content of user-created documents

Things your organisation can always see

Your organisation can always see:

  • Device owner
  • Device name
  • Device serial number
  • Device model, such as Google Pixel
  • Device manufacturer, such as Microsoft
  • Operating system and version, such as iOS 12.0.1
  • Device IMEI

Why MAM Wins for Personal Devices (BYOD)

If you use Microsoft 365 and Intune, you can deploy MAM policies that solve the biggest security headaches without upsetting your staff.

1. The “Copy/Paste” Block

The most powerful feature of MAM is controlling data leakage. You can set a policy that says:

A user can read a confidential email in the Outlook app, but they cannot copy text from that email and paste it into a personal app such as Notes or WhatsApp.
Copying between policy-managed apps – Outlook, Excel and Teams, for example – still works.
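Here is what such a policy looks like when created through Microsoft Graph rather than clicked through the Intune portal. This is an added example, not code from the original article or from MTG: it uses the Microsoft.Graph.Authentication PowerShell module to create an iOS app protection policy that implements the copy/paste block (outbound data and clipboard limited to policy-managed apps), the app PIN and encryption from the “container” section, and a 90-day offline wipe, then targets the Outlook, Teams and OneDrive apps and assigns the policy to a group. The group ID is a placeholder, and the bundle IDs are the ones Intune lists for Microsoft’s own iOS apps; confirm both against your tenant before running it.

```powershell
# Added example (not from the original article): create and assign an Intune
# app protection policy (MAM) for unenrolled personal iPhones via Microsoft Graph.
# Assumptions: Microsoft.Graph.Authentication is installed, the signed-in account
# holds an Intune admin role, and $TargetGroupId is a placeholder for your BYOD
# users group in Entra ID.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All" -NoWelcome

$TargetGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder, replace
$GraphBase     = "https://graph.microsoft.com/v1.0/deviceAppManagement"

# 1. The policy body. The three data-transfer settings are the copy/paste block:
#    data and clipboard content may only leave the app for other managed apps,
#    while pasting *into* a managed app from a personal app is still allowed.
$policy = @{
    "@odata.type"                           = "#microsoft.graph.iosManagedAppProtection"
    displayName                             = "BYOD iOS - protect Outlook/Teams/OneDrive"
    description                             = "MAM policy for personal iPhones (no enrolment)"
    # Data leakage controls
    allowedOutboundDataTransferDestinations = "managedApps"
    allowedInboundDataTransferSources       = "managedApps"
    allowedOutboundClipboardSharingLevel    = "managedAppsWithPasteIn"
    saveAsBlocked                           = $true
    allowedDataStorageLocations             = @("oneDriveForBusiness", "sharePoint")
    printBlocked                            = $true
    dataBackupBlocked                       = $true        # keep work data out of iCloud backup
    managedBrowserToOpenLinksRequired       = $true
    # Access controls: the "bubble" gets its own PIN and its own encryption
    pinRequired                             = $true
    minimumPinLength                        = 6
    simplePinBlocked                        = $true        # no 111111 or 123456
    pinCharacterSet                         = "numeric"
    maximumPinRetries                       = 5            # exceeding this triggers a selective wipe
    fingerprintBlocked                      = $false       # Face ID / Touch ID may stand in for the PIN
    appDataEncryptionType                   = "whenDeviceLocked"
    periodOfflineBeforeAccessCheck          = "PT12H"      # ISO 8601 durations
    periodOnlineBeforeAccessCheck           = "PT30M"
    periodOfflineBeforeWipeIsEnforced       = "P90D"       # selective wipe after 90 days offline
}

$created  = Invoke-MgGraphRequest -Method POST -Uri "$GraphBase/iosManagedAppProtections" `
                -Body $policy -ContentType "application/json"
$policyId = $created.id
Write-Host "Created policy $policyId"

# 2. Scope the policy to the apps that form the container.
function New-IosAppTarget([string]$BundleId) {
    return @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"
                                        bundleId      = $BundleId } }
}
$targetApps = @{
    apps = @(
        (New-IosAppTarget "com.microsoft.Office.Outlook")   # Outlook
        (New-IosAppTarget "com.microsoft.skype.teams")      # Teams
        (New-IosAppTarget "com.microsoft.skydrive")         # OneDrive
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$GraphBase/iosManagedAppProtections/$policyId/targetApps" `
    -Body $targetApps -ContentType "application/json" | Out-Null

# 3. Assign it to the BYOD users group. Nothing in this script enrols a device:
#    the policy is applied when a user signs in to one of the targeted apps.
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                       groupId       = $TargetGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$GraphBase/iosManagedAppProtections/$policyId/assign" `
    -Body $assignment -ContentType "application/json" | Out-Null
Write-Host "Assigned policy $policyId to group $TargetGroupId"
```

Android needs its own androidManagedAppProtection object with package names instead of bundle IDs; the data-transfer, PIN and wipe settings carry the same names. Review the finished policy under Apps, App protection policies in the Intune admin centre, where the same settings appear in the portal’s wording.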

2. The “Selective” Wipe

If an employee leaves the company or loses their phone, you don’t have to factory reset the device. With MAM, you issue an “App Selective Wipe”. The next time a managed app on the phone checks in with Intune, it deletes only the Outlook email, Teams chats, and OneDrive files. The user’s personal photos, contacts, and apps are left exactly as they were.

3. No “Enrolment” Scares

With MAM, the user simply downloads Outlook from the App Store and signs in. They don’t have to give the company “Device Administrator” rights. Intune recognises their login and says, “Okay, you can access this email, but we are going to apply a few security rules to this app first.” (On Android the Intune Company Portal app must be installed to act as the broker, but the device is still not enrolled.)

Summary: Which one do you need?

Use MDM (Device Management) if you own the device. If you bought the phone for the employee, you should control it to ensure it is encrypted, tracked, and secure.
Use MAM (App Management) if the employee owns the device. It gives you the security you need (encryption, ability to wipe corporate data) without the privacy invasion that employees fear.

Conclusion

Security doesn’t have to mean “control at all costs.” By switching from an MDM-only mindset to using MAM for personal devices, you protect your business data just as effectively, but you also respect your employees’ boundaries. It is one of the few wins in IT where you actually get better security and happier users at the same time.

MTG manages Intune with both MDM and MAM policies. In fact, MAM is a standard part of our Managed IT (ITaaS) offering.
