Full Guide: Secure BYOD Phones Using Intune App-Only (MAM) Policies
- Hanna Korotka

Why Secure BYOD Phones Matter
Remote staff love the freedom of using their own phones; security teams fear the leaks that freedom can create. Good news: you can secure BYOD phones without enrolling the whole device or wiping family photos. All you need is one Intune Mobile App Management (MAM) policy and a matching Conditional Access rule that forces users into protected Microsoft 365 apps only.
Below is an end-to-end playbook—tested in real customer environments—that turns unmanaged iPhones and Androids into safe business tools in under an hour.
Prerequisites
Microsoft Intune licence (Microsoft 365 Business Premium, EMS E3/E5, or similar) to create App Protection Policies.
Microsoft Entra ID P1 for Conditional Access.
1 – Map your data-protection goals
Microsoft groups every Intune App Protection Policy into three stacked tiers:
Enterprise basic (Level 1) – Adds an app-specific PIN, encryption, and selective wipe; Android phones must pass hardware attestation. Perfect for low-risk users and a painless pilot.
Enterprise enhanced (Level 2) – Blocks copy/paste to personal apps, stops "save to device", and refuses to run on out-of-date OS versions. This is the sweet spot for most staff who handle everyday business data.
Enterprise high (Level 3) – Tightens everything: longer PINs, shorter offline grace, screen-capture blocks, and Mobile Threat Defense hooks. Reserve it for executives or anyone working with highly sensitive data.
Pick the level that matches your risk tolerance, then replicate Microsoft’s recommended settings when you create the policy; you can always tighten or relax later.
2 – Build the Intune App Protection Policy
Sign in to the Microsoft Intune admin center.
Select Apps > Protection. This selection opens the Protection details, where you create new policies and edit existing policies.
Select Create and select either iOS/iPadOS or Android. The Create policy pane is displayed.
On the Basics page, add Name and Description.
Click Next to display the Apps page. Click Select public apps, search for Outlook, Teams, OneDrive (and any other Microsoft 365 apps you use), then Select. These are the only apps that will receive the policy.
Adjust the policy settings on the Data protection, Access requirements, and Conditional launch pages to match the tier you picked in step 1.
The Assignments page allows you to assign the app protection policy to groups of users. You must apply the policy to a group of users to have the policy take effect.
Click Next: Review + create to review the values and settings you entered for this app protection policy.
When you're done, click Create to create the app protection policy in Intune.
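The same policy can be created without the portal clicks. The following is an added example (not from the original post) that builds a Level 2-style iOS App Protection Policy through Microsoft Graph, targets it at Outlook, Teams and OneDrive, and assigns it to a user group. It assumes the Microsoft.Graph PowerShell SDK is installed, that the bundle IDs match the current Microsoft apps (verify them in the Intune portal), and that the group ID is a placeholder for your own BYOD group.

```powershell
# Added example: create an iOS MAM policy via Graph, then target apps and assign a group.
# Settings mirror the "Enterprise enhanced" (Level 2) tier; check them against Microsoft's
# current recommended values before rolling out.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"

$byodGroupId = "<BYOD-USERS-GROUP-OBJECT-ID>"   # placeholder: the group that should receive the policy

$policy = @{
    "@odata.type"                           = "#microsoft.graph.iosManagedAppProtection"
    displayName                             = "BYOD iOS - Level 2 (enhanced)"
    description                             = "App-only MAM for unenrolled iPhones/iPads"
    # Data protection: keep corporate data inside managed apps, block "save to device"
    allowedOutboundDataTransferDestinations = "managedApps"
    allowedInboundDataTransferSources       = "managedApps"
    allowedOutboundClipboardSharingLevel    = "managedAppsWithPasteIn"
    saveAsBlocked                           = $true
    allowedDataStorageLocations             = @("oneDriveForBusiness", "sharePoint")
    printBlocked                            = $true
    # Access requirements: app PIN and no simple PINs
    pinRequired                             = $true
    minimumPinLength                        = 6
    simplePinBlocked                        = $true
    # Conditional launch: refuse out-of-date OS, limit offline grace, wipe after long offline period
    minimumRequiredOsVersion                = "16.0"       # assumed floor; adjust to your baseline
    periodOfflineBeforeAccessCheck          = "PT12H"
    periodOfflineBeforeWipeIsEnforced       = "P90D"
}
$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections" `
    -Body ($policy | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Target only the Microsoft 365 apps (bundle IDs assumed; verify in the portal's app picker)
$targets = @{ apps = @(
    @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"; bundleId = "com.microsoft.Office.Outlook" } },
    @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"; bundleId = "com.microsoft.skype.teams" } },
    @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"; bundleId = "com.microsoft.skydrive" } }
) }
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections/$($created.id)/targetApps" `
    -Body ($targets | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Assign to the BYOD user group; without an assignment the policy never takes effect
$assign = @{ assignments = @(
    @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $byodGroupId } }
) }
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections/$($created.id)/assign" `
    -Body ($assign | ConvertTo-Json -Depth 5) -ContentType "application/json"
```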
3 – Create a Conditional Access rule that funnels users into protected apps
Your App Protection Policy only works if users actually open Outlook, Teams, OneDrive and other Microsoft 365 apps. A single Conditional Access (CA) policy makes sure of that by allowing mobile access only through “approved” apps that carry your MAM settings.
Open the Microsoft Entra admin portal and go to Identity > Protection > Conditional Access > Policies > + New policy.
Name the policy.
Assign users and exclude break-glass accounts so you’re never locked out.
Under Target resources > Resources (formerly cloud apps) > Include, select All resources (formerly 'All cloud apps').
Under Conditions > Device platforms, set Configure to Yes.
Under Include, choose Select device platforms.
Choose Android and iOS.
Select Done.
Under Access controls > Grant, select Grant access.
Select Require approved client app and Require app protection policy.
For multiple controls, select Require one of the selected controls.
Confirm your settings and set Enable policy to Report-only or On.
Select Create to create and enable your policy.
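For tenants that script their Conditional Access, here is an added example (not from the original post) that creates the same policy with the Microsoft Graph PowerShell SDK, starts it in report-only mode, and reads it back to confirm the grant controls. The break-glass group ID is a placeholder for your own emergency-access group.

```powershell
# Added example: the CA policy from step 3 as a Graph object, created in report-only mode.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

$breakGlassGroupId = "<BREAK-GLASS-GROUP-OBJECT-ID>"   # placeholder: emergency-access accounts

$caPolicy = @{
    displayName = "BYOD mobile: require approved app or app protection policy"
    state       = "enabledForReportingButNotEnforced"   # Report-only; set to "enabled" to enforce
    conditions  = @{
        users        = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)          # never lock yourself out
        }
        applications = @{ includeApplications = @("All") } # All resources (formerly All cloud apps)
        platforms    = @{ includePlatforms = @("android", "iOS") }
    }
    grantControls = @{
        operator        = "OR"                                              # Require one of the selected controls
        builtInControls = @("approvedApplication", "compliantApplication")  # approved client app / app protection policy
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy

# Verification before enforcement: confirm platforms and grant controls landed as intended
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
[pscustomobject]@{
    Id               = $check.Id
    State            = $check.State
    Platforms        = ($check.Conditions.Platforms.IncludePlatforms -join ", ")
    GrantOperator    = $check.GrantControls.Operator
    GrantControls    = ($check.GrantControls.BuiltInControls -join ", ")
    BreakGlassExcluded = ($check.Conditions.Users.ExcludeGroups -contains $breakGlassGroupId)
}
```

Review the report-only results in the Entra sign-in logs (the "Report-only" tab) before changing the state to enabled.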
What your users will see — step-by-step
iOS (iPhone & iPad)
Open the App Store. Search for and download the Outlook app (or other Microsoft app like Teams).
Open Outlook.
If the app recognizes your work account, tap Add Account.
If it doesn’t, type your name@yourdomain.com address first, then tap Add Account.
Enter your password and tap Sign In.
Depending on your company’s settings, you might also be asked to approve with Microsoft Authenticator or a text/phone code.
If you see a prompt to Register the device, tap Register.
This verifies your identity so the organization can validate the phone.
When Outlook asks to add another account, choose Maybe Later.
Tap Skip (or swipe) through the feature tips.
Outlook will display: “Your organization is now protecting its data in this app. You need to restart the app to continue”. Tap OK.
Close and reopen Outlook.
When prompted, set a PIN (or use Face ID/Touch ID if allowed).
You’re all set—corporate mail is now protected by your company’s Intune App Protection Policy.
Android
Open the Google Play Store. Search for and download the Outlook app (or other Microsoft app like Teams).
Open the Outlook app.
Once opened, you should receive a message that tells you to install the Intune Company Portal app.
For App Protection policies to work they need a broker app. On Android this can be either the Authenticator app or the Company Portal. On iOS, only the Authenticator app is required.
Click the Get the app link, which will take you to the download location for the Intune Company Portal app in the Play Store. Install the app. Once the Intune Company Portal is installed, return to Outlook and sign in again by clicking Add Account. This time you will be asked to register your device. Click Register.
Once the registration of the device is complete, the App Protection policy will kick in and you will be presented with a screen where the PIN policy is now enforced. Click Continue to set a 4-digit PIN and click OK.
After setting the PIN you’ll finally be taken to your Inbox!
With a single App Protection Policy plus Conditional Access, you secure BYOD phones while respecting employee privacy and slashing help-desk load. No full device enrollment, no tug-of-war over personal data—just safe, sandboxed corporate apps.
How PlexHosted Can Help
As a Microsoft-certified MSSP, PlexHosted can:
Design your BYOD policy set in a one-day workshop.
Automate roll-out with step-by-step user comms.
Monitor policy health and Secure Score for ongoing compliance.
Sound useful? Let’s talk. Grab a 30-minute call on our calendar and we’ll walk through your current mobile posture, highlight quick wins, and show how Intune MAM can be live inside a week—no strings attached.