In today’s workplace, Bring Your Own Device (BYOD) has become the norm rather than the exception. Employees expect the freedom to access work resources from their personal smartphones and tablets, and businesses want to support productivity without compromising security. This is where Microsoft Intune and App Protection Policies (APPs) step in.


MDM vs MAM: Understanding the Difference

Before diving into app protection policies, it’s important to understand two key concepts in Intune:

  • Mobile Device Management (MDM): Focuses on managing the entire device. When a device is enrolled in MDM, IT has broad control - such as enforcing PIN codes, encrypting storage, remotely wiping the device, etc. This is ideal for corporate-owned devices.

  • Mobile Application Management (MAM): Instead of managing the whole device, MAM focuses only on apps and the data within them. App Protection Policies fall under MAM, allowing organisations to secure corporate data inside apps like Outlook, Teams and OneDrive - without intruding on the user’s personal space.

This distinction is crucial in BYOD scenarios: users keep their personal freedom, while IT keeps business data safe.


Creating and Assigning App Protection Policies

App Protection Policies in Intune let you define how data is accessed and shared inside managed apps. Here’s the typical flow:

  1. Define the policy: Decide what controls you want to enforce. For example:

    • Require a PIN before accessing the app.
    • Prevent data from being copied to personal apps.
    • Encrypt data stored by the app.

  2. Choose your apps: Select Microsoft 365 apps (Outlook, OneDrive, etc.) or supported third-party apps.

  3. Assign to users or groups: Rather than targeting devices, APPs are assigned to user identities in Entra ID. This means if a user signs into Outlook on multiple devices, the same protections follow them everywhere.

  4. Test before rollout: Always pilot with a small group before pushing to the wider organisation.
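The four steps above, scripted against Microsoft Graph with the Microsoft.Graph PowerShell SDK. This is an added example, not code from the original post or from Microsoft; the display name, PIN length, timeouts and the pilot group id are assumptions (the group id is a placeholder you replace with your own Entra ID group).

```powershell
# Added example: create an iOS App Protection Policy, target the Microsoft 365 apps,
# and assign it to an Entra ID pilot group. Requires Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"
$graph = "https://graph.microsoft.com/beta/deviceAppManagement"

# Step 1 - define the policy: PIN, keep data inside managed apps, block "Save As" to
# personal storage, encrypt app data at rest, and selectively wipe stale offline copies.
$policy = @{
    "@odata.type"                           = "#microsoft.graph.iosManagedAppProtection"
    displayName                             = "BYOD iOS - Pilot"                 # assumed name
    pinRequired                             = $true
    minimumPinLength                        = 6                                  # assumed value
    allowedInboundDataTransferSources       = "managedApps"
    allowedOutboundDataTransferDestinations = "managedApps"                      # no sharing to personal apps
    allowedOutboundClipboardSharingLevel    = "managedAppsWithPasteIn"           # copy out blocked, paste in allowed
    saveAsBlocked                           = $true
    allowedDataStorageLocations             = @("oneDriveForBusiness", "sharePoint")
    appDataEncryptionType                   = "whenDeviceLocked"
    dataBackupBlocked                       = $true                              # keep corporate data out of iCloud backup
    periodOfflineBeforeWipeIsEnforced       = "P90D"                             # assumed: wipe app data after 90 days offline
    periodOnlineBeforeAccessCheck           = "PT30M"                            # assumed timeouts
    periodOfflineBeforeAccessCheck          = "PT12H"
}
$created = Invoke-MgGraphRequest -Method POST -Uri "$graph/iosManagedAppProtections" -Body $policy

# Step 2 - choose the apps: Outlook, OneDrive, Word and Excel by iOS bundle id.
$bundleIds = @("com.microsoft.Office.Outlook", "com.microsoft.skydrive",
               "com.microsoft.Office.Word", "com.microsoft.Office.Excel")
$targetApps = @{
    appGroupType = "selectedPublicApps"
    apps = @($bundleIds | ForEach-Object {
        @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"; bundleId = $_ } }
    })
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/iosManagedAppProtections/$($created.id)/targetApps" -Body $targetApps

# Steps 3 and 4 - assign to a user group, not to devices; start with a small pilot group.
$pilotGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: your Entra ID pilot group
$assignment = @{
    assignments = @(@{
        "@odata.type" = "#microsoft.graph.targetedManagedAppPolicyAssignment"
        target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $pilotGroupId }
    })
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/iosManagedAppProtections/$($created.id)/assign" -Body $assignment
```

Once the pilot group has confirmed that Outlook and the Office apps still behave as expected, widen the assignment rather than editing the policy settings.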


A Real-World Deployment Scenario

Imagine a consultancy where employees frequently access client files from personal iPhones. Without controls, sensitive spreadsheets could be downloaded to the device and shared through personal messaging apps - creating a huge compliance risk.

With Intune App Protection Policies, IT can enforce the following:

  • Client data stays within approved apps like OneDrive.
  • Files opened in Word or Excel cannot be saved to personal storage.
  • If an employee leaves the company, corporate data is wiped from the apps without touching their personal photos, messages or apps.

This balance keeps both the business and the employee happy: secure for IT, seamless for the user.


Common Mistakes to Avoid

While APPs are powerful, misconfigurations are common. Here are a few pitfalls:

  • Skipping user communication: End users should know why protections are in place - otherwise, restrictions may cause frustration.
  • Over-restricting data flow: Blocking too many actions (e.g. copy/paste) can harm productivity. Strike the right balance between security and usability.
  • Ignoring app updates: New app versions may affect how policies behave. Keep apps updated and test policies regularly.
  • Not combining with Conditional Access: APPs secure data once inside the app, but without Conditional Access, users could still sign in from personal devices under risky conditions (e.g. without MFA, from a jailbroken phone, from an unusual location, etc.). CA acts as a gatekeeper before a user even gets into the app.

Conclusion: Striking the Right Balance

BYOD brings flexibility and productivity, but it also introduces risk. Microsoft Intune App Protection Policies provide a practical way to protect company data without taking ownership of personal devices.

For IT teams, the key is balance: set controls that secure sensitive data, but don’t hinder the user experience. Start small, test policies, communicate with users and refine as you go. Done well, Intune APPs turn BYOD from a security headache into a business enabler.