Skip to content
Business professional accessing protected corporate data on a personal smartphone and tablet
Cybersecurity

Protecting Corporate Data on Unmanaged Devices with Intune App Protection

Intune App Protection Policies (MAM) secure corporate data inside apps like Outlook, Teams, and OneDrive on unmanaged and BYOD devices, without enrolling or managing the device. You control the data, not the phone, which makes it the right fit for personal devices and contractor access.

Aayush Trivedi Aayush Trivedi · · · 8 min read

Your sales rep checks customer emails from her personal iPhone while waiting at the airport. Your contractor downloads project files to his home laptop. Your office manager reviews invoices on her tablet during lunch.

None of these devices belong to you. You didn’t configure them. You don’t manage them. You have no idea what other apps are installed, whether the operating system is current, or if basic security practices are followed. But your customer data, financial records, and confidential business information are sitting on those devices right now.

This is the reality of modern work: remote teams, hybrid schedules, contractors, and the simple expectation that people can work from anywhere. The flexibility is real. So are the risks. The good news is that you can protect corporate data on those devices without taking control of the devices themselves, and the tool most Canadian businesses already own to do it is Microsoft Intune.

The short version: Intune App Protection Policies (also called Mobile Application Management, or MAM) secure corporate data inside individual apps like Outlook, Teams, and OneDrive, without enrolling or managing the whole device. You control the data, not the phone. That is what makes it the right fit for BYOD, personal devices, and contractor access.

Intune App Protection Policies (MAM)

Intune App Protection Policies are rules that protect corporate data inside approved business apps rather than managing the entire device. Also known as Mobile Application Management (MAM), they let you enforce security controls (encryption, PIN, copy/paste limits, selective wipe) on personal or unmanaged devices that are never enrolled in device management.

The problem with devices you don’t control

When employees and contractors access corporate resources from personal devices, you lose visibility into what happens to that data. An employee might copy customer contact lists into a personal note-taking app. Project files could be saved to a personal cloud storage account. Sensitive emails might be forwarded to personal addresses for “convenience.” None of this requires malicious intent. People just work the way that feels natural, and the technology doesn’t enforce any boundaries.

The risks compound quickly:

  • Corporate data gets copied to personal apps and cloud storage you can’t see or control
  • Sensitive information remains on devices long after employees or contractors leave
  • Lost or stolen phones and laptops expose business data to unknown parties
  • IT has no visibility into how corporate information is accessed, shared, or stored

Traditional device management (MDM) doesn’t solve this in personal-device scenarios. You can’t reasonably demand full control over someone’s personal phone. Employees and contractors won’t accept it, and it raises legitimate privacy concerns. Requiring full enrollment usually means people work around the policy instead of complying with it. The answer isn’t managing devices. It’s managing data.

What are Intune App Protection Policies?

Intune App Protection Policies protect corporate data within applications rather than requiring control of the entire device. They apply directly to approved business apps such as Outlook, Microsoft Teams, OneDrive, and the Microsoft 365 apps. Think of it as a secure container inside those apps: when someone opens Outlook on their personal device, corporate data stays inside the protected application, and the security controls apply to the business app, not the whole phone or laptop.

Crucially, App Protection Policies work independent of device enrollment. The device never has to be enrolled in Intune management for the policy to take effect, which is exactly what makes personal and BYOD devices workable. Business data stays in business apps, personal data stays personal, and the device owner’s privacy is respected because you are not touching their photos, personal email, or other apps.

What can Intune App Protection actually control?

When implemented properly, App Protection Policies address the specific risks that personal-device access creates. There are four capability areas that matter most.

1. Data leakage prevention

The foundation is keeping corporate data from leaving approved apps. You can block copy and paste of corporate content into personal apps, restrict “Save As” to approved corporate locations only, and prevent sharing through unmanaged applications. The data simply can’t leave the secure container through normal use.

Tip:

Pair App Protection with Microsoft Purview DLP for defense in depth. Purview adds centralized data classification and sensitivity labels, so you can enforce consistent, sensitivity-based rules across apps, users, and locations, not just inside the app container.

2. App-level security and authentication

App Protection enforces security at the application level, so corporate data stays protected even if the device itself is unlocked or shared. You can require an app-specific PIN or biometric to open business apps, automatically lock apps after a period of inactivity, and block access from rooted or jailbroken devices. Someone who picks up an unlocked phone still can’t get into Outlook or Teams without meeting the app’s own requirements.

3. Identity-based access and Conditional Access

Combined with Microsoft Entra ID, App Protection Policies get stronger through Conditional Access. Access decisions are based on user identity, authentication strength, and sign-in risk, not device ownership alone. You can require multi-factor authentication, allow corporate data to open only in protected apps, and block high-risk or suspicious sign-in attempts. This layered model aligns directly with Zero Trust principles: verify explicitly, and never assume a device is trusted just because it connected.

4. Selective wipe of corporate data

When access should end, you can remove only the corporate data from the protected apps. A selective wipe clears business data from managed apps while leaving personal data, photos, and apps completely untouched. If a contractor’s engagement concludes, an employee leaves, or a device goes missing, you pull the company data and nothing else. This is the single most valuable capability for BYOD and contractor scenarios, because it lets you offboard cleanly without ever owning the device.

Confirm licensing: App Protection Policies are included with Microsoft Intune (part of Microsoft 365 E3/E5 and Business Premium). Most mid-market businesses already own this.

Create the policy: In the Microsoft Intune admin center, go to Apps > App protection policies, then create a policy per platform (iOS/iPadOS, Android, Windows).

Choose the protected apps: Target the Microsoft 365 apps your team actually uses (Outlook, Teams, OneDrive, Word, Excel), where corporate data lives.

Set data-protection and access rules: Block copy/paste and save-to-personal, require a PIN or biometric, set an inactivity timeout, and block jailbroken/rooted devices. Microsoft’s data protection framework offers baseline, enhanced, and high-security presets to start from.

Layer on Conditional Access: Require MFA and app-based Conditional Access so corporate data only opens in protected apps on compliant sign-ins.

Assign, test, and monitor: Assign the policy to user groups, test on a real BYOD device, then track it under Apps > Monitor to confirm it is applying.

MAM vs full device management: which do you need?

App Protection (MAM) and full device management (MDM) are not competitors; they solve different problems. Use MDM for company-owned devices you can fully control. Use MAM App Protection for personal and unmanaged devices where you only need to protect the data.

ConsiderationFull device management (MDM)App Protection (MAM)
Device enrollment requiredYesNo
Best forCompany-owned devicesPersonal / BYOD / contractor devices
Scope of controlEntire deviceCorporate data inside approved apps
User privacyIT sees the whole devicePersonal apps and data stay private
OffboardingFull device wipe or retireSelective wipe of corporate data only
User frictionHigher (often resisted on personal devices)Lower (no enrollment)

Why App Protection is ideal for BYOD and contractors

The personal-device challenge becomes especially acute with contractors, consultants, and temporary workers. They need access to corporate systems to do their jobs, but full device management is rarely practical or appropriate. Contractors often work for multiple clients at once, so enrolling their device in your management system creates conflicts. Temporary workers may only need access for weeks. The overhead of enrollment, and the complications of removing it later, simply don’t make sense.

App Protection Policies provide the middle path. Contractors get the access they need through protected apps, your corporate data stays secured, and when the engagement ends you remove the business data without touching anything else on their device. It also simplifies compliance: when your agreements require protecting client data, you can demonstrate that controls exist regardless of who owns the hardware. The protection travels with the data, not the device.

You will not control the device, and for personal devices that trade-off is the right one. Intune App Protection gives you meaningful, enforceable data security (leak prevention, app authentication, Conditional Access, and selective wipe) while respecting the boundaries of device ownership. Employees use the devices they prefer, contractors work without enrolling personal equipment, and corporate data stays protected throughout.

Getting App Protection right

App Protection Policies are powerful, but the details decide whether they actually protect you. Policies that are too loose leave gaps; policies that are too aggressive frustrate users until they find workarounds. In practice, a handful of misconfigurations show up again and again:

  • Data transfer left open to “All apps” instead of “Policy managed apps,” so corporate data can still flow into personal apps despite the policy being “on.”
  • App Protection deployed without app-based Conditional Access. This is the big one. The policy protects data inside the managed app, but nothing forces users into that app in the first place, so they reach corporate data through the mobile browser or an unmanaged mail client and bypass the whole thing.
  • Browser access left unrestricted. Data opened in Safari or Chrome sits outside the app container. Unless you route it through a managed browser like Edge, mobile web is a common blind spot.
  • Copy and paste left at “Any app” rather than restricted to managed apps, which quietly reopens the leak the policy was meant to close.
  • PIN and timeout settings tuned so aggressively that users hunt for workarounds. Over-tightening undermines a policy as surely as leaving it loose.

Treat App Protection and Conditional Access as a pair, not two separate projects. An App Protection Policy on its own secures data inside the managed app; a Conditional Access rule that requires app protection is what actually forces users into those apps and blocks the unmanaged paths around them. Deploy one without the other and you have a policy that looks complete in the console but leaks in the real world.

The right configuration balances real protection against day-to-day usability, and it should be reviewed as Microsoft adds settings and as your workforce changes.

At BALANCED+ we design and manage these policies as part of our managed cybersecurity and Microsoft 365 management services, tuning App Protection, Conditional Access, and Purview together so corporate data stays secure on every device without slowing your team down. If personal and contractor devices are touching your business data today, that is worth a conversation. Get in touch and we will review your current setup.

Sources

Written by Aayush Trivedi

IT Analyst

Aayush Trivedi is an IT Analyst at BALANCED+, where he works across endpoint management, Microsoft 365 administration, and day-to-day client support. His focus is on the practical side of keeping business data secure: configuring device and application protection, tightening Microsoft 365 security settings, and helping teams work safely from wherever they are. He works regularly […]

Frequently Asked Questions

Need IT Expertise?

Our team is ready to help. Book a free consultation and see how we can support your business.