Securing Mobile Devices with Intune
Best practices for managing and securing iOS and Android devices in the enterprise, covering enrollment types and security configurations.
Mobile devices are the new perimeter. With employees accessing email, Teams, and documents from their phones, securing these endpoints is non-negotiable. Microsoft Intune offers comprehensive management for both iOS and Android ecosystems.
The Mobile Security Challenge
Mobile security involves balancing three competing needs:
- Security: Protecting corporate data.
- Privacy: Respecting users' personal data (especially on BYOD).
- Usability: Ensuring employees can work efficiently.
Enrollment Strategies
Choosing the right enrollment method is the first step in securing mobile devices.
iOS/iPadOS Enrollment
- User Enrollment: Best for BYOD. Separates work and personal data on a distinct APFS volume. Limited management capabilities (privacy-focused).
- Device Enrollment: Standard enrollment via Company Portal. Full device management.
- Automated Device Enrollment (ADE): For corporate-owned devices. Devices are supervised and enrolled out-of-the-box (formerly DEP).
Android Enrollment
- Android Enterprise Work Profile: Best for BYOD. Creates a separate "Work" container. IT manages the container; the user manages the rest.
- Corporate-Owned, Fully Managed: For company phones. IT controls the entire device.
- Corporate-Owned with Work Profile (COPE): A hybrid approach. IT controls the device, but the user gets a private personal profile.
- Dedicated Device: For kiosks and ruggedized devices.
Essential Security Policies
Regardless of the platform, you should enforce these core security settings via Configuration Profiles:
1. Passcode Policy
- Require a passcode (PIN).
- Minimum length (e.g., 6 digits).
- Block simple passcodes (e.g., 123456).
- Wipe device (or work profile) after X failed attempts.
2. Encryption
- iOS: Encrypted by default, but ensure the passcode policy is active to protect the key.
- Android: Require encryption.
3. OS Updates
- Enforce minimum OS versions.
- Use update policies to force updates on corporate devices.
4. Jailbreak/Root Detection
- Block compromised devices immediately using Compliance Policies.
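The four settings above map directly onto properties of an Intune compliance policy as it is submitted through Microsoft Graph. The following Python script is an added example, not code from Microsoft or from this article: it audits a policy body against the checklist and shows a weak policy beside a hardened one. Property names follow the Graph resources `iosCompliancePolicy` and `androidWorkProfileCompliancePolicy` as I understand them; the policy values themselves are constructed, and the set of "weak" Android password types is my own reading of the `passwordRequiredType` enum, so verify both against the current Graph reference before relying on them.

```python
"""Audit Intune compliance-policy bodies (Microsoft Graph shape) against the
four essential settings: passcode, encryption, OS version, jailbreak/root.
Added example; all policy values below are constructed."""
from typing import Any

# Graph @odata.type values for the two policy kinds audited here
IOS = "#microsoft.graph.iosCompliancePolicy"
ANDROID_WP = "#microsoft.graph.androidWorkProfileCompliancePolicy"

# Checklist item -> Graph property carrying it, per platform (assumed names)
PROPS = {
    IOS: {
        "passcode_required": "passcodeRequired",
        "min_length": "passcodeMinimumLength",
        "block_simple": "passcodeBlockSimple",
        "min_os": "osMinimumVersion",
        "block_rooted": "securityBlockJailbrokenDevices",
    },
    ANDROID_WP: {
        "passcode_required": "passwordRequired",
        "min_length": "passwordMinimumLength",
        "block_simple": "passwordRequiredType",  # enum, see WEAK_ANDROID_TYPES
        "encryption": "storageRequireEncryption",
        "min_os": "osMinimumVersion",
        "block_rooted": "securityBlockJailbrokenDevices",
    },
}
# passwordRequiredType values that still allow a plain numeric PIN such as
# 123456 (assumption about the enum; numericComplex and stronger block these)
WEAK_ANDROID_TYPES = {None, "deviceDefault", "lowSecurityBiometric",
                      "required", "atLeastNumeric"}
MIN_PASSCODE_LENGTH = 6


def audit_policy(policy: dict[str, Any]) -> list[str]:
    """Return findings for a policy body; an empty list means it meets the checklist."""
    kind = policy.get("@odata.type")
    props = PROPS.get(kind)
    if props is None:
        return [f"unsupported policy type: {kind}"]
    findings: list[str] = []
    if not policy.get(props["passcode_required"]):
        findings.append("passcode not required")
    length = policy.get(props["min_length"]) or 0
    if length < MIN_PASSCODE_LENGTH:
        findings.append(f"minimum passcode length {length} < {MIN_PASSCODE_LENGTH}")
    if kind == IOS:
        if not policy.get(props["block_simple"]):
            findings.append("simple passcodes not blocked")
    else:
        if policy.get(props["block_simple"]) in WEAK_ANDROID_TYPES:
            findings.append("password type allows simple numeric PINs")
        # iOS is encrypted once a passcode exists; Android must be told
        if not policy.get(props["encryption"]):
            findings.append("storage encryption not required")
    if not policy.get(props["min_os"]):
        findings.append("no minimum OS version set")
    if not policy.get(props["block_rooted"]):
        findings.append("jailbroken/rooted devices not blocked")
    return findings


# Constructed sample bodies: the "before" and "after" of hardening
WEAK_IOS = {"@odata.type": IOS, "displayName": "iOS baseline (weak)",
            "passcodeRequired": True, "passcodeMinimumLength": 4,
            "passcodeBlockSimple": False}
HARDENED_IOS = {"@odata.type": IOS, "displayName": "iOS baseline",
                "passcodeRequired": True, "passcodeMinimumLength": 6,
                "passcodeBlockSimple": True, "osMinimumVersion": "17.4",
                "securityBlockJailbrokenDevices": True}
HARDENED_ANDROID = {"@odata.type": ANDROID_WP, "displayName": "Android WP baseline",
                    "passwordRequired": True, "passwordMinimumLength": 6,
                    "passwordRequiredType": "numericComplex",
                    "storageRequireEncryption": True, "osMinimumVersion": "13",
                    "securityBlockJailbrokenDevices": True}

if __name__ == "__main__":
    for body in (WEAK_IOS, HARDENED_IOS, HARDENED_ANDROID):
        print(body["displayName"], "->", audit_policy(body) or "OK")
```

Run the audit before pushing a body to `POST /deviceManagement/deviceCompliancePolicies`; the same checks can be run over policies already in the tenant by fetching them and passing each object to `audit_policy`.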
Managing Updates
Keeping mobile operating systems up to date is critical for security.
- iOS: You can force updates on Supervised devices (ADE). For BYOD, use Compliance Policies to block access if the OS is too old.
- Android: On fully managed devices, you can control the "System update" window (e.g., Automatic, Windowed, Postpone).
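Blocking devices whose OS is too old only works if the version comparison is done correctly: compared as strings, "17.10" sorts before "17.9". The Python script below is an added example (not code from Microsoft or from this article) that evaluates a device inventory against a minimum-OS rule and the jailbreak/root flag, reporting which devices a compliance policy would block. The device records are constructed but use the field names of Graph's `managedDevice` resource (`deviceName`, `operatingSystem`, `osVersion`, `jailBroken`); the minimum versions are arbitrary sample values.

```python
"""Evaluate a device inventory against minimum-OS and jailbreak/root rules.
Added example; device records and minimum versions are constructed."""
import re
from dataclasses import dataclass

# Constructed policy: minimum OS version per platform
MINIMUM_OS = {"iOS": "17.4", "Android": "13"}


def parse_version(version: str) -> tuple[int, ...]:
    """'17.4.1' -> (17, 4, 1). Tuples of ints compare numerically, avoiding the
    string trap where '17.10' < '17.9' because '1' sorts before '9'."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


def version_at_least(actual: str, minimum: str) -> bool:
    """True if actual >= minimum; '13' and '13.0' are treated as equal."""
    a, m = parse_version(actual), parse_version(minimum)
    width = max(len(a), len(m))
    return a + (0,) * (width - len(a)) >= m + (0,) * (width - len(m))


@dataclass
class Device:
    name: str
    platform: str      # managedDevice.operatingSystem
    os_version: str    # managedDevice.osVersion
    jail_broken: str   # managedDevice.jailBroken is a string: "True"/"False"/"Unknown"

    @classmethod
    def from_graph(cls, record: dict) -> "Device":
        """Build a Device from a managedDevice JSON object."""
        return cls(record["deviceName"], record["operatingSystem"],
                   record["osVersion"], record.get("jailBroken", "Unknown"))


def evaluate(devices: list[Device]) -> dict[str, list[str]]:
    """Map each non-compliant device name to the reasons it would be blocked."""
    results: dict[str, list[str]] = {}
    for d in devices:
        reasons = []
        minimum = MINIMUM_OS.get(d.platform)
        if minimum is None:
            reasons.append(f"no minimum OS defined for {d.platform}")
        elif not version_at_least(d.os_version, minimum):
            reasons.append(f"OS {d.os_version} below minimum {minimum}")
        if d.jail_broken == "True":
            reasons.append("device is jailbroken/rooted")
        elif d.jail_broken != "False":
            # Unknown status: the compromised-device check cannot pass, so flag it
            reasons.append("jailbreak/root status unknown")
        if reasons:
            results[d.name] = reasons
    return results


# Constructed inventory in managedDevice shape
SAMPLE_RECORDS = [
    {"deviceName": "ipad-01", "operatingSystem": "iOS", "osVersion": "17.4.1", "jailBroken": "False"},
    {"deviceName": "iphone-02", "operatingSystem": "iOS", "osVersion": "16.7.8", "jailBroken": "False"},
    {"deviceName": "pixel-03", "operatingSystem": "Android", "osVersion": "14", "jailBroken": "True"},
    {"deviceName": "pixel-04", "operatingSystem": "Android", "osVersion": "13", "jailBroken": "Unknown"},
]

if __name__ == "__main__":
    for name, reasons in evaluate([Device.from_graph(r) for r in SAMPLE_RECORDS]).items():
        print(f"{name}: {'; '.join(reasons)}")
```

On a real tenant the records would come from `GET /deviceManagement/managedDevices`; the evaluation itself needs no network access, which makes it easy to run as a pre-check before tightening `osMinimumVersion` in a compliance policy and seeing how many users would be locked out.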
App Management
Don't just manage the device; manage the apps.
- VPP (Volume Purchase Program): For iOS, buy and distribute apps silently.
- Managed Google Play: For Android, approve and deploy apps to the Work Profile.
- App Configuration Policies: Pre-configure app settings (e.g., set the server URL for a VPN app or email signature for Outlook).
Conclusion
Securing mobile devices with Intune requires a mix of the right enrollment model, strong configuration profiles, and strict compliance policies. By separating work and personal data (especially on Android Enterprise and iOS User Enrollment), you can achieve high security without compromising user privacy.