Intune BYOD Enrollment Made Easy: iOS & Android Setup for Small and Medium Businesses

In this article we look at one scenario that lets iOS and Android users enroll their own (BYOD) devices in Intune so they can reach company data securely. There are several ways to handle iOS and Android device setup and enrollment for an organization; here we make sure that only enrolled, compliant devices can access the organization's Office 365 apps and data.

By default any user can connect to company email and Office 365 apps from an iOS or Android device without restriction. Our goal is to stop that and to allow access only from enrolled devices that meet our compliance policies.

iOS and Android users enrolling BYOD devices

As more employees use their personal devices for work, securing corporate data on smartphones and tablets has never been more important. Microsoft Intune provides powerful tools to manage and restrict Bring Your Own Device (BYOD) access, ensuring sensitive business information stays protected—without compromising user experience.

Why Use Microsoft Intune to Restrict BYOD Access

The Bring Your Own Device (BYOD) trend offers flexibility and productivity, but it also introduces significant security challenges for businesses. With employees accessing work data on personal iOS and Android devices, organizations need a secure and scalable solution.

Protect Corporate Data Without Taking Over Personal Devices

Microsoft Intune uses app-level management rather than full device control.

Conditional Access Ensures Only Compliant Devices Connect

With Conditional Access, you can enforce rules

Remote Wipe Options for Lost or Stolen Devices

If a BYOD device is lost or an employee leaves the company

Seamless Integration with Microsoft 365 and Azure AD

Because Intune is part of the Microsoft 365 ecosystem, it integrates effortlessly

For small and medium-sized businesses embracing BYOD, Microsoft Intune offers a good mix of security, flexibility, and ease of use. It protects corporate data on iOS and Android devices, enforces compliance, and respects employee privacy, all while integrating with the Microsoft 365 tools you already use. If you are looking for a scalable and secure way to manage BYOD access, Intune is the sensible choice. In this article we show one simple way to configure BYOD for a small or medium business.

The approach consists of two groups. One group is for users who will not enroll their iOS devices; it is protected by assigning an app protection policy to it. The other group is for users who will enroll their iOS devices in Intune, and it is the group the Conditional Access and compliance policies are assigned to.

Let's get started and review the configuration process.

Steps we take to prepare our Office 365 tenant for iOS BYOD devices

1. Create a security group called Users_with_smartphones.

2. Create a Conditional Access policy called IOS_and_Android_ConditionalPolicy01.

3. Assign the Users_with_smartphones group to the IOS_and_Android_ConditionalPolicy01 Conditional Access policy.

4. Create an iOS compliance policy called iOS_Compliance_pol1.

5. Assign the Users_with_smartphones group to the iOS_Compliance_pol1 compliance policy.

6. Create an enrollment profile called IOS_Enrollment_profile_company_portal.

7. Assign the Users_with_smartphones group to the IOS_Enrollment_profile_company_portal enrollment profile.

8. Add users to the Users_with_smartphones group.

9. Create an app protection policy called IOS_Application_Protection_Policy.

10. Create a group called Users_protection_policy.

11. Assign the Users_protection_policy group to the IOS_Application_Protection_Policy app protection policy.


Create Security Group

Microsoft 365 Admin center – Teams & groups – Security groups

Create a security group called Users_with_smartphones.

Create Conditional Access Policy

Microsoft 365 Admin Center – Identity – Protection – Conditional Access

We will now create the Conditional Access policy so that nobody in the group can connect from a phone or tablet unless the device is enrolled and marked compliant.

Under Assignments we add the group called Users_with_smartphones.

Under Target resources we select Office 365.

Under Conditions, Client apps includes Browser and Mobile apps and desktop clients.

Under Conditions, Device platforms includes both iOS and Android.

Note: we include Android because users are removed from the app protection group once they are in Users_with_smartphones; if the policy covered only iOS, such a user could simply connect from an Android device with no control at all.

Under Grant, make sure Require device to be marked as compliant is selected.

Two practical checks before you turn this on: create the policy in Report-only mode first and review the sign-in logs to see who would be blocked, and exclude at least one emergency-access (break-glass) account so an Intune or compliance outage cannot lock every administrator out. Conditional Access also requires Microsoft Entra ID P1 (included in Microsoft 365 Business Premium), so confirm the tenant is licensed for it.
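If you prefer to script this rather than click through the portal, the following Microsoft Graph PowerShell snippet is an added example (it is not from the original article or from Microsoft) that creates the group and the Conditional Access policy with the settings listed above. It assumes the Microsoft.Graph module is installed, that the signed-in admin can manage groups and Conditional Access, and it uses a placeholder emergency-access account breakglass@contoso.com, which is excluded from the policy. The policy is created in report-only mode; switch it to enabled once the sign-in logs confirm who would be blocked.

```powershell
# Added example, not from the original article: create the group and the Conditional
# Access policy described above with the Microsoft Graph PowerShell SDK.
# Assumptions: the Microsoft.Graph module is installed, the signed-in admin can manage
# groups and Conditional Access, and breakglass@contoso.com is a placeholder for an
# emergency-access account that already exists in the tenant.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess", "User.Read.All"

# 1. Security group for users who WILL enroll their devices (created only if missing).
$group = Get-MgGroup -Filter "displayName eq 'Users_with_smartphones'"
if (-not $group) {
    $group = New-MgGroup -DisplayName "Users_with_smartphones" -MailNickname "Users_with_smartphones" `
                         -MailEnabled:$false -SecurityEnabled:$true
}

# Emergency-access account that this policy must never apply to (placeholder UPN).
$breakGlass = Get-MgUser -UserId "breakglass@contoso.com"

# 2. Conditional Access policy: iOS + Android, browser + mobile/desktop apps, Office 365,
#    grant access only when Intune marks the device compliant.
$policy = @{
    displayName   = "IOS_and_Android_ConditionalPolicy01"
    # Report-only first: sign-in logs show who WOULD be blocked before anyone actually is.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeGroups = @($group.Id); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("Office365") }     # the Office 365 app group
        platforms      = @{ includePlatforms = @("iOS", "android") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")   # "Require device to be marked as compliant"
    }
}
$ca = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created '$($ca.DisplayName)' ($($ca.Id)) in state $($ca.State)"

# 3. When the report-only results look right, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $ca.Id -BodyParameter @{ state = "enabled" }
```

The policy object mirrors the portal one to one: the group under Assignments becomes includeGroups, Office 365 under Target resources becomes the Office365 application group, and the grant control compliantDevice is the Require device to be marked as compliant checkbox.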

Create iOS device compliance policy

Microsoft 365 Admin center – Microsoft Intune – Devices – Manage devices – Compliance

Create an iOS/iPadOS compliance policy called iOS_Compliance_pol1.

We made sure Jailbroken devices is set to Block and that Require the device to be at or under the Device Threat Level is set to Low. The group we created earlier, Users_with_smartphones, is added under Included groups. Note that the device threat level check only works when a Mobile Threat Defense connector (for example Microsoft Defender for Endpoint) is configured in Intune; without one, devices have no threat level to report and will fail the check, so leave that setting at Not configured if you do not run an MTD product.
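The same compliance policy and its group assignment, scripted against the Graph REST endpoints, as an added example that is not part of the original article. It assumes the Microsoft.Graph module, the Users_with_smartphones group already existing, and a Mobile Threat Defense connector in place for the two threat-level settings.

```powershell
# Added example, not from the original article: create the iOS/iPadOS compliance policy
# described above and assign it to Users_with_smartphones through the Graph REST
# endpoints (Invoke-MgGraphRequest). Assumptions: Microsoft.Graph module installed and the
# group already exists; the policy name and settings mirror the article.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All", "Group.Read.All"

$group = Get-MgGroup -Filter "displayName eq 'Users_with_smartphones'"
if (-not $group) { throw "Create the Users_with_smartphones group first." }

$policy = @{
    "@odata.type"                               = "#microsoft.graph.iosCompliancePolicy"
    displayName                                 = "iOS_Compliance_pol1"
    description                                 = "Block jailbroken devices; require threat level Low or better"
    securityBlockJailbrokenDevices              = $true
    # Only enable these two when a Mobile Threat Defense connector is configured in Intune;
    # without one, devices cannot report a threat level and would all become non-compliant.
    deviceThreatProtectionEnabled               = $true
    deviceThreatProtectionRequiredSecurityLevel = "low"
    # Graph rejects a compliance policy with no scheduled action. This one marks a failing
    # device non-compliant immediately (grace period 0 h), which is what the CA policy keys on.
    scheduledActionsForRule = @(
        @{
            ruleName                      = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 0; notificationTemplateId = ""; notificationMessageCCList = @() }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Assign the policy to the group (included assignment, no filter).
$assign = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $group.Id } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assign | ConvertTo-Json -Depth 10) -ContentType "application/json"

Write-Host "Compliance policy '$($created.displayName)' assigned to '$($group.DisplayName)'"
```

The scheduled action is easy to forget in the portal too: it is the Actions for noncompliance tab, and a grace period longer than zero means a jailbroken device stays "compliant", and therefore passes the Conditional Access policy, until the grace period runs out.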

Create Enrollment profile

Next we create the enrollment profile for users who are willing to enroll their iOS devices in Intune.

Microsoft 365 Admin center – Microsoft Intune – Devices – Device onboarding – Enrollment – Apple

Prerequisites: we first need to configure an Apple MDM push certificate. Obtaining the certificate is straightforward and is described in Microsoft's documentation. The certificate expires after one year and must be renewed with the same Apple ID that created it, otherwise every enrolled iOS device has to be re-enrolled, so record which Apple ID you used and set a renewal reminder.

Once the MDM push certificate is in place we can create the enrollment profile under Enrollment types. Go to Microsoft 365 Admin center – Microsoft Intune – Devices – Device onboarding – Enrollment – Apple – Enrollment Options – Enrollment types and create an iOS/iPadOS profile. Assign the Users_with_smartphones group we created earlier to this profile.


Device enrollment end user tasks

In order to enroll, your users must complete the following steps.

  1. Go to the Apple App Store, and install the Intune Company Portal app.

  2. Open the Company Portal app, and sign in with their work or school account (user@contoso.com). After they sign in, your enrollment profile applies to the device.

App Protection Policy

This step is optional, but in our case we still want users who are not willing to enroll their iOS devices to be able to access Office 365 apps with some additional security. To accomplish this we create a separate group for all users who will not enroll and assign that group to an app protection policy.

  1. Create group called Users_protection_policy
  2. Go to Microsoft 365 admin center – Microsoft Intune – Apps – Manage apps – Protection

Create an app protection policy for iOS/iPadOS devices with the required settings (typical choices are a PIN to open managed apps, blocking backup of org data, and blocking cut, copy, paste and Save As to unmanaged apps). Assign the group called Users_protection_policy to this policy.

The idea behind this is that users willing to enroll in Intune are added to the Users_with_smartphones group, and users who are not willing to enroll are added to the Users_protection_policy group; a user should be in exactly one of the two. With this setup all users can access company Office 365 data with some level of security. One caveat: an app protection policy only governs apps that support Intune app protection (Outlook, Teams, the Office apps and so on); on its own it does not stop a user in this group from signing in with an unmanaged client such as the built-in iOS Mail app. To make the policy mandatory, add a second Conditional Access policy scoped to Users_protection_policy with the grant control Require app protection policy. Users in neither group are subject to no policy at all, so make sure every mobile user lands in one of the two.
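Because the design relies on every user being in exactly one of the two groups, it is worth checking that regularly. The script below is an added example (not from the original article) that reports users in both groups and enabled member users in neither. It assumes the Microsoft.Graph module and read access to groups and users.

```powershell
# Added example, not from the original article: sanity-check the two-group design.
# A user should be in exactly one of Users_with_smartphones / Users_protection_policy.
# In both  -> contradictory treatment (CA requires enrollment, but APP group says "no enrollment").
# In neither -> no Conditional Access, no compliance and no app protection applies.
# Assumptions: Microsoft.Graph module installed; Group.Read.All and User.Read.All granted.
Connect-MgGraph -Scopes "Group.Read.All", "User.Read.All"

function Get-GroupMemberUpns([string]$DisplayName) {
    $g = Get-MgGroup -Filter "displayName eq '$DisplayName'"
    if (-not $g) { throw "Group '$DisplayName' not found" }
    # Transitive membership so nested groups count; keep only user objects.
    @(Get-MgGroupTransitiveMember -GroupId $g.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
        ForEach-Object { $_.AdditionalProperties['userPrincipalName'] })
}

$enrolled = Get-GroupMemberUpns 'Users_with_smartphones'   # CA + compliance policy applies
$appOnly  = Get-GroupMemberUpns 'Users_protection_policy'  # app protection policy applies

# Enabled member (non-guest) accounts in the tenant, filtered client-side to keep the query simple.
$allUsers = @(Get-MgUser -All -Property UserPrincipalName, AccountEnabled, UserType |
    Where-Object { $_.AccountEnabled -and $_.UserType -eq 'Member' } |
    ForEach-Object { $_.UserPrincipalName })

$inBoth    = @($enrolled | Where-Object { $appOnly -contains $_ })
$inNeither = @($allUsers | Where-Object { ($enrolled -notcontains $_) -and ($appOnly -notcontains $_) })

Write-Host "Enrolled (CA + compliance): $($enrolled.Count)"
Write-Host "App protection only:        $($appOnly.Count)"
Write-Host "In BOTH groups (fix):       $($inBoth.Count)"
$inBoth | ForEach-Object { Write-Host "  $_" }
Write-Host "In NEITHER (unprotected):   $($inNeither.Count)"
$inNeither | ForEach-Object { Write-Host "  $_" }
```

Run it after each onboarding or offboarding round; the "in neither" list is usually where new hires with a company phone show up before anyone has decided which group they belong to.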
