
Don't Let Your Business be the Next Stryker

  • Writer: Brady Woudstra
  • Mar 21
  • 3 min read

BYOD: Securing Phones without Compromising Employee Privacy? Yes, it's possible. Mobile Application Management, a Microsoft Intune feature, protects your business interests and your employees' personal information.


Most of you probably heard about the massive attack on medical tech giant Stryker on March 11 that required no malware or ransomware. Just one compromised account. You're probably wondering, "What can I do to keep this from happening to me?" Never fear. Over the next two blog posts, we'll be walking you through how to set up your Microsoft environment to ensure the next Stryker isn't you.

Many organizations want employees to access company email and files on their phones. It’s convenient, increases productivity, and employees prefer using their own devices.


But there’s a common concern:

“If we allow work email on personal phones, does IT get control of the entire device?”


The answer is no, provided it's configured correctly.


Microsoft Intune allows businesses to protect company data without taking over an employee’s personal phone. The key is using the right device enrollment type.


Let’s walk through the safest option for most organizations.


The Challenge with BYOD

When employees use personal phones for work, businesses still need to protect company data such as:

  • Email

  • Teams messages

  • OneDrive or SharePoint files

  • Internal business applications


At the same time, employees expect their personal photos, texts, apps, and browsing activity to remain private.


If BYOD is handled incorrectly, companies could:

  • Accidentally gain control of the entire device

  • Create privacy concerns for employees

  • Be responsible for wiping personal data


This is where Intune app protection policies come in: they are applied to the apps rather than the device, which Microsoft calls MAM without enrollment.


The Best Approach: Mobile Application Management (MAM)

For most organizations using employee-owned phones, the best approach is Mobile Application Management (MAM) using Microsoft Intune.


In Microsoft Intune documentation, this model is often referred to as “MAM without enrollment.” This approach protects corporate data inside managed applications without requiring the device to be fully managed.


Instead of enrolling and controlling the entire device, Intune applies security controls only to approved business applications, such as:

  • Outlook

  • Microsoft Teams

  • OneDrive

  • SharePoint

  • Microsoft Office mobile apps


This creates a secure container for company data within those apps while leaving the rest of the employee’s phone completely private.


For example, organizations can configure app protection policies that:

  • Require a separate PIN or biometric unlock before opening company apps, even if the phone itself has no passcode

  • Prevent copying or pasting company data into personal apps (data can only move between managed apps)

  • Block "Save As" to personal storage and limit saving to OneDrive for Business and SharePoint

  • Require a minimum OS version and refuse to open on jailbroken or rooted devices

  • Work together with Microsoft Entra Conditional Access, which enforces multi-factor authentication (MFA) and can refuse connections from apps that do not have the protection policy applied

  • Automatically remove company data if access is revoked or the app has not checked in for too long


Because the device itself is not enrolled, the company never gains control of the employee's personal phone. Two practical caveats: only apps that integrate the Intune App SDK (Microsoft's own apps and a set of partner apps) can be protected this way, and on Android the Company Portal app must be installed as a broker (it still does not enroll the device), while on iOS the apps rely on Microsoft Authenticator when Conditional Access requires app protection.
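The settings above map directly onto the properties of an Intune app protection policy. The following is an added example, not code from the post or from Microsoft: it creates an iOS app protection policy with the Microsoft Graph PowerShell SDK, targets it at the Microsoft apps listed above, and assigns it to a group of BYOD users. The group ID is a placeholder, the bundle IDs are the published identifiers of the Microsoft iOS apps (check them against your tenant's app list), and the endpoint and property names are the documented Graph v1.0 iosManagedAppProtection resource; verify both against the current documentation before running this in production.

```powershell
# Added example (not from the original post): create and assign an iOS
# app protection policy for MAM without enrollment via Microsoft Graph.
# Assumptions: the Microsoft.Graph module is installed, the signed-in admin
# holds DeviceManagementApps.ReadWrite.All, and $groupId is a placeholder
# for the Entra ID group containing BYOD users.

Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"

$groupId = "00000000-0000-0000-0000-000000000000"   # placeholder (assumption)

# Property names follow the Graph v1.0 iosManagedAppProtection resource.
$policy = @{
    displayName                             = "BYOD iOS - App Protection"
    description                             = "MAM-WE baseline for personal iPhones"
    # Data transfer: company data may only move between managed apps
    allowedInboundDataTransferSources       = "managedApps"
    allowedOutboundDataTransferDestinations = "managedApps"
    allowedOutboundClipboardSharingLevel    = "managedAppsWithPasteIn"
    saveAsBlocked                           = $true
    allowedDataStorageLocations             = @("oneDriveForBusiness", "sharePoint")
    dataBackupBlocked                       = $true
    printBlocked                            = $true
    managedBrowserToOpenLinksRequired       = $true
    # Access: an app PIN (or biometric) separate from the device passcode
    pinRequired                             = $true
    minimumPinLength                        = 6
    simplePinBlocked                        = $true
    maximumPinRetries                       = 5
    disableAppPinIfDevicePinIsSet           = $false
    # Conditional launch: re-check with the service, wipe if offline too long,
    # and refuse to open on old OS versions (ISO 8601 durations)
    periodOfflineBeforeAccessCheck          = "PT12H"
    periodOnlineBeforeAccessCheck           = "PT30M"
    periodOfflineBeforeWipeIsEnforced       = "P30D"
    minimumRequiredOsVersion                = "16.0"
    appDataEncryptionType                   = "whenDeviceLocked"
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections" `
    -Body ($policy | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Target the policy at the Microsoft apps named in the post (iOS bundle IDs)
$apps = @("com.microsoft.Office.Outlook", "com.microsoft.skype.teams",
          "com.microsoft.skydrive", "com.microsoft.sharepoint",
          "com.microsoft.Office.Word", "com.microsoft.Office.Excel") | ForEach-Object {
    @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"; bundleId = $_ } }
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections/$($created.id)/targetApps" `
    -Body (@{ apps = $apps } | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Assign the policy to the BYOD users group
$assignment = @{
    assignments = @(@{
        "@odata.type" = "#microsoft.graph.targetedManagedAppPolicyAssignment"
        target        = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $groupId }
    })
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5) -ContentType "application/json"
```

Android needs a matching policy under androidManagedAppProtections (with androidMobileAppIdentifier and package IDs instead of bundle IDs). The policy alone does not force anyone to use protected apps: the MFA requirement and the "Require app protection policy" grant control are set in a Microsoft Entra Conditional Access policy scoped to Office 365, which is what stops an unprotected mail client from syncing company mail.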


What IT Can See (and What It Can’t)

Employees often worry about privacy when IT manages anything on their personal phone. With MAM the device is not enrolled, so IT sees only the limited information reported by the managed apps themselves.

[Graphic: separation of company and personal data on the phone]

IT can see:

  • The device name, model, platform and OS version reported by each managed app

  • The app name and version, and when the app last checked in

  • Whether the app passes the policy's conditional launch checks (for example minimum OS version, not jailbroken or rooted)

  • Whether the app protection policy is applied and company data is present in the app


IT cannot see:

  • Personal photos

  • Text messages

  • Call logs

  • Personal email accounts

  • Browsing history

  • Installed personal apps

This keeps a clear separation between company data and personal data.


Selective Wipe: Removing Only Company Data

One of the biggest advantages of Intune BYOD protection is Selective Wipe.


If an employee:

  • Leaves the company

  • Loses their phone

  • Violates security policy


IT can remove only the company data from the managed apps. Personal apps, photos, and files remain untouched. Note that the wipe is carried out when the app next checks in, so a phone that is switched off or offline receives it later; the app PIN and the policy's offline grace period (which blocks access, or wipes the data, after a set time without a check-in) cover that gap. This protects the business without interfering with the employee's personal device.
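To make the two previous sections concrete, the following added example (not code from the post or from Microsoft) lists what Intune actually records for one user's MAM-protected apps, which is the full extent of what IT can see for an unenrolled phone, and then issues a selective wipe for a single device. The user principal name and device name are placeholders; the endpoints are the documented Graph v1.0 managedAppRegistrations collection and the user action wipeManagedAppRegistrationsByDeviceTag, which you should confirm against the current documentation before relying on it.

```powershell
# Added example (not from the original post): inspect the MAM inventory for a
# user, then selectively wipe company data from one of their devices.
# Assumptions: Microsoft.Graph module installed, DeviceManagementApps.ReadWrite.All
# granted, and $userUpn / $targetDeviceName are placeholders.

Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"

$userUpn          = "jdoe@example.com"    # placeholder (assumption)
$targetDeviceName = "iPhone of J. Doe"    # placeholder (assumption)

# One registration per protected app per device. These fields are the MAM-level
# view IT gets: device name/type, OS version, app identity and version, last
# check-in, and any flagged reasons (e.g. a conditional launch check failed).
$regs = (Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/users/$userUpn/managedAppRegistrations").value

$regs | ForEach-Object {
    [pscustomobject]@{
        DeviceName = $_.deviceName
        DeviceType = $_.deviceType
        OsVersion  = $_.platformVersion
        App        = ($_.appIdentifier | ConvertTo-Json -Compress)   # bundleId (iOS) or packageId (Android)
        AppVersion = $_.applicationVersion
        LastSync   = $_.lastSyncDateTime
        DeviceTag  = $_.deviceTag
        Flags      = ($_.flaggedReasons -join ",")
    }
} | Format-Table -AutoSize

# Selective wipe: every managed app on the device carrying this tag discards its
# company data at its next check-in. Nothing personal on the phone is touched,
# and the device itself is never enrolled or reset.
$deviceTag = ($regs | Where-Object { $_.deviceName -eq $targetDeviceName } |
              Select-Object -First 1).deviceTag

if (-not $deviceTag) {
    throw "No managed app registration found for device '$targetDeviceName'"
}

Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/users/$userUpn/wipeManagedAppRegistrationsByDeviceTag" `
    -Body (@{ deviceTag = $deviceTag } | ConvertTo-Json) -ContentType "application/json"
```

The listing is worth showing to employees who ask what IT can see: there is no entry for photos, messages, call logs or personal apps, because the managed apps never report them. After issuing the wipe, re-run the listing a while later; the registration for that device disappears once the apps have checked in and completed the wipe.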


When Full Device Enrollment Is Needed

In some cases, organizations may require full device enrollment instead of app-based protection.


Examples include:

  • Company-owned phones

  • Highly regulated industries

  • Devices accessing sensitive internal systems


In those situations, IT can enforce stronger policies such as:

  • Device encryption

  • OS version requirements

  • Remote device wipe

  • Application control


However, for personal phones, app-based protection is typically the best balance between security and privacy, and its conditional launch settings still let you require a minimum OS version and block jailbroken or rooted devices without enrolling the phone.


Why This Matters for Small Businesses

With the right Microsoft Intune configuration, you can:


  • Allow employees to use their preferred devices

  • Avoid privacy concerns

  • Maintain compliance with security best practices


Want help implementing secure BYOD policies in Microsoft 365?

Elevate Cyber Solutions helps organizations configure Microsoft Intune, identity security, and device management the right way.

 
 