The modern network has an incredible diversity of endpoints accessing data. This increases the attack surface, and endpoints can easily become the largest gaps in your Zero Trust security strategy.

By Jason Louth, Technical Architect,

Whether a device is personally owned (Bring Your Own Device) or a corporate-owned and fully managed device, we want to maintain visibility into the endpoints accessing our network. Doing so will ensure we are only allowing healthy and compliant devices to access corporate resources. Likewise, we are concerned about the health and trustworthiness of mobile and desktop apps that run on those endpoints. We want to ensure those apps are also healthy and compliant and that they prevent corporate data from leaking to consumer apps or services through malicious intent or accidental means.

Get visibility into device health and compliance

Gaining visibility into the endpoints accessing your corporate resources is one of the steps to completing your Zero Trust device strategy. Typically, companies are proactive in protecting PCs from vulnerabilities and attacks, but mobile devices often go unmonitored and without similar protection. To help limit risk exposure, we need to monitor every endpoint to ensure it has a trusted identity, has security policies applied, and has a method for evaluating its risk level. For example, if a personal device is jailbroken, we can block access to ensure that enterprise applications are not exposed to known vulnerabilities.

Restrict access from less secure or compromised devices

Once we understand and audit the health and compliance status of an endpoint through Intune enrollment, we can use Azure AD Conditional Access to enforce more granular, risk-based access policies. For example, we can ensure that vulnerable devices (such as devices with malware) are not allowed access until remediated, or that logins from unmanaged devices receive only limited access to corporate resources.
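The access decisions described above (jailbroken device blocked, device with malware blocked until remediated, unmanaged device limited to restricted access) can be written down as an explicit policy. The following is an added example, not Microsoft code: `evaluate_access()` is a local, simplified model of the decision Azure AD Conditional Access makes from Intune device signals, and `conditional_access_policy_body()` produces a request body in the shape of the public Microsoft Graph `conditionalAccessPolicy` resource as the example's author understands it (an assumption to verify against the Graph reference before use). The device records in `__main__` are constructed sample data.

```python
"""Risk-based access decision for endpoints, modelled on the Conditional Access
rules in the text: jailbroken -> block, threat above the accepted level (e.g.
malware) -> block until remediated, unmanaged -> limited access, enrolled but
non-compliant -> block. Added example; the evaluator is a local simplification
of Azure AD Conditional Access, not its real implementation."""
from dataclasses import dataclass
from enum import Enum


class Decision(str, Enum):
    ALLOW = "allow"        # full access to corporate resources
    LIMITED = "limited"    # restricted session only (e.g. browser, no download)
    BLOCK = "block"        # no access until the device is remediated


@dataclass(frozen=True)
class DeviceSignal:
    """Device health and compliance signals as Intune would report them."""
    device_id: str
    enrolled: bool        # MDM-enrolled with an organizational account
    compliant: bool       # meets the assigned Intune compliance policy
    jailbroken: bool      # rooted / jailbroken device
    threat_level: str     # "secured" | "low" | "medium" | "high" (from a defender/MTD signal)


THREAT_ORDER = ["secured", "low", "medium", "high"]


def evaluate_access(sig: DeviceSignal, max_threat_level: str = "low") -> Decision:
    """Map device signals to an access decision, most severe condition first."""
    # 1. A jailbroken device exposes enterprise apps to known vulnerabilities.
    if sig.jailbroken:
        return Decision.BLOCK
    # 2. A device above the accepted threat level (e.g. active malware) is
    #    blocked until it has been remediated.
    if THREAT_ORDER.index(sig.threat_level) > THREAT_ORDER.index(max_threat_level):
        return Decision.BLOCK
    # 3. An unmanaged device has no compliance status to trust, so it gets a
    #    limited session; app-level (MAM) controls still apply inside the apps.
    if not sig.enrolled:
        return Decision.LIMITED
    # 4. An enrolled device that fails its compliance policy is blocked until fixed.
    if not sig.compliant:
        return Decision.BLOCK
    return Decision.ALLOW


def conditional_access_policy_body(display_name: str) -> dict:
    """Graph-shaped body (assumed schema) for a policy that requires a compliant
    device for all users and all cloud apps. It starts in report-only mode so the
    effect can be audited in sign-in logs before it is enforced."""
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "platforms": {"includePlatforms": ["iOS", "android", "windows", "macOS"]},
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": ["compliantDevice"],
        },
    }


if __name__ == "__main__":
    # Constructed sample devices, one per rule in the text.
    samples = [
        DeviceSignal("corp-laptop-01", enrolled=True, compliant=True, jailbroken=False, threat_level="secured"),
        DeviceSignal("byod-phone-07", enrolled=False, compliant=False, jailbroken=True, threat_level="secured"),
        DeviceSignal("byod-phone-12", enrolled=False, compliant=False, jailbroken=False, threat_level="secured"),
        DeviceSignal("corp-tablet-03", enrolled=True, compliant=True, jailbroken=False, threat_level="high"),
    ]
    for s in samples:
        print(f"{s.device_id:16} -> {evaluate_access(s).value}")
```

Switching `state` to `"enabled"` is the step that actually enforces the policy; keeping it in report-only mode first lets you see which devices would be blocked or limited before any user is affected.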

Enforce security policies on mobile devices and apps

We have two options for enforcing security policies on mobile devices: Intune Mobile Device Management (MDM) and Intune Mobile Application Management (MAM). In both cases, once data access is granted, we can control what the user does with the data. For example, if a user accesses a document with a corporate identity, we want to prevent that document from being saved in an unprotected consumer storage location or from being shared with a consumer communication or chat app. With Intune MAM policies in place, users can only transfer or copy data within trusted apps such as Office 365 or Adobe Acrobat Reader, and only save it to trusted locations such as OneDrive or SharePoint.

Intune MDM ensures that the device configuration aspects of the endpoint are centrally managed and controlled. Device management through Intune enables endpoint provisioning, configuration, automatic updates, device wipe, and other remote actions. Device management requires the endpoint to be enrolled with an organizational account and allows for greater control over things like disk encryption, camera usage, network connectivity, certificate deployment, and so on.

Intune MAM, meanwhile, is concerned with management of the mobile and desktop apps that run on endpoints. Where user privacy is a higher priority, or the device is not owned by the company, app management makes it possible to apply security controls (such as Intune app protection policies) at the app level on non-enrolled devices. The organization can ensure that only apps that comply with its security controls, running on approved devices, can be used to access email or files or browse the web.

With Intune, Mobile Application Management is possible for both managed and unmanaged devices. For example, a user’s personal phone (which is not Mobile Device Management-enrolled) may have apps that receive Intune app protection policies to contain and protect corporate data after it has been accessed. Those same app protection policies can be applied to apps on a corporate-owned and enrolled tablet. In that case, the app-level protections complement the device-level protections. If the device is also enrolled and managed with Intune MDM, the Intune MAM policy can be configured not to require a separate app-level PIN when a device-level PIN is set.
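The app protection policy described in the two paragraphs above (data transfer only between trusted apps, saving only to OneDrive or SharePoint, and no separate app PIN when an enrolled device already has a device PIN) can be expressed as a concrete configuration and checked. This is an added example, not Microsoft code or the actual Intune app protection engine: `ios_app_protection_body()` builds a body in the shape of the Microsoft Graph `iosManagedAppProtection` resource as the example's author understands it (an assumption to verify against the Graph reference), the `transfer_allowed()`, `save_allowed()` and `pin_required()` helpers are a local simulation of how such a policy is applied inside a managed app, and `review_policy()` flags a weakened configuration beside the intended one.

```python
"""Intune app protection (MAM) policy as configuration plus a local model of how
a managed app would apply it. Added example; property names follow the Graph
iosManagedAppProtection schema as understood by this example's author (assumed),
and the helper functions are a simplification, not Intune's own logic."""

# Storage locations the organisation treats as trusted for corporate data.
TRUSTED_STORAGE = ("oneDriveForBusiness", "sharePoint")


def ios_app_protection_body(display_name: str) -> dict:
    """Graph-shaped request body (assumed schema) for an iOS app protection policy."""
    return {
        "@odata.type": "#microsoft.graph.iosManagedAppProtection",
        "displayName": display_name,
        # Data transfer: only to and from other policy-managed apps, clipboard included.
        "allowedOutboundDataTransferDestinations": "managedApps",
        "allowedInboundDataTransferSources": "managedApps",
        "allowedOutboundClipboardSharingLevel": "managedApps",
        # Save-as only to the trusted locations; no iOS/iCloud backup of app data.
        "saveAsBlocked": True,
        "allowedDataStorageLocations": list(TRUSTED_STORAGE),
        "dataBackupBlocked": True,
        # Access requirements: corporate sign-in plus an app PIN, except where an
        # MDM-enrolled device already enforces a device PIN.
        "organizationalCredentialsRequired": True,
        "pinRequired": True,
        "minimumPinLength": 6,
        "disableAppPinIfDevicePinIsSet": True,
    }


def transfer_allowed(policy: dict, target_is_managed_app: bool) -> bool:
    """Can a document be shared/copied from a managed app to the target app?"""
    dest = policy["allowedOutboundDataTransferDestinations"]
    if dest == "allApps":
        return True
    if dest == "managedApps":
        return target_is_managed_app
    return False  # "none": no outbound transfer at all


def save_allowed(policy: dict, location: str) -> bool:
    """Can the document be saved to `location` (e.g. 'oneDriveForBusiness', 'localStorage')?"""
    if not policy["saveAsBlocked"]:
        return True
    return location in policy["allowedDataStorageLocations"]


def pin_required(policy: dict, device_enrolled: bool, device_pin_set: bool) -> bool:
    """Is a separate app-level PIN prompted? Waived only for an enrolled device
    that already has a device PIN, when the policy allows that."""
    if not policy["pinRequired"]:
        return False
    if policy["disableAppPinIfDevicePinIsSet"] and device_enrolled and device_pin_set:
        return False
    return True


def review_policy(policy: dict) -> list:
    """Return findings for settings that would let corporate data leak to
    consumer apps or locations; an empty list means the policy matches the intent."""
    findings = []
    if policy.get("allowedOutboundDataTransferDestinations") not in ("managedApps", "none"):
        findings.append("outbound data transfer is not restricted to managed apps")
    untrusted = set(policy.get("allowedDataStorageLocations", [])) - set(TRUSTED_STORAGE)
    if not policy.get("saveAsBlocked") or untrusted:
        findings.append("save-as is allowed to untrusted storage locations")
    if not policy.get("pinRequired"):
        findings.append("no app PIN is required")
    return findings


if __name__ == "__main__":
    good = ios_app_protection_body("Corporate data protection (iOS)")
    # Constructed weakened copy: the settings a well-meaning admin might relax.
    weak = {**good, "allowedOutboundDataTransferDestinations": "allApps", "saveAsBlocked": False}
    print("intended policy findings:", review_policy(good))
    print("weakened policy findings:", review_policy(weak))
    print("share to consumer chat app:", transfer_allowed(good, target_is_managed_app=False))
    print("app PIN on enrolled device with device PIN:", pin_required(good, True, True))
```

The policy body is only half the configuration: in Intune the policy must also be targeted at the managed apps (Office, Acrobat Reader and so on) and assigned to users before any of these controls take effect, and the same property set exists for the Android policy type.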


Securing your devices is one of the largest contributing factors in securing your corporate data as part of a Zero Trust strategy. While it is not the entire answer, it is part of a larger suite of tools offered with Microsoft 365 to secure your identities, devices, and data with a holistic and unified approach to deployment and administration within a Zero Trust framework.