Managing Company Phones with Intune: iPhone and Android
How to secure, configure, and manage all company phones centrally — whether iPhone or Android.
The Problem: Uncontrolled Phones
Most SMBs have zero control over company phones:
- Employees download whatever apps they want
- Company data is stored without encryption
- If a phone is lost, anyone can access email and files
- No ability to remotely wipe data
Two Paths: MDM vs MAM
Many think you have to "take over" the entire phone. That is not true. Intune offers two levels:
MDM (Mobile Device Management) — Full Control
You manage the entire device. Best for company-owned phones.
- Force encryption, passwords, updates
- Restrict apps, camera, screenshots
- Remote wipe the entire device on loss
MAM (Mobile Application Management) — Protect Data, Not the Device
You manage only company apps and company data. Best for BYOD (employee's own phone).
- No device enrollment required — the employee keeps full control
- Company data in Outlook, Teams, OneDrive is protected with PIN and encryption
- Copy/paste between company apps and personal apps is blocked
- On termination: wipe only company data, personal photos stay
- Works on both managed and unmanaged devices
When to Choose What?
| Scenario | Recommendation | Why |
|---|---|---|
| Company-owned phone | MDM | Full control, zero-touch setup |
| BYOD (employee's phone) | MAM | Protects data without invading privacy |
| Sensitive industry (finance, healthcare) | MDM + MAM | Belt and suspenders |
| Just email and Teams | MAM | Simplest, fastest to roll out |
| Field workers with custom apps | MDM | Kiosk mode, app restrictions |
MAM in Practice: How It Works
- Employee installs Outlook/Teams from App Store or Google Play
- Signs in with company account — Intune detects automatically
- App Protection Policy activates — data in the app is encrypted, copying restricted
- No device enrollment needed — the employee barely notices
What the MAM Policy Controls:
- PIN/Face ID required to open company apps
- Copy blocked — cannot paste company data into WhatsApp
- Save locally blocked — files stay in OneDrive/SharePoint
- Screenshot blocked in company apps (Android)
- Jailbreak detection — blocks access on compromised devices
- Selective wipe — IT erases company data without touching personal content
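An added example, not from the original article: a small Python audit that checks an exported App Protection Policy against the controls listed above, using the JSON Microsoft Graph returns for a managedAppProtection resource (property names such as pinRequired, saveAsBlocked and periodOfflineBeforeWipeIsEnforced are Graph's). The sample policy is constructed, and the 6-digit PIN floor and 90-day offline-wipe ceiling are this example's own baseline, not settings the article prescribes.

```python
"""Audit an Intune App Protection Policy (Graph managedAppProtection JSON)
against the MAM controls: PIN, copy block, save-as block, jailbreak block, wipe."""
import json

# Constructed sample: an iOS BYOD policy with several settings left at weak defaults.
SAMPLE_POLICY = json.dumps({
    "@odata.type": "#microsoft.graph.iosManagedAppProtection",
    "displayName": "Example iOS BYOD policy (constructed)",
    "pinRequired": True,
    "minimumPinLength": 4,
    "simplePinBlocked": False,
    "allowedOutboundClipboardSharingLevel": "allApps",
    "allowedOutboundDataTransferDestinations": "allApps",
    "saveAsBlocked": False,
    "deviceComplianceRequired": False,
    "periodOfflineBeforeWipeIsEnforced": "P180D",
})

def audit_app_protection_policy(policy) -> list:
    """Return one finding per MAM control the policy (JSON string or dict) fails to enforce."""
    p = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    # PIN/Face ID required to open company apps (6-digit, non-simple PIN is this audit's assumed floor)
    if not p.get("pinRequired", False):
        findings.append("pinRequired is false: company apps open without a PIN")
    elif p.get("minimumPinLength", 0) < 6 or not p.get("simplePinBlocked", False):
        findings.append("PIN policy is weak: require at least 6 digits and block simple PINs")
    # Copy blocked: company data must not be pasted or shared into personal apps
    if p.get("allowedOutboundClipboardSharingLevel") not in ("managedApps", "managedAppsWithPasteIn", "blocked"):
        findings.append("clipboard sharing allows paste into personal apps")
    if p.get("allowedOutboundDataTransferDestinations") != "managedApps":
        findings.append("open-in/share is not limited to managed apps")
    # Save locally blocked: files stay in OneDrive/SharePoint
    if not p.get("saveAsBlocked", False):
        findings.append("saveAsBlocked is false: files can be saved to local or personal storage")
    # Jailbreak/root detection: the jailbroken/rooted conditional-launch block surfaces as deviceComplianceRequired
    if not p.get("deviceComplianceRequired", False):
        findings.append("deviceComplianceRequired is false: jailbroken or rooted devices are not blocked")
    # Selective wipe of stale offline data: ISO 8601 duration such as P90D; 90 days is this audit's assumed ceiling
    wipe = p.get("periodOfflineBeforeWipeIsEnforced", "")
    days = int(wipe[1:-1]) if wipe.startswith("P") and wipe.endswith("D") and wipe[1:-1].isdigit() else None
    if days is None or days > 90:
        findings.append("offline wipe period is missing or longer than 90 days")
    # Screenshot blocking exists only on the Android policy type, as the list above notes
    if p.get("@odata.type", "").endswith("androidManagedAppProtection") and not p.get("screenCaptureBlocked", False):
        findings.append("screenCaptureBlocked is false: screenshots of company apps are allowed")
    return findings
```

Running `audit_app_protection_policy(SAMPLE_POLICY)` on the constructed sample reports six gaps; an exported policy from your own tenant can be passed in the same way.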
Intune Management Per Platform
iPhone (iOS)
- Apple Business Manager — purchase and assign apps centrally
- MAM without enrollment — protect Outlook/Teams without MDM
- Supervised mode (MDM) — full control when needed
- App Store restrictions — only approved apps
Android (Samsung)
- Samsung Knox — extra security layer
- Work profile (MAM) — visually separates personal and company data
- Fully managed (MDM) — for company-owned devices
- Samsung DeX — use the phone as a computer
What You Can Control
| Feature | MDM | MAM |
|---|---|---|
| Require password/PIN | Device + apps | Apps only |
| Encryption | Entire device | Company data |
| Remote wipe | Entire device | Company data only |
| App restrictions | All apps | Company apps |
| Copy protection | Everything | Company ↔ personal |
| VPN configuration | Yes | Via per-app VPN |
| Requires enrollment | Yes | No |
| Employee privacy | Limited | Preserved |
Our Recommendation
Start with MAM — it covers 80% of security needs with 20% of the friction. Most SMBs need to protect email, Teams, and files — not control the entire phone.
Upgrade to MDM when:
- You purchase company-owned phones
- You have compliance requirements (finance, healthcare)
- You need kiosk mode or strict app restrictions
iPhone 15 Pro with Intune MAM policies — the best combination of security and usability. The employee installs Outlook and Teams, signs in, and protection activates automatically.