Purpose
This document explains what an organization can and cannot access on Bring Your Own Device (BYOD) endpoints, such as personal mobile phones or laptops, when they are managed with Microsoft Intune. It also explains the security protections applied to corporate data and the data wipe scenarios.
Core Privacy Principles
Microsoft Intune is designed with privacy in mind. It only collects information required to manage and secure organizational data. Microsoft does not use personal data for advertising, profiling, or marketing purposes. Organizations may provide their own privacy notices through the Intune Company Portal.
What the Organization Can Access
The organization may access limited device and work-related information including:
– Device model, manufacturer, and operating system
– Device compliance status
– Serial number or IMEI (mobile devices)
– Managed corporate applications and their status
– Device ownership (personal or corporate)
The organization cannot access unmanaged personal applications.
What the Organization Cannot Access
The organization cannot see, collect, or access personal data such as:
– Personal emails, messages, or call history
– Photos, videos, or media files
– Personal contacts or calendars
– Web browsing history
– Personal account passwords
– Personal documents or files
BYOD Management Options
Application Management Only (MAM):
Only corporate applications and their data are managed. The device itself is not enrolled, and personal data remains completely private.
Device Management (MDM):
The device is enrolled and security policies are applied. Personal data is still not accessible, but the organization can enforce compliance requirements such as a device PIN and storage encryption.
Security of Corporate Data
Corporate data is protected using encryption, app-level security policies, and access controls. Organizations can prevent copying corporate data to personal apps or storage locations.
Data Wipe Scenarios
Selective Wipe:
Removes only corporate data, corporate apps, and work accounts. Personal data remains intact. This is the standard approach for BYOD devices.
Full Wipe:
Restores the device to factory settings, removing all data including personal data. This is typically used only for corporate-owned devices or extreme security situations.
Lost or Stolen Devices
If a BYOD device is lost or stolen, the organization can perform a selective wipe to remove corporate data. A full wipe is generally avoided for personal devices unless explicitly authorized.
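The decision rule described in the Data Wipe Scenarios and Lost or Stolen Devices sections (selective wipe by default for personal devices, full wipe only for corporate-owned devices or with explicit authorization) written out as an added PowerShell example. It is not part of this document or of Microsoft's own tooling; it uses the Microsoft Graph PowerShell SDK. The function name Invoke-ByodDeviceWipe, the -FullWipeAuthorized switch and the '<managed-device-id>' placeholder are assumptions of the example; the Graph retire and wipe actions, the managedDeviceOwnerType property and the permission scope are the documented Intune ones.

```powershell
# Added example (not from the original document): choose the Intune wipe action
# for a managed device according to the BYOD rules above. Assumes the
# Microsoft.Graph module is installed and the caller has signed in with
# Connect-MgGraph using the DeviceManagementManagedDevices.PrivilegedOperations.All scope.
#Requires -Modules Microsoft.Graph.Authentication

function Invoke-ByodDeviceWipe {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Intune managed device id; take it from the Intune admin center (placeholder in the usage lines below).
        [Parameter(Mandatory)][string]$ManagedDeviceId,
        # Must be passed explicitly to allow a factory reset of a personal device.
        [switch]$FullWipeAuthorized
    )

    $base = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$ManagedDeviceId"

    # Read the ownership recorded in Intune so the decision comes from the device record, not a guess.
    $device = Invoke-MgGraphRequest -Method GET -Uri "${base}?`$select=id,deviceName,managedDeviceOwnerType"

    if ($device.managedDeviceOwnerType -eq 'personal' -and -not $FullWipeAuthorized) {
        # Personal device: selective wipe (Intune 'retire') removes corporate data, apps and work accounts only.
        $action = 'retire'
    }
    elseif ($device.managedDeviceOwnerType -eq 'company' -or $FullWipeAuthorized) {
        # Corporate-owned device, or explicit authorization: factory reset removes all data, personal included.
        $action = 'wipe'
    }
    else {
        # Ownership 'unknown' (or missing): refuse rather than risk a full wipe of someone's personal phone.
        throw "Ownership of device '$($device.deviceName)' is '$($device.managedDeviceOwnerType)'; refusing to act without an explicit decision."
    }

    if ($PSCmdlet.ShouldProcess("$($device.deviceName) (ownership: $($device.managedDeviceOwnerType))", $action)) {
        Invoke-MgGraphRequest -Method POST -Uri "$base/$action"
        # Leave an audit trail of which action was chosen and why.
        Write-Information "$action issued for $($device.deviceName); ownership=$($device.managedDeviceOwnerType); fullWipeAuthorized=$FullWipeAuthorized" -InformationAction Continue
    }
}

# Usage (after Connect-MgGraph -Scopes DeviceManagementManagedDevices.PrivilegedOperations.All):
# Invoke-ByodDeviceWipe -ManagedDeviceId '<managed-device-id>' -WhatIf              # dry run: shows the action it would take
# Invoke-ByodDeviceWipe -ManagedDeviceId '<managed-device-id>'                      # personal device: selective wipe (retire)
# Invoke-ByodDeviceWipe -ManagedDeviceId '<managed-device-id>' -FullWipeAuthorized  # only with explicit authorization
```

The -WhatIf dry run is the check worth building into any wipe tooling: it prints the device name, its recorded ownership and the action that would be sent, so an operator can confirm that a lost personal phone is about to be retired rather than factory reset before anything leaves the console.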
User Control
Users are informed about what data is collected and can remove corporate access by unenrolling the device. Unenrollment triggers a selective wipe of corporate data only.