Mobile Device Management and BYOD Policy for Australian Businesses: Securing Hybrid Work
The average Australian SMB now operates in a way that would have seemed unusual five years ago. Staff check work email on their personal iPhones before the kids are up. A sales manager reviews a proposal in a client's waiting room using a tablet they also use for Netflix. A property manager logs into SharePoint from a personal laptop sitting on a kitchen bench in Wollongong. This is the reality of hybrid work in Australia, and many businesses have done little or nothing to manage the security implications.
Mobile device management, or MDM, is the category of technology that addresses this problem. Paired with a clear BYOD (Bring Your Own Device) policy, it allows Australian SMBs to establish meaningful security controls over the devices — owned personally or by the business — that access company data. This article explains how it works, what the real risks are, what a proper policy needs to cover, and how to implement it without turning your business into a fortress that nobody wants to work in.
The Hybrid Work Security Problem
COVID-19 normalised remote and hybrid work across Australia practically overnight. By 2021, most Australian SMBs had staff working from home at least part of the week. Many have never fully reversed that. The devices those staff members use are often personal ones — personal because the business didn't provision company hardware fast enough, personal because the role didn't previously require a company device, or simply personal because the employee and their manager never thought to raise it.
The result is an informal arrangement that carries real security consequences. When a staff member's personal iPhone connects to Microsoft 365 to check work email, that device becomes an endpoint in your corporate environment. But unlike the company laptop in the office — which may have endpoint protection, enforced disk encryption, and managed updates — the personal iPhone probably has none of those controls applied.
Think about what that means in practice. A personal Android device may be running an operating system version from three years ago, with no security patches applied since the owner's carrier stopped pushing updates. The device may have no screen lock, or a four-digit PIN shared with a family member. It may be connected to a home WiFi network with default router credentials that haven't been changed since installation. It may have dozens of apps installed from sources of varying trustworthiness. And it almost certainly backs up to a personal iCloud or Google account — meaning any work documents saved locally are now sitting in personal cloud storage that the business has no visibility over or control of.
None of this is unusual. It is, in fact, the default state of most personal devices in Australia. The problem is not that your staff are doing anything wrong — it is that the business has extended access to corporate systems without extending any of the controls that make that access safe.
This is the gap that MDM and BYOD policy are designed to close.
What Is BYOD? The Three Models
Before diving into technology, it helps to understand the three device ownership models that organisations typically choose between. They exist on a spectrum from maximum employee flexibility to maximum IT control.
BYOD — Bring Your Own Device
Under a BYOD model, employees use their personal devices to access work systems. The device belongs to the employee. The business has no ownership claim over the hardware and limited ability to control the device itself. What the business can control — and what MDM makes possible — is how the device accesses business data: which apps are approved, whether the device meets minimum security requirements before access is granted, and what happens to the work data when the employee leaves.
BYOD is the most common arrangement in Australian SMBs, often by default rather than design. It is the lowest-cost model from a hardware perspective, but it requires the most careful policy and technical implementation to manage the security risks appropriately.
COPE — Corporate-Owned, Personally Enabled
Under a COPE model, the business owns the device but allows employees to use it for personal purposes — installing personal apps, using personal accounts, and so on. Because the business owns the hardware, it can apply full device management policies, enforce encryption, control which apps are installed, and execute a remote wipe of the entire device if needed.
COPE is simpler from an IT security standpoint because there is no ambiguity about the business's right to manage the device. The trade-off is cost: the business bears the expense of purchasing and maintaining the hardware.
CYOD — Choose Your Own Device
CYOD sits between COPE and full freedom. The business provides a curated list of approved devices — perhaps three or four options across different price points and form factors — and employees choose which one they want. The business purchases the device and manages it fully, but employees have some say in what they end up using. It balances user preference with consistent IT management.
For most Australian SMBs, the practical choice is between BYOD and COPE. CYOD tends to suit larger organisations with the administrative capacity to run a structured device procurement programme. The rest of this article focuses primarily on making BYOD manageable, while acknowledging that COPE removes a significant layer of complexity for businesses willing to invest in company-owned hardware.
What Is Mobile Device Management (MDM)?
Mobile device management is software that allows an organisation to manage and secure devices — mobile phones, tablets, and laptops — from a central administrative console. Rather than relying on each device owner to apply settings manually, MDM lets IT administrators push configurations, enforce policies, deploy applications, and take action (such as a remote wipe) across a fleet of devices from one place.
For COPE and CYOD devices, where the business owns the hardware, MDM can enforce full device policies: mandatory screen lock, disk encryption, approved application lists, OS version minimums, and the ability to wipe the entire device remotely if it is lost or stolen.
For BYOD devices, where the device belongs to the employee, management can be scoped in one of two ways. The first is full device enrolment, which gives IT the most control but raises understandable employee concerns about privacy and is not appropriate for personally owned hardware. The second, and the approach recommended for BYOD, is to manage only the work data: on Android through a Work Profile (a managed container that sits alongside the untouched personal profile), and most commonly on iOS through mobile application management (MAM), where only the work apps themselves are managed and the device is never enrolled at all. In both cases personal photos, messages, contacts and apps are outside the business's reach, and from the employee's perspective work and personal are separated into two distinct spaces on the same device.
Microsoft Intune for Australian SMBs
The most relevant MDM platform for Australian SMBs is Microsoft Intune, which is part of the Microsoft 365 ecosystem. For businesses already using Microsoft 365 Business Premium, Intune is included — which means there is often no additional licensing cost to implement MDM.
Intune allows businesses to enrol devices (both company-owned and personal), define compliance policies that devices must meet before they can access Microsoft 365 resources, deploy and manage applications remotely, and execute a selective remote wipe that removes work data from a device without affecting personal content.
For businesses already invested in Microsoft 365, Intune is the natural starting point. It integrates directly with Microsoft Entra ID (formerly Azure Active Directory) and works alongside Conditional Access — the technology that can enforce an "only compliant, enrolled devices may connect" rule across your entire Microsoft 365 environment.
The Security Risks of Unmanaged BYOD
Without MDM and a formalised BYOD policy, the following scenarios are not hypothetical — they happen regularly in Australian businesses.
A staff member's personal phone is left on a café table and walked away with. The device has no screen lock. The finder now has access to the employee's work email, SharePoint documents, and any saved credentials. Because the device was never enrolled in any management system, the business cannot wipe it remotely; the only lever left is to disable the account and revoke its sessions, and whatever the finder reaches before that happens is gone.
A sales coordinator is using a personal Android device that stopped receiving OS updates eighteen months ago. The device is running a version of Android with several publicly known, unpatched vulnerabilities. A threat actor exploiting one of those vulnerabilities could access data on the device, including work applications and files.
A staff member installs a third-party app from an unofficial app store on the personal side of their BYOD device. The app contains malware that is designed to harvest credentials stored on the device. Even though the malware was installed on the "personal" side of the device, depending on how work data is stored, it may be able to access credentials or session tokens used for work systems.
An employee resigns. They hand over their company access badge and company laptop, but nobody thinks to remove their personal phone from the email system. Three months later, that personal device — now potentially in someone else's hands after the former employee upgraded their phone — still has an active connection to the company's Microsoft 365 environment.
A staff member reuses the same password across their personal accounts and their work Microsoft 365 account. Their personal email provider is breached and the credentials leak. An attacker replays them in a credential stuffing attack against the company's Microsoft 365 tenant, signing in from an unmanaged device in another country; without MFA and a device requirement, nothing stops them.
A staff member routinely saves client files from SharePoint to the local storage on their personal phone to review offline. Those files are automatically backed up by iCloud to the employee's personal cloud account. The business now has client data sitting in a personal cloud service it does not control, with no visibility and no audit trail. Depending on the nature of the data, this may put the business in breach of its obligation under the Privacy Act 1988 to take reasonable steps to protect personal information, and any unauthorised access to that data could be a notifiable data breach.
These are not edge cases. They are the predictable consequences of allowing personal devices to access corporate systems without appropriate controls.
Building a BYOD Policy — What It Must Cover
Technology alone is not enough. MDM enforcement only works when it is underpinned by a written policy that employees have read, understood, and agreed to. Without a BYOD policy, you may face resistance to enrolment, confusion about what the business can and cannot see on personal devices, and legal exposure if you attempt to take action (such as a remote wipe) without prior consent.
A BYOD policy for an Australian SMB should cover all of the following.
Acceptable use. Define what business applications and data can be accessed from personal devices, and what is expressly prohibited. Common prohibitions include saving client data to local device storage, accessing work systems from public WiFi without a VPN, and using personal cloud storage (Dropbox, personal Google Drive) to store work documents.
Security requirements. Specify the minimum security standards a personal device must meet before it is permitted to access work systems. This should include a minimum OS version (for example, iOS 16 or later, Android 12 or later), a mandatory screen lock with a minimum PIN or passphrase length, and device encryption (which is on by default for modern iOS and Android devices, but worth specifying). These requirements should be enforced technically via MDM compliance policies — not just stated in a document.
Enrolment requirement. State clearly that any personal device used to access company email, Microsoft 365, the company CRM, or any other business system must be brought under management: enrolled in the company's MDM platform, or, where the policy allows app-only management (the MAM approach for iOS), using work apps protected by an app protection policy. Anything else should be blocked automatically by Conditional Access, which closes the loophole of employees reaching work systems through a web browser on an unmanaged device.
Remote wipe consent. This is a legal and operational necessity. Employees must formally consent — in writing, as part of signing the BYOD policy — to the business remotely wiping work data from their personal device if the device is lost, stolen, or if the employee's employment ends. Make clear that a selective wipe removes only work data and applications, not personal content.
Personal data protection. Address the most common employee concern directly: under the Work Profile or MAM-only configurations used for BYOD, MDM does not access personal photos, messages, contacts, browsing history, or personal applications. The work profile or managed app set is a separate, managed container, and IT administrators cannot see personal activity on the device. Put this in writing, and also state the small amount Intune does see (device model, OS version, compliance status), because being transparent about both reduces resistance to enrolment significantly.
Approved applications. List the applications approved for use with work data. Typically this includes Microsoft Outlook, Microsoft Teams, Microsoft Authenticator, and any line-of-business applications your organisation uses. Employees should install these apps from the official store (or from managed Google Play inside the Android work profile) and sign in with their work account, which is what brings the app under the protection policy; the same apps signed in only with personal accounts carry no protection.
Reporting obligations. Employees must report a lost or stolen device to IT immediately — not after the weekend, not after they have had time to check if it turns up. The faster the business can act (blocking access, initiating a remote wipe), the smaller the exposure window.
Exit provisions. When an employee leaves the business — whether voluntarily or otherwise — work data will be remotely removed from their enrolled personal device. This should be clearly communicated at the time of policy sign-off so there are no surprises during offboarding.
MDM Enrolment and Compliance Policies — Practical Setup
Understanding the policy requirements is one thing. Implementing them technically is another. Here is how the practical setup works for a Microsoft 365 environment using Intune.
Conditional Access. Conditional Access policies in Microsoft Entra ID are the enforcement gate. You can configure a policy that says, in effect, "only allow access to Microsoft 365 if the device is Intune-enrolled and marked as compliant, or (for phones and tablets) the request comes from a work app covered by an app protection policy." Any device that meets neither condition, whether an unmanaged personal device attempting access via a web browser or an enrolled device that has fallen out of compliance, is blocked from company resources. Pair this with a separate policy requiring multi-factor authentication, so that a stolen password alone gets an attacker nothing: access requires the password, a second factor, and a managed device or protected app. Start new policies in report-only mode and review the sign-in logs before enforcing them, and always exclude an emergency-access (break-glass) account so that a misconfigured policy cannot lock administrators out.
Compliance policies. Within Intune, compliance policies define the minimum requirements a device must meet to be marked as "compliant." You set the rules (minimum OS version, screen lock required, device not jailbroken or rooted, encryption on, antivirus active on laptops) and Intune assesses each enrolled device against them. Non-compliant devices are flagged and, if Conditional Access is configured as above, blocked from company resources until they are remediated.
iOS devices. For personal iPhones and iPads, the recommended approach for BYOD is MAM without full device enrolment. Microsoft Outlook and Teams for iOS can be managed via Intune app protection policies without enrolling the device, and Microsoft Authenticator handles multi-factor authentication. The app protection policy governs only the work apps and the data within them: it can block cut, copy and paste from Outlook into personal apps, block "Save as" to personal storage, and stop work data being included in the device's iCloud backup, all without IT taking management control of the device. One consequence to plan for: a MAM-only device is never "compliant" in the Conditional Access sense because it is not enrolled, so the Conditional Access policy for mobile platforms must accept "require app protection policy" as an alternative to "require compliant device", or these users will be blocked.
Android devices. Android Enterprise Work Profile is the BYOD solution for Android. When a device is enrolled in a Work Profile configuration, Android creates a separate, managed container on the device. Work apps appear in the Work Profile (visually marked with a briefcase icon); personal apps stay in the personal profile. IT manages the Work Profile and nothing else. Work data cannot be copied out of the Work Profile into personal apps, and the personal profile and its apps are not visible to Intune (device-level facts such as the model and OS version still are, because the compliance check needs them).
Laptops. Intune can manage both Windows 10/11 and macOS devices. For new company-owned Windows devices, Windows Autopilot automates the enrolment process. For personal Windows or Mac laptops accessing work systems, manual enrolment through the Company Portal app or Settings is straightforward. Laptop compliance policies typically enforce disk encryption (BitLocker for Windows, FileVault for macOS), OS version currency, and antivirus status.
The overall flow — enrolment, compliance check, Conditional Access enforcement — creates an automated gate between personal devices and company data. Once it is configured, it runs without manual intervention.
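The configuration described above, as an added example that is not part of the original article: a Microsoft Graph PowerShell script that creates an Intune compliance policy for Android Work Profile devices and three Conditional Access policies (MFA for everyone; compliant device or app protection policy on phones and tablets; compliant device on laptops). It assumes the Microsoft.Graph PowerShell module is installed, that the account running it holds the Intune Administrator and Conditional Access Administrator roles, and that the two group IDs are placeholders for your own BYOD-users and emergency-access groups.

```powershell
# Added example, not from the original article. Creates (1) an Intune compliance policy
# for BYOD Android Work Profile devices and (2) three Conditional Access policies that
# turn compliance into an access gate, using the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed; caller holds Intune Administrator and
# Conditional Access Administrator; the two group IDs are placeholders for your tenant.

Connect-MgGraph -Scopes @(
    "DeviceManagementConfiguration.ReadWrite.All",   # compliance policies
    "Policy.Read.All",                               # read existing CA policies
    "Policy.ReadWrite.ConditionalAccess",            # create CA policies
    "Application.Read.All"                           # CA policy creation needs app directory read
)

$byodUsersGroupId  = "00000000-0000-0000-0000-000000000001"  # placeholder: all staff using BYOD
$breakGlassGroupId = "00000000-0000-0000-0000-000000000002"  # placeholder: emergency-access accounts, never gated

# --- 1. Compliance policy: the minimum bar a personal Android work profile must meet ---
$androidBaseline = @{
    "@odata.type"                  = "#microsoft.graph.androidWorkProfileCompliancePolicy"
    displayName                    = "BYOD Android Work Profile - minimum baseline"
    description                    = "Screen lock, encryption, OS floor, no rooted devices"
    passwordRequired               = $true
    passwordMinimumLength          = 6
    passwordRequiredType           = "numericComplex"   # rejects 1234 / 1111 style PINs
    storageRequireEncryption       = $true
    securityBlockJailbrokenDevices = $true              # rooted Android is marked non-compliant
    osMinimumVersion               = "12.0"
    # Graph requires at least one scheduled action; gracePeriodHours = 0 blocks immediately.
    scheduledActionsForRule = @(
        @{
            ruleName                      = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 0 }
            )
        }
    )
}
$compliancePolicy = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $androidBaseline

# Assign the policy to the BYOD group (POST .../deviceCompliancePolicies/{id}/assign).
$assignBody = @{
    assignments = @(
        @{
            target = @{
                "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                groupId       = $byodUsersGroupId
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($compliancePolicy.Id)/assign" `
    -Body $assignBody

# --- 2. Conditional Access: the enforcement gate ---
# All three start in report-only so sign-in logs can be reviewed before state is set to "enabled".
function New-GatePolicy {
    param(
        [string]   $Name,
        [string[]] $Platforms,
        [string]   $Operator,
        [string[]] $Controls
    )
    $body = @{
        displayName   = $Name
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{
            users          = @{ includeGroups = @($byodUsersGroupId); excludeGroups = @($breakGlassGroupId) }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
            platforms      = @{ includePlatforms = $Platforms }
        }
        grantControls = @{ operator = $Operator; builtInControls = $Controls }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Policy A: every sign-in from this group needs MFA, on any platform.
New-GatePolicy -Name "BYOD - require MFA" -Platforms @("all") -Operator "AND" -Controls @("mfa")

# Policy B: phones and tablets need EITHER an enrolled, compliant device (Android Work Profile)
# OR a managed app under an app protection policy (iOS MAM without enrolment). An unmanaged
# browser or native client satisfies neither control and is therefore blocked.
New-GatePolicy -Name "BYOD - mobile: compliant device or app protection" `
    -Platforms @("android", "iOS") -Operator "OR" -Controls @("compliantDevice", "compliantApplication")

# Policy C: laptops must be enrolled and compliant (BitLocker / FileVault, OS version, antivirus).
New-GatePolicy -Name "BYOD - laptops: compliant device" `
    -Platforms @("windows", "macOS") -Operator "AND" -Controls @("compliantDevice")
```

The report-only state is deliberate: run the script, watch the sign-in logs for a few days for users who would have been blocked (typically iOS users who have not yet signed in to Outlook with their work account, or laptops that were never enrolled), fix those, then change each policy's state to enabled. The emergency-access exclusion is what stops a mistake in the policy from locking out every administrator at once.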
Remote Work Network Security — Beyond the Device
Managing the device is essential, but the device is only one part of the hybrid work security equation. The network the device connects to matters as well.
When a staff member works from home, they are connecting over a residential broadband connection that the business does not control, does not monitor, and has not hardened. There is no corporate firewall filtering outbound traffic. There is no DNS security layer blocking access to known malicious domains. If the home router is running outdated firmware — which many residential routers do, because owners never update them — it may have exploitable vulnerabilities.
DNS filtering at the device level addresses part of this problem. Rather than relying on network-level filtering, a filtering layer on the device itself (a managed DNS or web-protection agent deployed through Intune, such as the web protection in Microsoft Defender for Endpoint, or a dedicated service such as Cisco Umbrella or Cloudflare Gateway) blocks known malicious and phishing domains regardless of which network the device is connected to, and the dedicated services add more granular control and reporting. Note that Microsoft Defender SmartScreen is URL reputation checking inside the browser rather than DNS filtering: it helps in Edge but does nothing for connections made by other apps. Device-level filtering is particularly relevant for devices that travel between home, the office, client sites, and public spaces.
VPN versus zero trust network access (ZTNA). For access to on-premises resources — a file server, a legacy application running locally rather than in the cloud — remote workers traditionally connected via VPN. VPN remains a viable option for many Australian SMBs, but it carries risks: a compromised device connected to the VPN has broad access to everything on the corporate network. Zero trust network access takes a different approach, granting access only to the specific application or resource the user needs, verifying both identity and device posture at each connection rather than trusting everything inside a VPN perimeter. ZTNA is increasingly the recommended model for hybrid workforces, particularly as applications move to the cloud.
Public WiFi remains a risk even with device management in place. A device enrolled in Intune and fully compliant with all security policies is still vulnerable to network-level attacks when connected to an open public WiFi network in an airport or café. Staff using public WiFi for work should either use mobile data (from the device's cellular connection) or connect via a VPN before accessing any work systems. This should be a documented requirement in the BYOD policy.
When a Staff Member Leaves — The Offboarding Process
Offboarding is one of the most consistently neglected aspects of BYOD management in Australian SMBs. The instinct — particularly in small businesses where departing employees are often friends or trusted long-term colleagues — is to handle the exit informally. Equipment is handed back, a farewell morning tea is held, and access revocation is thought about several days later, if at all.
This is a significant security risk. A former employee retaining access to company email, SharePoint, and Teams after their departure is an access control failure. It does not require malicious intent for damage to occur — a former employee inadvertently sharing files, accessing confidential information, or having their still-active account compromised by a threat actor can all cause serious harm.
A documented, systematic offboarding process for BYOD environments should include the following steps, executed on the employee's last day of access, not whenever it is convenient.
Disable the Microsoft 365 account. This is the single most important step. Disabling the account in Microsoft Entra ID stops new sign-ins and stops every client from renewing its tokens, which covers email, SharePoint, Teams, OneDrive, and all connected Microsoft 365 applications. It does not, on its own, end sessions that are already open: access tokens already issued keep working until they expire (about an hour by default), although Outlook, Teams and SharePoint clients that support Continuous Access Evaluation are cut off within minutes. That is why the next two steps follow immediately rather than later.
Remote wipe the work profile. Via Intune, initiate a selective wipe of work data on any enrolled personal devices. For Android Work Profile devices, retiring the device deletes the Work Profile container entirely. For iOS apps managed through app protection policies without enrolment there is no device record to retire; an app selective wipe removes the work account and its data from Outlook, Teams and the other managed apps. Personal data is unaffected in both cases: the former employee retains all their personal content and the business removes all of its data.
Revoke active sessions. In Microsoft Entra ID, revoke the user's sign-in sessions, which invalidates their refresh tokens. Any device that was offline at the moment of the disable fails the first time it tries to renew a token once connectivity returns, and clients that had simply not yet needed to refresh are cut off at their next renewal instead of running on until the refresh token would otherwise have expired.
Audit shared and service accounts. Use privileged access management practices to check whether the departing employee had access to any shared accounts, service accounts, or third-party applications with credentials they knew. Change the credentials for any such accounts immediately. If the employee had administrative access to any systems, audit the access logs for the period leading up to their departure.
Document and confirm. The offboarding steps should be recorded in a checklist, and each completed step signed off by whoever executed it. This creates an audit trail and ensures nothing is missed in the process.
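The five steps above as a single script, added here as an example and not part of the original article: it disables the account, revokes sessions, retires every Intune-enrolled device (the selective wipe), and writes a timestamped log with the operator's identity that serves as the sign-off record. It assumes the Microsoft.Graph PowerShell module is installed, that the caller holds the User Administrator and Intune Administrator roles, and takes the departing user's sign-in name as a placeholder parameter. MAM-only iOS registrations have no managed device record, so the script lists them and leaves the app selective wipe to be issued in the Intune admin centre; rotating shared credentials and reviewing admin logs are recorded as follow-ups for a person to complete.

```powershell
# Added example, not from the original article: offboarding a departing BYOD user with
# the Microsoft Graph PowerShell SDK. Assumptions: Microsoft.Graph module installed; the
# caller holds User Administrator and Intune Administrator; -Upn is the departing user's
# sign-in name (a placeholder you supply when running it).
param(
    [Parameter(Mandatory)] [string] $Upn,
    [string] $LogPath = ".\offboarding-$(Get-Date -Format 'yyyyMMdd-HHmm').log"
)

Connect-MgGraph -Scopes @(
    "User.ReadWrite.All",                                        # disable account, revoke sessions
    "DeviceManagementManagedDevices.Read.All",                   # list enrolled devices
    "DeviceManagementManagedDevices.PrivilegedOperations.All",   # retire (selective wipe)
    "DeviceManagementApps.Read.All"                              # list MAM app registrations
)

# Every action is written to a timestamped log with the operator's identity: this is the
# record the "document and confirm" step asks for.
function Write-Step([string] $Message) {
    $line = "{0:u}  {1}  {2}" -f (Get-Date).ToUniversalTime(), (Get-MgContext).Account, $Message
    $line | Tee-Object -FilePath $LogPath -Append
}

$user = Get-MgUser -UserId $Upn -Property Id, DisplayName, AccountEnabled
Write-Step "Offboarding $($user.DisplayName) <$Upn> objectId $($user.Id)"

# 1. Disable the account. Stops new sign-ins and token renewals; does NOT end sessions already open.
Update-MgUser -UserId $user.Id -AccountEnabled:$false
Write-Step "Account disabled"

# 2. Revoke sessions. Invalidates refresh tokens immediately. Access tokens already issued live on
#    until expiry (about an hour by default) unless the client supports Continuous Access Evaluation.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
Write-Step "Sign-in sessions and refresh tokens revoked"

# 3. Selective wipe: retire every Intune-enrolled device. Retire removes the Android Work Profile or
#    the managed apps and company data and leaves personal content untouched; it is not a factory reset.
$devices = @(Get-MgUserManagedDevice -UserId $user.Id -All)
foreach ($d in $devices) {
    Invoke-MgRetireDeviceManagementManagedDevice -ManagedDeviceId $d.Id
    Write-Step "Retire issued: $($d.DeviceName) [$($d.OperatingSystem) $($d.OsVersion)] deviceId $($d.Id)"
}
if ($devices.Count -eq 0) { Write-Step "No MDM-enrolled devices found for this user" }

# 4. MAM-only apps (iOS Outlook/Teams under an app protection policy, no enrolment) have no
#    managedDevice record. List them so the app selective wipe can be issued from the Intune admin centre.
$mamApps = @(Get-MgDeviceAppManagementManagedAppRegistration -All | Where-Object UserId -eq $user.Id)
foreach ($a in $mamApps) {
    Write-Step "MAM registration pending app selective wipe: $($a.DeviceName) ($($a.DeviceType)) registration $($a.Id)"
}

# 5. Follow-ups the script cannot perform, recorded so the checklist owner signs them off.
Write-Step "FOLLOW-UP: rotate shared/service credentials this user knew; review admin audit logs pre-departure"
Write-Step "Offboarding complete for $Upn; log: $LogPath"
```

Run it as `.\Offboard-ByodUser.ps1 -Upn someone@example.com.au` (placeholder name and address) on the employee's last day of access, then attach the log to the offboarding checklist. The order matters: the disable comes before the retire so that a device which has just been wiped cannot re-enrol with a still-valid account, and the revoke immediately follows the disable so the window in which cached tokens keep working is as short as the platform allows.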
For businesses that do not currently have a formal offboarding checklist, building one is a straightforward task that pays dividends immediately — not just for BYOD management, but for all access revocation.
How Pickle Manages MDM and BYOD for Australian SMBs
Most Australian SMBs do not have a dedicated IT team with the time or expertise to design and implement MDM from scratch. Configuring Intune, writing Conditional Access policies, creating a legally sound BYOD policy, and ensuring ongoing compliance monitoring requires knowledge that most small business owners and office managers simply do not have — and should not need to develop.
Pickle's managed IT services for Australian SMBs include end-to-end Microsoft Intune deployment, BYOD policy development tailored to Australian legal requirements, Conditional Access configuration, device compliance management, and ongoing monitoring. We work with businesses across the country — office-based, hybrid, and fully distributed — to implement mobile device management that is proportionate to the size and risk profile of the organisation.
If your business has staff accessing Microsoft 365, your CRM, or any other cloud application on personal devices without any formal MDM or BYOD policy in place, you are operating with an uncontrolled endpoint risk. It is a problem that is straightforward to address — and one that Pickle has helped many Australian SMBs solve without disrupting the way their teams work.
The Essential Eight framework from the Australian Cyber Security Centre includes patching operating systems, multi-factor authentication and restricting administrative privileges, all of which MDM and Conditional Access directly support. Implementing MDM is a meaningful step toward Essential Eight alignment for any SMB working with managed devices.
To discuss MDM implementation and BYOD policy for your business, call Pickle on 1300 688 588 or email [email protected].
Frequently Asked Questions
Q: Can my employer see my personal data if they enrol my phone in MDM?
A: No — not if BYOD enrolment is configured correctly using a work profile or MAM-only approach. On Android devices enrolled with a Work Profile, Intune manages only the Work Profile container. Your personal photos, messages, apps, contacts, and browsing history in the personal profile are not visible to IT administrators and are not reported to Intune. On iOS devices managed via app protection policies (MAM without device enrolment), Intune manages only the data within specific managed apps, such as Outlook and Teams. It cannot access your personal iCloud data, photos, or any apps outside the managed set. Your employer should provide written documentation of what Intune can and cannot see — a transparent BYOD policy makes this clear.
Q: What happens to work data on my personal phone if I leave the company?
A: When your employment ends, your employer can initiate a selective remote wipe through Intune. This removes the Work Profile (on Android) or the managed apps and their data (on iOS), deleting work email, company files, and any other managed content. Your personal photos, apps, contacts, and messages are not affected. This process is standard practice and should be documented in your BYOD policy before you enrol your device, so there are no surprises at the end of your employment.
Q: Is MDM the same as spyware?
A: No. Spyware is software installed covertly to monitor a user's activity without their knowledge. MDM is software that is installed transparently, with the user's knowledge and consent, specifically to manage the work components of a device. Unlike spyware, MDM does not capture keystrokes, record screens, or monitor personal activity. In a properly implemented BYOD configuration, Intune reports device compliance status (is the device encrypted, is the OS up to date, is the screen lock active) but does not monitor what you do on the device. You should receive a clear explanation of what MDM can and cannot see before you agree to enrol your device.
Q: Do we need an MDM solution if we only use Microsoft 365 cloud apps?
A: Yes. The fact that your applications are cloud-based does not eliminate device risk; it changes its shape. A cloud-based Microsoft 365 environment accessed from an unmanaged device is still exposed to the same risks: a lost device with no screen lock, a compromised personal device with malware, a former employee retaining access because their account and device were never cleaned up at exit. Conditional Access and Intune work specifically with Microsoft 365 cloud apps, blocking access from unmanaged or non-compliant devices. If anything, a cloud-first environment makes MDM easier to implement, because you do not need to manage on-premises infrastructure; you just need to manage the devices that connect to your cloud services.
Q: What is the minimum security requirement for a personal device used for work?
A: At a minimum, a personal device used for work should have a screen lock enabled (PIN, passphrase, or biometric), disk encryption active (on by default in modern iOS and Android), an up-to-date operating system (within one major version of current), and no evidence of jailbreaking or rooting. These minimum requirements should be defined in your BYOD policy and enforced technically via MDM compliance policies. Devices that do not meet minimum requirements should be blocked from accessing business systems via Conditional Access until the issue is remediated. In practice, most modern smartphones meet these requirements out of the box — the challenge is enforcing them consistently across a mixed fleet of devices rather than relying on employees to self-certify.