Awareness 2026-03-19 5 min

Mobile Device Management: enforcing security on iPhones and Androids

BYOD without MDM is a data leakage waiting to happen. Microsoft Intune, Jamf, and modern MDM platforms enforce encryption, isolation, and remote wipe.


Mobile Device Management (MDM) and the broader Unified Endpoint Management (UEM) category enforce security policy on phones, tablets, and laptops. Microsoft Intune (Microsoft Endpoint Manager), Jamf (Mac/iOS specialist), VMware Workspace ONE, Kandji, MobileIron / Ivanti Neurons, and SimpleMDM for smaller environments are the main options. The capabilities are similar; pick based on your existing identity stack and the platform mix in your fleet.

For corporate-owned devices, full MDM enrollment lets you enforce disk encryption (FileVault on macOS, BitLocker on Windows, native encryption on iOS and modern Android), passcode and biometric requirements, OS update compliance, app installation restrictions, and remote wipe. Apple's Automated Device Enrollment and Apple Business Manager streamline iOS and macOS provisioning so devices arrive at the user already enrolled. Android Enterprise with fully managed mode achieves the same on Samsung Knox or Google-certified devices.

For BYOD — bring your own device — the model is App Protection Policy or Mobile Application Management (MAM) without enrollment. Microsoft Intune App Protection Policies wrap Microsoft 365 apps (Outlook, Teams, OneDrive) on the user's personal phone with their own encryption, copy-paste restrictions to corporate apps only, and selective wipe of corporate data without touching personal data. The user's iCloud photos and personal apps remain untouched. This is the right model for contractors, partners, and personal phones in countries with strict privacy expectations.

Compliance posture feeds zero trust. The MDM reports per-device compliance state (encrypted, OS version current, no jailbreak detected) to your identity provider via the device platform's attestation. Conditional Access policies (Entra Conditional Access, Okta Device Trust) gate access to corporate apps on compliant devices only. Without MDM compliance, the user authenticates but cannot reach Salesforce, the file server, or your SaaS. This is how zero trust closes the loop on lost or stolen devices: the moment the device falls out of compliance — uninstalled MDM, jailbreak, missed update past tolerance — apps stop working until compliance is restored.
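The loop described above, as an added example (not code from any MDM vendor or from this post): a small compliance evaluator that turns the signals an MDM reports into a conditional-access allow/block decision. The "update tolerance" is modeled as an assumed grace window after a minimum OS baseline takes effect; device records and policy values are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class CompliancePolicy:
    min_os_version: tuple      # lowest OS version still accepted, e.g. (17, 4)
    min_os_effective: date     # day that baseline took effect (assumed field)
    update_grace_days: int     # tolerance before a stale OS blocks access


@dataclass(frozen=True)
class DeviceReport:
    """Compliance signals as an MDM would report them to the identity provider."""
    device_id: str
    mdm_enrolled: bool
    encrypted: bool
    jailbroken: bool
    os_version: tuple


def noncompliance_reasons(report, policy, today_iso):
    """Return the policy failures for one device (empty list means compliant)."""
    today = date.fromisoformat(today_iso)
    reasons = []
    if not report.mdm_enrolled:
        reasons.append("mdm-not-enrolled")      # profile removed or never installed
    if not report.encrypted:
        reasons.append("disk-not-encrypted")
    if report.jailbroken:
        reasons.append("jailbreak-detected")
    if report.os_version < policy.min_os_version:
        # A stale OS is tolerated until the grace window after the baseline ends.
        deadline = policy.min_os_effective + timedelta(days=policy.update_grace_days)
        if today > deadline:
            reasons.append("os-update-overdue")
    return reasons


def access_decision(report, policy, today_iso):
    """Conditional-access gate: corporate apps open only for a compliant device."""
    reasons = noncompliance_reasons(report, policy, today_iso)
    return ("allow" if not reasons else "block", reasons)


# Constructed sample data, not real devices or a real tenant policy.
POLICY = CompliancePolicy((17, 4), date(2026, 3, 1), update_grace_days=14)
DEVICES = [
    DeviceReport("corp-iphone-01", True, True, False, (17, 4)),
    DeviceReport("corp-iphone-02", True, True, False, (17, 3)),   # behind, inside grace
    DeviceReport("corp-android-03", True, True, True, (14, 0)),   # rooted
    DeviceReport("byod-phone-04", False, True, False, (17, 4)),   # MDM uninstalled
]

if __name__ == "__main__":
    for d in DEVICES:
        print(d.device_id, *access_decision(d, POLICY, "2026-03-10"))
```

Re-running the same device on a later date shows the tolerance expiring: corp-iphone-02 is allowed on 2026-03-10 but blocked with "os-update-overdue" on 2026-03-20.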

#mdm #mobile #endpoint-security
Information security, Baku.
© 2026 gpolicy. All rights reserved.