{"id":1993,"date":"2026-04-28T08:41:52","date_gmt":"2026-04-28T08:41:52","guid":{"rendered":"https:\/\/move2modern.uk\/?p=1993"},"modified":"2026-04-28T09:40:58","modified_gmt":"2026-04-28T09:40:58","slug":"managing-macos-byod-devices-with-intune-closing-the-mam-gap-for-cyber-essentials","status":"publish","type":"post","link":"https:\/\/move2modern.uk\/index.php\/2026\/04\/28\/managing-macos-byod-devices-with-intune-closing-the-mam-gap-for-cyber-essentials\/","title":{"rendered":"Closing Intune\u2019s macOS MAM Gap: A Cyber Essentials BYOD Guide"},"content":{"rendered":"\n<figure class=\"wp-block-image size-large is-resized is-style-default\"><img decoding=\"async\" width=\"1024\" height=\"683\" src=\"https:\/\/move2modern.uk\/wp-content\/uploads\/2026\/04\/Designer-37-1024x683.png\" alt=\"\" class=\"wp-image-2033\" style=\"width:563px;height:auto\" srcset=\"https:\/\/move2modern.uk\/wp-content\/uploads\/2026\/04\/Designer-37-1024x683.png 1024w, https:\/\/move2modern.uk\/wp-content\/uploads\/2026\/04\/Designer-37-300x200.png 300w, https:\/\/move2modern.uk\/wp-content\/uploads\/2026\/04\/Designer-37-768x512.png 768w, https:\/\/move2modern.uk\/wp-content\/uploads\/2026\/04\/Designer-37-120x80.png 120w, https:\/\/move2modern.uk\/wp-content\/uploads\/2026\/04\/Designer-37.png 1536w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><strong>Part 1 of 2: <\/strong>The background and approach explained.          <strong>Author:<\/strong> Andy Jones | move2modern.co.uk<\/p>\n\n\n\n<p><strong>Tags:<\/strong> Intune, macOS, BYOD, Cyber Essentials, Conditional Access, MAM, Entra ID<\/p>\n\n\n\n\n\n<p class=\"has-text-color has-link-color wp-elements-8b66d4b67bc9bbde83291f082377588e\" style=\"color:#3b6dcb\"><strong>What Is BYOD and Personal Device Management?<\/strong><\/p>\n\n\n\n<p>Bring Your Own Device or BYOD is exactly what it sounds like. 
Instead of issuing every user in your company a corporate-owned, centrally managed device, you often need to let employees, contractors or even partners use their personal devices to access company data and services. A user&#8217;s personal MacBook, for example, can connect to Exchange Online, open files in SharePoint, join Teams meetings and, for all practical purposes, do the same job a company laptop would. But the device belongs to the user, not the organisation, and that is the critical point.<\/p>\n\n\n\n\n\n<p>So when managing personal devices with Intune there are two legitimate but competing interests. The user wants privacy and control over their own hardware. The organisation needs confidence that company data is always protected, that access can be revoked when someone leaves and, in some scenarios, that the arrangement satisfies a compliance requirement such as Cyber Essentials or the CIS benchmarks. Getting both sides of that balance right is what BYOD management is about.<\/p>\n\n\n\n\n\n<p class=\"has-text-color has-link-color wp-elements-33835f206cd5a886a44fa212d9f02c87\" style=\"color:#3b6dcb\"><strong>Why Organisations Embrace BYOD<\/strong><\/p>\n\n\n\n<p>In the right scenarios the benefits of BYOD are both tangible and commercial:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Cost reduction<\/strong>: Not procuring, shipping, configuring and maintaining a device for every user is a meaningful saving. For organisations with large contractor populations, seasonal workforces or users who only need occasional access, it can be substantial.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>User satisfaction:<\/strong> People generally prefer their own hardware. They know it, they&#8217;ve set it up to suit how they work, and they&#8217;re not carrying two devices around. 
This removes the friction of &#8220;here&#8217;s a locked-down corporate laptop that behaves nothing like your personal machine&#8221;.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Faster onboarding:<\/strong> A new contractor with their own device can be granted access in minutes, with no waiting for hardware to be ordered, configured and shipped to them.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Reduced device lifecycle management<\/strong>: Refresh cycles, warranty tracking and asset disposal all become the user&#8217;s problem rather than IT&#8217;s when the device is personal.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Flexibility for modern working patterns:<\/strong> Freelancers, hybrid workers and SMEs with small IT departments often simply don&#8217;t have the capacity to manage a fleet of corporate devices. BYOD then becomes the logical option.<\/li>\n<\/ul>\n\n\n\n\n\n<p class=\"has-text-color has-link-color wp-elements-b9c5d54549d91fc78a281999f7ad20d8\" style=\"color:#3b6dcb\"><strong>The BYOD Management Challenge<\/strong><\/p>\n\n\n\n\n\n<p>The challenge is that &#8220;the user&#8217;s device&#8221; means your company has no inherent control over it. Nobody in IT has configured the OS. Nobody knows whether it&#8217;s patched. Nobody can guarantee a firewall is running. And critically, if the user copies a sensitive file to their desktop, the organisation has no way to retrieve it.<\/p>\n\n\n\n\n\n<p>That&#8217;s where Mobile Application Management (MAM) steps in &#8211; Microsoft&#8217;s answer to this problem on mobile platforms. Rather than managing the entire device, MAM manages the applications. Company data is kept inside a protected container within the Office apps (Outlook, Word, Excel, Teams, OneDrive) and IT controls what happens to that data at the app layer. 
In practice: files <strong>can&#8217;t<\/strong> be saved outside the managed app, copy and paste is restricted to managed apps, and the user&#8217;s personal data sits completely untouched alongside it. If the user leaves, IT can issue a selective wipe that removes company data from the managed apps without touching personal files, photos or anything else on the device.<\/p>\n\n\n\n\n\n<p>This works well and, for the right scenario, may be exactly the setup you need. It respects user privacy, gives the organisation meaningful control over corporate data, and scales across large BYOD populations. On iOS and Android it is a well-trodden path that works extremely well.<\/p>\n\n\n\n<p><strong>HOWEVER:<\/strong> On macOS things are different. Some might say it doesn&#8217;t work at all. That&#8217;s the problem this post addresses.<\/p>\n\n\n\n\n\n<p class=\"has-text-color has-link-color wp-elements-08cb0cc1f3c9c6a8a2e9334cd8bf876e\" style=\"color:#3b6dcb\"><strong>Unmanaged vs Managed macOS BYOD &#8211; This Design Is Intentional<\/strong><\/p>\n\n\n\n\n\n<p>I recently had a customer with a MacBook estate who wanted to go cloud native with Intune, and there were a few hurdles preventing a straightforward jump. Which brings us to the natural question: <strong>&gt; <em>Why not just enrol the Mac?<\/em><\/strong><\/p>\n\n\n\n\n\n<p>The short answer is that enrolment (commonly via the Company Portal) fundamentally changes the security boundary you have to configure for, particularly in relation to Cyber Essentials, which is the main target here. The decision not to enrol was deliberate, as you&#8217;ll see.<\/p>\n\n\n\n\n\n<p>This post deliberately focuses on <strong>unmanaged macOS BYOD<\/strong>. This is not a workaround, and it&#8217;s not caused by missing configuration steps. 
It was a conscious architectural decision based on how macOS integrates with Microsoft Intune today, selected after weighing up the options. Let&#8217;s look at the reasoning:<\/p>\n\n\n\n\n\n<p>On both iOS and Android, Microsoft solves the BYOD challenge using MAM alone. App Protection Policies issued through Intune keep company data inside application containers, as mentioned, while the device itself remains unmanaged. macOS has no equivalent for the Office desktop apps: they don&#8217;t include the Intune MAM SDK, so there is no protected app container and no selective wipe mechanism on an unenrolled Mac.<\/p>\n\n\n\n\n\n<p>At this point you are faced with two choices:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Manage the device<\/strong> and accept responsibility for endpoint posture, or<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Keep the device out of scope entirely<\/strong> and enforce controls at the identity, session and service layers.<\/li>\n<\/ul>\n\n\n\n<p>The second architecture is the one I deliberately followed.<\/p>\n\n\n\n\n\n<p><strong>Why?<\/strong><\/p>\n\n\n\n<p>With this approach personal Macs are not enrolled and Company Portal is not installed. Access is enforced using Conditional Access, SharePoint unmanaged device controls, Defender for Cloud Apps session policies and browser governance.<\/p>\n\n\n\n<p><strong>Result<\/strong>: Corporate data is prevented from landing on the device at all.<\/p>\n\n\n\n<p><strong>Why:<\/strong> From a security perspective, this constrains the organisation&#8217;s risk to the service side, where it already has the controls. 
From a Cyber Essentials perspective, it means endpoint hygiene can be argued out of scope because there is no corporate data on the endpoint to protect. Two caveats before you rely on that: the argument only holds while the server-side controls genuinely stop data landing on the Mac (one misconfigured download policy puts it straight back), and the scope rules for user-owned devices have been revised more than once, so confirm the current NCSC requirements with your certification body before building a scope statement on it.<\/p>\n\n\n\n\n\n<p>Granted, this is not the only option, and it introduces one key drawback: the end user can&#8217;t install the native Office desktop apps and open company data in them. But where security and compliance come first (as they should), for many organisations, particularly those early in their security maturity or pursuing an initial Cyber Essentials certification, this is not a compromise. It is a valid and correct starting point.<\/p>\n\n\n\n\n\n<p class=\"has-text-color has-link-color wp-elements-daef377535c22c40a460e9abf5c8e56f\" style=\"color:#3b6dcb\"><strong>The macOS MAM Gap &#8211; What It Is and Why It Exists<\/strong><\/p>\n\n\n\n<p>If you&#8217;ve read guidance suggesting you can apply an App Protection Policy to macOS BYOD devices in Intune, or that assigning an iOS policy to macOS users triggers a &#8220;MAM mode&#8221; in the Office desktop apps (hard-coded MAM controls like block Save As, block copy\/paste, block print, encrypt app data, selective wipe), I&#8217;d encourage you to do some more research and test it first. macOS BYOD isn&#8217;t written about much. Microsoft Learn articles set the scene, but until you get into the weeds of configuring and testing this it isn&#8217;t always clear what you can and can&#8217;t do. 
And some of the controls described in other available guidance are simply wrong.<\/p>\n\n\n\n\n\n<p>So here&#8217;s why.<\/p>\n\n\n\n\n\n<p class=\"has-text-color has-link-color wp-elements-4ec1e6b38d725009b417005971cfcf9d\" style=\"color:#3b6dcb\"><strong>How MAM Actually Works on iOS and Android<\/strong><\/p>\n\n\n\n<p>Intune MAM on iOS and Android works because the Office apps on those platforms include the <strong>Intune MAM SDK<\/strong> (<a href=\"https:\/\/learn.microsoft.com\/en-us\/intune\/developer\/app-sdk\/\" title=\"\">Microsoft reference &#8211; Overview<\/a>). This is a Microsoft-developed code library embedded in the apps themselves. When a user signs into Outlook on an iPhone with a work account, the MAM SDK registers that session with the Intune MAM service in the background. Intune then delivers the App Protection Policy to the SDK, and the SDK enforces it at the app layer.<\/p>\n\n\n\n\n\n<p>Critically, when you add a Conditional Access policy that includes the grant control <strong>&#8220;Require app protection policy&#8221;<\/strong>, Entra evaluates that condition by checking whether the Intune MAM service has received a registration from the SDK for that session. If the SDK has registered, access is granted; if not, access is blocked.<\/p>\n\n\n\n\n\n<p><strong>NOTE<\/strong>: This is a server-side check against a client-side registration. Both sides of that exchange have to exist.<\/p>\n\n\n\n\n\n<p class=\"has-text-color has-link-color wp-elements-cf5b374ae01dfeaf3e8cbf979a043ef7\" style=\"color:#3b6dcb\"><strong>Why macOS Office apps can&#8217;t satisfy this<\/strong><\/p>\n\n\n\n<p><strong>Here&#8217;s the crux<\/strong>: The Office desktop apps on macOS (Outlook, Teams, OneDrive, Word, Excel, PowerPoint and so on) do not include the Intune MAM SDK. They use MSAL (the Microsoft Authentication Library) for authentication, which is why Conditional Access policies work at sign-in time. 
But MSAL is an authentication library, not a MAM library, so it does not register sessions with the Intune MAM service. It doesn&#8217;t enforce App Protection Policy settings either, and it doesn&#8217;t create the protected data container that makes selective wipe possible. The consequences:<\/p>\n\n\n\n\n\n<ul class=\"wp-block-list\">\n<li>Creating an App Protection Policy in Intune with the platform set to macOS is not supported &#8211; that option does not exist in the console<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Assigning an iOS App Protection Policy to a user does nothing on their Mac \u2014 the policy is for iOS apps using the iOS MAM SDK, and macOS apps don&#8217;t have that SDK<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The CA grant control &#8220;Require app protection policy&#8221; will never be satisfied on an unmanaged Mac, because the app never makes the SDK registration call that the check evaluates<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>There is no &#8220;MAM mode&#8221; on macOS &#8211; the concept doesn&#8217;t correspond to any product feature on the platform<\/li>\n<\/ul>\n\n\n\n\n\n<p class=\"has-text-color has-link-color wp-elements-5d444e6372036686e1517f09e1ff0b58\" style=\"color:#3b6dcb\"><strong>What macOS Office Apps Do Honour on Unenrolled macOS<\/strong><\/p>\n\n\n\n<p>To balance this discussion, macOS Office apps are not entirely ungoverned on an unenrolled (BYOD) device. There are still key Microsoft controls that <em>are<\/em> enforced:<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">MSAL\u2011based Conditional Access at sign\u2011in<\/h4>\n\n\n\n<p>Authentication\u2011time Conditional Access is always evaluated. 
In practice, MFA requirements, authentication strength and sign\u2011in frequency controls are enforced consistently regardless of device enrolment state.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong>Note:<\/strong> Microsoft retired the <em>Require approved client app<\/em> Conditional Access grant control (enforcement ending June 2026). It has been superseded by the <em>Require app protection policy<\/em> and <em>Require compliant device<\/em> grants.<\/p>\n\n\n\n<p>On unenrolled macOS devices neither app protection policies nor device compliance are available. As a result, Conditional Access on macOS BYOD is limited to conditions that need no device record: user, application, client app type, device platform, location and risk, all evaluated at authentication time. Bear in mind that the device platform condition is inferred from the user agent string, which a client can change, so treat it as a hygiene control rather than a hard boundary.<\/p>\n<\/blockquote>\n\n\n\n<h4 class=\"wp-block-heading\">Microsoft Purview Sensitivity Labels and Rights Management<\/h4>\n\n\n\n<p>If you have deployed, or plan to deploy, Microsoft Purview Information Protection, sensitivity labels applied within the macOS Office apps travel with the document. These labels can enforce encryption and usage restrictions such as blocking print, copy or offline access. This is a strong data\u2011centric control, independent of device enrolment, but be clear that it requires the appropriate Purview licensing.<\/p>\n\n\n\n<p>So for the purposes of this post, Conditional Access at authentication establishes the baseline trust decision, while Purview provides persistent data protection where access is granted. 
The remaining control gaps are addressed later through browser\u2011level enforcement.<\/p>\n\n\n\n\n\n<p class=\"has-text-color has-link-color wp-elements-291baecbdf87e47469b7202f9c6af156\" style=\"color:#3b6dcb\"><strong>Edge for Business &#8211; The Browser as the New Management Layer<\/strong><\/p>\n\n\n\n\n\n<p>Before getting into the actual CE configuration steps, we need to cover Microsoft Edge for Business, specifically because it&#8217;s increasingly positioned as the answer to the macOS MAM gap, and the picture has changed significantly in early 2026. Understanding what Edge for Business can and can&#8217;t do on an unmanaged Mac, and how it differs from the management approach on other platforms, matters before you configure anything.<\/p>\n\n\n\n\n\n<p><strong>What Edge for Business Is<\/strong><\/p>\n\n\n\n\n\n<p>Let&#8217;s be clear: Edge for Business isn&#8217;t a different browser. It&#8217;s the Microsoft Edge browser with a dedicated work profile that separates company browsing from personal browsing. The work profile keeps its own favourites, cookies, cache and session storage. When a user signs into Edge with their work account, the work profile activates automatically with distinct visual branding so it&#8217;s clear which context they&#8217;re in. This is a meaningful step forward: work data processed in the work profile doesn&#8217;t bleed into the personal profile.<\/p>\n\n\n\n\n\n<p>More importantly for our macOS BYOD discussion, the work profile is the hook through which Microsoft can deliver management policies to an unenrolled device, without the user enrolling anything. 
They simply sign into Edge with their work credentials, and Edge polls home for policy.<\/p>\n\n\n\n\n\n<p><strong>The Three Ways to Configure Edge &#8211; and Which Applies Where<\/strong><\/p>\n\n\n\n\n\n<p>This is where most of the confusion comes from. There are three distinct mechanisms for managing Edge for Business, and they apply to different scenarios. Using the wrong one for your situation results in policies that either don&#8217;t reach the device at all, or only partially apply.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"has-text-color has-link-color wp-elements-c4e30eab806428e571561aa015910e9a\" style=\"color:#3b6dcb\"><strong>Approach 1 &#8211; Edge Management Service (M365 Admin Centre)<\/strong><\/li>\n<\/ul>\n\n\n\n<p>This is the cloud-native, non-enrolled configuration path. Policies are delivered to any user who signs into an Edge work profile with corporate credentials, regardless of whether the device is enrolled in anything. The device calls out to Microsoft&#8217;s Edge management cloud service and pulls down the policy automatically. Importantly, until late 2025 this only worked on Windows. As of the Edge update (January 2026 GA), macOS, iOS and Android are now supported alongside Windows. 
So this is a great option for macOS BYOD.<\/p>\n\n\n\n\n\n<p><strong>Where is it configured:<\/strong> <em>&gt;M365 Admin Centre (admin.microsoft.com) \u2192 Settings \u2192 Microsoft Edge<\/em><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"524\" src=\"https:\/\/move2modern.uk\/wp-content\/uploads\/2026\/04\/image-14-1024x524.png\" alt=\"\" class=\"wp-image-2005\" srcset=\"https:\/\/move2modern.uk\/wp-content\/uploads\/2026\/04\/image-14-1024x524.png 1024w, https:\/\/move2modern.uk\/wp-content\/uploads\/2026\/04\/image-14-300x153.png 300w, https:\/\/move2modern.uk\/wp-content\/uploads\/2026\/04\/image-14-768x393.png 768w, https:\/\/move2modern.uk\/wp-content\/uploads\/2026\/04\/image-14.png 1509w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n\n\n<p><strong>What properties \/ features can it configure:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Force the Edge work profile to be active and signed in<\/li>\n<li>Block or allow specific browser extensions<\/li>\n<li>Set the default homepage and new tab page experience<\/li>\n<li>Control Edge Sync (prevent corporate favourites, passwords and history syncing to personal devices)<\/li>\n<li>Apply Edge for Business branding to the work profile<\/li>\n<li>Set the default search engine<\/li>\n<li>Block access to browser settings the user shouldn&#8217;t change<\/li>\n<li>Enable or disable specific Edge features (Collections, Copilot in Edge, etc.)<\/li>\n<\/ul>\n\n\n\n\n\n<p><strong>The things it can&#8217;t configure:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Copy\/paste controls between Edge and unmanaged apps<\/li>\n<li>Block printing<\/li>\n<li>Block file downloads<\/li>\n<li>App PIN or biometric requirements to open Edge<\/li>\n<li>Selective wipe of the Edge work 
profile<\/li>\n<li>The MAM-registered session state that the CA &#8220;Require app protection policy&#8221; grant checks<\/li>\n<\/ul>\n\n\n\n\n\n<p>This is essentially browser administration, not data loss prevention. Useful and worth deploying, but not a substitute for the CA and SharePoint controls described later in this post.<\/p>\n\n\n\n\n\n<p class=\"has-text-color has-link-color wp-elements-f7f1ea31a2904bfce677f482ff509f18\" style=\"color:#3b6dcb\"><strong>Approach 2 &#8211; Intune App Protection Policies Targeting Edge<\/strong><\/p>\n\n\n\n<p><em>(For: Windows (unmanaged BYOD), iOS, Android \u2014 but not macOS)<\/em><\/p>\n\n\n\n\n\n<p>This is where the real MAM SDK-level controls sit for Edge. When you create an App Protection Policy targeting Microsoft Edge in Intune, the Edge app on supported platforms registers with the Intune MAM service and enforces the policy at the app layer.<\/p>\n\n\n\n\n\n<p><strong>Supported platforms:<\/strong> Windows 10\/11, iOS, Android.<\/p>\n\n\n\n<p><strong>Unsupported platforms:<\/strong> macOS. The same MAM SDK gap that affects Outlook and Teams on macOS applies to Edge on macOS.<\/p>\n\n\n\n<p><strong>Where to configure:<\/strong> <em>&gt;Intune admin centre \u2192 Apps \u2192 App protection policies \u2192 Create policy \u2192 Windows \/ iOS \/ Android (not macOS)<\/em><\/p>\n\n\n\n\n\n<p class=\"has-text-color has-link-color wp-elements-00cf8ed5cc03601bd1b80a182ce9bce7\" style=\"color:#3b6dcb\"><strong>Approach 3 &#8211; Intune App Configuration Policies<\/strong><\/p>\n\n\n\n<p><em>(For: Enrolled (MDM-managed) devices only)<\/em><\/p>\n\n\n\n<p>If a Mac is enrolled in Intune via MDM, you can push deeper browser configuration via an App Configuration Policy targeting Edge. This uses property list (plist) files to configure advanced browser flags that aren&#8217;t available through the Edge Management Service. 
This requires full device enrollment and has nothing to offer a BYOD scenario.<\/p>\n\n\n\n\n\n<p><strong>Where to configure:<\/strong> Intune admin centre \u2192 Apps \u2192 App configuration policies \u2192 Managed devices \u2192 Platform: macOS \u2192 App: Microsoft Edge<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><strong>Platform Comparison \u2014 What You Get Where<\/strong><\/p>\n\n\n\n<p>This table captures the honest state of Edge for Business management across platforms as of April 2026:<\/p>\n\n\n\n<figure class=\"wp-block-table has-small-font-size\"><table class=\"has-fixed-layout\"><tbody><tr><td>Capability <\/td><td>macOS BYOD (Edge Mgmt Service)<\/td><td>Windows BYOD (Edge APP)<\/td><td>iOS BYOD (Edge APP)<\/td><td>Android BYOD (Edge APP) <\/td><td>macOS Enrolled (App Config)<\/td><\/tr><tr><td>No device enrollment required<\/td><td>\u2705<\/td><td>\u2705<\/td><td>\u2705<\/td><td>\u2705<\/td><td>\u274c<\/td><\/tr><tr><td>Browser policy settings<\/td><td>\u2705<\/td><td>\u2705<\/td><td>\u2705<\/td><td>\u2705<\/td><td>\u2705<\/td><\/tr><tr><td>Block print<\/td><td>\u274c<\/td><td>\u2705<\/td><td>\u2705<\/td><td>\u2705<\/td><td>\u2705<\/td><\/tr><tr><td>Block file downloads<\/td><td>\u274c<\/td><td>\u2705<\/td><td>\u2705<\/td><td>\u2705<\/td><td>\u2705<\/td><\/tr><tr><td>Block copy\/paste to personal apps<\/td><td>\u274c<\/td><td>\u2705<\/td><td>\u2705<\/td><td>\u2705<\/td><td>\u2705<\/td><\/tr><tr><td>Require PIN\/biometric <\/td><td>\u274c<\/td><td>\u2705<\/td><td>\u2705<\/td><td>\u2705<\/td><td>\u274c<\/td><\/tr><tr><td>Satisfies CA &#8220;Require app protection policy&#8221;<\/td><td>\u274c<\/td><td>\u2705<\/td><td>\u2705<\/td><td>\u2705<\/td><td>\u274c<\/td><\/tr><tr><td>Selective wipe<\/td><td>\u274c<\/td><td>\u2705<\/td><td>\u2705<\/td><td>\u2705<\/td><td>\u274c<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>macOS BYOD gets profile separation and browser policy control. 
But it doesn&#8217;t get the data loss prevention layer that the other platforms get via the MAM SDK.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><strong>So Is Edge for Business the Future MAM Approach for macOS?<\/strong><\/p>\n\n\n\n<p>Directionally, yes. Microsoft&#8217;s investment in Edge for Business as the BYOD control layer is clear, and the path points toward the browser becoming the primary management surface for unmanaged devices, possibly for all device types. Two developments signal where this is heading:<\/p>\n\n\n\n\n\n<p><strong>Purview inline DLP in Edge (now GA, E5 required)<\/strong> Microsoft is bringing Purview Data Loss Prevention controls directly into the Edge browser session for unmanaged devices, including macOS. This means copy\/paste blocking of sensitive content, upload blocking and prompt auditing for AI tools are enforced at the browser layer without device enrolment or the MAM SDK. As of June 2025 this was GA for unmanaged macOS and included in Microsoft 365 E5, E5 Compliance and E5 Information Protection &amp; Governance. It is not yet available at the Business Premium licensing level.<\/p>\n\n\n\n\n\n<p><strong>Cross-tenant MAM in Edge (preview)<\/strong> The latest Edge releases include Intune MAM policy delivery to Edge work profiles even on devices managed by another tenant, covering clipboard controls, watermarking and download redirection to OneDrive for Business. This extends the MAM surface toward the browser rather than the OS, and it&#8217;s a sign Microsoft is moving to close the macOS gap without requiring the native app SDK.<\/p>\n\n\n\n\n\n<p><strong>What this means for macOS configuration today<\/strong> Deploying Edge Management Service policies for macOS BYOD is now GA and is included in Business Premium, which gives you meaningful browser governance. 
The CA and SharePoint architecture remains the CE compliance backbone because it enforces on the server side and doesn&#8217;t depend on the user choosing Edge. Edge for Business adds depth within the browser session. If and when the Purview inline DLP capabilities reach Business Premium licensing on macOS, they will be an add-on to that backbone, not a replacement for it.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p class=\"has-text-color has-link-color wp-elements-9df89449e478bd9efeb1a319c7c3b4e4\" style=\"color:#3b6dcb\"><strong>Building Cyber Essentials Compliance for macOS BYOD &#8211; The Correct Approach<\/strong><\/p>\n\n\n\n<p>Without MAM, the strategy shifts from managing the app to managing the access path. The principle is the same: corporate data should be protected and controllable. The mechanism is different: instead of a protected container in the app, you use Conditional Access to control where data can go, SharePoint\/OneDrive server-side policies to control what users can do with it when they get there, and Edge for Business to add governance within the browser session itself.<\/p>\n\n\n\n<p><strong>The overall architecture then:<\/strong> (policy configuration, settings and related descriptions are in part 2 of this blog)<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Block legacy authentication with CA &#8211; close off non-modern auth protocols entirely<\/li>\n<li>Enforce MFA on all sign-ins &#8211; satisfies the CE user authentication requirement<\/li>\n<li>Block native Office desktop apps on unmanaged Macs &#8211; forces access through the browser<\/li>\n<li>Apply the SharePoint unmanaged device policy &#8211; prevents file downloads to the device from the browser<\/li>\n<li>Add session controls via Defender for Cloud Apps &#8211; real-time in-session protection and an audit trail (check licensing first: Conditional Access App Control needs a Defender for Cloud Apps licence, which is not part of Business Premium)<\/li>\n<li>Configure sign-in frequency and session lifetime &#8211; satisfies the CE access revocation requirement<\/li>\n<li>Deploy Edge for Business via the Edge Management Service &#8211; adds browser-layer governance and work profile separation<\/li>\n<\/ol>\n\n\n\n\n\n<p>When configured correctly, corporate data never lands on the Mac. It lives in Microsoft 365, accessed via a browser that is itself managed at the policy layer. The Mac is therefore out of scope for CE technical controls because there&#8217;s nothing on it to control, which reduces the compliance scope.<\/p>\n\n\n\n<p>The order of these steps matters. In part 2 I&#8217;ve structured them sequentially to help with setting this up; please don&#8217;t jump ahead, particularly around MFA enforcement.<\/p>\n\n\n\n\n\n<p><strong>What Changes When the Mac Is Enrolled as Fully Managed<\/strong><\/p>\n\n\n\n<p>It is equally important to be explicit about the other side of the decision.<\/p>\n\n\n\n\n\n<p><strong>Enrolling a personal Mac into Intune as managed BYOD does genuinely improve security.<\/strong><\/p>\n\n\n\n<p>But it does so for a very specific reason: responsibility increases at the same time.<\/p>\n\n\n\n\n\n<p>Once a Mac is enrolled, the device itself becomes part of the security boundary. 
That unlocks controls that simply do not exist in an unmanaged model:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>minimum macOS version enforcement<\/li>\n<li>patch and update posture visibility<\/li>\n<li>FileVault disk encryption and key escrow<\/li>\n<li>firewall and network posture expectations<\/li>\n<li>malware protection validation<\/li>\n<li>secure configuration baselines and drift detection<\/li>\n<\/ul>\n\n\n\n\n\n<p>From a data protection perspective, enrolment also enables a different operating model:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Native Office desktop applications can be permitted and governed<\/li>\n<li>Offline access can be controlled rather than blocked outright<\/li>\n<li>Remote retire (removing company data and the management profile) or full wipe becomes possible<\/li>\n<li>Conditional Access decisions can incorporate device compliance rather than identity alone<\/li>\n<\/ul>\n\n\n\n\n\n<p>This improvement is real. But it comes with an explicit cost.<\/p>\n\n\n\n\n\n<p>The moment a personal Mac is enrolled, endpoint hygiene moves into scope. For Cyber Essentials and CE Plus, assessors can reasonably expect evidence of patching, malware protection and secure configuration. Security improves not because the device is enrolled, but because the organisation explicitly accepts responsibility for managing it.<\/p>\n\n\n\n\n\n<p>For that reason, the unmanaged model described in this post should be viewed as <strong>an early Phase\u202f1 approach<\/strong> and not an end state.<\/p>\n\n\n\n\n\n<p class=\"has-text-color has-link-color wp-elements-edc467ccc7f24e9ad022194f27377a1e\" style=\"color:#3b6dcb\"><strong>Into the Config<\/strong>&#8230;<\/p>\n\n\n\n<p><strong>Pre-Flight: Do These Before Touching Any Policies<\/strong><\/p>\n\n\n\n<p>To make the next section work you will need to prepare your tenant before creating any policies. 
These are mandatory steps and will save you from the dreaded tenant lockout. <\/p>\n\n\n\n\n\n<p><strong>Step 1 &#8211; A must: create break-glass emergency accounts<\/strong><\/p>\n\n\n\n<p>Ideally you need two cloud-only admin accounts that are permanently excluded from every Conditional Access policy you create. If you accidentally lock yourself out, these become your recovery route.<\/p>\n\n\n\n<p>I won&#8217;t show how to set this up as it&#8217;s standard practice, but I will add that you don&#8217;t need to assign M365 licenses to them, and they should have strong random passwords stored in a secure location. It&#8217;s also worth configuring FIDO2 hardware keys if possible, or at least saving MFA backup codes for these accounts. Don&#8217;t rely on phone-based MFA, which you might not have access to in an emergency.<\/p>\n\n\n\n\n\n<p><strong>Non-negotiable<\/strong>: the purpose of these accounts is that you assign them as an exclusion on every single Conditional Access policy you create. Every one. Without exception.<\/p>\n\n\n\n\n\n<p><strong>Step 2 &#8211; Confirm security defaults are disabled<\/strong><\/p>\n\n\n\n<p>Put simply, security defaults and Conditional Access conflict. So if they&#8217;re on, your CA policies will behave unpredictably.<\/p>\n\n\n\n<p>Entra admin centre \u2192 Overview \u2192 Properties \u2192 Manage security defaults \u2192 Set to <strong>Disabled<\/strong> \u2192 Save.<\/p>\n\n\n\n<p><strong>IMPORTANT<\/strong>: Only do this if you are replacing security defaults with CA policies as described by this guide.<\/p>\n\n\n\n\n\n<p><strong>Step 3 &#8211; Create a Pilot Group<\/strong><\/p>\n\n\n\n<p>Add 2\u20133 users to a Mac-specific user group. 
You&#8217;ll be assigning policies to this group during testing before rolling out to all users.<\/p>\n\n\n\n\n\n<p><strong>Step 4 &#8211; Audit MFA registration<\/strong><\/p>\n\n\n\n<p>Before you enforce MFA, you need to know who isn&#8217;t registered.<\/p>\n\n\n\n<p>Entra admin centre \u2192 Authentication methods \u2192 User registration details<\/p>\n\n\n\n<p>Export the list and filter for users with no MFA method registered. Every user must have registered MFA before you can move from report-only to enforce.<\/p>\n\n\n\n\n\n<p><strong>Step 5 &#8211; Audit Legacy Authentication Usage<\/strong><\/p>\n\n\n\n<p>Entra admin centre \u2192 Sign-in logs \u2192 Add filter: Client app \u2192 select Exchange ActiveSync clients <strong>and<\/strong> Other clients \u2192 Run<\/p>\n\n\n\n<p>Identify any service accounts, shared mailboxes, printers, scanners, or older mail clients using Basic auth or legacy protocols. These will break when Phase 2 enforces. It&#8217;s important therefore to plan migrations before you proceed.<\/p>\n\n\n\n<p>With these set up in your own tenant you can now move on to the associated policies needed to deploy this approach. Take a look at part 2 of this blog, where I go through these along with the related settings to complete this unmanaged macOS BYOD approach.<\/p>\n\n\n\n<p><strong>Final Thoughts<\/strong><\/p>\n\n\n\n<p>macOS BYOD management is genuinely more limited than iOS or Android BYOD management right now. The MAM SDK gap is real, and the neat app-level data protection that makes mobile BYOD so elegant isn&#8217;t available on the macOS desktop, so a different approach is needed when accessing apps like Outlook, Teams, OneDrive, or Edge. BUT what is available works, albeit with some trade-offs. The result is a workable and Cyber Essentials-ready solution.<\/p>\n\n\n\n<p>Give it a try and let me know your thoughts. Thanks. 
<\/p>\n\n\n\n<p>Part 2 &#8211; Configuring macOS BYOD for unmanaged devices<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n","protected":false},"excerpt":{"rendered":"<p>Part 1 of 2: The background and approach explained. Author: Andy Jones | move2modern.co.uk Tags: Intune, macOS, BYOD, Cyber Essentials,<\/p>\n","protected":false},"author":1,"featured_media":2052,"comment_status":"open","ping_status":"open","sticky":true,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1993","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-intune"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/move2modern.uk\/index.php\/wp-json\/wp\/v2\/posts\/1993","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/move2modern.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/move2modern.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/move2modern.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/move2modern.uk\/index.php\/wp-json\/wp\/v2\/comments?post=1993"}],"version-history":[{"count":44,"href":"https:\/\/move2modern.uk\/index.php\/wp-json\/wp\/v2\/posts\/1993\/revisions"}],"predecessor-version":[{"id":2056,"href":"https:\/\/move2modern.uk\/index.php\/wp-json\/wp\/v2\/posts\/1993\/revisions\/2056"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/move2modern.uk\/index.php\/wp-json\/wp\/v2\/media\/2052"}],"wp:attachment":[{"href":"https:\/\/move2modern.uk\/index.php\/wp-json\/wp\/v2\/media?parent=1993"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/move2modern.uk\/index.php\/wp-json\/wp\/v2\/categories?post=1993"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/move2modern.uk\/index.php\/wp-json\/wp\/v2\/tags?post=1993"}],"curies":[{"name":"wp","href":"https:\/\
/api.w.org\/{rel}","templated":true}]}}