Here’s the thing: nobody at the company even knew that phone could access corporate data.
This happens more often than you think. And it’s not just about ex-employees. Every single person in your organization who checks email on their phone, accesses Teams on a tablet, or logs into SharePoint from a home computer is a potential entry point for a data breach. The Office of the Privacy Commissioner of Canada holds businesses responsible for personal data accessed on any device, including employee-owned phones.
The question isn’t whether your people are doing this. They are. The question is whether you have any visibility or control over it.
The Problem Nobody Talks About
Most business owners I talk to have invested in firewalls, antivirus, maybe even some form of email filtering. Good. But when I ask them what happens when an employee logs into Microsoft 365 from an unmanaged personal device, I usually get a blank stare.
That blank stare is your security blind spot.
Think about it. Your employees probably access company email, files, and chat from their personal phones every single day. Those phones might have outdated operating systems, no screen locks, sketchy apps installed, or could be shared with family members. You have zero control over any of that.
And yet those devices have full access to your business data.
What MDM Actually Does (In Plain English)
Mobile Device Management isn’t about spying on your employees’ phones. Let’s get that out of the way immediately. It’s about creating rules for how company data can be accessed on any device.
Here’s what MDM gives you:
Device compliance requirements. You set the rules. Devices must have a screen lock, must be running a supported OS version, must have encryption enabled. If a device doesn’t meet the requirements, it doesn’t get access. Simple.
Separation of personal and business data. MDM creates a container on the device. Company data stays in that container. Personal data stays outside it. If an employee leaves, you wipe the container. Their vacation photos stay untouched.
Remote wipe capability. Lost phone? Stolen laptop? You can remotely wipe company data from that device in minutes, not days.
App management. You control which apps can access company data. No more company emails being forwarded to personal Gmail accounts.
Conditional Access: The Bouncer at Your Digital Door
If MDM is the ID check, Conditional Access is the bouncer who decides whether you get through the door based on a whole set of criteria.
Conditional Access policies in Microsoft 365 evaluate every login attempt against a set of conditions you define. Where is this person logging in from? What device are they using? Is the device compliant? What are they trying to access? How risky does this login look?
Based on those answers, the system makes a decision: allow access, block access, or require additional verification like multi-factor authentication.
This is not optional anymore.
Here’s a real scenario. An employee tries to log into your financial system from a coffee shop in another city on an unmanaged device. Without Conditional Access, they get right in. With Conditional Access, the system flags the unusual location, checks the device compliance status, and either blocks access entirely or forces an MFA challenge.
That’s the difference between hoping nothing bad happens and actually having a system that prevents it.
Why You Need Both Working Together
MDM and Conditional Access are powerful on their own. Together, they create a security framework that actually makes sense for how people work today.
MDM ensures devices meet your security standards. Conditional Access ensures that only those compliant devices can access your data under the right conditions. One without the other leaves gaps.
Think of it this way: MDM makes sure every car on the road has brakes, headlights, and insurance. Conditional Access is the traffic system that controls who can drive where, and when.
You need both.
The “But My Employees Will Push Back” Objection
I hear this constantly. “My team won’t want management software on their phones.”
Fair concern. Here’s the reality: modern MDM solutions like Microsoft Intune don’t give you access to personal data. You can’t see their texts, photos, browsing history, or personal apps. The management profile only controls company data.
Most employees, once they understand this, are fine with it. The ones who aren’t fine with it probably shouldn’t have company data on their personal devices in the first place.
And here’s the alternative: you can provide company-owned devices with full management. That eliminates the personal device question entirely, though it costs more upfront.
What This Looks Like in Practice
When we deploy MDM and Conditional Access for our managed IT clients, here’s the typical setup:
First, we audit every device that currently accesses company data. This usually surprises people. The number is always higher than expected.
Then we define compliance policies. What’s the minimum OS version? Is encryption required? Do devices need a PIN?
Next, we build Conditional Access policies. We start with the basics: requiring MFA for all external access, blocking legacy authentication protocols, and requiring device compliance for access to sensitive applications.
Finally, we roll it out in stages. Monitor mode first, so we can see what would be blocked without actually blocking it. Then enforcement, with clear communication to the team about what’s changing and why.
The whole process takes a few weeks, not months. And the security improvement is immediate.
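To make the rollout concrete, here is an added Python model (written for this post, not Intune’s or Microsoft’s own code) of the three starter Conditional Access policies above and the monitor-first, enforce-later rollout: each policy returns a control, the most restrictive control wins, and in monitor mode the would-be outcome is recorded without being applied. The sign-in fields, app names and the “finance” sensitive-app set are assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class SignIn:
    """One sign-in attempt as the policy engine sees it (constructed fields)."""
    user: str
    app: str
    external: bool          # coming from outside the office network
    device_compliant: bool  # compliance status reported by MDM
    legacy_auth: bool       # old protocol that cannot complete an MFA challenge
    mfa_satisfied: bool     # user already passed MFA in this session


SENSITIVE_APPS = {"finance"}  # assumed: apps that require a compliant device


# Each policy returns a control ("block" or "require_mfa") or None if it does not apply.
def block_legacy_auth(s: SignIn):
    return "block" if s.legacy_auth else None


def mfa_for_external_access(s: SignIn):
    return "require_mfa" if s.external and not s.mfa_satisfied else None


def compliant_device_for_sensitive_apps(s: SignIn):
    return "block" if s.app in SENSITIVE_APPS and not s.device_compliant else None


POLICIES = [block_legacy_auth, mfa_for_external_access, compliant_device_for_sensitive_apps]


def evaluate(s: SignIn, enforce: bool) -> tuple[str, str]:
    """Return (actual outcome, outcome the policies would give).

    Monitor mode allows the attempt but records the would-be result; enforce
    mode applies it. Most restrictive wins: block beats require_mfa beats allow.
    """
    controls = {p(s) for p in POLICIES} - {None}
    would = "block" if "block" in controls else "require_mfa" if controls else "allow"
    return (would if enforce else "allow", would)


def summarize(signins, enforce: bool) -> dict:
    """Count would-be outcomes; review this on monitor-mode data before enforcing."""
    counts = {"allow": 0, "require_mfa": 0, "block": 0}
    for s in signins:
        counts[evaluate(s, enforce)[1]] += 1
    return counts


# Constructed sample sign-ins, including the coffee-shop scenario described above.
SAMPLE = [
    SignIn("alice", "mail", external=False, device_compliant=True, legacy_auth=False, mfa_satisfied=False),
    SignIn("bob", "finance", external=True, device_compliant=False, legacy_auth=False, mfa_satisfied=False),
    SignIn("carol", "mail", external=True, device_compliant=True, legacy_auth=True, mfa_satisfied=False),
    SignIn("dave", "teams", external=True, device_compliant=True, legacy_auth=False, mfa_satisfied=False),
]
```

Running `summarize(SAMPLE, enforce=False)` shows what the monitor phase surfaces: two of the four sample sign-ins would be blocked before anyone is actually locked out.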
The Cost of Doing Nothing
The average cost of a data breach in Canada is over $6 million. For small and mid-size businesses, even a fraction of that can be devastating.
But it’s not just about breach costs. It’s about the daily risk of operating with zero visibility into how your data is being accessed. It’s about the compliance requirements that increasingly demand device management. It’s about the peace of mind that comes from knowing you have actual controls in place.
Every day without MDM and Conditional Access is a day you’re relying on luck instead of policy. Luck is not a security strategy.
Where to Start
If you’re running Microsoft 365 Business Premium or any Enterprise plan, you already have the tools. Intune for MDM and Conditional Access are included in your licensing. You’re paying for this capability right now.
The question is whether you’re using it.
If you’re not sure where to start, or if you know you need this but don’t have the internal expertise to deploy it properly, that’s exactly the kind of thing we help businesses with every day at Keeran Networks.
Frequently Asked Questions
What is mobile device management (MDM)?
MDM is software that lets your IT team manage, secure, and monitor all devices that access company data — including employee-owned phones and tablets. It can enforce security policies, remotely wipe lost devices, and ensure only compliant devices access your systems.
What is conditional access in Microsoft 365?
Conditional access creates rules that evaluate the context of every login attempt: which device, which location, which app, what time. Based on these conditions, it can allow access, require MFA, or block the login entirely. It’s the “bouncer at the door” that treats a login from your office differently than a login from an unknown country.
Will MDM let my company see my personal data?
No. Modern MDM solutions (like Microsoft Intune) only manage the company data container on the device. Your IT team can see whether the device meets security requirements, but they cannot see personal photos, messages, browsing history, or personal apps. Company data and personal data stay completely separate.
Do I need both MDM and conditional access?
Yes. MDM ensures devices meet your security standards. Conditional access ensures only those compliant devices can access company data. MDM without conditional access means you know your devices are secure but can’t enforce it. Conditional access without MDM means you’re blocking access without giving people a way to become compliant. They work together.