Enterprise Mobility and Security Blog


Something I have come to really appreciate as we’ve built Intune and watched its usage scale to millions of devices is the unbelievably broad and diverse types of hardware our customers have to manage.

To put this challenge in perspective, check out the chart below.

In this chart, you can see the diversity of devices facing an Intune customer.  Each box represents a specific device model (iPhone 6, Galaxy 6, etc.), and the size of the box indicates the percentage of that device in the overall population.

The customer (who will remain anonymous) shown in this example is managing more than 40k devices with Intune and they have a very open/broad BYOD policy. It’s also interesting to note that they are currently using many of the Enterprise Mobility + Security capabilities in conjunction with Office 365 and the Office mobile apps on their devices.

The thing that I find most amazing about this graphic is the sheer amount of diversity in this single network.  In particular, look at the long tail (all those tiny boxes!) of Android devices being used by employees!

The scale of this diversity is not at all uncommon for multi-national organizations with very liberal BYOD policies.  As you might expect, these customers often struggle with questions like, “How many of my Android devices can support device encryption?”  If you are dealing with a similar challenge, then you understand the immense challenge that’s presented by lower-cost Android devices that do not support hardware encryption.

So what can you do?

The first question to ask is whether or not you can enforce a policy wherein only specific devices are supported for BYOD.  If your organization looks anything like the graphic above, then you probably already have devices in your network that are carrying corporate data but cannot be easily encrypted at the device level.  That’s the bad news.

Here’s the good news:

To address this problem, add an Application Protection Policy to require data encryption for your mobile apps.  You can easily set up this policy so that it will apply to all enrolled (MDM) and non-enrolled devices.  This solution will enable a level of encryption via Intune Application Protection – even on devices that can’t support device (MDM) encryption or aren’t MDM enrolled.
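As an added example (not part of the original post or Intune's own documentation), the policy described above can also be created through Microsoft Graph with the Microsoft.Graph PowerShell SDK instead of the portal. The Graph v1.0 endpoints, the androidManagedAppProtection property names and the Outlook package id are assumptions about the API, not taken from the post.

```powershell
# Added example: create an Android App Protection Policy that requires app-data
# encryption and applies to both MDM-enrolled and unenrolled devices, then
# scope it to Outlook for Android. Uses the Microsoft.Graph PowerShell SDK.
# Assumptions (not from the blog post): Graph v1.0 endpoints and property
# names for androidManagedAppProtection, and the Outlook package id.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"

$policy = @{
    "@odata.type" = "#microsoft.graph.androidManagedAppProtection"
    displayName   = "Require app data encryption (BYOD)"
    description   = "App-level encryption for devices that lack device encryption or are not enrolled"
    # Encrypt app data regardless of whether the device supports device encryption
    encryptAppData = $true
    # Keep app-level encryption on even where device encryption is present
    disableAppEncryptionIfDeviceEncryptionIsEnabled = $false
    # Apply to unenrolled (MAM-only) and MDM-enrolled devices alike
    targetedAppManagementLevels = "unmanaged,mdm"
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/androidManagedAppProtections" `
    -Body ($policy | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Scope the policy to Outlook for Android (package id is an assumption)
$apps = @{
    apps = @(
        @{
            "@odata.type"       = "#microsoft.graph.managedMobileApp"
            mobileAppIdentifier = @{
                "@odata.type" = "#microsoft.graph.androidMobileAppIdentifier"
                packageId     = "com.microsoft.office.outlook"
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/androidManagedAppProtections/$($created.id)/targetApps" `
    -Body ($apps | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Verify the flag and management levels actually landed on the tenant
(Invoke-MgGraphRequest -Method GET -OutputType PSObject `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/androidManagedAppProtections").value |
    Where-Object { $_.displayName -eq "Require app data encryption (BYOD)" } |
    Select-Object displayName, encryptAppData, targetedAppManagementLevels
```

The policy still needs a group assignment before it takes effect for users, which the portal or the policy's assign action handles.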

To read more about Application Protection Policies, check out this great resource: https://docs.microsoft.com/en-us/intune/app-protection-policies