MDM alone won’t protect BYOD
A recent thread highlights that MDM handles device controls but misses app and data protection in BYOD setups; MAM is essential, a lesson reinforced by incidents where personal devices were impacted (Stryker is cited). The point is that device enrollment isn't enough when school data lives in apps, not just on devices.
On March 11, 2026 a destructive campaign tied to the Iran-linked group Handala reportedly erased more than 200,000 corporate and BYOD endpoints across 79 countries during a global outage at Stryker. (ordr.net) Investigators say attackers gained administrative control of Stryker's Microsoft Intune tenant and used the management console to issue remote wipe commands at scale, turning the UEM itself into the attack vector. (labs.cloudsecurityalliance.org) Employee reports and incident analyses indicate that personal phones enrolled in Stryker's BYOD program were factory-reset, removing photos, eSIMs and authenticator apps and creating secondary account-recovery problems. (lumos.com)

The relevant design point is that a full-device wipe is only possible against a device that is MDM-enrolled. Microsoft Intune supports App Protection Policies (MAM) that apply to apps without enrolling the device in MDM, enabling app-level encryption, copy/paste controls and conditional launch for Microsoft 365 apps. (learn.microsoft.com) Intune also offers a selective wipe that removes only corporate app data rather than resetting the whole device; selective wipe requires App Protection Policies to be deployed and enforced on the apps in question, and it only reaches data inside those apps. (learn.microsoft.com) A personal phone that is MAM-managed only therefore exposes no device-level wipe to whoever controls the tenant; the worst a compromised console can do to it is remove the protected app data. For Android BYOD scenarios, Android Enterprise work profiles create a sandboxed "work" container that keeps corporate apps and policies separate from personal data, reducing the need for full-device controls. (learn.microsoft.com)

Post-incident advisories emphasize hardening the management plane itself: role-based access control so that few identities can issue wipe or retire actions, just-in-time admin access via Microsoft Entra (formerly Azure AD) Privileged Identity Management, Multi-Admin Approval for destructive actions such as wipes, and phishing-resistant MFA for every account that can reach the console. (learn.microsoft.com) Microsoft's small-business bundle, Microsoft 365 Business Premium, includes Intune capabilities (Plan 1) and Defender for Business; Intune app protection still requires an assigned Intune license for each user targeted by App Protection Policies. (learn.microsoft.com)
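Hardening the console reduces the chance of a takeover; it does not remove the need to notice one. The incident described above was a burst of wipe commands from a single management plane, and that pattern is cheap to detect in audit data. The following is an added example written for this page (not code from the thread, from Stryker or from Microsoft): it groups full-device wipe commands per issuing identity into bursts and raises an alert when a burst crosses a threshold, escalating when personally owned devices are among the targets. The record layout (timestamp, actor, action, device_id, ownership), the action names and the sample records are all constructed assumptions loosely modelled on what an Intune audit export carries; map your tenant's real field names onto them before use.

```python
"""Detect bursts of full-device wipe commands in MDM audit events.

Added example, not code from the original page, Stryker or Microsoft.
The record layout and action names are assumptions; the sample records
below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed action names; substitute the activity types your audit source emits.
FULL_WIPE_ACTIONS = {"wipe", "factoryReset"}
SELECTIVE_WIPE_ACTIONS = {"selectiveWipe", "retire"}


@dataclass(frozen=True)
class WipeEvent:
    when: datetime      # time the command was issued (UTC)
    actor: str          # admin account or app identity that issued it
    action: str         # one of the action sets above
    device_id: str
    ownership: str      # "personal" (BYOD) or "company"


@dataclass(frozen=True)
class Alert:
    actor: str
    burst_start: datetime
    burst_end: datetime
    full_wipes: int
    personal_full_wipes: int
    severity: str       # "critical" when personal devices were fully wiped


def parse_events(records):
    """Keep only wipe-type actions from raw audit rows and sort them by time."""
    events = []
    for r in records:
        if r["action"] not in FULL_WIPE_ACTIONS | SELECTIVE_WIPE_ACTIONS:
            continue
        when = datetime.fromisoformat(r["timestamp"]).astimezone(timezone.utc)
        events.append(WipeEvent(when, r["actor"], r["action"],
                                r["device_id"], r.get("ownership", "unknown")))
    return sorted(events, key=lambda e: e.when)


def _alert_for(burst, threshold):
    """Turn one actor's run of full wipes into an Alert if it is large enough."""
    if len(burst) < threshold:
        return None
    personal = sum(1 for e in burst if e.ownership == "personal")
    return Alert(burst[0].actor, burst[0].when, burst[-1].when, len(burst),
                 personal, "critical" if personal else "high")


def find_wipe_bursts(events, max_gap=timedelta(minutes=10), threshold=5):
    """Group each actor's full-device wipes into bursts (consecutive commands no
    more than max_gap apart) and alert on bursts of at least `threshold`.
    Selective wipes are ignored: removing only corporate app data is the normal
    BYOD offboarding path and should not page anyone on its own."""
    by_actor = defaultdict(list)
    for e in events:
        if e.action in FULL_WIPE_ACTIONS:
            by_actor[e.actor].append(e)
    alerts = []
    for evs in by_actor.values():
        burst = [evs[0]]
        for prev, cur in zip(evs, evs[1:]):
            if cur.when - prev.when <= max_gap:
                burst.append(cur)
            else:
                if (a := _alert_for(burst, threshold)):
                    alerts.append(a)
                burst = [cur]
        if (a := _alert_for(burst, threshold)):
            alerts.append(a)
    return alerts


# Constructed sample: a helpdesk account does one selective wipe and one
# company-device wipe; a second identity fires six full wipes in under three
# minutes (four against personal phones) and one more half an hour later.
SAMPLE_AUDIT_RECORDS = [
    {"timestamp": "2026-03-11T09:05:00+00:00", "actor": "helpdesk.alice@contoso.example",
     "action": "selectiveWipe", "device_id": "dev-201", "ownership": "personal"},
    {"timestamp": "2026-03-11T09:06:00+00:00", "actor": "helpdesk.alice@contoso.example",
     "action": "wipe", "device_id": "dev-202", "ownership": "company"},
    {"timestamp": "2026-03-11T09:07:00+00:00", "actor": "helpdesk.alice@contoso.example",
     "action": "updateDevice", "device_id": "dev-203", "ownership": "company"},
]
# Bulk wipes listed out of order on purpose so parse_events() has to sort them.
for i, (sec, own) in enumerate([(120, "personal"), (0, "personal"), (90, "company"),
                                (30, "personal"), (150, "company"), (60, "personal")]):
    SAMPLE_AUDIT_RECORDS.append({
        "timestamp": (datetime(2026, 3, 11, 9, 0, tzinfo=timezone.utc)
                      + timedelta(seconds=sec)).isoformat(),
        "actor": "mass-wiper@contoso.example", "action": "wipe",
        "device_id": f"dev-{100 + i}", "ownership": own})
SAMPLE_AUDIT_RECORDS.append({
    "timestamp": "2026-03-11T09:30:00+00:00", "actor": "mass-wiper@contoso.example",
    "action": "wipe", "device_id": "dev-110", "ownership": "company"})


def run_sample(threshold=5, max_gap_minutes=10):
    """Run the detector over the constructed sample; returns the Alert list."""
    return find_wipe_bursts(parse_events(SAMPLE_AUDIT_RECORDS),
                            max_gap=timedelta(minutes=max_gap_minutes),
                            threshold=threshold)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.severity.upper()}: {a.actor} issued {a.full_wipes} full wipes "
              f"({a.personal_full_wipes} on personal devices) between "
              f"{a.burst_start:%H:%M:%S} and {a.burst_end:%H:%M:%S} UTC")
```

On the sample, the helpdesk account never alerts (one selective wipe and one full wipe are routine), while the bulk identity's six wipes in 150 seconds produce a single critical alert; the seventh wipe at 09:30 falls outside the 10-minute gap and is scored as its own burst of one. Gap-based grouping rather than a fixed window means a slow, steady wipe campaign still ends up in one burst as long as commands keep coming faster than `max_gap`; tune `threshold` to what your helpdesk legitimately does in a day, and route critical alerts to whoever can revoke the issuing identity's sessions and role assignments.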