Mobile Device Security for UK Businesses
Smartphones and tablets access business email, Teams, cloud files, and corporate applications — often without the security controls applied to managed laptops. Lost or unmanaged mobile devices are a common source of data breaches, and mobile-targeted attacks are growing rapidly.
Overview
Mobile devices access business data with fewer controls than managed PCs. A lost unencrypted device with business email access may constitute a notifiable GDPR breach. MDM tools like Microsoft Intune enforce screen lock, encryption, and remote wipe centrally. Kaspersky blocked approximately 33 million mobile malware incidents in 2024.
Why Mobile Device Security Matters for UK Businesses
Mobile devices — smartphones and tablets — are used by most employees to access business email, Microsoft Teams, cloud-stored files, and business applications. Unlike managed laptops, which are typically enrolled in endpoint management and subject to security policies, mobile devices often operate outside formal security controls. Staff may use personal devices with no screen lock, no encryption, and no way for the business to remotely wipe data if the device is lost or compromised.
The threat landscape for mobile devices is growing. Kaspersky blocked approximately 33 million mobile malware incidents in 2024. Phishing via SMS (smishing) and messaging platforms targets mobile users specifically. Banking trojans, credential-stealing apps distributed through unofficial app stores, and malicious configuration profiles are all established mobile attack vectors. Additionally, a compromised mobile device with access to corporate email or cloud storage can serve as an entry point to a broader network compromise.
The Data Breach Risk
A lost or stolen mobile device that had unencrypted access to business email containing personal data is a potentially reportable breach under UK GDPR. The ICO expects businesses to have technical controls in place to mitigate this risk, specifically encryption and remote wipe capability. A business that cannot demonstrate these controls were in place when a device was lost faces a more difficult ICO notification assessment than one with documented MDM controls and a remote wipe record.
The good news is that modern iOS and Android devices encrypt storage by default when a screen lock is set. Enforcing screen lock via MDM therefore addresses both the encryption and access control requirements simultaneously.
Mobile Device Management (MDM)
MDM provides centralised management of mobile devices — enforcing security policies, managing applications, and providing remote control capability including device wipe. Microsoft Intune, included in Microsoft 365 Business Premium, is the primary MDM platform AMVIA deploys for UK SMEs.
For company-owned devices, Intune can fully manage the device — controlling installed apps, enforcing configuration settings, and providing complete remote wipe capability. For personal BYOD devices, Mobile Application Management (MAM) policies apply controls to specific business applications (Outlook, Teams, OneDrive) without managing the personal device itself. MAM prevents copying business data from Outlook to personal apps or cloud storage, enforces application-level PINs, and allows selective wipe of business data only when a device is lost or an employee leaves.
Conditional Access and Mobile Devices
Conditional Access policies in Microsoft Entra ID can be configured to require mobile devices to be enrolled in Intune and compliant with MDM policies before accessing Microsoft 365. This means a non-compliant or unmanaged device (for example, one without a screen lock or one running an outdated OS version) is blocked from accessing corporate email and files until it meets requirements.
This compliance-based access control is significantly more robust than simply trusting any device that presents valid credentials. It ensures that every device accessing your business data meets minimum security requirements.
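As an added illustration (not AMVIA's own configuration), a policy of the kind described above can be created through Microsoft Graph PowerShell. It goes slightly beyond the paragraph by also accepting an app protection (MAM) policy so that BYOD devices are covered; the display name, the report-only starting state, and the excluded emergency-access group ID are assumptions.

```powershell
# Added example: Conditional Access policy for iOS and Android that requires
# either an Intune-compliant device (MDM) or an app protection policy (MAM)
# before Microsoft 365 can be accessed.
# Requires the Microsoft.Graph.Identity.SignIns module.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

# Placeholder (assumption): object ID of a group holding emergency-access
# accounts, excluded so a policy mistake cannot lock out every administrator.
$breakGlassGroupId = '<emergency-access-group-object-id>'

$policy = @{
    displayName = 'Mobile - require compliant device or protected app (example)'
    # Report-only: sign-in logs record what would have been blocked,
    # but nothing is enforced until state is changed to 'enabled'.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @('Office365') }
        platforms      = @{ includePlatforms = @('android', 'iOS') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        # OR: company-owned devices pass as Intune-compliant;
        # personal devices pass through an app with a MAM policy applied.
        operator        = 'OR'
        builtInControls = @('compliantDevice', 'compliantApplication')
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Review the report-only results in the Entra sign-in logs before switching the policy state to 'enabled'.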
Key Considerations for UK SMEs
- Identify all devices that access business email, Teams, or cloud files — including personal BYOD devices
- Implement MDM for company-owned devices and MAM policies for BYOD
- Configure Conditional Access to block non-enrolled or non-compliant devices from accessing M365
- Establish a remote wipe procedure — staff should know who to contact if a device is lost, and the wipe should happen within hours, not days
- Communicate clearly to staff what MDM can and cannot see on personal devices — transparency reduces resistance to enrolment
How AMVIA Can Help
AMVIA configures and manages Microsoft Intune MDM and MAM as part of its managed IT service. We set up enrolment processes for company-owned and BYOD devices, configure security policies, and handle remote wipe requests when devices are lost. Monthly reports confirm enrolled device counts and compliance status. AMVIA provides staff-facing enrolment instructions for iOS and Android devices to support rollout. Contact AMVIA on 0333 733 8050 to discuss mobile device security for your business.
Key Points
What UK businesses need to know about mobile device security.
Growing Mobile Threat
Kaspersky blocked approximately 33 million mobile malware incidents in 2024. Mobile-targeted phishing via SMS (smishing) and messaging apps is increasing.
MDM Provides Centralised Control
Microsoft Intune (included in M365 Business Premium) enforces security policies on iOS, Android, and Windows Mobile devices from a single management console.
BYOD Needs Careful Handling
Personal devices require Mobile Application Management (MAM) policies — controlling business app data without managing the personal device itself.
Lost Device = Potential Breach
A lost mobile device accessing business email without encryption or remote wipe capability may constitute a notifiable GDPR data breach.
Mobile Device Security Checklist
- All devices accessing business data identified — including BYOD
- MDM or MAM policies deployed — Intune enrolled for company devices, MAM for personal
- Screen lock enforced on all enrolled devices
- Device storage encrypted — enforced via MDM policy
- Conditional Access blocks non-compliant devices from M365
- Remote wipe procedure documented and staff know who to call if device is lost
Frequently Asked Questions
Yes. If personal devices access business email or other corporate data, some level of mobile security control is needed. For BYOD scenarios, Mobile Application Management (MAM) policies in Microsoft Intune can enforce controls on the business apps (Outlook, Teams) without managing the personal device itself — a proportionate approach that protects business data while respecting personal privacy.
No. On personal BYOD devices enrolled via MAM, Intune can only see information about the business applications it manages — not personal app data, photos, messages, or browsing history. On company-owned devices enrolled in full MDM, Intune sees device hardware details, installed applications, and compliance status, but not personal content or app data. AMVIA provides a clear privacy policy document explaining this to staff.
AMVIA's leaver process includes a selective wipe of business data from enrolled personal devices as part of the offboarding procedure. A selective wipe removes the company's managed applications and their data from the device — Outlook, Teams, OneDrive, and any managed business apps — without affecting personal content. This should be performed on the final day of employment as part of a documented leaver procedure.
Secure Your Business Mobile Fleet
AMVIA deploys and manages mobile device security for UK businesses — enforcing screen lock, encryption, and remote wipe across all devices accessing corporate data.