Access Control & Data Protection Procedure

Version: 0.1.3

Parent Policy: BYOD Security Policy (ISMS-POL-BYOD-01)

Author: Lucas Shin — Security Director

Last Modified: March 1, 2026

Document Control

Version	Date	Author	Changes
0.1.0	2026-02-18	Lucas Shin	Initial release — platform-specific access pathways, MAM controls, CA architecture, data protection procedures
0.1.1	2026-02-20	Lucas Shin	Updated CA architecture: added SPO site permissions as primary access scope limiter. Added Windows BYOD copy/paste parity decision (risk accepted). Clarified ADUE data protection model (APP not supported on macOS).
0.1.2	2026-03-01	Lucas Shin	Phase 2-5 ISMS mapping: CA architecture restructured to 3-policy model (Error #37 correction). SPO/ODB access control clarified (site permissions + Session Control). Cross-references to ISMS-POL-M365-01 §6.3 added.
0.1.3	2026-03-01	Lucas Shin	Added CA 3-Policy Evaluation Flow Mermaid diagram to §2.3 (detailed flowchart: Assignment → Grant → Session Control). GuestOK label corrected to "M365 접근 허용 (MFA 필수, 네이티브 앱 포함)".

1. Purpose

This procedure defines:

How access to corporate SaaS applications and M365 services is controlled across BYOD platforms
How corporate data is protected through Conditional Access (CA), Mobile Application Management (MAM), and platform-specific data isolation
Platform-specific access pathways, data access architecture, and their technical enforcement

2. Access Control

2.1 Platform-Specific Access Pathways

Platform	M365 Access	Non-M365 SaaS	Technical Basis
macOS (ADUE)	Native apps (Teams, Outlook, Word, etc.) + Managed Edge	Managed Edge	ADUE (Account-Driven User Enrollment) Managed Volume + VPP. APP not supported on macOS — data protection via volume isolation, not app-level DLP.
iOS / Android	Managed apps (Teams, Outlook, etc.) + Managed Edge	Managed Edge	MAM (App Protection Policy)
Windows BYOD (Default)	Managed Edge → M365 web apps only	Managed Edge	MAM (Edge-only) + CA
Windows BYOD (Exception)	Native desktop apps + Managed Edge	Managed Edge	Entra Join + Full MDM (see Section 2.4)

⚠️ Windows BYOD limitation: Windows MAM only covers Managed Edge. Office desktop apps (Teams, Outlook, Word, etc.) cannot receive MAM protection. The default pathway therefore restricts M365 access to web apps via Managed Edge only.

2.2 Managed Edge Controls

Control	Enforcement	Technical Mechanism
Dedicated Browser	All SaaS access must go through Managed Microsoft Edge	Intune App Configuration Policy (macOS/iOS: VPP (Volume Purchase Program) deployment; Windows/Android: Intune app deployment)
Unmanaged Browser Block	Corporate SaaS access via Safari, Chrome, Firefox, etc. is blocked	Conditional Access — Require App Protection Policy
Browser Data Protection	All activities within Edge are governed by App Protection Policy	Intune App Protection Policy

2.3 Conditional Access (CA) Architecture

CA 3-Policy Evaluation Flow

The following diagram illustrates how Conditional Access policies evaluate user access requests to M365 services. The evaluation order is: Assignment (who is the user?) → Grant (device/app compliance) → Session Control (SPO/ODB restrictions).

flowchart TD
    Start["🔐 사용자가 M365 접근 시도"] --> Assignment{"📋 Assignment 평가<br>(누구인가?)"}
    Assignment -->|"Break-glass 계정"| BG["✅ 모든 정책 Exclude<br>→ 무제한 접근"]
    Assignment -->|"Guest (#EXT#)"| GuestPolicy{"정책 2<br>CA-Permit-Guest-MFA<br>MFA 충족?"}
    GuestPolicy -->|"Yes"| GuestOK["✅ M365 접근 허용<br>(MFA 필수, 네이티브 앱 포함)"]
    GuestPolicy -->|"No"| GuestBlock["❌ 차단"]
    Assignment -->|"내부 사용자"| P1{"정책 1<br>CA-Require-AllApps-CompliantOrAPP<br>Grant 평가"}
    P1 --> OR{"Compliant Device<br>**OR**<br>App Protection Policy?"}
    OR -->|"macOS ADUE<br>→ Compliant ✅"| Pass["✅ Grant 통과"]
    OR -->|"Windows MAM Edge<br>→ APP ✅"| Pass
    OR -->|"Windows Full MDM<br>→ Compliant ✅"| Pass
    OR -->|"미충족"| Block["❌ 차단<br>(별도 Block 정책 불필요)"]
    Pass --> SPO{"SPO / ODB<br>접근인가?"}
    SPO -->|"아니오"| Done["✅ 접근 허용"]
    SPO -->|"예"| P3{"정책 3<br>CA-Restrict-SPO-Unmanaged<br>Session Control 평가"}
    P3 --> Managed{"디바이스 상태?"}
    Managed -->|"Managed<br>(macOS ADUE,<br>Windows Full MDM)"| Full["✅ 전체 기능<br>download/print 허용"]
    Managed -->|"Unmanaged<br>(Windows MAM Edge)"| Restricted["⚠️ 제한 접근<br>download/print 차단"]
    style Block fill:#ff6b6b,color:#fff
    style GuestBlock fill:#ff6b6b,color:#fff
    style BG fill:#51cf66,color:#fff
    style Done fill:#51cf66,color:#fff
    style Full fill:#51cf66,color:#fff
    style GuestOK fill:#74c0fc,color:#fff
    style Restricted fill:#ffd43b,color:#333

Device & App Control

Policy	Condition	Result
Require App Protection Policy	Access attempt via unmanaged app or browser	Access blocked — forces managed app/browser (Managed Edge)
Require MFA	All sign-ins	MFA prompt

Data Access Control (SharePoint / OneDrive)

Corporate data is protected by two layers: (1) SPO site permissions = Teams membership — users can only access SharePoint sites for teams they belong to, even via direct URL; (2) CA policies enforce device/app compliance and restrict actions on unmanaged devices.

Policy	Target	Grant / Session	Result
`CA-Require-AllApps-CompliantOrAPP`	All users, all cloud apps	Require Compliant Device OR Require APP	macOS: ADUE compliant ✅ / Windows Edge: APP ✅ / Unmanaged: blocked
`CA-Restrict-SPO-Unmanaged`	All users, SPO + ODB	Session: "Use app enforced restrictions"	Unmanaged devices: download/sync/print blocked (browser-only view)
`CA-Permit-Guest-MFA`	External Guests (#EXT#)	Require MFA	Guest access with MFA; scope limited to channel membership

Level 2 users (Business Basic + Entra ID P1): SPO access is scoped to Teams membership. Session Control blocks download/sync/print on unmanaged devices. Access is restricted to browser-only viewing within the membership scope.
External Guests: CA-Permit-Guest-MFA requires MFA. Access scoped to teams/channels where Guest is a member. Native app access permitted (Teams, Outlook).
Why P1 is mandatory for Basic users: CA policies require Entra ID P1 to operate. Without P1: (1) Session Control cannot restrict download/sync/print on unmanaged devices, (2) Windows BYOD Teams Desktop app login is not blocked → bypasses Edge-only restriction. See M365 Workspace & Access Policy (ISMS-POL-M365-01) §6.3 for full architecture.

2.4 Windows BYOD — Default Path vs Exception Path

Path	Enrollment	M365 Access	Eligibility
Default	Entra Registered + MAM	Managed Edge → M365 web apps only	All Windows BYOD users
Exception (Full MDM)	Entra Joined + Intune Full MDM	Office desktop apps allowed	User request (Opt-in) + Security Director approval

Exception Path — Required Technical Controls:

BitLocker + Key Escrow — Full disk encryption; recovery key stored in Entra ID. Provides the organisation with final authority over storage, enabling lock/wipe at offboarding.
OneDrive KFM (Known Folder Move) — Desktop, Documents, and Pictures folders redirected to corporate OneDrive. ⚠️ KFM is cloud sync for specific folders, not OS-level volume isolation like macOS ADUE.
Standard User Enforcement — Local admin rights removed. Prevents tampering with security policies (BitLocker, KFM, Intune).

Exception Path — Prerequisite:

BYOD Full MDM Consent Form must be signed before enrollment (covers storage control delegation, Full Wipe possibility, personal data loss liability).

3. Data Protection

3.1 MAM (Mobile Application Management) Controls by Platform

Control	Description	macOS (ADUE)	iOS / Android	Windows BYOD
Cut/Copy/Paste Block	Prevents copying corporate data from managed apps into personal apps	❌ Not supported — APP not available on macOS; Managed Pasteboard not supported on macOS desktop apps	✅ All managed apps	❌ Allowed — Risk accepted (macOS parity: clipboard is per-instance manual copy with low exfiltration efficiency; screenshot channel remains open on both platforms regardless). Pending CISO approval.
Screenshot Block	Blocks screen capture within managed apps	⚠️ Limited	✅ Android (enforced) / ⚠️ iOS (watermark only)	❌ Not supported
Save-As Restriction	Corporate files can only be saved to managed storage (OneDrive / SharePoint)	❌ No app-level enforcement — APP not supported on macOS. Managed Volume provides storage isolation only (not active save-as policy).	✅ All managed apps	✅ Edge only — Blocked (no OS-level storage isolation)
Download to Local	Prevents downloading corporate files to local storage	✅ Allowed — downloads go to Managed Volume (APFS isolation)	✅ Blocked within managed apps (save to OneDrive/SharePoint only)	✅ Edge only — Blocked (no OS-level storage isolation; local download = personal area)
Print	Prevents printing corporate content from managed apps	❌ Not enforceable — APP not supported on macOS	✅ Configurable per APP	✅ Edge only — Blocked (alternative: export to PDF → send via Outlook)
Biometric Authentication	Face ID / Fingerprint required to launch managed work apps	✅	✅	—
Offline Access Timeout	Re-authentication required after period without connectivity	✅	✅	✅ Edge only

⚠️ MAM Common Limitations (all platforms):

- No inbound control: Cannot prevent personal data from entering the managed area

- No account filtering: Cannot inspect or block which SaaS account a user logs into within Managed Edge

- No personal browser blocking: Personal browser use (Safari, Chrome, Edge personal profile) is permitted by BYOD design — corporate SaaS access is blocked by CA, not by device-level browser restrictions

3.2 macOS Data Protection (ADUE)

ADUE (Account-Driven User Enrollment) creates a separate APFS Managed Volume for work data
Work data is isolated in the Managed Volume; personal data remains untouched
Intune APP (App Protection Policy) is not supported on macOS. Data protection relies on Managed Volume isolation (storage-level), not app-level DLP (copy/paste, save-as controls are unavailable). See §3.1 table.
Native desktop app use is fully supported via VPP deployment into the Managed Volume (Teams, Outlook, Edge, OneDrive, Word, Excel, etc.).
Residual gap: Clipboard copy/paste from managed apps to personal apps cannot be blocked on macOS (no APP, no Managed Pasteboard for macOS desktop apps). Accepted as residual risk — see BYOD Security Policy §6 and Domain Context §3.6.
Note: Windows BYOD also intentionally allows copy/paste (same risk rationale — see §3.3). Both platforms accept clipboard as residual risk; screenshot channel is open on both regardless.
Selective Wipe: Removes the entire Managed Volume only (personal area preserved)

3.3 Windows BYOD Data Protection

Default Path (Managed Edge Only):

No OS-level data isolation mechanism (WIP deprecated, no replacement)
Corporate data exists only within Managed Edge browser sessions
APP enforcement summary (Managed Edge):
Selective Wipe: Removes organisational data from Edge only

Exception Path (Full MDM):

BitLocker + Key Escrow: Full disk encryption with recovery key in Entra ID — provides organisational final authority over storage
OneDrive KFM (Known Folder Move): Core folders redirected to corporate OneDrive for cloud-based data recovery
Standard User: Prevents policy tampering by removing local admin rights
Offboarding sequence: Selective Wipe first → if unsuccessful, BitLocker key-based Full Wipe → device deregistration from Entra ID + key disposal
⚠️ This is an approximate equivalent of macOS ADUE’s data isolation, not identical — KFM is folder-level cloud sync, not volume-level OS isolation

3.4 iOS / Android Data Protection

MAM (App Protection Policy) controls data movement between managed and unmanaged apps
Corporate data within managed apps cannot be copied, saved, or shared to personal apps
Selective Wipe: Removes corporate data from managed apps only (personal apps and data preserved)

4. Exception App Approval

Note: For Windows BYOD users requiring Office desktop app access, see Section 2.4 (Exception Path — Full MDM). This section covers exceptions for third-party SaaS tools not available through the managed Edge pathway.

When a user requires access to a SaaS tool not covered by the managed Edge pathway:

Step	Action	Owner
1	User submits request specifying the app, business justification, and data types accessed	End User
2	Security Director evaluates risk: Does the app handle corporate data? Can it be managed via MAM?	Lucas
3	If approved, Security Director configures the app as a managed app (if possible) or documents compensating controls	Lucas
4	Exception recorded per parent policy Section 7 (Exception Handling)	Lucas

5. Operational Routine

Frequency	Action	Owner
Daily	Review CA sign-in logs for blocked/failed access attempts — investigate anomalies	Lucas
Weekly	Review App Protection Policy status — confirm all managed apps are policy-compliant	Lucas
Quarterly	Audit SaaS application inventory — verify no shadow IT access outside managed pathways	Lucas

6. Evidence Retention

Evidence Type	Retention Period	Storage Location
Conditional Access sign-in logs	Default 30 days in Entra ID; exported quarterly	SharePoint
App Protection Policy reports	Minimum 12 months (exported quarterly)	SharePoint
Exception approvals	Duration of exception + 12 months	SharePoint

7. Periodic Review

Quarterly: Review CA policy effectiveness, blocked access trends, shadow IT risk
Annually: Review MAM policy adequacy, assess need for additional app controls, management review input

[End of Procedure]