BYOD Security Architecture — System Configuration

Document Number: ISMS-CONF-BYOD-01

Classification: System Configuration

Version: 0.1.0

Effective Date: March 3, 2026

Author: Lucas Shin — Security Director

Parent Policy: BYOD Security Policy (ISMS-POL-BYOD-01)

1. Purpose & Scope

This System Configuration document provides the detailed platform architecture, technical control implementations, and data protection mechanisms for the BYOD security programme governed by BYOD Security Policy (ISMS-POL-BYOD-01).

Document positioning:

• ISMS 관리체계 내 시스템 구성 문서 — ISMS-CONF-* 접두어, ISMS Document Register에 등록
• 정책서 보완 문서 — ISMS-POL-BYOD-01이 What/Why를 정의하고, 이 문서가 How/구현 상세를 기술

2. Platform Architecture

2.1 macOS BYOD — ADUE Architecture

macOS provides OS-level data isolation through Account-Driven User Enrollment (ADUE), which creates a dedicated APFS Managed Volume for all managed app data. This is a fundamentally different protection model from Windows BYOD (§2.2).

What is provided:

• Native M365 app access — Teams, Outlook, Edge, Office deployed via VPP (Volume Purchase Program) to the Managed Volume
• Managed Volume — separate APFS volume isolating all managed app I/O at the OS level
• Compliance Policy — OS version, encryption, passcode monitoring; non-compliant devices blocked via CA
• Selective Wipe — removes the entire Managed Volume; personal data is preserved

What is NOT available (platform limitations):

• App Protection Policy (APP) — macOS is not a supported platform; copy/paste blocking, save-as restriction, and download prevention are not enforced within managed apps
• Edge APP (DLP) — VPP-deployed Edge on macOS does not have APP; unlike Windows Managed Edge (§2.2), copy/paste blocking and save-as restriction do not function. macOS Edge serves only as an authentication gateway for non-M365 SSO login (§4.1 item 2) — it does not provide outbound data controls.
• Managed Open-In / Managed Pasteboard — not functional on macOS desktop apps (supported on iOS/iPadOS only)

Accepted residual risk: Users can copy/paste data from managed apps to personal apps via the OS clipboard. This is accepted as residual risk — clipboard copying is a manual, per-item action that is inefficient for bulk data exfiltration. Compensating controls: user education, acceptable use obligations (ISMS-POL-BYOD-01 §5), NDA, and M365 audit logging.

Data protection model: Managed Volume isolation (file-level containment) + Conditional Access (auth-time device compliance) + Purview DLP (server-side content inspection). Unlike Windows Edge APP (§2.2), macOS has no app-level outbound data controls.

Design rationale: macOS provides stronger storage isolation (APFS Managed Volume) than any Windows BYOD option, and permits native M365 app access. The trade-off is the absence of app-level DLP. This asymmetry reflects the OS design philosophy difference: Apple optimises for BYOD data isolation; Microsoft optimises for corporate-owned device control. Cross-reference: M365 Workspace & Access Policy (ISMS-POL-M365-01) §6.1–§6.3 for the 3-policy CA architecture (CA-Require-AllApps-CompliantOrAPP, CA-Restrict-SPO-Unmanaged, CA-Permit-Guest-MFA).

2.2 Windows BYOD — Platform-Specific Restrictions

Windows lacks an OS-level data isolation mechanism equivalent to Apple's ADUE Managed Volume (WIP is deprecated with no replacement). As a result, Windows BYOD operates under the following constraints:

What is permitted:

• M365 access via Managed Edge browser only (outlook.office.com, teams.microsoft.com, etc.)
• Edge APP enforcement summary:
  • Download to local: Blocked (no OS-level storage isolation)
  • Save-as to unmanaged storage: Blocked (no OS-level storage isolation)
  • Copy/paste to unmanaged apps: Allowed — risk accepted (macOS parity; clipboard is per-instance manual copy with low exfiltration efficiency; screenshot channel open on both platforms regardless). Pending CISO approval.
  • Print: Blocked (alternative: export to PDF → send via Outlook)
• Device registers as Entra Registered (Entra ID Free feature — no MDM enrolment)

What is blocked:

• Office desktop apps (Teams desktop, Outlook desktop, Word, Excel, PowerPoint) — Windows MAM only supports Edge; CA policy "Require App Protection Policy" blocks all other apps that cannot satisfy this requirement
• Business Basic users: blocked at licence level (no desktop app licence)
• Business Premium users: blocked at CA level — CA-Require-AllApps-CompliantOrAPP requires Compliant Device OR APP; desktop apps on Windows BYOD satisfy neither grant

For users who require Office desktop app access on Windows, the BYOD Full MDM Exception Path (§2.3) is available. Cross-reference: M365 Workspace & Access Policy (ISMS-POL-M365-01) §6.1–§6.3 for the 3-policy CA architecture and platform-specific grant conditions.

2.3 BYOD Full MDM Exception Path — Mandatory Technical Controls

Upon enrolment in the Full MDM Exception Path (eligibility and approval: ISMS-POL-BYOD-01 §3.3.1), the following controls are applied via Intune:

2.4 iOS/iPadOS & Android BYOD — Mobile Platform Architecture

Mobile platforms provide both app-level and OS-level data protection — the only platform combination where this is fully available.

What is provided:

• Native M365 app access — Teams, Outlook, Edge, Office deployed as managed apps
• App Protection Policy (APP) — copy/paste blocking ✅, save-as restriction ✅, download prevention ✅, screenshot/screen recording blocking ✅
• OS-level data isolation:
  • iOS/iPadOS: ADUE (Account-Driven User Enrollment) creates a Managed Volume, identical model to macOS (§2.1) — managed app data is stored on a separate APFS volume
  • Android: Work Profile provides container-level separation between work and personal apps/data
• Managed Open-In / Managed Pasteboard — prevents data sharing between managed and unmanaged apps (iOS/iPadOS); Android Work Profile enforces equivalent isolation at the container level
• Compliance Policy — OS version, encryption, jailbreak/root detection; non-compliant devices blocked via CA
• Selective Wipe — removes managed apps and work data only; personal data is preserved

Data protection model: APP (app-level outbound DLP) + ADUE/Work Profile (OS-level storage isolation) + Conditional Access (auth-time device compliance) + Purview DLP (server-side content inspection).

No residual clipboard risk — unlike macOS (§2.1), APP enforces copy/paste blocking within managed apps on mobile platforms. No exception path is required. Cross-reference: M365 Workspace & Access Policy (ISMS-POL-M365-01) §6.1–§6.3 for the 3-policy CA architecture and platform-specific grant conditions.

2.5 System Architecture Overview

graph TD
    User["Employee Personal Device"]

    subgraph "macOS BYOD — ADUE (§2.1)"
        UE_mac["ADUE User Enrollment"] -->|"Managed Volume"| Apps_mac["Native M365 Apps (VPP)"]
        Comp_mac["Compliance Policy"] -->|"Monitoring"| OS_mac["OS/App Version Check"]
    end

    subgraph "Windows BYOD — Default Path (§2.2)"
        ER["Entra Registered + MAM"] -->|"Edge Only"| EdgeOnly["Managed Edge — M365 Web Apps"]
    end

    subgraph "Windows BYOD — Full MDM Exception (§2.3)"
        EJ["Entra Join + Full MDM"] -->|"Opt-in + Approval"| FullCtrl["Desktop Apps Permitted"]
        FullCtrl --> Controls["BitLocker + KFM + Standard User"]
    end

    subgraph "iOS/Android BYOD — APP + ADUE/Work Profile (§2.4)"
        UE_mobile["ADUE / Work Profile"] -->|"Logical Isolation"| Apps_mobile["Managed M365 Apps"]
        APP_mobile["App Protection Policy"] -->|"Full DLP"| Apps_mobile
        Comp_mobile["Compliance Policy"] -->|"Monitoring"| OS_mobile["OS/App Version Check"]
    end

    subgraph "Access Control — Entra ID"
        CA["Conditional Access"] -->|"Compliance Check"| Decision{"Compliant?"}
        Decision -->|"Yes"| Access["M365 and SaaS Access Granted"]
        Decision -->|"No"| Block["Access Blocked and Patch Prompted"]
    end

    subgraph "Self-Hygiene"
        Updatest["Updatest App"] -->|"User Action"| Manual["Personal App Update"]
        Log["Evidence Records"] -->|"Weekly Submission"| Admin["Security Audit Evidence"]
    end

    User --> UE_mac
    User --> ER
    User --> EJ
    User --> UE_mobile
    Apps_mac --> OS_mac
    OS_mac --> CA
    EdgeOnly --> CA
    Controls --> CA
    Apps_mobile --> OS_mobile
    OS_mobile --> CA

3. Data Protection Mechanisms

3.1 Data Ownership vs Management Jurisdiction

The ADUE Managed Volume and MAM policies define the company's technical management boundary — they do not define data ownership.

Ownership Determination:

• Data created or accessed via a corporate account → company-owned, regardless of where it is stored
• Data created or accessed via a personal account → personally-owned, even if cached in the Managed Volume
• Data created via a personal account but containing corporate confidential information → subject to information asset policy review

3.2 MAM Control Scope

MAM (Mobile Application Management) is designed to prevent corporate data from leaving the managed boundary. It does not prevent personal data from entering the managed boundary.

3.3 Selective Wipe and Personal Data Notice

If a user accesses personal SaaS services through Managed Edge, locally cached data from those sessions may reside within the Managed Volume. Upon Selective Wipe:

• All data within the Managed Volume is deleted, regardless of ownership
• The company is not responsible for loss of personal data that was stored within the Managed Volume
• Users are recommended (not required) to access personal SaaS services through personal browsers (Safari, Chrome, etc.) to avoid this risk

This notice must be included in the BYOD User Consent Form referenced in ISMS-POL-BYOD-01 §5.3.

4. Non-M365 App Security — Technical Controls

Scope: Technical control implementations for non-M365 apps that fall outside the direct control scope of APP (App Protection Policy) on BYOD devices. The core objective is to extend the gateway control principle (corporate information asset access through managed apps/browsers) to non-M365 apps. Per-app account operation policies, data context isolation, AI data sovereignty are defined in Application & Data Governance Policy (ISMS-POL-ADG-01).

4.1 Control Principles

1. Enterprise App Registration and SSO: Non-M365 apps that process corporate information assets shall prioritise products that support SSO. When SSO is applied, the administrator (Security Director) registers the app as an Entra Enterprise App and grants Admin Consent. This routes user authentication through Entra ID, enabling authentication-time controls via Conditional Access.
2. Managed Edge Routing Principle (Web Access): Extends the gateway control principle to non-M365 apps. When accessing the web version of a non-M365 app with a Corporate account, access shall be routed through Managed Edge. For SSO-enabled apps (item 1), CA enforces Managed Edge use at authentication time, blocking authentication from unmanaged browsers. For non-SSO apps, CA enforcement is not possible; Managed Edge usage is required by policy only.
   • Windows: Edge APP is applied, enabling outbound DLP (download blocking, save-as restriction, print blocking). Copy/paste is intentionally allowed (macOS parity — see §2.2).
   • macOS: VPP-deployed Edge serves as an authentication gateway only. APP is not supported; DLP is not applied — accepted as residual risk (see §2.1).
   • Mobile (iOS/Android): Edge APP is applied, enabling DLP (see §2.4).
3. Native App Access Restrictions: When logging into a non-M365 native (desktop) app via SSO, authentication availability depends on the app's authentication popup implementation method.
   • System broker (WAM) integration: If the app processes login through the OS authentication broker, SSO authentication is possible via the active Managed Edge session.
   • Embedded Webview method: If the app processes login through its own built-in webview, it does not route through Managed Edge; authentication is blocked by CA → web version access only.
   • ⚠️ Even Category B (SSO-supported) apps may be unable to authenticate via native app depending on the authentication implementation. App-specific compatibility shall be verified at onboarding.
   • Native apps on computers do not have APP applied (except Windows Managed Edge), placing them outside app-level DLP scope. Compensated by §4.2 compensating controls.
4. Account Separation Principle: Apps that hold corporate information assets must use separate Corporate and Personal accounts. Detailed account operation policies are defined in Application & Data Governance Policy (ISMS-POL-ADG-01).
5. Information Asset Classification Linkage: Based on the sensitivity of data held by the app, apply the SaaS assessment criteria in §3 of Supplier & Third-Party Security Policy (ISMS-POL-STP-01) to perform High / Standard risk classification.

4.2 Compensating Controls

The following compensating controls are applied to areas where MAM technical controls are not in effect:

Cross-reference: For detailed per-app account operation policies, data context isolation, and AI data sovereignty, refer to Application & Data Governance Policy (ISMS-POL-ADG-01).

5. Document Control

Review Schedule

• Annually: Full review as part of ISMS management review cycle
• Ad-hoc: Upon platform changes, licensing changes, or security incidents

[End of System Configuration]