[Home | M365 Maps](https://m365maps.com/)

# Securing Microsoft 365

- [[Microsoft Entra Conditional Access|Conditional Access]] policy requiring a compliant managed device
- [[Microsoft Intune App Protection Policies]] for mobile devices.

> Ultimately a client decision if they want to restrict to registered and require even BYOD mobile to be enrolled vs. an IT technical decision. But if not (and most don't unless super duper compliance stuff is involved) MAM is a great solution

> It looks like you'd have a CAP setup covering desktop OS, then use MAM to protect data on mobile apps. Mobile app malicious sign-ins are not being blocked by anything besides risky user or impossible travel if you're running P2

> If you want to use CAP you'd have to use Managed Apple IDs and stuff like that

> Not necessarily, MAM/CAP/risk detections are all different components that can talk to each other. From a purely device management perspective, you can have a CAP for Office application access that requires a compliant enrolled device targeted to Windows/Mac/unknown devices with iOS and Android devices excluded, then another one with the opposite targeting and requiring MAM app protection policies for the mobile devices. Then if you also had Entra ID P2 and wanted to also take advantage of risky sign-in actions you can have additional catch-all policies for the actions to take on those sign-ins across all device types

> Important to note that user-agent-based detections are not always perfect nor accurate and anyone can put anything they want in the user agent headers. Falling back to the enrolled and compliant policy if the user agent doesn't match iOS/Android comes in there

> And if someone spoofs to be iOS/Android then they'd still need app protection policies

## Security Baselines

- https://github.com/cisagov/ScubaGear / https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project
- https://www.cloudcapsule.io/home
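The two mirrored Conditional Access policies discussed in the thread above, written out as Microsoft Graph `conditionalAccessPolicy` bodies, plus a small evaluator that shows why an unclassified or spoofed user agent still runs into one of the two controls. This is an added example, not code from these notes or from Microsoft; the evaluator is a deliberate simplification (only the platform condition and grant controls are modelled, not users, apps, locations or risk), and the display names, the `Office365` application target and the report-only state are assumptions.

```python
# Policy 1: every platform except iOS/Android must present a compliant,
# Intune-enrolled device. "all" minus the two mobile platforms means a
# sign-in whose user agent could not be classified also lands here.
DESKTOP_COMPLIANT = {
    "displayName": "Require compliant device (non-mobile)",
    "state": "enabledForReportingButNotEnforced",  # report-only first
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["Office365"]},
        "platforms": {"includePlatforms": ["all"], "excludePlatforms": ["iOS", "android"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
}
# Policy 2: the mirror image, iOS/Android only, requiring an Intune app
# protection (MAM) policy, which Graph calls "compliantApplication".
MOBILE_MAM = {
    "displayName": "Require app protection policy (mobile)",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["Office365"]},
        "platforms": {"includePlatforms": ["iOS", "android"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["compliantApplication"]},
}
POLICIES = [DESKTOP_COMPLIANT, MOBILE_MAM]

def platform_matches(policy, platform):
    plat = policy["conditions"]["platforms"]
    if platform in plat.get("excludePlatforms", []):
        return False
    return "all" in plat["includePlatforms"] or platform in plat["includePlatforms"]

def evaluate(signin):
    """Simplified evaluation (assumption: only platform + grant controls modelled).
    `platform` is what Entra derived from the user agent ("unknown" if it could
    not classify it); `proves` are the controls the client can actually satisfy."""
    applied = [p for p in POLICIES if platform_matches(p, signin["platform"])]
    # "OR" inside a policy: any listed control suffices; across policies, all must pass.
    ok = all(any(c in signin["proves"] for c in p["grantControls"]["builtInControls"])
             for p in applied)
    return ok, [p["displayName"] for p in applied]

if __name__ == "__main__":  # constructed sign-ins, including a spoofed user agent
    for case in ({"platform": "windows", "proves": []},
                 {"platform": "iOS", "proves": ["compliantApplication"]},
                 {"platform": "unknown", "proves": []},
                 {"platform": "iOS", "proves": []}):
        print(case, "->", evaluate(case))
```

The policy dicts are the shape you would POST to `/identity/conditionalAccess/policies`; leaving them in report-only state lets you read the sign-in logs for a while before enforcing.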