Secure access and app protection for work devices
Overview
This guide explains how Ciellos protects company data on:
- Computers/laptops (Windows, macOS)
- Mobile devices (iOS/iPadOS, Android)
Ciellos uses Microsoft Defender, Microsoft Intune, and Microsoft 365 controls.
Ciellos user process is based on:
- Microsoft Entra device identity (registration first)
- Conditional Access policy enforcement
- Intune app protection for work apps and work data
Scope and policy
Ciellos policy for this guide
Ciellos does not use Intune device enrollment (MDM) in this user workflow. Ciellos requires Microsoft Entra device registration (not join) for user devices. Internal policy reference: Device Management Security Policy.
Supported Platforms
| Platform | Supported |
|---|---|
| 🪟 Windows 10 / 11 | ✅ Yes |
| 🍎 macOS | ✅ Yes |
| 📱 iOS / iPadOS | ✅ Yes |
| 🤖 Android | ✅ Yes |
Microsoft terminology vs Ciellos practice
Microsoft Learn documentation includes both:
Ciellos practice in this guide is:
- Use registration + app protection + Conditional Access
- Do not ask end users to complete Intune MDM enrollment steps
Device identity (Registered vs Joined)
Ciellos baseline for user devices is Microsoft Entra Registered. Some company-managed Windows devices can be Microsoft Entra Joined.
Entra Registered (primary)
Default user model at Ciellos. User keeps local/personal device sign-in and uses work account for Microsoft 365 resources.
Entra Joined (some company devices)
Used for selected company-managed Windows endpoints. Some users might join their device by mistake or for other reasons. User signs in to Windows using work account.
Comparison table
| Identity type | Typical ownership | Sign-in model | Ciellos usage |
|---|---|---|---|
| Microsoft Entra Registered | Personal/BYOD, cross-platform user devices | Local/personal sign-in to device + work account sign-in to resources | Primary model |
| Microsoft Entra Joined | Company-managed Windows devices | Work account sign-in to Windows | Used for selected corporate endpoints |
References:
- Microsoft Learn - What is device identity in Microsoft Entra ID?
- Microsoft Learn - Microsoft Entra registered devices
- Microsoft Learn - Microsoft Entra joined devices
How Ciellos protects access
Computers/laptops (Windows and macOS)
- Device is registered in Microsoft Entra ID (required)
- User signs in with work account to Microsoft 365 resources
- Conditional Access policies evaluate access requirements
- Work data protection is enforced at app/session level by policy
- Practical setup guidance: Work vs Personal Separation on Your Computer
- Windows disk encryption how-to: Enable BitLocker
Mobile devices (iOS/iPadOS and Android)
- User signs in to approved work apps with work account
- Intune app protection policies protect work data in supported apps
- Conditional Access policies enforce access requirements
Reference: Microsoft Learn - Conditional Access grant controls
What Ciellos can and cannot access
- Enforce Conditional Access for Microsoft 365 resources
- Apply app protection requirements to supported work apps
- Use Defender and identity/risk signals for access decisions
- Read personal email/SMS content
- Read personal photos, personal files, or personal passwords
- Intentionally use your device as a remote proxy to control your home network or IoT devices
Defender discovery visibility
Microsoft Defender for Endpoint can automatically discover unmanaged devices that communicate on networks seen by onboarded endpoints, and list them in Defender device inventory. This discovery visibility does not mean those devices are joined or registered in Microsoft Entra ID. See: Microsoft Learn - Defender for Endpoint device discovery overview
About enrolled-device visibility docs
Microsoft also publishes visibility details for organizations that use Intune device enrollment. Ciellos does not use that enrollment flow in this user process, but the official reference is kept here for terminology clarity.
Reference: Microsoft Learn - What information can my organization see when I enroll my device
Microsoft Defender + Intune + Microsoft 365 at Ciellos
Ciellos standard stack:
- Microsoft Defender for endpoint threat/risk telemetry
- Microsoft Intune for app/data protection and policy integration
- Microsoft Entra Conditional Access for Microsoft 365 access control
References:
- Microsoft Learn - Configure Defender for Endpoint with Intune
- Microsoft Learn - Mobile Threat Defense integration with Intune
FAQ
Do I need Intune MDM enrollment to work at Ciellos?
No. In this guide's workflow, Ciellos does not use Intune MDM enrollment for end users.
What is required on my device?
Your device must be registered in Microsoft Entra ID, and you must use approved work apps and access policies.
Is this guide only for phones?
No. It applies to both computers/laptops and mobile devices.
Can Ciellos read my personal data?
No. Ciellos does not get access to your personal messages, photos, passwords, or personal files through this workflow.
Can I use non-Microsoft security tools instead of Defender?
Ciellos standard security stack is Microsoft Defender. Approved tooling is defined by Ciellos security policy.
References
- Antivirus (Intune configuration policy)
- Ciellos - User Guides Security (main page)
- Microsoft Learn - What is device identity in Microsoft Entra ID?
- Microsoft Learn - Microsoft Entra registered devices
- Microsoft Learn - Microsoft Entra joined devices
- Microsoft Learn - Protect apps with Microsoft Intune
- Microsoft Learn - Conditional Access grant controls
- Microsoft Learn - Configure Defender for Endpoint with Intune
- Microsoft Learn - Mobile Threat Defense integration with Intune
- Microsoft Learn - What information can my organization see when I enroll my device