MDM Isn’t Enough: Why You Still Need a Real Security Strategy

You’ve deployed Intune. Devices are enrolling, compliance policies are lighting up green, and someone’s gone full hero mode because Defender says your estate is “secure.”

Sorry to be that guy, but: MDM isn’t the endgame. It’s the start line!

In 2025, modern attackers don’t care about your BitLocker compliance. They’re jumping across cloud sessions, hijacking tokens, exploiting stale service accounts, and laughing at environments that think mobile device management equals a security strategy.

Let’s unpack why MDM on its own is dangerously incomplete — and what a real enterprise security posture should look like.



MDM: Great at Policy, Awful at Visibility

Intune and other MDM platforms (like JAMF, Workspace ONE, or MobileIron) are brilliant for configuration. They enforce device settings, deploy apps, and ensure a certain level of hygiene across your fleet. But what they don’t do is monitor, detect, or respond to threats.

They’re like a bouncer checking IDs at the door, but once someone’s inside, they’re not watching the room.

MDM can:

  • Enforce encryption (BitLocker/FileVault)
  • Require a PIN or biometric login
  • Set compliance policies for OS version, AV, etc.
  • Deploy apps and apply device restrictions

MDM can’t:

  • Detect lateral movement or token replay
  • Analyse cloud sign-ins and behavioural anomalies
  • Prevent data exfiltration in real-time
  • Intervene during an active attack
  • Correlate endpoint and identity risk

If your estate is “secure” because Intune says it’s compliant, you’ve got a false sense of safety. And that’s worse than none at all.


Common MDM-Only Mistakes We Still See

1. Conditional Access with More Holes Than Swiss Cheese

Let’s say you’ve deployed CA policies – brilliant. But then come the exclusions:

  • “We’ll skip MFA for VIPs”

  • “This app doesn’t support modern auth, just allow it”

  • “Printers can’t do Conditional Access, so bypass them”

You’ve just created your own attack surface, piece by piece. Attackers love legacy – they’ll happily sidestep your security by abusing the same gaps you made for “convenience.”
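The exclusions described above are easy to add and easy to forget. As an added example (not code from the original post), this read-only script lists every exclusion in your Conditional Access policies, flags policies that are not actually enforcing, and checks that at least one policy blocks legacy authentication. It assumes the Microsoft.Graph PowerShell SDK and the Policy.Read.All and Directory.Read.All scopes.

```powershell
# Added example (not from the original post): enumerate Conditional Access exclusions,
# non-enforcing policies, and whether legacy authentication is blocked anywhere.
# Needs the Microsoft.Graph SDK and Policy.Read.All + Directory.Read.All. Read-only.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Directory.Read.All' -NoWelcome

$policies = Get-MgIdentityConditionalAccessPolicy -All

$findings = foreach ($p in $policies) {
    if ($p.State -ne 'enabled') {
        # Disabled or report-only policies protect nothing yet
        [pscustomobject]@{ Policy = $p.DisplayName; Kind = 'NotEnforced'; Value = $p.State }
        continue
    }
    foreach ($id in $p.Conditions.Users.ExcludeUsers) {
        # Resolve object IDs to UPNs so the list is reviewable; keep the raw ID if lookup fails
        $u = Get-MgUser -UserId $id -Property UserPrincipalName -ErrorAction SilentlyContinue
        $label = if ($u) { $u.UserPrincipalName } else { $id }
        [pscustomobject]@{ Policy = $p.DisplayName; Kind = 'ExcludedUser'; Value = $label }
    }
    foreach ($id in $p.Conditions.Users.ExcludeGroups) {
        $g = Get-MgGroup -GroupId $id -Property DisplayName -ErrorAction SilentlyContinue
        $label = if ($g) { $g.DisplayName } else { $id }
        [pscustomobject]@{ Policy = $p.DisplayName; Kind = 'ExcludedGroup'; Value = $label }
    }
    foreach ($id in $p.Conditions.Users.ExcludeRoles) {
        [pscustomobject]@{ Policy = $p.DisplayName; Kind = 'ExcludedRole'; Value = $id }
    }
    foreach ($id in $p.Conditions.Applications.ExcludeApplications) {
        [pscustomobject]@{ Policy = $p.DisplayName; Kind = 'ExcludedApp'; Value = $id }
    }
}

$findings | Sort-Object Policy, Kind | Format-Table -AutoSize

# "This app doesn't support modern auth" means legacy clients are still reaching you.
# At least one enabled policy should target the legacy client types and block them outright.
$blocksLegacy = $policies | Where-Object {
    $_.State -eq 'enabled' -and
    $_.Conditions.ClientAppTypes -contains 'other' -and
    $_.GrantControls.BuiltInControls -contains 'block'
}
if (-not $blocksLegacy) {
    Write-Warning 'No enabled Conditional Access policy blocks legacy authentication.'
}
```

Every row in the output is a decision someone made for convenience; review each one with its owner rather than the list as a whole.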

2. Assuming Defender Antivirus Is the Same as Defender for Endpoint

Built-in AV? Great. But where’s your threat intel? Where’s the behavioural analysis? Where’s the 24/7 monitoring?

If you’re not backing MDM with Defender for Endpoint (Plan 2) or an equivalent EDR/XDR stack, you're blind to what’s happening after login.

3. Admins with Too Much Access, For Too Long

Let’s be crystal clear: a Global Admin in Entra ID (Azure AD) isn’t just a Microsoft 365 superuser — they’re a tenant god.

With the right API access, a Global Admin can:

  • Delete users, data, and services

  • Change or remove security policies

  • Modify Conditional Access rules

  • Reset other admins’ credentials

  • Delete your entire Azure subscription

Yes, really. If you’re integrated with Azure and using a CSP or enterprise subscription, GA rights extend across Microsoft 365 and Azure. One compromised GA account can lead to full platform loss, including compute, networking, identity, and storage.

So if you're handing out GA because someone “needs to make a mailbox,” you’re putting your entire estate on the line.

Security tips:

  • Adopt a Least Privilege Model – Only assign the minimum permissions needed for the task. Most users don’t need GA. Most IT staff don’t either. Delegate roles like Exchange Admin or Security Reader instead.
  • Use Privileged Identity Management (PIM) – Just-in-time access with approval, MFA, timeouts, and justification. No more standing admin rights.
  • Separate Admin Accounts – Never allow daily-use accounts to have admin privileges. Admin accounts should be isolated and used only when required.
  • Enforce MFA on All Admin Roles – And audit for any exclusions. MFA should be non-negotiable.
  • Monitor Admin Sign-Ins – Set alerts on Global Admin activity, especially from new locations or devices.
  • Review Access Regularly – Make it part of your quarterly checks. If someone doesn’t need GA anymore, revoke it.

In short: If one compromised login can delete your entire subscription… you don't have a secure environment.
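To make the review in the tips above concrete, here is an added example (not code from the original post) that separates permanent Global Administrator assignments from PIM just-in-time activations and lists admins with no MFA method registered. It assumes the Microsoft.Graph PowerShell SDK, an Entra ID P2 licence for the PIM data, and the RoleManagement.Read.Directory, AuditLog.Read.All and Directory.Read.All scopes.

```powershell
# Added example (not from the original post): report standing vs. PIM-activated Global
# Administrator access, and admins without MFA registered. Needs the Microsoft.Graph SDK,
# Entra ID P2 for PIM data, and the scopes below. Read-only: nothing is changed.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

# Template ID of the built-in Global Administrator role; identical in every tenant
$gaRoleId = '62e90394-69f5-4237-9190-012177145e10'

# Active assignment instances cover both permanent assignments and current PIM activations
$active = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
    -Filter "roleDefinitionId eq '$gaRoleId'" -ExpandProperty Principal -All

$report = foreach ($a in $active) {
    $props = $a.Principal.AdditionalProperties
    $name = if ($props['userPrincipalName']) { $props['userPrincipalName'] } else { $props['displayName'] }
    # AssignmentType 'Assigned' with no end date is standing access; 'Activated' expires on its own
    $kind = if ($a.AssignmentType -eq 'Assigned' -and -not $a.EndDateTime) { 'STANDING' } else { $a.AssignmentType }
    [pscustomobject]@{ Principal = $name; Access = $kind; Expires = $a.EndDateTime }
}
$report | Sort-Object Access | Format-Table -AutoSize

$standing = @($report | Where-Object Access -eq 'STANDING')
if ($standing.Count -gt 0) {
    Write-Warning "$($standing.Count) permanent Global Administrator assignment(s). Convert them to PIM-eligible."
}

# Admins in any directory role who have never registered an MFA method
Get-MgReportAuthenticationMethodUserRegistrationDetail -Filter 'isAdmin eq true' -All |
    Where-Object { -not $_.IsMfaRegistered } |
    Select-Object UserPrincipalName, IsMfaRegistered |
    Format-Table -AutoSize
```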

4. Zero Control Over App Updates

Intune can deploy apps, sure. But who’s updating them? Your 500-user estate might be rocking:

  • Chrome v91

  • Java runtimes from 2016

  • 12 versions of Zoom

Modern attacks exploit applications more often than the OS itself. If you’re not automating third-party patching with Intune Suite, Patch My PC, or Chocolatey, you're living on borrowed time.


What You Actually Need: A Layered Security Strategy

Security isn’t one tool. It’s an architecture. A mindset. A set of non-negotiables backed by automation, not best guesses.

Here’s what a real security stack for modern management looks like:

Layer               | Tooling Example                           | Purpose
--------------------|-------------------------------------------|------------------------------------------------------
MDM & Compliance    | Intune, JAMF                              | Enforces baseline device hygiene
Access Control      | Conditional Access, PIM                   | Ensures right access at the right time
Threat Detection    | Defender XDR, Sentinel, Splunk            | Detects, analyses, and correlates suspicious activity
Identity Protection | Entra ID Protection                       | Flags risky users, impossible travel, sign-in anomalies
App Management      | Patch My PC, Intune Suite, Chocolatey     | Keeps apps secure and updated
Data Protection     | TLS 1.2/1.3, Purview DLP                  | Protects data in transit and at rest

This isn't just "nice to have" anymore. With hybrid work, BYOD, and cloud services everywhere, your devices are exposed all the time.

But What About BitLocker PINs and BIOS Lockdown?


Let’s have the honest conversation: BitLocker PINs sound good on paper, but in practice they’re a user-hostile security placebo.

Sure, they add an extra hurdle at boot — but let’s be real: most of your threats aren’t sitting in car parks with a crowbar and 30 minutes to brute-force a laptop. And if they are? A six-digit PIN isn't stopping them.

What a BitLocker PIN actually does:

  • Slows down boot time and frustrates users (especially in policing, healthcare, or emergency services).
  • Adds support overhead when someone forgets it at 5am.
  • Gives a false sense of protection against physical threats.

And what it doesn’t do:

  • Prevent nation-state or skilled attackers with physical access from getting in.
  • Stop firmware-level attacks, bus sniffing, or TPM-side exploits.
  • Protect against 99% of real-world threats — like phishing, token theft, or lateral movement.

If you’re relying on a boot PIN for security, you’re fighting yesteryear’s threats. Most data theft today isn’t someone stealing a laptop – it’s someone phishing credentials and logging in with full access.

What Actually Works?

Modern endpoint security is built on layers — not PINs. Here’s what actually protects your users and estate:

  • UEFI Secure Boot to block bootkits.
  • TPM 2.0 with BitLocker.
  • Code Integrity + VBS + HVCI to enforce secure kernel operations.
  • Zero trust enforcement via Intune compliance and Conditional Access.
  • FIDO2 key-based auth to kill off password-based logins entirely.
  • Privileged Access Workstations (PAWs) for admins — no standing access.
  • TLS 1.2/1.3 and SSL everywhere for data in transit.
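Most of the device-side controls in that list can be verified locally rather than trusted from a compliance dashboard. As an added example (not code from the original post), this read-only check reports Secure Boot, TPM 2.0, VBS/HVCI, Credential Guard, code integrity enforcement and BitLocker protector types on a Windows 10/11 device; run it from an elevated PowerShell session.

```powershell
# Added example (not from the original post): read-only check of the hardening controls
# listed above on a Windows 10/11 endpoint. Run elevated.
function Get-EndpointHardeningReport {
    $dg  = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm
    $bde = Get-BitLockerVolume -MountPoint $env:SystemDrive

    # Confirm-SecureBootUEFI throws on legacy BIOS machines; treat that as "not enabled"
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }

    # CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced
    $ciMode = switch ($dg.CodeIntegrityPolicyEnforcementStatus) {
        0 { 'Off' } 1 { 'Audit' } 2 { 'Enforced' } default { 'Unknown' }
    }

    [pscustomobject]@{
        SecureBoot          = [bool]$secureBoot
        Tpm20Present        = ($null -ne $tpm) -and ($tpm.SpecVersion -like '2.0*')
        VbsRunning          = $dg.VirtualizationBasedSecurityStatus -eq 2   # 2 = running
        HvciRunning         = $dg.SecurityServicesRunning -contains 2       # 2 = HVCI
        CredentialGuard     = $dg.SecurityServicesRunning -contains 1       # 1 = Credential Guard
        CodeIntegrityMode   = $ciMode
        BitLockerOn         = $bde.ProtectionStatus -eq 'On'
        EncryptionMethod    = [string]$bde.EncryptionMethod
        BitLockerProtectors = ($bde.KeyProtector.KeyProtectorType -join ', ')
    }
}

$report = Get-EndpointHardeningReport
$report | Format-List

# Anything false here is a gap that a green Intune compliance tick alone will not close
$report.PSObject.Properties | Where-Object { $_.Value -eq $false } |
    ForEach-Object { Write-Warning "$($_.Name) is not enabled on this device" }
```

Run it against a freshly enrolled device and compare the result with what the compliance policy claims; the two are often not the same thing.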

This is what actually holds up under scrutiny — even if your adversary isn't a petty thief, but a nation-state with time, tools, and talent.

Your posture should prevent logical access, not just physical.



Final Thoughts: If Intune Says You're Compliant, Are You Actually Secure?

That green tick might feel good. But it doesn’t mean you’re protected.

  • Compliance ≠ Protection
  • MDM ≠ Monitoring
  • Access ≠ Identity validation
  • Config ≠ Threat detection

Real security is layered, automated, and assumed breached until proven otherwise. If you’ve deployed Intune, great. Now back it with Conditional Access, EDR, automated patching, and identity threat detection.

Because when the breach happens — and it will — you don’t want to be the one saying “but we had Intune.”



Need help pulling this together in your organisation?
Drop me a line. Or better yet — review your Conditional Access exclusions before someone else does.