United Kingdom<\/strong><\/p>\n\n\n\nIn the UK, most employee monitoring involves processing personal data, which triggers the UK GDPR and Data Protection Act 2018. Organisations must identify a lawful basis, be transparent with staff through clear notices and policies, and for higher-risk or large-scale monitoring, carry out a Data Protection Impact Assessment.<\/p>\n\n\n\n
For BYOD specifically, employees should sign to show they understand and accept the BYOD terms, and this should never be hidden in fine print. A ToU enforced via Conditional Access gives you a documented, timestamped record of that acceptance per user, per device type. This is precisely what you need if the ICO ever comes knocking.<\/p>\n\n\n\n
Europe<\/strong><\/p>\n\n\n\nAcross the EU, the same GDPR framework applies, but enforcement culture and the presence of Works Councils in many member states add an additional layer of complexity. In Germany, France, the Netherlands, and several other countries, Works Councils have co-determination rights over the introduction of technical systems that monitor employee behaviour. Deploying MDM on personal devices without Works Council agreement is a significant legal exposure. A MAM-specific ToU (clearly scoped to app-level management with no device-wide monitoring) is often a prerequisite for getting Works Council sign-off on a BYOD programme at all. The distinction between what MAM does and what MDM does is not just a technical detail in those environments; it is a legal boundary.<\/p>\n\n\n\n
United States<\/strong><\/p>\n\n\n\nIn the US, there is no single federal equivalent to GDPR, but the principle of transparency around BYOD still carries legal weight. Organisations typically rely on acceptable use policies and BYOD agreements to establish consent for data access and remote wipe capabilities. The key distinction matters here too: a MAM ToU should explicitly state that the organisation manages only corporate data within specific apps and has no visibility into personal content on the device. An MDM ToU, by contrast, covers broader device management rights including full device wipe. Conflating the two (or presenting a single generic document regardless of device type) creates ambiguity that could complicate both employment disputes and e-discovery situations.<\/p>\n\n\n\n
\n\n\n\nImportant Details<\/h2>\n\n\n\n
<\/p>\n\n\n\n
There are a few operational points worth keeping in mind before you switch the policies from Report-only to On:<\/p>\n\n\n\n
\n- Dynamic group evaluation latency.<\/strong> Dynamic group membership in Entra ID is not instantaneous. When a device is newly enrolled in MDM, there is a window (typically a few minutes, but occasionally longer) before the device appears in the dynamic group and the exclusion takes effect. During that window, a freshly enrolled MDM device could still be prompted for the MAM ToU. In most production deployments this is acceptable, but it is worth communicating to your helpdesk so they are not surprised by reports of MDM users seeing the MAM document immediately after enrolment.<\/li>\n\n\n\n
- Validate in Report-only first.<\/strong> Use the What If tool in Entra Conditional Access with a known MDM-enrolled device and a known BYOD device to confirm the routing is correct before enabling the policies.<\/li>\n\n\n\n
- PDF rendering on mobile.<\/strong> The ToU document must render correctly in a mobile browser. Microsoft recommends a minimum font size of 24pt for mobile-targeted PDFs. A document that fails to render on iOS or Android will result in users dismissing the prompt without reading it, which defeats the purpose entirely.<\/li>\n\n\n\n
- Acceptance logs.<\/strong> Entra ID logs each ToU acceptance under Identity Governance, Terms of Use. You can view acceptances per document and revoke individual user acceptances when needed, useful both for re-testing and for cases where the ToU document is updated and re-acceptance is required.<\/li>\n\n\n\n
- The 40 ToU limit.<\/strong> Entra ID supports a maximum of 40 Terms of Use documents per tenant. For most organisations this is not a constraint, but worth noting in large or multi-entity environments.<\/li>\n<\/ul>\n\n\n\n
\n\n\n\nConclusion<\/h2>\n\n\n\n
<\/p>\n\n\n\n
The device filter in Conditional Access is a useful tool, but it has a hard boundary: it only works when the device has an object in Entra ID. For MAM scenarios, that is never the case, and any CA policy that relies on a device filter to target or exclude unmanaged devices will behave unexpectedly.<\/p>\n\n\n\n
The dynamic MDM device group as an exclusion is the most reliable approach available today. It works with the architecture rather than against it, requires no changes to your user group structure, and handles the case where APP is deployed to both MAM and MDM devices, which rules out the APP-as-differentiator pattern for many real-world deployments.<\/p>\n\n\n\n
Getting the ToU routing right is not just a technical exercise. Whether you are operating under UK GDPR, EU data protection law, or a US BYOD policy framework, users need to accept terms that accurately reflect what the organisation can actually do on their device. Presenting the wrong document is not a minor configuration detail; it undermines the legal basis for the acceptance record itself.<\/p>\n\n\n\n
I hope this helps if you are working through the same configuration.<\/p>\n","protected":false},"excerpt":{"rendered":"
A clear breakdown of why Microsoft Entra Conditional Access cannot reliably distinguish MAM from MDM devices using device filters and how a dynamic device group based on managementType = MDM provides a consistent, architecture\u2011aligned solution. This post explains why separate Terms of Use are legally and operationally necessary, why unmanaged BYOD devices never match device filters, and how excluding managed devices ensures the correct ToU is shown every time.<\/p>\n","protected":false},"author":1,"featured_media":3269,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","twitterCardType":"","cardImageID":0,"cardImage":"","cardTitle":"","cardDesc":"","cardImageAlt":"","cardPlayer":"","cardPlayerWidth":0,"cardPlayerHeight":0,"cardPlayerStream":"","cardPlayerCodec":"","footnotes":""},"categories":[850,753,867,869],"tags":[11,1071,354,1081,1084,1078,1085,1073,1076,1075,1086,952,1079,1083,768,1074,1077,12,855,1068,759,995,1072,848,1069,1070,1080,1082],"class_list":["post-3267","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-850","category-microsoft365","category-microsoft-entra","category-microsoft-intune","tag-android","tag-app-protection-policy","tag-byod","tag-byod-policy","tag-conditional-access-policy","tag-data-protection-act-2018","tag-device-compliance","tag-device-filter","tag-dyconditional-access","tag-dynamic-groups","tag-entra-id-p1","tag-gdpr","tag-ico","tag-identity-governance","tag-intune","tag-intune-mam","tag-intune-mdm","tag-ios","tag-mam","tag-mdm","tag-microsoft-365","tag-microsoft-entra-id","tag-mobile-device-management","tag-mobile-security","tag-terms-of-use","tag-uk-gdpr","tag-works-council","tag-zero-trust"],"_links":{"self":[{"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=\/wp\/v2\/posts\/3267","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3267"}],"version-history":[{"count":4,"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=\/wp\/v2\/posts\/3267\/revisions"}],"predecessor-version":[{"id":3278,"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=\/wp\/v2\/posts\/3267\/revisions\/3278"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=\/wp\/v2\/media\/3269"}],"wp:attachment":[{"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3267"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3267"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3267"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"\"](\"https:\/\/modern-workplace.uk\/wp-content\/uploads\/2026\/06\/ToU1-1.jpg\")
<\/a><\/figure>\n\n\n\n