CMMC BYOD: Yes, Personal Devices Can Pass a Level 2 Assessment
One of the most common misconceptions in the CMMC community is that Bring Your Own Device (BYOD) is a non-starter. You’ll hear it in forums, from other consultants, even from some assessors: “Personal devices can’t pass CMMC Level 2. Don’t even try.”
That’s flat-out wrong.
Dozens of defense contractors have passed CMMC Level 2 assessments with personal mobile devices in their environment. The key isn’t whether you allow BYOD — it’s how you manage it.
The Real Question: How Is CUI Protected on That Device?
CMMC doesn’t care who owns the hardware. It cares that Controlled Unclassified Information (CUI) is protected wherever it lives. When an assessor looks at personal devices in your environment, they’re asking one question: if CUI can reach this device, how are you protecting it?
There are really only three answers:
- Keep the device out of scope entirely by blocking it from accessing any systems that process CUI
- Bring the device into scope with full MDM enrollment and all the controls that entails
- Use application-level protection that creates a managed, encrypted container on the device without taking over the whole phone
Option 3 is where most successful BYOD implementations land.
Intune Mobile Application Management: The Proven Approach
Microsoft Intune Mobile Application Management (MAM) with app protection policies is the approach that has passed the most assessments by far. Here’s why it works.
MAM doesn’t require full device enrollment. Instead, it wraps the Microsoft apps (Outlook, Teams, SharePoint, OneDrive) in an encrypted container on the employee’s personal phone. When configured correctly, this container enforces:
- Encryption of data at rest using FIPS-validated cryptographic modules (wolfSSL wolfCrypt)
- No copy/paste from managed apps to personal apps
- No saving company data to personal storage (iCloud, Google Drive, local gallery)
- No printing from managed apps
- No screenshots (Android — iOS has limited enforcement here)
- Remote wipe of the container without touching personal data
- Conditional access so only compliant, managed app instances can connect
The personal phone functions as a thin client accessing a remote service. The CUI lives inside the encrypted container, not on the device itself. Your organization can revoke access to that data in real time.
And Intune itself is FedRAMP Moderate authorized, which checks the box for using a cloud service that meets federal security standards.
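The container controls listed above are the settings an assessor will look for in your app protection policy. As an added example (not code from this post or from Microsoft), the following script takes a policy in the shape Microsoft Graph returns for iosManagedAppProtection / androidManagedAppProtection and reports which of those controls are not enforced. The Graph property names and enum values are assumed to follow that schema, the set of "managed" storage locations is an assumption, and the sample policy is constructed; the Android-only checks (app-data encryption, screenshot blocking) are reported as not applicable on iOS rather than as failures, matching the iOS caveat above.

```python
"""Readiness check for an Intune app protection (MAM) policy export.

Added example, not code from the post or from Microsoft. Input is a policy
dict in the shape Microsoft Graph returns for iosManagedAppProtection /
androidManagedAppProtection; property names and enum values are assumed to
follow that schema. SAMPLE_POLICY below is constructed for illustration.
"""
from __future__ import annotations

from typing import Callable

# Storage locations this example treats as organization-managed (assumption).
MANAGED_LOCATIONS = {"oneDriveForBusiness", "sharePoint"}

# Clipboard settings that keep org data from being pasted into personal apps.
CLIPBOARD_OK = {"managedApps", "managedAppsWithPasteIn", "blocked"}


def _platform(policy: dict) -> str:
    odata = policy.get("@odata.type", "")
    return "android" if odata.endswith("androidManagedAppProtection") else "ios"


def _save_as_contained(p: dict) -> bool:
    # Save As must be blocked, and any allowed locations must all be managed.
    extra = set(p.get("allowedDataStorageLocations", [])) - MANAGED_LOCATIONS
    return p.get("saveAsBlocked") is True and not extra


# (control from the list above, platform it applies to, predicate true when enforced)
CONTAINER_CHECKS: list[tuple[str, str, Callable[[dict], bool]]] = [
    ("Encrypt app data at rest", "android", lambda p: p.get("encryptAppData") is True),
    ("Block screenshots", "android", lambda p: p.get("screenCaptureBlocked") is True),
    ("Block clipboard to personal apps", "all",
     lambda p: p.get("allowedOutboundClipboardSharingLevel") in CLIPBOARD_OK),
    ("Send org data only to managed apps", "all",
     lambda p: p.get("allowedOutboundDataTransferDestinations") == "managedApps"),
    ("Receive data only from managed apps", "all",
     lambda p: p.get("allowedInboundDataTransferSources") == "managedApps"),
    ("Block Save As to personal storage", "all", _save_as_contained),
    ("Block backup to iCloud/Google", "all", lambda p: p.get("dataBackupBlocked") is True),
    ("Block printing", "all", lambda p: p.get("printBlocked") is True),
    ("Require a PIN for the container", "all", lambda p: p.get("pinRequired") is True),
    ("Require device compliance before launch", "all",
     lambda p: p.get("deviceComplianceRequired") is True),
    ("Selective wipe after offline period", "all",
     lambda p: bool(p.get("periodOfflineBeforeWipeIsEnforced"))),
]


def assess_policy(policy: dict) -> dict[str, list[str]]:
    """Return failed controls and controls not applicable to the policy's platform."""
    platform = _platform(policy)
    failed, not_applicable = [], []
    for name, applies_to, enforced in CONTAINER_CHECKS:
        if applies_to not in ("all", platform):
            not_applicable.append(name)  # e.g. screenshot blocking on iOS
        elif not enforced(policy):
            failed.append(name)
    return {"failed": failed, "not_applicable": not_applicable}


def is_assessment_ready(policy: dict) -> bool:
    """True when every applicable container control is enforced."""
    return not assess_policy(policy)["failed"]


# Constructed sample: a partially configured Android policy as an export might show it.
SAMPLE_POLICY = {
    "@odata.type": "#microsoft.graph.androidManagedAppProtection",
    "displayName": "CUI - Android MAM",
    "encryptAppData": True,
    "screenCaptureBlocked": True,
    "allowedOutboundClipboardSharingLevel": "allApps",  # gap: clipboard reaches personal apps
    "allowedOutboundDataTransferDestinations": "managedApps",
    "allowedInboundDataTransferSources": "managedApps",
    "saveAsBlocked": True,
    "allowedDataStorageLocations": ["oneDriveForBusiness", "sharePoint"],
    "dataBackupBlocked": True,
    "printBlocked": False,  # gap: printing from managed apps allowed
    "pinRequired": True,
    "deviceComplianceRequired": True,
    "periodOfflineBeforeWipeIsEnforced": "P90D",
}

if __name__ == "__main__":
    for status, items in assess_policy(SAMPLE_POLICY).items():
        print(f"{status}: {items}")
```

Run against the constructed sample it flags the clipboard and printing gaps; feed it the JSON you pull from your own tenant to get the same list before an assessor does.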
What This Looks Like in Practice
A typical compliant BYOD mobile setup looks like this:
Technical controls:
- Intune app protection policies enforcing encryption, DLP, and conditional access
- Device compliance policies requiring passcodes, OS currency (within one major version of current), and encryption
- Allowed device list (e.g., iPhone, Pixel, Galaxy only)
- Conditional Access blocking native mail apps — only managed Outlook allowed
- Remote wipe capability for the work container
Administrative controls:
- BYOD acceptable use policy signed by every employee
- Device inventory maintained and reviewed
- Incident response procedures covering lost/stolen personal devices
- Employee training on CUI handling and device responsibilities
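To show how the technical controls above compose, here is an added example (not code from this post or from Intune) that models the allow/block decision Conditional Access and the device compliance policy would reach for a mobile sign-in: only a managed, app-protected client may connect, native mail clients are refused, the device family must be on the allowed list, and the device needs a passcode, encryption and an OS within one major version of current. The current-OS snapshot, the allowed-model list, the client-app labels and the mapping of each block reason to a NIST SP 800-171 Rev. 2 requirement id are assumptions of this example, and the sign-ins it evaluates are constructed.

```python
"""Allow/block model for a BYOD mobile sign-in under the controls listed above.

Added example, not code from the post or from Intune. The OS snapshot, the
allowed device list, the client labels and the 800-171 mapping are
assumptions; the sample sign-ins are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

CURRENT_MAJOR_OS = {"ios": 17, "android": 14}  # constructed snapshot; refresh as releases ship
ALLOWED_MODELS = {"iPhone", "Pixel", "Galaxy"}  # allowed device list from the setup above
MANAGED_MAIL_CLIENT = "managed_outlook"

# Which 800-171 requirement each block reason evidences (this example's reading).
REQUIREMENT = {
    "native_mail": "3.1.18",    # control connection of mobile devices
    "unmanaged_app": "3.1.18",
    "model": "3.1.18",
    "passcode": "3.1.18",
    "encryption": "3.1.19",     # encrypt CUI on mobile devices
    "os_currency": "3.14.1",    # identify, report and correct flaws in a timely manner
}


@dataclass(frozen=True)
class MobileSignIn:
    platform: str                 # "ios" or "android"
    model: str                    # device family, e.g. "iPhone"
    os_major: int
    client_app: str               # "managed_outlook", "native_mail", ...
    app_protection_applied: bool  # Intune app protection policy active on the client
    passcode_set: bool
    encrypted: bool


def device_compliance(s: MobileSignIn) -> list[str]:
    """Compliance-policy findings; an empty list means the device is compliant."""
    findings = []
    if not s.passcode_set:
        findings.append("passcode")
    if not s.encrypted:
        findings.append("encryption")
    if s.os_major < CURRENT_MAJOR_OS[s.platform] - 1:  # more than one major version behind
        findings.append("os_currency")
    return findings


def evaluate(s: MobileSignIn) -> tuple[str, list[str]]:
    """Return ('allow' | 'block', reasons) for a sign-in to CUI-bearing M365 apps."""
    reasons = []
    if s.client_app == "native_mail":
        reasons.append("native_mail")       # only managed Outlook may connect
    if not s.app_protection_applied:
        reasons.append("unmanaged_app")     # require app protection policy
    if s.model not in ALLOWED_MODELS:
        reasons.append("model")
    reasons += device_compliance(s)
    return ("block" if reasons else "allow"), reasons


def evidence(reasons: list[str]) -> dict[str, str]:
    """Map each block reason to the requirement it demonstrates, for SSP notes."""
    return {r: REQUIREMENT[r] for r in reasons}


# Constructed sign-ins: a compliant user, a native-mail attempt, an old Pixel, an unlisted model.
SAMPLE_SIGNINS = [
    MobileSignIn("ios", "iPhone", 17, MANAGED_MAIL_CLIENT, True, True, True),
    MobileSignIn("ios", "iPhone", 17, "native_mail", False, True, True),
    MobileSignIn("android", "Pixel", 12, MANAGED_MAIL_CLIENT, True, True, True),
    MobileSignIn("android", "OnePlus", 14, MANAGED_MAIL_CLIENT, True, True, True),
]

if __name__ == "__main__":
    for s in SAMPLE_SIGNINS:
        decision, reasons = evaluate(s)
        print(f"{s.model:8} {s.client_app:16} -> {decision} {evidence(reasons)}")
```

The Pixel on Android 12 is blocked because it is two major versions behind the snapshot, while a Pixel on 13 would pass; the native-mail attempt is refused twice over, once for the client type and once because no app protection policy is applied to it, which is why the native-mail block and the app-protection requirement belong together in the policy set.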
Both technical and administrative controls matter. Organizations that have passed Joint Surveillance Voluntary Assessments (JSVA) and C3PAO assessments implemented both.
CMMC BYOD: Mobile Phones vs. Workstations
Here’s where the line gets drawn. Personal phones with MAM policies? That’s well-trodden ground with a long track record of passing assessments.
Personal laptops and workstations? That’s a different story entirely. The controls required to bring a personal computer into a CMMC scope are so invasive that you’re effectively taking over the device. At that point, you’ve defeated the purpose of BYOD, and you’re better off issuing a company-owned machine.
If you must allow personal workstations, isolated browser technology or virtual desktop infrastructure (VDI) through something like Azure Virtual Desktop in a GCC High environment can create logical separation. But for most small and mid-size manufacturers, the simpler answer is: BYOD for phones, company-owned for workstations.
The Android Advantage
Android devices have a feature that makes BYOD particularly clean: work profiles. When enrolled through Intune, Android creates a completely separate work profile with its own app instances, storage, and policies. Users see a clear division between personal and work apps, and IT can lock down the work profile without touching anything on the personal side.
You can block users from installing or accessing the same apps in both profiles, preventing any data crossover. For CMMC purposes, this logical separation is a strong control.
iOS handles this differently. App protection policies work well, but the separation isn’t as visually or technically clean as Android’s work profile model. Both can pass assessments, but Android’s approach tends to be easier to explain to assessors.
When CMMC BYOD Isn’t Worth It
BYOD isn’t always the right call. Consider company-owned devices instead if:
- Your team handles CUI constantly and needs full device-level controls
- You’re on-prem only without Microsoft 365 or Intune licensing
- Your employees travel to high-risk countries where foreign border security could access the device
- You want simpler documentation — company-owned devices are easier to document in your System Security Plan
- Your budget allows it — a few corporate phones are cheaper than the complexity of a BYOD program
Some organizations take the cleanest approach: no mobile devices in the CUI boundary at all. If your workflows don’t require mobile access to CUI, blocking mobile devices from CUI systems entirely keeps them out of scope and out of your SSP.
The Bottom Line
BYOD can absolutely work within CMMC Level 2. The path is well-established: Intune MAM app protection policies with proper conditional access, encryption enforcement, and data loss prevention per NIST SP 800-171 requirements. This approach has been accepted by DIBCAC and C3PAOs across dozens of assessments.
The mistake isn’t allowing personal devices. The mistake is allowing them without the controls to protect CUI on them.
If you’re figuring out how to handle personal devices in your CMMC environment, or you’re not sure whether your current MAM configuration is assessment-ready, reach out for a consultation. We help small defense contractors navigate CMMC assessments and implement NIST 800-171 controls that hold up to scrutiny.