This control plane turns mobile app-protection assignments into a buyer-readable surface for platform, security, endpoint, and Microsoft 365 teams: missing policy coverage, risky exceptions, outdated baselines, rooted-device exposure, and the enforcement packet needed before BYOD growth outruns governance.
| App | Owner | Status | Platform | Findings | Next action |
|---|---|---|---|---|---|
| Outlook Mobile Executive collaboration Board and leadership communications |
Workplace Messaging | protected | iOS | 1 | Keep BYOD scope current and preserve managed-browser continuity. Healthy lane with no blocking findings. |
| Teams Mobile Frontline coordination Regional manager mobile collaboration |
Frontline Operations | warning | Android | 5 | Advance policy v5 and close the managed-browser gap before wider Android expansion. Stale sync and policy drift are starting to stack. |
| Salesforce Contractor access boundary CRM access for external sellers |
Revenue Systems | exception | iOS | 9 | Remove the exception lane or isolate it behind stricter launch controls immediately. This is the riskiest route in the current sample. |
| Workday BYOD HR apps Employee self-service on personal devices |
People Systems | missing | Android | 8 | Attach the Android app to the approved policy envelope before broader publish. Missing assignment and weak enforcement stack together. |
| OneDrive Finance document lane Sensitive document access on managed devices |
Endpoint Platform | limited | iOS | 1 | Shorten offline grace to the target wipe window and keep finance documents in the protected lane. Mostly healthy but still outside the preferred offline threshold. |