Securing the enterprise for mobility (ITSM.80.001)

This publication provides an overview of enterprise mobility security and lists some of the threats and risks that mobile devices can pose to your organization. It outlines mitigation strategies and safeguards your organization can implement. Lastly, it describes the benefits and features of mobile management solution tools for organizations with more complex information technology (IT) infrastructures.

It is important to note that these recommendations are not comprehensive. Furthermore, even if all possible mitigation strategies are properly implemented, a residual risk to your organization’s network and information assets remains.

1 Introduction

Mobile devices such as smartphones, tablets and laptops are key components for your organization. They contain powerful computing capabilities, as well as the ability to communicate wirelessly. Although mobile devices enable collaboration and boost productivity and efficiency, they can also increase the risk of a compromise to your organization’s sensitive information. Your organization should implement security controls and safeguards before mobile devices are allowed to access the organization’s network.

This publication offers guidance to help your organization understand the security threats and risks associated with mobile devices. It also provides mitigation strategies and mobile management solutions you can implement to minimize the impact on your organization.

2 Enterprise mobility business drivers

Mobile devices have become an integral part of most organizations' business operations. They offer employees flexibility, help improve productivity, and allow for quicker collaboration for decision-making. Employees require access to the latest technologies to perform their tasks and help them reach their goals. Organizations use mobile devices for the following reasons:

  • Ease of use: Mobile devices have user-friendly interfaces that can be customized to meet employee and organization needs
  • Anytime, anywhere connectivity: Employees can remotely access business data, enterprise services and applications. This is especially important for employees who travel frequently, work at various sites, or have a patrol or delivery route.
  • Customization: Organizations can customize device settings to improve convenience and flexibility for employees
  • Cloud computing: Many organizations use cloud-based infrastructures to deliver services
  • Cost: Using mobile devices and service providers can lower program costs and reduce technical obsolescence issues

3 Enterprise mobility overview

Enterprise mobility allows mobile devices such as smartphones, tablets and laptops to access your organization’s networks and services through commercial cellular networks and Wi-Fi. The basic segments of the enterprise mobility architecture consist of mobile devices, wireless communication networks, enterprise infrastructure, and services and applications. If your organization chooses to include mobile devices as part of your enterprise architecture, ensure you understand the related risks.

3.1 Mobile devices

Mobile devices are widely available, cost effective and contain updated features and technology for communications and application functionality. Mobile device features are constantly changing and allow users to:

  • connect to wireless networks for voice and data communications
  • store information
  • access global positioning systems (GPS)
  • use digital video cameras

3.2 Wireless communication networks

There are 3 major types of wireless communication networks:

  • cellular networks, which are managed by commercial carriers and provide coverage by dividing a large geographical service area into smaller areas
  • Wi-Fi networks, which businesses or consumers can establish to provide a networking service within a limited geographic area, such as a home, office or place of business
  • other wireless networks, some of which may not conform to the Wi-Fi standard; for example, Bluetooth is often used to connect to nearby devices, such as headsets or keyboards

3.3 Enterprise infrastructure

The enterprise infrastructure provides the hardware, software, network resources and services required to create, operate and manage an enterprise IT environment. This infrastructure enables your organization to deliver IT solutions and services to employees, partners and clients. Your organization’s enterprise infrastructure may also host mobility-specific applications or allow your systems to interact with other mobile devices. The enterprise mobility capability helps secure and manage interactions between your organization’s enterprise services and authorized devices and users, ensuring a seamless and protected experience.

3.4 Service and applications

These are the existing and evolving services provided for all enterprise users, including mobile users. This may include unified communications such as data (for example, email and chat), voice (for example, telephone and teleconferencing), and applications or web interfaces.


4 Mobile device security vulnerabilities

The use of mobile devices, wireless networks, and voice and data services exposes organizations to a range of threats. These threats include deliberate actions by threat actors or accidental actions by authorized users. For example, threat actors might focus on a specific enterprise with the goal of compromising its clients. Organizations must also consider phishing attacks, ransomware incidents, unauthorized data access and network vulnerabilities. These risks must be addressed and sufficiently mitigated to achieve acceptable risk levels. Lastly, loss or theft of mobile devices can also create security risks for your organization, as threat actors can compromise the device and gain access to your systems and data.

There are various mitigation strategies to address these threats, and most of them work together. In particular, the enterprise mobility infrastructure and existing enterprise capabilities can provide strong security features to protect mobile devices and employee communications.

Mobile devices are generally at higher risk of exposure than devices that are used only within an organization’s facilities, on an organization’s networks. Therefore, they often need additional protection. You should be aware of the following major security vulnerabilities when using mobile devices:

  • lack of physical security controls
  • untrusted mobile devices
  • untrusted networks
  • untrusted applications
  • interaction with other systems
  • untrusted content
  • location services

4.1 How threat actors exploit these vulnerabilities

Some threats are intended to compromise the mobile device itself, while others are intended to ultimately infiltrate and compromise the enterprise. Some of the main threats that threat actors exploit on mobile devices include:

  • identifying, targeting and delivering malware to the device
  • using the network connections of the device (cellular, Wi-Fi, Bluetooth) for nefarious purposes, such as exploiting flaws to compromise the device or to track its location
  • using the device to infiltrate other organizational networks
  • accessing the device to track location through GPS and other location services
  • activating the microphone or camera to access data
  • intercepting voice and data communications to exfiltrate sensitive data
  • using third-party software to gain access to device features
  • modifying the device, including changing its hardware or software remotely, by physically accessing the device or by intervening in the supply chain process
  • exploiting software flaws in operating systems (OS) and applications

5 Threats and risks to the enterprise

Mobile devices have become integral to business operations. However, this increased dependency on mobile technology comes with a spectrum of challenges that organizations must proactively address, including data breaches, unauthorized access, and the persistent threat of malware and phishing attacks. The following examples illustrate some of these challenges.

5.1 Loss of authentication credentials

The loss of authentication credentials, such as passwords, tokens or private keys for certificates, presents opportunities for unauthorized access to sensitive systems, applications and data. Unauthorized access can lead to data breaches, the compromise of confidential information, and the potential misuse of corporate resources. We recommend you implement phishing-resistant multi-factor authentication (MFA) and educate your users on cyber hygiene principles such as password management.

For more information, read Password managers: Security tips (ITSAP.30.025).

5.2 Improper disposal of old mobile devices with sensitive configurations and data

Access to sensitive configurations by unauthorized individuals can pose a significant risk, including potential unauthorized data access and breaches. Residual data on devices that are not wiped properly poses an ongoing threat, even after the devices have been disposed of. Non-compliance with privacy regulations may result in legal consequences, fines and reputational damage.

For more information, read Sanitization and disposal of electronic devices (ITSAP.40.006) and IT media sanitization (ITSP.40.006).

5.3 Improper use of social media applications

Threat actors can exploit security vulnerabilities within social media applications installed on corporate mobile devices. If the applications contain vulnerabilities, most often from poorly written code, threat actors can leverage them to access corporate data storage. Social media applications conduct data mining to understand and predict human behaviour and if installed on corporate devices or networks, they can collect data about your organization, including contact lists or aspects of the corporate network. We recommend implementing corporate control over the applications’ permissions and using mobile device management (MDM) restrictions.

5.4 Exploitation of lost or stolen devices

Threat actors may exploit lost or stolen devices to try and gain entry to the enterprise infrastructure or to pose as an authorized user. Identity masquerading is a significant threat and could lead to the exploitation of enterprise resources, operational disruptions and the compromise of confidential business information.

5.5 Threat actors tracking employee behaviour

Threat actors may observe employee behaviour through compromised devices in order to violate privacy and gather personal information, which can subsequently be used for entrapment or blackmail. This type of intrusion can damage the affected employee’s personal and professional life and contribute to broader consequences for the organization’s reputation and workplace trust.

For more information, read Social engineering (ITSAP.00.166) and Digital footprint (ITSAP.00.133).

5.6 Authorized equipment users attempting to misuse their privileges

If employees fail to adhere to security policies, it can increase vulnerabilities and the potential for data breaches. It may also compromise the integrity of devices rendering them more susceptible to security threats. Employees may misuse their privileges by attempting to access unauthorized services or applications, or by connecting directly to commercial platforms that are not permitted.

5.7 Untrusted app stores

The primary risk posed by applications downloaded from untrusted app stores is the potential compromise of a device’s security and user data caused by malware. Applications can be repackaged to include malware without the user realizing it. Users may unknowingly expose themselves to harmful activities such as sensitive data exposure or unauthorized surveillance. This can lead to identity theft, financial losses and significant privacy breaches for both the user and the organization.

6 Mitigation strategies

To protect sensitive information and networks, organizations should implement a defence-in-depth strategy. This includes placing multiple layers of security throughout an IT system to provide redundancy if a security control fails or a vulnerability is exploited. A defence-in-depth strategy has 3 layers that focus on 3 key elements: people, technology and operations.

As part of a defence-in-depth strategy, the following section provides additional advice on MDM and mitigation actions your organization can take to better secure mobile devices.

6.1 Implement a mobile device security policy

A mobile device security policy should define what resources can be accessed via mobile devices, the degree of access granted to mobile devices, and what types of mobile devices are permitted to access organization resources (for example, organization-issued devices versus personal devices). The policy should also cover how MDM servers are administered, how policies in MDM servers are updated and all other requirements for MDM technologies. The mobile device security policy should be documented in the departmental security plan.

6.2 Implement a policy and user agreements for bring-your-own-device deployments

The bring-your-own-device (BYOD) policy should clearly define your organization’s authorities granted under legislation, regulation and user agreements to manage, monitor and respond to threats arising from personally owned mobile devices. Key considerations should include:

  • addressing the impact of monitoring capabilities on privacy risks
  • outlining response strategies based on deployment models
  • defining the organization’s authorities in triaging and responding to security incidents on personal devices

The goal is to establish a robust operational framework to effectively mitigate security risks in BYOD environments. Your organization should consider mitigation actions such as segregating guest and BYOD Wi-Fi networks from your corporate Wi-Fi network. To determine if implementing a BYOD deployment model is suitable for your organization, consult the End user device security for Bring-Your-Own-Device (BYOD) deployment models (ITSM.70.003) publication.

6.3 Establish and implement employee training and awareness programs

Information security is the responsibility of everyone in the organization. Your organization should clearly define, communicate and support employee responsibility with effective education and awareness. Opening a single malicious email attachment or accessing just a single malicious website can compromise an entire network. Employee diligence is an important factor for business continuity in the face of today’s cyber threats. It is essential that senior management actively endorse and advance awareness initiatives, integrating them into the organization’s strategic framework.

6.4 Perform threat and risk assessments for mobile device use

Mobile devices often need additional protection because their mobile nature exposes them to more threats than other devices. Before designing and deploying mobile device solutions, organizations should perform threat and risk assessments (TRAs). TRAs assist organizations in determining security requirements and in developing mobile device solutions that incorporate appropriate security controls.

In a TRA, you should:

  • identify resources of interest, vulnerabilities and security controls related to these resources
  • quantify the most likely threats and their likelihood of a successful attack and their impacts
  • analyze this information to determine where security controls should be improved or added

Factors like international travel can impact TRAs. Organizations should consider the risks associated with using mobile devices abroad. Specific risk assessments for individual travel or foreign telework agreements are covered in the Cyber Centre’s publication Device security for travel and telework abroad (ITSAP.00.188). Additionally, Mobile device guidance for high-profile travellers (ITSAP.00.088) outlines common threats and security measures to safeguard mobile devices before, during and after travel.

6.5 Implement the necessary security measures

Organizations should consider the merits of each security measure, determine which controls are needed, and then implement the solutions that provide the necessary security posture. Organizations should consider the following security measures:

  • Enforcing departmental security policies on mobile devices, such as restricting access to hardware and software, managing wireless network interfaces, and automatically monitoring, detecting and reporting policy violations
  • Supporting strongly encrypted data communications and data storage
  • Securely wiping a device before reissuing it and remotely wiping a device if it is lost or stolen
  • Requiring device authentication before allowing the mobile device to access departmental resources
  • Restricting which third-party applications can be installed on mobile devices
  • Determining the permissions assigned to each application and verifying digital signatures on applications
  • Detecting and documenting anomalies within the mobile device infrastructure, including unauthorized configuration changes to mobile devices

Once an application has collected data, that data is no longer under enterprise control. Users should not trust claims of data “anonymization” by application developers. Relying on app store vetting alone is insufficient to ensure that an app will not compromise data. App stores primarily scan for overt malware and may allow behind-the-scenes data collection activities for advertising or analytics.

6.6 Before deploying a mobile device solution

Before establishing a mobile device solution, organizations should evaluate the following security aspects of the environment, accounting for each type of mobile device that the organization intends to use:

  • connectivity
  • protection
  • authentication
  • application functionality
  • solution management
  • logging
  • performance

All components of the system should be updated with the latest patches and configured in accordance with sound security practices. Secure organization-issued mobile devices before allowing user access.

Ensuring that every device is fully secured prior to granting user access establishes a foundational level of trust in the device before it encounters potential security threats. Any previously deployed organization-issued mobile devices with unknown security profiles should be fully secured to a known good state using MDM technologies. Organizations should also deploy supplemental security controls, such as anti-virus software and data-loss prevention (DLP) technologies.

6.7 Maintain mobile device security

Organizations should implement the following processes for maintaining mobile device security:

  • Regularly installing upgrades and patches to enhance device protection
  • Adjusting access control settings as needed to maintain security standards
  • Maintaining an up-to-date inventory detailing each mobile device, its assigned user and installed applications
  • Revoking access to or deleting applications that have been assessed as too risky
  • Safeguarding sensitive data by sanitizing mobile devices before issuing them for reuse
  • Implementing an incident response plan that details how to address high-risk and compromised devices

Organizations should perform audits periodically to ensure that their mobile device policies, processes and procedures are being followed properly.

Organizations with more mature IT infrastructure and business processes should choose a mobility management solution that enables enhanced business features, such as mobile access to corporate email, calendars, contact lists and other corporate applications, to integrate seamlessly with corporate authentication mechanisms. The mobility management solution should also maintain the security of the mobility enterprise. There are different mobile management solutions with distinct capabilities. In industry, these solutions are referred to as MDM, enterprise mobility management (EMM) and unified endpoint management (UEM).

Section 7, Mobility management solutions, provides an overview of the different categories of mobility management solutions, as well as strategies to help you choose the solution that best suits your organization’s needs.

6.8 Manage the lifecycle of mobile devices

Your organization should ensure you have a process for identifying mobile device vendors that provide procedures and solutions to manage end-of-life (EoL) devices. For laptops, this can also include EoL for operating systems. You should also ensure that your vendors adhere to supply chain integrity (SCI) risk assessments, which should be conducted prior to procuring devices.

Ensure you have procedures in place to manage the lifecycle of EoL devices, to properly sanitize each device once it is recovered from the user, and to dispose of the device in a secure manner. For more information on device sanitization and destruction, read Sanitization and disposal of electronic devices (ITSAP.40.006).

7 Mobility management solutions

Mobile devices have become essential for many organizations, enabling more efficient execution of business activities. With greater amounts of sensitive data now passing through endpoints and being exchanged between mobile devices, information sharing has reached unprecedented levels. If mobile devices are not managed properly, they can put your organization's data and network security at risk. Proactively managing these devices across all business operations and implementing a strong mobility management solution is critical to protect your organization from potential data breaches.

Managing mobile devices is a unified approach that encompasses various categories of mobile management solutions, referred to in industry as MDM, EMM, and UEM. Mobile management solutions apply software, processes and security policies to mobile devices in their usage. Understanding the different features offered by various mobile management solutions will help you choose the best solution for your organization.

There is little difference between MDM and EMM, and the 2 terms are often used interchangeably. MDM focuses on fundamental tasks such as:

  • enrolling and configuring devices
  • managing credentials
  • enforcing password and functionality restrictions
  • managing BYOD profiles
  • facilitating device management and support functions, such as inventory audits, password resets and remote wipes

EMM encompasses all MDM functionalities, with additional advanced features such as:

  • more sophisticated containerization
  • management of corporate credentials and authentication mechanisms
  • advanced mobile application management
  • integration with other enterprise platforms

EMM also extends MDM capabilities through features like mobile application management and mobile threat response applications.

UEM is a unified holistic mobile management solution that encompasses MDM, EMM and other mobile management capabilities to address security concerns related to managing corporate data while increasing connectivity and productivity. While MDM and EMM solutions are dedicated to managing mobile devices, UEM allows organizations to distribute, manage, control and track other endpoint devices in the workplace, such as personal computers, tablets, Internet of Things (IoT) devices, printers and wearables.

We encourage organizations to conduct a security threat assessment using a framework like Cyber security and privacy risk management series: A lifecycle approach (ITSP.10.033) to determine their security requirements and acceptable level of risk, rather than focusing on terms. A threat assessment will also help identify the technical security controls required to address these threat areas, which will help organizations choose a mobility management solution.

Identifying and implementing a narrower set of technical controls, along with other security controls and policies as per Cyber security and privacy risk management: A lifecycle approach, can help organizations mitigate risks while balancing the user experience, flexibility and functionality promised by mobile devices. Once implemented, test and adjust the controls periodically to ensure that they are functional and providing adequate security.

7.1 Benefits of mobile management tools

Mobile management tools can secure, monitor, manage and support mobile devices such as smartphones and tablets that run on multiple platforms and are deployed within a network. These tools control and protect data and configuration settings. With these tools, your IT administrator can configure devices according to employee job requirements and install the applications needed for work purposes.

A wide range of mobile management tools are available, from basic solutions that control a mobile device’s security settings to more advanced solutions that extend and enforce a mobile device’s security policies and controls and provide seamless integration with your organization’s systems and services.

An optimal mobile management solution must consider the product’s capabilities and the mobile device platforms, as well as security feature capabilities and support. Consider the type of mobile devices your organization uses before choosing a mobile management solution.

Do not rely on an MDM solution to make up for poor mobile device security. MDM tools cannot add missing security features to a platform or device; they can only use the security features and controls that a mobile device platform supports natively.

Your organization should choose the solution that best suits its business and security needs by considering the following:

  • level of control needed depending on the sensitivity of the data being handled
  • budget available for specific deployment models (for example, hardware supply or IT support)
  • best balance between business and personal use

It is important for your organization to train employees on privacy and security best practices to ensure devices are used safely with the deployment model your organization selects.

In addition to the mitigation strategies provided in this publication, you can reference the Mobile Device Cybersecurity Checklist for Organizations (PDF) developed by the Cybersecurity and Infrastructure Security Agency (CISA). This checklist provides best practices to help organizations protect their mobile enterprise by mitigating security vulnerabilities and ensuring secure mobile access to enterprise resources.

7.2 Common mobile device management and enterprise mobility management features

MDM and EMM solutions offer many features to address mobile device security, compliance and operational efficiency. Some common features include:

  • mobile device management
    • deploy and enroll
    • provision devices—device settings, restrictions, credentials
    • control devices—audit devices, reset passwords, remote wipe
    • manage applications—control what applications can be loaded and used
    • track inventory
  • mobile device security
    • enforce security policies, real-time monitoring and reporting
    • enforce strong passwords for mobile device access
    • prevent unauthorized device access using a remote lock
    • perform remote wiping if device is stolen or lost
    • protect device from unsecured Wi-Fi and Bluetooth connections
  • facilitation of corporate data security
    • mandate data encryption for both data-in-transit and data-at-rest
    • enforce the use of virtual private network (VPN) connection between the mobile device and the organization’s server
    • automatically back up essential data from the device to the main server
  • messaging and email integration—fully integrate and support all major features (calendar, contacts, support for all major platforms)
  • enterprise enablers—provide support, access and control for intranet and corporate web services and applications

7.3 Additional mobile management solution capabilities

Larger organizations that have complex mobile device infrastructures and require a more comprehensive solution can consider some of the following additional capabilities that certain mobile management tools offer.

7.3.1 Mobile application management

Mobile application management (MAM) involves deploying, managing and controlling specific business applications on BYOD and company-owned/personally enabled (COPE) devices. MAM allows organizations to segregate personal and business applications, and to create a personalized enterprise application store. With MAM, administrators can push, install, patch and update mobile business applications as required, and configure the applications to comply with specific policies. MAM also supports inventory management, application lifecycle management and software licensing management.

7.3.2 Mobile content management

Mobile content management (MCM) is a security tool that manages content access on mobile devices. It allows employees to access, distribute and store work-related files, information and data without compromising security or the end-user experience. It offers ease of collaboration across secured networks and MDM-registered devices. MCM enables the administrator to restrict access rights for each employee and to allow only approved applications to access and distribute data.

7.3.3 Mobile identity and access management

This process manages and defines roles and privileges for each user to ensure that access to organizational resources is restricted to those with access rights. It relies on MFA, biometrics, certificates, code signatures or device-specific information to control how employees use the organization’s applications and data.

7.3.4 Mobile threat management

Mobile threat management (MTM) is a mobile security product that helps organizations reduce the risk posed by mobile devices. The premise of MTM is that although device manufacturers are improving the security posture of their devices with every release, vulnerabilities remain, and new ones are continually discovered.

MTM attempts to help organizations manage risk by implementing functions such as:

  • integration with MDM/EMM functions, such as enrollment, security policy and restrictions, and audit/logging
  • application and OS version and patch management
  • enforcement and automation of domain name system (DNS) filtering and VPN use
  • installed application inventory, malware detection, and allow list and deny list
  • mobile incident response—this pairs well with UEM platforms, where compliance-based controls are often used for automated responses to mobile security incidents
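The security measures listed in section 6.5 (device authentication, encrypted storage, application allow and deny lists, detection of unauthorized configuration changes, remote wipe of lost devices) and the compliance-based automated responses described above for MTM can be expressed as a check run over a device inventory. The following is an added example written for this page, not code from the Cyber Centre or from any MDM or UEM product; the policy values, device records, configuration hashes and application identifiers are all constructed for illustration.

```python
# Added example: compliance check of a constructed MDM device inventory.
# Policy values, device records and application identifiers are made up.
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    NONE = "compliant, no action"
    NOTIFY = "notify user and administrator, set remediation deadline"
    QUARANTINE = "block enterprise access until remediated"
    LOCK_AND_WIPE = "remote lock, then remote wipe of enterprise data"

@dataclass
class Policy:
    min_os_version: dict[str, str]   # platform -> lowest accepted version
    min_passcode_length: int
    app_allow_list: set[str]         # approved application identifiers
    app_deny_list: set[str]          # applications assessed as too risky

@dataclass
class Device:
    device_id: str
    platform: str
    os_version: str
    storage_encrypted: bool
    passcode_length: int             # 0 means no passcode is set
    rooted_or_jailbroken: bool
    vpn_enforced: bool
    installed_apps: list[str]
    baseline_config_hash: str        # configuration hash recorded at enrollment
    current_config_hash: str         # configuration hash from the latest check-in
    reported_lost: bool = False

def parse_version(text: str) -> tuple[int, ...]:
    """'17.4.1' -> (17, 4, 1); tuples compare component by component."""
    return tuple(int(part) for part in text.split("."))

def evaluate(device: Device, policy: Policy) -> list[tuple[str, int]]:
    """Return (finding code, severity) pairs; severity 3 = high, 2 = medium."""
    findings = []
    if device.rooted_or_jailbroken:          # modified device, platform controls bypassed
        findings.append(("ROOTED", 3))
    if not device.storage_encrypted:         # data at rest must be encrypted
        findings.append(("STORAGE_UNENCRYPTED", 3))
    if device.passcode_length == 0:          # device authentication is required
        findings.append(("NO_PASSCODE", 3))
    elif device.passcode_length < policy.min_passcode_length:
        findings.append(("WEAK_PASSCODE", 2))
    minimum = policy.min_os_version.get(device.platform)
    if minimum is None:                      # platform not covered by the policy at all
        findings.append(("UNSUPPORTED_PLATFORM", 3))
    elif parse_version(device.os_version) < parse_version(minimum):
        findings.append(("OS_OUTDATED", 2))  # patch level below the minimum
    for app in device.installed_apps:        # deny list takes precedence over allow list
        if app in policy.app_deny_list:
            findings.append(("APP_DENIED", 3))
        elif app not in policy.app_allow_list:
            findings.append(("APP_NOT_ALLOWED", 2))
    if device.current_config_hash != device.baseline_config_hash:
        findings.append(("CONFIG_DRIFT", 3))  # unauthorized configuration change
    if not device.vpn_enforced:              # enterprise traffic must use the VPN
        findings.append(("VPN_NOT_ENFORCED", 2))
    return findings

def decide_action(device: Device, findings: list[tuple[str, int]]) -> Action:
    """Map the worst finding to an automated response."""
    if device.reported_lost:                 # lost or stolen: wipe regardless of state
        return Action.LOCK_AND_WIPE
    worst = max((severity for _, severity in findings), default=0)
    if worst >= 3:
        return Action.QUARANTINE
    if worst == 2:
        return Action.NOTIFY
    return Action.NONE

def triage(inventory: list[Device], policy: Policy) -> dict[str, tuple[Action, list[str]]]:
    """Evaluate every device; returns device_id -> (action, finding codes)."""
    result = {}
    for device in inventory:
        findings = evaluate(device, policy)
        result[device.device_id] = (decide_action(device, findings), [c for c, _ in findings])
    return result

# Constructed policy and inventory; version numbers are illustrative, not vendor minimums.
POLICY = Policy(
    min_os_version={"ios": "17.4", "android": "14.0"},
    min_passcode_length=6,
    app_allow_list={"com.example.mail", "com.example.vpn", "com.example.chat"},
    app_deny_list={"com.example.untrusted-store"},
)
INVENTORY = [
    Device("CORP-0001", "ios", "17.4.1", True, 6, False, True,
           ["com.example.mail", "com.example.vpn"], "h1", "h1"),
    Device("BYOD-0007", "android", "13.0", True, 6, False, False,
           ["com.example.mail", "com.example.social"], "h2", "h2"),
    Device("CORP-0002", "android", "14.0", True, 8, True, True,
           ["com.example.mail"], "h3", "h3-modified"),
    Device("CORP-0003", "ios", "17.4.1", True, 6, False, True,
           ["com.example.untrusted-store"], "h4", "h4", reported_lost=True),
]
```

Calling `triage(INVENTORY, POLICY)` yields no action for CORP-0001, a notification for the outdated BYOD device, quarantine for the rooted device with configuration drift, and lock-and-wipe for the device reported lost.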

7.3.5 Mobile expense management

Mobile expense management (MEM) allows organizations to track and control expenses across their entire mobility infrastructure. It also allows organizations to set limits for data and application usage.

7.3.6 Containerization

Containerization is a data segregation solution for devices that store both work and personal data such as BYOD and COPE. It isolates your organization’s data from everything else on the device, in separate encrypted containers.

8 Cyber Centre’s mobility suite

To help mitigate the threats posed by mobile devices, the Cyber Centre has created a suite of mobile security publications that can help organizations significantly reduce their threat surface with respect to mobile devices. In addition to the publications mentioned earlier in this publication, the following resources may also be of value to your organization:

Summary

Mobile devices are convenient, flexible and allow employees to work anywhere and at any time. However, their complex design and enhanced functionality can pose a threat to your organization’s information, assets and networks. Since mobile devices can contain, or provide access to, vast amounts of sensitive corporate and personal information, they are attractive targets that can provide unique opportunities for threat actors intent on gathering information.

The threats posed by mobile device use are numerous and must be clearly understood and mitigated to protect the confidentiality, availability and integrity of your organization’s information. Enterprise mobility should use commercially available protections and compensate for device limitations within the overall enterprise mobility architecture, leverage the organization’s risk-management framework, and develop security policies specifically for mobile devices.

Where necessary, you can further harden commercial mobile devices to improve integrity and reduce risks. Your organization should conduct a threat and risk assessment to determine the security controls for its enterprise mobility solutions. Security controls need to be implemented and verified for the organization’s complete information system, from mobile devices to the network services that support business processes and information assets.

The Cyber Centre encourages organizations with more mature IT infrastructures and business processes to implement a mobility management solution that enables enhanced business and security features, as well as improved capabilities to secure, manage, audit and support mobile devices in the workplace.

Effective date

This publication takes effect on May 4, 2026.

This is an unclassified publication issued under the authority of the Head of the Cyber Centre.

This document supersedes:

  • Securing the enterprise for mobility (ITSM.80.001), July 2016
  • Mobile device management (MDM) solutions - guidance for the Government of Canada (ITSB-64), July 2013
  • Mobile security - Securing the Government of Canada (ITSE.80.001), June 2016

Revision history

  1. First release: July 2016
  2. Second release: May 2026