Alternate format: Security considerations for mobile device deployments (ITSAP.70.002) (PDF, 732 KB)
When selecting an approach to deploy mobile devices in your organization, you can choose from different deployment models, each of which comes with its own benefits and risks. With mobile devices, managing risk depends partly on employee cooperation (i.e. willingness to allow use restrictions, monitoring, and security access by the organization) and partly on the inherent risks and vulnerabilities in the types of devices included. To select a deployment model that best balances these elements for your organization, consider user experience, privacy, and security requirements.
Corporately owned, business only (COBO): Your organization owns the device, and it can only be used for business purposes.
Corporately owned, personally enabled (COPE): Your organization owns, controls, and monitors the devices. With this model, your organization can enforce stricter security policies. Employees can use their devices for personal purposes, and you might let them choose the type of device used.
Bring your own device (BYOD): Employees use their own devices for business purposes, and you may choose to cover some of the costs associated with the devices. However, because your organization does not own the device, it has little control over the security controls implemented on the device.
Benefits and risks
There are benefits and risks associated with each of these different deployment models. The two tables below list some examples of benefits and risks to consider and whether they apply (✔) or don’t apply (x) to the deployment model.
However, these benefits and risks may vary based on your organization’s security needs and requirements, as well as your users. When considering the benefits and risks of a deployment model, you should also consider which deployment model will enable your organization to balance functionality, user experience, and security.
|Examples of benefits||COBO||COPE||BYOD|
|Improve workplace satisfaction||✔ apply||✔ apply||✔ apply|
|Promote job efficiency and flexibility (e.g. remote work)||✔ apply||✔ apply||✔ apply|
|Offer device for business and personal use||x don't apply||✔ apply||✔ apply|
|Decrease hardware costs||x don't apply||x don't apply||✔ apply|
|Control device updates||✔ apply||✔ apply||x don't apply|
|Providing the option to work remotely||✔ apply||✔ apply||✔ apply|
|Examples of risks||COBO||COPE||BYOD|
|Lack management control (e.g. little control over software updates and downloads)||x don't apply||x don't apply||✔ apply|
|Download malicious applications (e.g. hackers gaining access to corporate data)||✔ apply||✔ apply||✔ apply|
|Use devices insecurely (e.g. access information on public Wi-Fi or letting other people use the device)||✔ apply||✔ apply||✔ apply|
|Tamper with security features (e.g. jailbreaking a device might unlock configuration restrictions)||x don't apply||x don't apply||✔ apply|
|Lose data (e.g. mixing personal and business data can open opportunity for content leakage)||x don't apply||✔ apply||✔ apply|
There are many ways to reduce the risks that mobile devices introduce to your organization. Some deployment models allow more room for mitigations than other models.
Most risks for BYOD are uncontrollable because the device is personally owned. With corporately owned devices, you can better manage the risks. In a COBO model, the device is used solely for business purposes, and your organization has complete control over the data on the device and the security policies used. A COPE model offers some of the positives of both BYOD and COBO models; employees can use devices for personal use, but your organization controls the security measures implemented.
The table below lists example mitigations and which deployment model they apply to (✔) or don’t apply to (x don't apply).
|Examples of risk mitigation||COBO||COPE||BYOD|
|Enforce the use of strong passwords and authentication mechanisms for devices||✔ apply||✔ apply||x don't apply|
|Ensure security controls are established (e.g. unified endpoint management [UEM])||✔ apply||✔ apply||x don't apply|
|Limit the information shared between devices||✔ apply||✔ apply||x don't apply|
|Offer IT support for devices||✔ apply||✔ apply||x don't apply|
|Use software developed or specifically associated by the organization||✔ apply||✔ apply||x don't apply|
|Access work-related applications using the corporate network infrastructure||✔ apply||✔ apply||✔ apply|
|Establish an employee exit plan (i.e. devices and data are managed when an employee leaves)||✔ apply||✔ apply||x don't apply|
Unified endpoint management (UEM)
Your organization can use UEM to maintain the security of mobile devices. If you support BYOD, you can use UEM, but your ability to manage the devices is minimal because the devices are owned by the employees. In a COPE or COBO model, you can use UEM because you maintain full control of monitoring and securing the devices.
UEM is a strategy to distribute, manage, and control endpoint devices (e.g. desktop and mobile) in the workplace. UEM combines features from mobile device management and enterprise mobility management processes to address security concerns related to managing corporate data while increasing connectivity and productivity. UEM includes features that help keep company information and employee data secure:
- Monitoring devices consistently (e.g. in-office or remotely)
- Separating application platforms (e.g. sandboxing)
- Enforcing strong authentication credentials (e.g. using different keys between personal devices and desktops)
- Incorporating email and messaging services
- Configuring devices for set-up and enrollment
- Encrypting data at rest and in transit
- Performing remote tracking, locking, and wiping
- Detecting jailbroken or rooted devices
- Updating security patches and anti-malware software automatically
- Whitelisting and blacklisting applications
Considerations for your organization
Your organization should choose the deployment model that best suits business needs through considering the following:
- Level of control needed depending on the sensitivity of the data being handled.
- Budget available for specific deployment models (e.g. hardware supply, IT support).
- Best balance between business and personal life.
It is important that your organization trains employees on best privacy and security practices to ensure safe use with the deployment model your organization uses.