Securing Mobile Solutions (Domain 4)
In today’s connected world, mobile devices are essential tools for work, communication, and productivity. But with convenience comes risk. As mobile phones, tablets, and laptops become more tightly integrated into business operations, they also become tempting targets for attackers. Mobile devices move between networks, store sensitive information, and run applications that may not be subject to the same scrutiny as traditional software. That makes securing mobile solutions a critical component of any modern cybersecurity strategy. In this episode, we’ll examine mobile device management and explore different deployment models that balance security, usability, and control.
Let’s begin with mobile device management. Mobile device management refers to the centralized administration of mobile endpoints such as smartphones and tablets. Using mobile device management software, organizations can enforce security policies, configure devices, and monitor compliance—all from a single platform. This centralized control is vital when you have a large number of mobile devices connecting to corporate resources. Without it, each device becomes a separate risk that must be manually configured and maintained.
Mobile device management allows administrators to apply consistent security settings across all managed devices. These settings can include enforcing password complexity, requiring encryption, disabling cameras or Bluetooth, and preventing installation of unauthorized apps. Administrators can also remotely lock or wipe devices that are lost, stolen, or compromised. This capability is essential for preventing data loss in the event of a physical breach or insider threat. In some cases, mobile device management systems can also isolate work data from personal data, allowing organizations to protect what matters without invading employee privacy.
An example of effective mobile device management is a healthcare organization that issues tablets to clinicians. These tablets are managed using mobile device management software that enforces full-disk encryption, ensures that only approved applications are installed, and requires multifactor authentication before accessing patient records. If a tablet is reported lost, the administrator can immediately wipe its contents and revoke network access. In this scenario, mobile device management helps protect patient confidentiality and ensures compliance with regulatory requirements.
Another real-world example involves a retail company with a mobile sales force. Employees use smartphones to access inventory systems, place orders, and communicate with headquarters. Using mobile device management, the company configures all devices to connect only through a virtual private network, blocks the use of unapproved social media apps, and enables geofencing to restrict functionality outside designated sales regions. These controls allow the company to support mobility while maintaining visibility and control over its mobile environment.
Now let’s shift to deployment models. These models define who owns the mobile device and how it is managed. The first model is bring your own device. In a bring your own device model, employees use their personal devices to access work resources. This model offers cost savings for the organization and convenience for the user. However, it also introduces significant security risks. Personal devices may not meet security standards, may be shared with family members, or may run outdated software. If the device is lost or infected with malware, sensitive company data could be exposed.
To manage these risks, organizations often apply mobile device management solutions that focus on containerization. This means separating work-related apps and data from the rest of the device. The organization can monitor and control the work container without interfering with the personal side of the phone or tablet. In some cases, the organization may require the user to agree to policies such as installing mobile device management software, using screen locks, and reporting lost or stolen devices promptly. Some users may resist these controls, so it’s important to clearly explain what the organization can and cannot access.
The second model is corporate-owned, personally enabled. In this model, the organization provides the mobile device but allows the employee to use it for personal tasks as well. This strikes a balance between control and flexibility. Since the device is owned by the company, administrators can enforce stricter security policies, including full control over what apps can be installed, how data is encrypted, and how updates are applied. At the same time, users can personalize the device within limits, making it more likely they will use it effectively.
Corporate-owned, personally enabled models offer clear advantages in environments where sensitive data is frequently accessed. For example, a financial institution may provide smartphones to its advisors, preloaded with secure messaging apps and digital portfolio tools. The devices are configured to block certain app stores, monitor for jailbreaking attempts, and restrict access based on geographic location. Because the company owns the device, it can reclaim or reset it when an employee leaves the organization, reducing the risk of data leakage.
Managing this model requires thoughtful policies that respect user privacy while preserving security. Some organizations use dual personas—essentially two separate profiles on the same device. The corporate profile is locked down, while the personal profile has limited access to resources. Regular audits and device health checks ensure that devices remain compliant. And because the organization controls the entire device, it can apply firmware updates and enforce baseline configurations without needing user permission.
The third model is choose your own device. In a choose your own device setup, the organization allows employees to select from a list of approved devices. The devices may be purchased by the company, by the user with a stipend, or through a shared ownership model. This approach gives users some choice in what device they carry, which can improve satisfaction and productivity. At the same time, it gives the organization more confidence that the selected devices support necessary security features.
Security considerations for the choose your own device model include ensuring that all approved devices support encryption, strong authentication, and remote management. Devices must be enrolled in a mobile device management system and configured to meet organizational standards before they can access company resources. Organizations may publish a list of compliant models and maintain separate configurations for different operating systems. If a device falls out of compliance—for example, if a user disables encryption or installs unauthorized apps—its access can be automatically revoked until the issue is resolved.
One example of a successful choose your own device implementation is a university that provides faculty and staff with a stipend to purchase a mobile device from an approved list. Devices must be enrolled in the campus mobile device management platform before they can access the university’s email, calendar, and file storage services. Each device is scanned for security compliance, and users receive automatic reminders to update software and renew their credentials. This approach gives faculty flexibility while maintaining control over data security.
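The compliance gate described above for choose your own device, sketched as an added example that is not part of the original episode or any vendor's MDM product. The baseline values, model names, app names, the minimum OS version check, and the functions evaluate and access_report are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
# Constructed per-OS baselines and approved-model list (all values hypothetical).
BASELINES = {
    "ios":     {"min_os": (17, 0), "approved_models": {"PhoneA", "TabletA"}},
    "android": {"min_os": (14, 0), "approved_models": {"PhoneB"}},
}
APPROVED_APPS = {"mail", "calendar", "files", "vpn"}

@dataclass
class Device:
    device_id: str
    os: str
    os_version: tuple
    model: str
    enrolled: bool
    encrypted: bool
    installed_apps: set = field(default_factory=set)

def evaluate(device):
    """Return (access_allowed, reasons); any finding revokes access until resolved."""
    baseline = BASELINES.get(device.os)
    if baseline is None:
        return False, [f"unsupported OS: {device.os}"]
    reasons = []
    if not device.enrolled:
        reasons.append("not enrolled in MDM")
    if device.model not in baseline["approved_models"]:
        reasons.append(f"model not on approved list: {device.model}")
    if device.os_version < baseline["min_os"]:
        reasons.append("OS below baseline version")
    if not device.encrypted:
        reasons.append("encryption disabled")
    unauthorized = sorted(device.installed_apps - APPROVED_APPS)
    if unauthorized:
        reasons.append("unauthorized apps: " + ", ".join(unauthorized))
    return (not reasons), reasons

# Constructed sample devices: one compliant, two that have fallen out of compliance.
FLEET = [
    Device("dev-001", "ios", (17, 2), "TabletA", True, True, {"mail", "files"}),
    Device("dev-002", "android", (14, 0), "PhoneB", True, False, {"mail", "sideloaded-game"}),
    Device("dev-003", "android", (13, 5), "PhoneZ", False, True, {"mail"}),
]
def access_report(fleet):
    return {d.device_id: evaluate(d) for d in fleet}

if __name__ == "__main__":
    for dev_id, (allowed, reasons) in access_report(FLEET).items():
        print(dev_id, "ALLOW" if allowed else "REVOKE", "; ".join(reasons))
```

Because the decision is recomputed from current device state, access returns as soon as the listed findings are cleared, which matches the "revoked until the issue is resolved" behavior.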
To summarize, securing mobile solutions involves a mix of policy, technology, and user education. Mobile device management tools provide the foundation for centralized control and enforcement. Deployment models—such as bring your own device, corporate-owned personally enabled, and choose your own device—define how devices are selected, managed, and secured. Each model presents its own tradeoffs in terms of cost, control, user privacy, and security posture. Successful mobile security depends on clearly defined expectations, regular monitoring, and the ability to respond quickly to lost, stolen, or compromised devices.
When preparing for the Security+ exam, make sure you can compare and contrast these deployment models. You may be asked to identify which model is most appropriate in a given scenario or explain how mobile device management helps enforce security policies. Be familiar with terms like containerization, geofencing, and dual personas. And be ready to recognize common mobile threats—such as data leakage, lost devices, or unapproved applications—and know which controls can prevent or mitigate those risks.
