Manage mobile operating system updates with Intune 4 factors that should shape a BYOD mobile policy

COPE (corporate-owned, personally enabled)

What is COPE (Corporate-Owned, Personally Enabled)?

COPE (corporate-owned personally enabled) is a business model in which an organization provides its employees with mobile computing devicesand allows the employees to use them as if they were personally owned notebook computers, tablets or smartphones.

What are the benefits of COPE?

Because a corporation can often get IT products at wholesale or bulk prices, the COPE business model can be a cost-effective option for both the organization and the employee. Although the business technically owns the devices and is responsible for monthly usage costs, employees are free to use them off the job.

The COPE model can facilitate an organization's mobile device management (MDM) and mobile application management (MAM) initiatives and provide the organization with greater power to protect the organization's data both technically and legally. Because the organization owns the COPE devices and the line of service, it also has the power to select which vendors to work with and which device models and data plans to provide. Both the BYOD and COPE models reflect an ongoing trend toward more fluid boundaries between personal and work-related use of technologies.

COPE can also simplify technical support, since the organization is only supporting specific device types and operating systems. In contrast, users in a BYOD environment could be using almost any type of device. Another advantage of COPE is that the organization can mandate that devices run specific operating system versions and device configurations. This can go a long way toward helping to keep the devices secure and addressing any vulnerabilities.

What are common challenges of the COPE model?

One of the biggest challenges associated with the COPE model is that the organization is responsible for applying updates to the devices and supporting those devices. This may place an additional burden on the organization's IT staff. It also means the organization will need to invest in enterprise mobility management (EMM) software, if it has not already.

Another challenge associated with COPE adoption is that some users may prefer to continue using their personal devices. It can be difficult to support both COPE and BYOD at the same time. The helpdesk may lack the staffing resources to support both, or the EMM product might limit IT to using either BYOD or COPE but not both.

How does COPE compare to BYOD and other ownership models?

The COPE approach can be contrasted with both the BYOD model, in which employees purchase their own mobile devices and use them for work tasks, and the traditional IT provisioning model, in which organizations assign employees computing devices that remain permanently located in the workplace.

In the COPE model, the organization owns and provisions the devices before assigning them to the end user. As such, the organization is able to ensure the device is configured in a way that minimizes risks while also adhering to the organization's mobile device security policy.

Similarly, because the organization owns the device, work-related applications take priority. In a BYOD environment, it is relatively common for a user's device to contain so many personal applications and data that there isn't enough space left over to accommodate work-related applications. With the COPE model, however, work applications are installed first, leaving the user to make do with whatever storage is leftover on the device.

Some organizations also find the COPE model preferable to the BYOD model because it makes it far easier to enforce an acceptable use policy. Although most organizations do have an acceptable use policy for BYOD devices as well, those policies can be difficult to enforce considering the organization does not actually own the device. A COPE policy can help to reduce both legal risks and data security risks by limiting the types of applications users are allowed to install on devices. Some organizations will also limit the types of content users are allowed to access online.

How does a COPE policy work?

A COPE policy usually states that the organization will supply the end user with a device, pay for the mobile network service and support the device, while also making the device available to the user for personal use. However, the organization should make it clear to the end user that the device is primarily intended to support business operations, and business-related functions always come first.

As such, the organization determines how the device should be configured and what applications the device has installed. The organization may also limit the ways in which the user is allowed to use the device. For example, an organization might prohibit the use of certain applications that could prevent security risks.

Implementing a COPE policy

Implementing a COPE policy involves much more than just issuing devices to end users. One of the first steps in creating such a policy is to create an acceptable use policy for the end users. Even though users are allowed to perform personal tasks with the device, they should not have free reign over the device. IT administrators will likely need to put policies in place that prohibit users from changing configuration settings, removing software that has been put in place by the organization or accessing objectionable content.

Another thing IT administrators must do when creating a COPE policy is to define the terms of service for the device. In other words, IT will need to create a formal policy outlining what a user can realistically expect as they use the device. For example, if your policy is to run a remote wipe on devices that have been misplaced, users will need to know they may suffer data loss if they store personal data on the device.

A good COPE policy should also address the issue of technical support. Since the organization owns and configures the device, the IT department will presumably be responsible for supporting the device. Even so, it is important to set limits as to what the IT department will support. Otherwise, the help desk may start receiving support calls related to users' personal apps.

Finally, a COPE policy should address the issue of end-user privacy. End users who are using a COPE device to access their personal social media accounts, for example, may question whether the organization is spying on them. A well-written privacy policy serves to set end-user expectations, while also setting boundaries for the organization as well.

This was last updated in May 2021

Continue Reading About COPE (corporate-owned, personally enabled)

Dig Deeper on Mobile management

Unified Communications