E-Handbook: Advances in enterprise mobile device security management Article 3 of 4

Ownership scenario should dictate mobile device policies

The policies organizations should deploy for BYOD devices are very different from those for kiosk devices. Learn how organizations should approach these policy decisions.

Enterprise mobile device policies are good measures in any situation, but in some cases the device ownership scenario should dictate the policies.

Organizations should allow their internal practices, company culture, regulations and mobile device use cases to shape their mobile device policies. Mobile device ownership and the allowance or prohibition of non-work use are baked into each of these factors.

Certain policies that work well for corporate-owned devices may not be well suited for BYOD and vice versa. Additionally, the privacy concerns of a kiosk-type device and a personally enabled device are vastly different.

Device ownership scenarios

Mobile devices fall into one of four categories when it comes to ownership and personal use.

These four categories -- BYOD, corporate-owned personally-enabled (COPE), corporate-owned business only (COBO) and corporate-owned single use (COSU), also known as kiosk devices -- each demand different approaches to mobile device policies.

BYOD devices

In a BYOD scenario, organizations have a large number of management decisions to make. Each decision must factor in user buy-in, perceived -- and real -- invasions of privacy and the potential security risks that users could cause with their non-work habits. IT must determine, for example, how much access to corporate resources users can have on their personal devices, which security configurations are reasonable to expect and which are too much, how to partition corporate data from users' personal data, and whether mobile admins can remotely access the devices and run commands such as a remote wipe.

Organizations should have some basic mobile device policies in place to ensure that workers' personal use of their mobile devices doesn't cause security incidents. IT professionals and executives should communicate this to their users when they explain the need for slightly intrusive policies, such as restricting third-party app stores, blacklisting certain sites and mandating that certain mobile apps are on the device.

In some sectors, it may be impossible to give BYOD devices access to sensitive data such as patient records for healthcare organizations or personally identifiable financial information for banks. For other organizations, however, BYOD may be a way to minimize hardware cost while empowering users to work on the go.

COPE devices

The COPE approach to enterprise mobile devices presents some of the same privacy concerns as BYOD, but the caveat is that organizations have much more control over the devices because they own them. Workers with COPE devices may be subject to more intrusive management practices such as device tracking and forced app and OS updates.

Additionally, many organizations that deploy COPE mobile devices have a choose your own device (CYOD) policy, which allows users to select devices from a preapproved corporate list of models. CYOD provides users with the flexibility to work with the devices they want while ensuring that the organization only deploys devices that it can effectively support and manage.  

COBO devices

A COBO deployment allows for straightforward mobile device policies with less concern about user privacy. This isn't because user privacy doesn't matter; it's more because these devices are exclusively for work purposes. Therefore, workers should only use the device for work purposes and any minor personal tasks, such as a quick Google search of a work-appropriate topic.

For the most part, workers with COBO devices will have personal mobile devices if they need mobile capabilities outside of work, and organizations must explicitly communicate to users that the mobile device they are issued is for business use only. Otherwise, users could take issue with the limits of the device and the potential for a full device audit.

IT professionals can fully manage these devices by forcing app updates, only allowing users to download preapproved apps, wiping and locking the device whenever needed, restricting the use of personal Apple and Google accounts, and blocking USB data transfers to unapproved host machines.

Kiosk or COSU devices

With kiosk -- also known as COSU -- devices, organizations can deploy highly restrictive mobile device policies. These devices will likely run only one or two applications for purposes such as point-of-sale and customer check-in and registration.

Enterprise kiosk devices shouldn't be a constant headache for IT; managing these devices should consist simply of the initial device configuration, pushing out updates and troubleshooting any issues that come up. During the initial configuration and device provisioning process, which IT should complete right out of the box, IT pros should determine which mobility management method they'll use to set the single-app or multi-app kiosk mode. IT can schedule updates for times when the kiosks will likely be out of use to minimize interruptions of work tasks.
