Know when to allow mobile device backup
Mobile devices enrolled in MDM platforms should only be backed up in certain situations. Here's a rundown of what IT should allow in COPE, BYOD and COBO scenarios.
It's not always clear whether IT should allow backups of devices that are enrolled in mobile device management.
It's easy to make a hard-and-fast rule about all devices, but the answer depends on a variety of factors, including how the devices are used and the expectations of users.
Here's a general guideline IT can follow to create corporate policies for mobile device backup.
Should IT allow mobile device backup for COBO scenarios?
Corporate-owned, business-only (COBO) devices, as well as dedicated or kiosk devices locked down to one or a few applications, should never be backed up. There is no reason to store corporate data on these devices permanently, and there is certainly no data on them that a user would legitimately want backed up to a personal account or device.
IT should block the use of personal Google and Apple accounts on these devices and disable cloud backups outright. IT should also prohibit USB file transfer on Android devices and, on supervised iOS devices, pairing with any host other than Apple Configurator. This is a standard best practice that prevents users from copying corporate data to a personally owned computer over a USB cable; note that the iOS pairing restriction only takes effect on supervised devices.
Should IT allow mobile device backup for COPE scenarios?
For corporate-owned, personally-enabled (COPE) devices, IT can typically enable backups -- particularly cloud backups -- but IT should continue to restrict the connection of these devices to untrusted endpoints, including personal computers.
The controls differ from those for dedicated devices, however. On iOS, IT should prevent managed apps from syncing or backing up their data to iCloud, and should prevent users from opening corporate documents in unmanaged apps, so that a permitted device backup never contains corporate data.
Modern Android Enterprise devices, which use the unified management APIs introduced with Android 5.0 Lollipop, keep corporate data in a work profile; in a COPE deployment that is a work profile on a fully managed device. Because the work profile is separate from the personal side, users cannot back up corporate data to a personal Google account by default. Combined with restrictions that stop users from sharing work data with personal applications, this helps prevent data leakage.
IT should treat legacy Android devices, including those that still use the soon-deprecated Device Administration API, with caution. IT could use a container from an enterprise mobility management (EMM) tool, such as MobileIron AppConnect or VMware AirWatch Container, with these devices. Otherwise, corporate data could find its way into a cloud backup and become available to restore onto an unmanaged device. For that reason, IT should prevent backups on these devices whenever possible, and should question why Android Enterprise isn't in place.
Should IT allow mobile device backup for BYOD scenarios?
IT shouldn't handle backups for COPE and BYOD iOS devices too differently. IT should keep in mind, however, that heavy restrictions likely won't be well-received by end users because these are personal, noncorporate devices.
Organizations shouldn't prevent users from connecting these devices to personal computers via cable, either. The same applies to legacy Android devices.
For Android Enterprise deployments in which only a work profile is deployed to an otherwise unmanaged device, the organization has no control over the personal side of the device (the parent profile). IT therefore cannot prevent the user from backing up the personal profile when personal use is permitted, and should not try.
In these cases, the user installs the EMM agent from Google Play after device setup, rather than the device being provisioned from new as fully managed. Within the work profile, the backup service is disabled by default, and IT can additionally restrict account management so users can't add personal Google accounts to the profile. IT should keep these settings in place to prevent data leakage.
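The three scenarios above boil down to a small set of iOS restriction keys that are either required, optional or forbidden depending on who owns the device. The following script is an added example, not part of the original article or any MDM vendor's tooling: it parses an exported iOS configuration profile (a .mobileconfig plist) and audits its com.apple.applicationaccess payload against the policy for COBO, COPE or BYOD. The expected values are an assumption drawn from the guidance above; the sample profile is constructed, and the payload identifiers and UUIDs in it are placeholders. The equivalent Android controls (user restrictions and the backup service set by the DPC) are not shown.

```python
"""Audit an iOS restrictions profile against the backup policy for a
device ownership model (COBO, COPE or BYOD). Added example, not vendor code."""
import plistlib

# Restriction keys from Apple's com.apple.applicationaccess payload.
# False = restricted, True = must be left allowed. Keys absent for a model
# are left to local policy. This mapping is an assumption based on the
# article's guidance, not an Apple-published baseline.
POLICY = {
    "COBO": {
        "allowCloudBackup": False,             # no iCloud device backup
        "allowHostPairing": False,             # supervised: Configurator hosts only
        "allowManagedAppsCloudSync": False,    # managed apps stay out of iCloud
        "allowOpenFromManagedToUnmanaged": False,
        "allowAccountModification": False,     # supervised: no personal accounts
    },
    "COPE": {
        "allowCloudBackup": True,              # personal backup is permitted
        "allowHostPairing": False,             # still no untrusted computers
        "allowManagedAppsCloudSync": False,
        "allowOpenFromManagedToUnmanaged": False,
    },
    "BYOD": {
        "allowCloudBackup": True,
        "allowHostPairing": True,              # do not block the user's own PC
        "allowManagedAppsCloudSync": False,
        "allowOpenFromManagedToUnmanaged": False,
    },
}


def restriction_payloads(profile):
    """Yield every restrictions payload inside a configuration profile."""
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            yield payload


def audit(profile_bytes, model):
    """Return a sorted list of policy findings for the given ownership model.

    An absent key means Apple's default (allowed), so it is only a finding
    when the model requires the restriction to be set.
    """
    profile = plistlib.loads(profile_bytes)
    expected = POLICY[model]
    effective = {}
    for payload in restriction_payloads(profile):
        effective.update({k: payload[k] for k in expected if k in payload})

    findings = []
    for key, want in expected.items():
        have = effective.get(key)
        if have is None:
            if want is False:
                findings.append(
                    f"{key} not set (default allows; {model} requires restriction)")
        elif have != want:
            verb = "must be restricted" if want is False else "must not be restricted"
            findings.append(f"{key}={have} ({model}: {verb})")
    return sorted(findings)


# Constructed sample: a COPE-style profile that forgot to keep managed apps
# out of iCloud. Identifiers and UUIDs are placeholders.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.cope-restrictions",
    "PayloadUUID": "5F3D2C6E-0000-4000-8000-000000000001",
    "PayloadVersion": 1,
    "PayloadContent": [{
        "PayloadType": "com.apple.applicationaccess",
        "PayloadIdentifier": "com.example.cope-restrictions.access",
        "PayloadUUID": "5F3D2C6E-0000-4000-8000-000000000002",
        "PayloadVersion": 1,
        "allowCloudBackup": True,
        "allowHostPairing": False,
        "allowOpenFromManagedToUnmanaged": False,
        # allowManagedAppsCloudSync is missing: managed apps may sync to iCloud
    }],
})

if __name__ == "__main__":
    for model in POLICY:
        print(model, audit(SAMPLE_PROFILE, model) or ["compliant"])
```

Run against the sample, the COPE audit reports only the missing allowManagedAppsCloudSync restriction, the COBO audit additionally flags that cloud backup and account modification are still allowed, and the BYOD audit flags the host-pairing restriction as over-restrictive for a personal device. Point it at a real exported profile by replacing SAMPLE_PROFILE with the file's bytes.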