Organizations with any mobile devices in their environment SHALL have an established Mobility Management Strategy that is strictly adhered to.
Once upon a time, business networks were made up of large desktop computers physically connected to an office LAN and used by employees strictly within the business facility. Over the past decade, there has been a rapidly accelerating move towards business networks using mobile devices, usually laptops or surface tablets, rather than anchored desktop systems. The COVID-19 pandemic and the associated adoption of remote working methods helped accelerate this move. Many businesses have implemented hybrid mobile/desktop setups where employees are given a company laptop, a docking station, monitors, and peripherals. This allows employees to work from a comfortable desktop setting on-premises and then simply unplug their laptop to take it home.
Managing mobile devices can be more complex than managing desktop systems. Since laptops are taken on the road and can be used in unsecured locations and on unsecured networks, businesses take on an increased level of risk by using them. Businesses also need to decide how mobile devices will be organized under company network management. Traditional workstations and Active Directory domains can't keep their grip on endpoints when they leave the local network. Many businesses have embraced a bring your own device (BYOD) strategy for their workplaces. This allows employees to use their own personal devices on-premises for daily workflows. Businesses that do so still need a method of asserting some governance over employees' personal devices. If company data is used on devices outside the scope of organizational cybersecurity governance, there are opportunities for data leakage stemming from potentially unstable employee systems.
Besides BYOD, several other enterprise mobility management strategies may be embraced. Each one has its upsides and downsides, and may not be appropriate for every environment. Businesses that want to embrace a mobile device-centric network should carefully assess each strategy, preferably performing a risk assessment on each one. Once a strategy has been chosen, proper plans and procedures must be produced to facilitate a smooth adoption of the mobility management strategy.
- Bring Your Own Device (BYOD): This strategy allows employees to bring their personally owned devices and use them for company work. The employee is in charge of paying for the device and keeping it in good condition. They are also in charge of the underlying operating system. However, in this strategy, the organization will allow access to company resources only under conditions the organization finds acceptable. The organization may require employees to enroll the device in Mobile Device Management (MDM) and utilize a separate profile for work use. This strategy has the advantage of providing greater comfort and convenience for employees. However, a badly implemented BYOD solution can create security risks for the organization due to company data being mixed in with non-company devices. If a business decides to embrace BYOD, it needs to produce a corresponding strategy for keeping company resources under company IT governance.
- Corporate Owned Personally Enabled (COPE): This strategy involves the organization purchasing the devices, then providing them to employees to use in both workplace and personal capacities. Like BYOD, the organization will usually set standards for the device to ensure security. Employees have nearly free rein over the use of the device, but the organization can and will step in when a security or severe misconduct issue arises.
- Corporate Owned Business Only (COBO): This strategy involves devices issued by the organization to employees to be used for strictly business purposes. These devices can be taken home by employees, but policies will be in place to prevent any personal use. This approach grants employees the convenience of being able to take their devices on the move while also safeguarding sensitive company data.
- Choose Your Own Device (CYOD): This strategy involves the organization allowing employees to pick their own devices. This can be beneficial in environments where different jobs require varying levels of power. The organization may set a ceiling on device price to keep it within budget. When the devices arrive, the organization will usually combine them with any of the above strategies to dictate employee use.
