7 mobile device security best practices for businesses
Organizations can't deploy mobile devices without accounting for their security. IT admins should follow these seven best practices to manage mobile device and data security.
It's up to IT admins to enable employees to work from their mobile devices, but they must keep mobile security at the top of their list alongside the end-user experience.
Users are most productive when they have mobile access to their corporate resources, so enabling this access is a critical goal for most organizations -- but mobility is complex. It is not as simple as giving an end user a device and having them log into their preferred email client.
IT admins need to think about getting devices to a securely managed and productive state while ensuring the onboarding process is simple, minimally invasive and streamlined for end users. Further, they need to guarantee that users can perform all necessary productivity tasks in a secure environment.
Mobile administrators should follow these seven mobile device security best practices to ensure they meet these goals.
1. Manage mobile devices with an MDM
Any organization that gives access to corporate data on mobile devices should consider using mobile device management (MDM). MDM is an IT admin's first line of defense when it comes to securing mobile devices.
MDM's role is to provide the organization with the ability to enforce security compliance controls on devices (see Figure 1).
Some of the most common profile and compliance settings include the following:
- PIN code and device encryption.
- Certificate-based authentication.
- Email configuration.
- Wi-Fi configuration.
- Device feature permissions and restrictions.
- Blocklist and allowlist applications.
- Single sign-on.
- Enforcement and automation of iOS and Android updates.
- Data loss prevention (DLP) configurations.
- Jailbreak/root detection and remediation.
- Enterprise wipe and complete reset of devices over the air.
An MDM platform can manage various devices, including iOS, Android, Windows, macOS and even Chrome OS devices, in some cases. MDM is a flexible tool that gives admins many controls to ensure devices are secured and properly supported. Additionally, for business-only mobile devices, consider looking into Apple Business Manager and Android Enterprise programs. They integrate with the MDM to give organizations more privileges on a device to enforce higher-level security configurations, including advanced restrictions and settings controls, home screen layout, single app mode, multi-user and shared modes, and zero-touch enrollments.
2. Manage authentication and access
There are plenty of different approaches that IT admins can take to enable mobile authentication, including the following:
PIN code management
The PIN often serves as the password for a mobile device, preventing bad actors from gaining unauthorized access to it. For the safety and security of end users and the organization, organizations should enforce a PIN code policy. This policy could, for example, require a minimum of eight digits, reject simple codes such as 1234 and wipe the device after a set number of failed attempts. Because the MDM both pushes the setting and reports devices that do not meet it, it is the best place to implement this policy.
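As an added example that is not part of the original article, the following Python builds an Apple configuration profile carrying the eight-character passcode policy just described, and audits an exported profile for weak passcode settings. The payload keys follow Apple's passcode payload (com.apple.mobiledevice.passwordpolicy) as I recall them, so check them against Apple's current profile reference before relying on them; the organization name, identifiers and the deliberately weak profile are hypothetical.

```python
"""Added example (not from the article): build and audit an Apple passcode
configuration profile. Payload keys are Apple's passcode payload as I recall
them; ORG, IDENT and the weak profile are hypothetical."""
import plistlib
import uuid

ORG = "Example Corp"                   # hypothetical organization
IDENT = "com.example.mdm.passcode"     # hypothetical profile identifier
PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"


def passcode_payload(min_length=8, allow_simple=False, max_failed=10,
                     lock_after_min=5):
    """One passcode payload: mandatory, at least min_length characters,
    wipe after max_failed bad attempts, auto-lock after lock_after_min."""
    return {
        "PayloadType": PASSCODE_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{IDENT}.policy",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode policy",
        "forcePIN": True,               # a passcode must be set
        "allowSimple": allow_simple,    # False rejects 1111, 1234 and the like
        "minLength": min_length,
        "maxFailedAttempts": max_failed,
        "maxInactivity": lock_after_min,  # minutes of inactivity before lock
        "maxGracePeriod": 0,            # passcode required immediately on wake
    }


def build_profile(removable=False, **passcode_kwargs) -> bytes:
    """Wrap the payload in a top-level profile; returns .mobileconfig bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": IDENT,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{ORG} passcode policy",
        "PayloadOrganization": ORG,
        "PayloadRemovalDisallowed": not removable,
        "PayloadContent": [passcode_payload(**passcode_kwargs)],
    }
    return plistlib.dumps(profile)


def audit_passcode_policy(mobileconfig: bytes, min_length=8) -> list:
    """Return the weaknesses found in a profile; an empty list means it meets
    the policy. Useful for checking profiles exported from an MDM."""
    findings = []
    profile = plistlib.loads(mobileconfig)
    if not profile.get("PayloadRemovalDisallowed", False):
        findings.append("profile can be removed by the user")
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_TYPE]
    if not payloads:
        findings.append("no passcode payload present")
        return findings
    for p in payloads:
        if not p.get("forcePIN", False):
            findings.append("forcePIN not set: a passcode is optional")
        if p.get("allowSimple", True):
            findings.append("allowSimple permits trivial codes such as 1234")
        if p.get("minLength", 0) < min_length:
            findings.append(f"minLength {p.get('minLength', 0)} is below {min_length}")
        if "maxFailedAttempts" not in p:
            findings.append("no wipe after repeated failed attempts")
        if p.get("maxInactivity", 9999) > 5:
            findings.append("device may stay unlocked for more than 5 minutes")
    return findings


def weak_profile() -> bytes:
    """A deliberately weak profile (constructed) for the demo."""
    return build_profile(removable=True, min_length=4, allow_simple=True)


if __name__ == "__main__":
    print("hardened:", audit_passcode_policy(build_profile()) or "OK")
    for finding in audit_passcode_policy(weak_profile()):
        print("weak:", finding)
```

Run it directly to see the hardened profile pass and the weak one produce three findings; the audit function is the part worth keeping, because MDM consoles make it easy to save a profile with `allowSimple` left on or the removal lock left off.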
Multifactor authentication
Admins may do their best to ensure mobile device security, but once a device leaves the office building, it is susceptible to numerous attacks. An admin can't always control what network that device will connect to next or the risk conditions the device will enter. Multifactor authentication (MFA) provides more comprehensive security by confirming that the end user logging on is who they claim to be. It requires two or more authentication factors, such as a PIN or password, a one-time code from an authenticator app or hardware token, a code sent by SMS, or a biometric. SMS codes are the weakest of these because they can be phished or redirected through SIM swapping, so prefer app-based or hardware-backed factors where the organization can support them. An admin can then set parameters for when to require MFA based on the device's trust and risk conditions. MDM can also be the mechanism to push the requirement to devices, integrating the preferred MFA into the MDM enrollment workflow and allowing the MDM to serve as the central hub for all device security and enrollment configurations.
3. Enable data loss prevention policies
Users require numerous applications on their mobile devices to get their jobs done, so IT admins must ensure any corporate data is not copied and accessed in an unmanaged or untrusted application. Organizations can use app protection and DLP policies to prevent company data from being saved locally to the device. IT admins can also restrict data transfer -- or the "open in" option -- to other apps that are not approved or managed, limiting specific capabilities, such as copying and pasting (see Figure 2).
Platforms such as Microsoft Intune (formerly Microsoft Endpoint Manager) can even apply app protection policies to Microsoft apps without requiring admins to enroll devices in an MDM. For devices that are enrolled in an organization's MDM, the MDM is the mechanism to create and enforce these restrictions and ensure data loss protection.
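To make the "open in", copy-and-paste and save-as controls above concrete, here is an added Python example (not code from the article or from any MDM vendor) of the decisions an app protection policy makes on the device, run over a constructed log of transfer attempts under a weak policy and a hardened one. The policy fields mirror the kinds of settings the text names, but their names, the bundle IDs and the attempts are made up for this example and are not any product's API.

```python
"""Added example (not from the article): data-transfer decisions under an
app protection / DLP policy. Policy field names, app IDs and the attempt
log are constructed for this example."""
from dataclasses import dataclass

# Constructed managed-app set: only data leaving these apps is governed.
MANAGED_APPS = {
    "com.example.corp.mail",
    "com.example.corp.docs",
    "com.example.corp.crm",
}

# Weak policy: corporate data may flow anywhere (the effective state when no
# app protection policy is applied at all).
WEAK_POLICY = {
    "outbound_destinations": "allApps",      # allApps | managedApps | none
    "clipboard_sharing": "allApps",          # allApps | managedApps | blocked
    "save_as_blocked": False,
    "allowed_storage": {"corpCloudDrive", "localStorage", "photoLibrary"},
}

# Hardened policy: data stays inside the managed set and sanctioned storage.
HARDENED_POLICY = {
    "outbound_destinations": "managedApps",
    "clipboard_sharing": "managedApps",
    "save_as_blocked": True,                 # Save As blocked except to allowed_storage
    "allowed_storage": {"corpCloudDrive"},
}


@dataclass(frozen=True)
class Transfer:
    channel: str   # "open_in", "copy_paste" or "save_as"
    source: str    # app the data leaves
    target: str    # app or storage location it is sent to


def is_managed(app: str) -> bool:
    return app in MANAGED_APPS


def decide(policy: dict, t: Transfer) -> tuple:
    """Return (allowed, reason) for one transfer attempt."""
    if not is_managed(t.source):
        return True, "source is not a managed app; policy does not apply"
    if t.channel == "open_in":
        mode = policy["outbound_destinations"]
        if mode == "allApps" or (mode == "managedApps" and is_managed(t.target)):
            return True, f"open-in permitted (destinations={mode})"
        return False, f"open-in to {t.target} blocked (destinations={mode})"
    if t.channel == "copy_paste":
        level = policy["clipboard_sharing"]
        if level == "allApps" or (level == "managedApps" and is_managed(t.target)):
            return True, f"paste permitted (clipboard={level})"
        return False, f"paste into {t.target} blocked (clipboard={level})"
    if t.channel == "save_as":
        if not policy["save_as_blocked"] or t.target in policy["allowed_storage"]:
            return True, f"save to {t.target} permitted"
        return False, f"save to {t.target} blocked"
    raise ValueError(f"unknown channel {t.channel!r}")


# Constructed attempt log: what one user might try over a working day.
ATTEMPTS = [
    Transfer("open_in", "com.example.corp.mail", "com.example.personal.notes"),
    Transfer("copy_paste", "com.example.corp.docs", "com.example.corp.crm"),
    Transfer("copy_paste", "com.example.corp.docs", "com.example.personal.chat"),
    Transfer("save_as", "com.example.corp.docs", "photoLibrary"),
    Transfer("save_as", "com.example.corp.docs", "corpCloudDrive"),
    Transfer("open_in", "com.example.personal.chat", "com.example.corp.mail"),
]


def blocked_transfers(policy: dict, attempts=ATTEMPTS) -> list:
    """Return the attempts the policy blocks, each with its reason."""
    blocked = []
    for t in attempts:
        allowed, reason = decide(policy, t)
        if not allowed:
            blocked.append((t, reason))
    return blocked


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: {len(blocked_transfers(policy))} of {len(ATTEMPTS)} attempts blocked")
        for t, reason in blocked_transfers(policy):
            print(f"  {t.channel:10} {t.source} -> {t.target}: {reason}")
```

Note the asymmetry the last attempt shows: app protection policies govern data leaving managed apps, so personal-to-corporate flows are allowed under both policies. The weak policy blocks nothing; the hardened one blocks the open-in to a personal app, the paste into a personal app and the save to the photo library while still permitting the sanctioned cloud drive.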
4. Set corporate and BYOD remote lock, device wipe policies
What happens if an employee loses a device or leaves the company? Every business should develop a corporate-owned and BYOD policy for handling device loss and data wipes.
Under this type of policy, whenever a mobile device is lost or stolen, the organization can take actions to secure data, including a data wipe, reset or device lock.
This type of policy gets messy in BYOD environments; not every user likes the idea of allowing IT this type of control over their devices. However, both Google and Apple have addressed this issue with updates to their platforms. In iOS 13, Apple introduced User Enrollment, which significantly restricts what an MDM platform can do on a personal iPhone, including removing the ability to factory reset the device; the organization can still remove its own managed apps and data. For Android devices, Google's Android Enterprise work profile feature enables users to keep distinct work and personal apps and data. Each profile is entirely separate: the organization manages the work apps and data, while the end user's apps, data and usage remain untouched. This rules out invasive management tasks such as factory resets.
5. Keep BYOD and corporate devices updated
Keeping devices updated is not an easy task, but it is extremely important. Mobile devices are a growing target for malware and other attacks, and one of the best ways to fight against that is to ensure that all managed devices are fully up to date.
There are plenty of different approaches IT admins can take to keep devices updated in a timely manner. Asking users to install updates themselves is a simple approach but not always a successful one. One of the best ways to encourage end users to update is to enforce controls via the MDM. For devices enrolled with an MDM platform, an IT admin can schedule a mobile OS update for all users, ideally at a low-use time such as the middle of the night. On corporate-only devices, IT can take that a step further, and the MDM can schedule, download and auto-install the updates.
With BYOD environments, it can be a bit trickier. Mobile IT admins can schedule a prompt for the user to download and install the update, but it is still up to the end user to trigger the process. However, there are mechanisms IT admins can put in place via MDM; one such mechanism is a compliance policy. A compliance policy would allow an admin to create an "if this, then that" automation for devices.
An example of this would be a compliance policy that targets devices with a specific version of iOS. An admin can create an action that would send a notification to a user to update; then, after two days, if that device hasn't updated, an admin can take steps such as quarantine or removal of corporate email and access from the device. These restrictions would remain in place until the user updates the device OS.
These compliance policies help keep corporate data safe while also encouraging end users to stay up to date. While this example targeted iOS, the same types of policies can apply to Android devices.
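The "if this, then that" compliance policy described above, written out as an added Python example that is not code from the article (an MDM expresses the same rule as a built-in compliance policy rather than as code), and run over a constructed device inventory. The minimum versions, the device records, the run date and the two-day grace period are assumptions for this example.

```python
"""Added example (not from the article): OS-update compliance policy with a
grace period, evaluated over a constructed inventory. MIN_VERSION,
GRACE_DAYS, TODAY and INVENTORY are assumptions for the example."""
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional

MIN_VERSION = {"ios": "17.4", "android": "14"}   # assumed baselines
GRACE_DAYS = 2                                    # days between notify and quarantine


@dataclass(frozen=True)
class Device:
    device_id: str
    platform: str
    os_version: str
    noncompliant_since: Optional[date] = None   # date the user was first notified


def parse_version(version: str) -> tuple:
    """'17.4.1' -> (17, 4, 1). Tuple comparison orders versions correctly,
    so '17.10' sorts after '17.4' where a plain string compare would not."""
    return tuple(int(part) for part in version.split("."))


def is_outdated(d: Device) -> bool:
    minimum = MIN_VERSION.get(d.platform)
    if minimum is None:
        return False   # platform not covered by this policy
    return parse_version(d.os_version) < parse_version(minimum)


def evaluate(d: Device, today: date) -> tuple:
    """Return (action, updated_record) for one device. Actions:
    compliant, restore_access, notify, remind, quarantine."""
    if not is_outdated(d):
        if d.noncompliant_since is None:
            return "compliant", d
        # Device updated after being flagged: lift restrictions, clear the clock.
        return "restore_access", replace(d, noncompliant_since=None)
    if d.noncompliant_since is None:
        return "notify", replace(d, noncompliant_since=today)
    if (today - d.noncompliant_since).days < GRACE_DAYS:
        return "remind", d
    return "quarantine", d   # remove corporate email and access until updated


def run_policy(devices, today: date) -> dict:
    """Map device_id -> action for the whole inventory."""
    return {d.device_id: evaluate(d, today)[0] for d in devices}


# Constructed inventory as of the assumed run date.
TODAY = date(2024, 5, 10)
INVENTORY = [
    Device("A", "ios", "17.4.1"),                                        # current
    Device("B", "ios", "17.3"),                                          # first seen outdated today
    Device("C", "ios", "17.3", noncompliant_since=date(2024, 5, 9)),     # notified yesterday
    Device("D", "android", "13", noncompliant_since=date(2024, 5, 7)),  # grace period expired
    Device("E", "android", "14", noncompliant_since=date(2024, 5, 6)),  # updated after quarantine
    Device("F", "ios", "17.10"),                                         # version-compare edge case
]

if __name__ == "__main__":
    for device_id, action in run_policy(INVENTORY, TODAY).items():
        print(device_id, action)
```

Two details matter in practice and are easy to get wrong in a home-grown rule: versions must be compared numerically by component (device F is current, even though "17.10" is less than "17.4" as a string), and the policy must restore access once the device updates (device E), otherwise users who comply stay locked out.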
6. Monitor device compliance and automate with mobile threat defense
MDM is a management tool with device-level security controls, but it can lack the ability to detect and prevent attacks from malicious applications, networks and phishing. There has recently been an increase in phishing attacks against mobile devices.
Mobile devices, like desktops, are still endpoints, and IT needs to secure them. Mobile threat defense (MTD) platforms detect man-in-the-middle attacks over Wi-Fi, identify suspicious behavior on a device, and proactively search for malware, harmful applications and mobile phishing attacks. They can then remediate issues with various methods, including cutting the device's Wi-Fi or cellular connection to prevent further data leakage or working in tandem with an MDM to quarantine the device. At a high level, an MTD platform can perform these functions:
- Monitor a device's activity to detect cyberattacks in real time.
- Monitor device applications for suspicious behavior that may leak user data to untrusted sources.
- Monitor for OS vulnerabilities and kernel exploits.
- Monitor device networking activity for man-in-the-middle attacks, Secure Sockets Layer (SSL)/TLS stripping and attempts to intercept and decrypt TLS traffic.
Together, MTD and MDM platforms provide stronger security for mobile devices and users.
7. Keep your end users informed
IT admins can put as much technology as they want toward fixing a problem, but end users hold the keys to success. It is vital to train end users and keep them informed on current threats and vulnerabilities.
Helping end users understand the importance of updates -- and how they can affect corporate data -- should help them make the right decisions related to device security.
Editor's note: This article was originally published in 2021 and was updated in 2024 to improve the reader experience.
Michael Goad is a freelance writer and solutions architect with experience handling mobility in an enterprise setting.