Introduction
A mobile device is any portable device that can access and store your organisation’s data. These devices need to be secured – just like any other device that connects to your network.
Using mobile devices for work is increasingly common. Your staff may:
- use a laptop to work remotely, or
- travel regularly and work from their mobile phones.
This flexibility can benefit your staff and your organisation. But before allowing these devices to access your systems, there are some key security considerations to think about.
- Physical security – Mobile devices are easy to carry, which also means they’re easy to lose or steal.
- Network security – Mobile devices often connect to networks outside your control, like hotel or home Wi-Fi. These networks don’t provide your usual protections, such as web proxies or network monitoring. They may also expose sensitive data, as others are managing the routing equipment.
- Device security – If your organisation has a bring-your-own-device (BYOD) policy, you may not manage these devices directly. This means your staff are responsible for keeping software and apps updated, as well as managing what is installed on their devices.
Devices are more likely to be compromised when they're not patched, or when they allow any app or executable file to run.
What is mobile device management
Mobile device management is the process of securing, monitoring and managing mobile devices that access your organisation’s systems and data. It allows you to enforce security settings, install required software, and monitor compliance – whether the device is owned by the organisation or the staff member.
A mobile device management system helps ensure that only authorised, properly configured devices can access sensitive organisational information, supporting both security and operational needs.
How to implement mobile device management
Mobile devices may not be updated as regularly as other devices on your network. This is especially true for BYOD setups, where:
- staff are responsible for patching their own devices, or
- devices only receive updates when they connect to your organisation’s network or the internet.
More organisations are allowing staff to use their personal devices for work. If you do, it’s important to create a secure environment for those devices to operate in.
1. Know what devices are in use
Understand what devices are used in your organisation – and who owns them. Add all organisation-owned devices to your asset inventory.
If staff use personal devices, you need a BYOD policy. This should set out:
- what kinds of devices staff can use, and
- how they can use them while protecting your systems and information.
Your organisation should also have a mobile device policy. This helps staff:
- understand how to keep their devices secure, and
- follow clear guidelines for using them at work.
Staff may use a mix of devices, with different operating systems and software. It’s important to know what devices they have, so you can check if they’re compatible with your mobile device management systems.
If staff need mobile devices to do their jobs, your organisation may need to:
- review your current policies, and
- consider providing supported devices directly.
2. Understand how staff access your systems
Know how staff access your organisation’s systems and data from their authorised mobile devices. Common systems include:
- email,
- document storage,
- internet-facing platforms, and
- internal network systems.
Accessing these systems may require specific software, or the device may need to meet certain conditions. For example, to access:
- email on a mobile phone, staff may need to install a mobile device management app,
- internal network apps, they may need VPN software on their laptop,
- an internet-facing system, they may need to install a digital certificate on their device.
Knowing what’s needed for each system helps you support staff and keep your information secure.
3. Set up and manage a mobile device management system
Use a mobile device management system to monitor how mobile devices are used in your organisation. A well-configured mobile device management system can show you:
- what operating system the device runs and its version,
- the type of authentication used (like passwords, PINs, or fingerprints),
- whether device encryption is turned on,
- what software is installed, and
- what data is stored on the device – such as messages, photos, or browsing history.
A mobile device management system can also give your organisation some control over devices. For example, the system administrator may be able to:
- prevent staff from turning off security settings like PINs, or
- remotely wipe a device if it’s lost or stolen.
Make sure you:
- have clear processes for how to use the mobile device management system, and
- follow the principle of least privilege – only give access to people who need it.
If staff use personal devices for work, it must be clear what your mobile device management system can see and do. Using a personal device is a privacy and security trade-off – staff need to allow some access to protect the organisation’s information.
If staff don’t want to use their own devices, and their role requires one, your organisation should provide a work device instead.
Staff should also avoid accessing personal accounts on organisation-owned devices. These devices are monitored, and data about their use can be collected. To reduce privacy concerns, it’s best to keep personal and work activities on separate devices.
4. Update your incident and change processes
Review and update your processes so your team knows how to handle reports about mobile devices. These may include:
- lost or stolen devices,
- devices behaving unexpectedly, or showing signs of suspicious software or apps, and
- devices unable to access essential systems.
Your team should also be prepared for reports involving BYOD devices. These may include unfamiliar device models or operating systems.
System administrators need to know when it’s appropriate to take significant actions – such as locking or remotely wiping a device. These actions can disrupt a staff member’s ability to work, especially if the device is wiped by mistake and needs to be replaced or restored.
If your BYOD or mobile device policy changes, inform your staff. Using a personal device for work is an individual choice, and some staff may decide to stop using their own devices under the new policy.
How to measure success
For mobile device management to work effectively, your organisation needs to have the following in place.
- The ability to identify all mobile devices that can store or access organisational data. This includes both organisation-owned devices and personal devices used under a BYOD policy. All of these are considered ‘authorised mobile devices’.
- A central system to manage all authorised mobile devices. This lets you track security settings and installed software on each device.
- Rules and policies in the central system to control access to organisational systems and data. These rules should be based on the device’s security – such as its operating system or whether it uses a PIN to unlock.
- The right software installed on authorised devices to enable secure access. This could include VPNs or digital certificates.
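The rules described in this list can be written as a posture check over the attributes a mobile device management system reports. The following Python sketch is an added example, not part of the original guidance or of any particular product. The field names, minimum OS versions, software names and inventory records are assumptions constructed for illustration.

```python
# Posture rules for authorised mobile devices. Field names, version baselines
# and software names are assumptions for illustration.
MIN_OS = {"ios": (17, 4), "android": (14,), "windows": (10, 0, 22631)}
ALLOWED_AUTH = {"password", "pin", "biometric"}
# Software each system needs on the device (email, VPN and certificate cases).
REQUIRED_SOFTWARE = {
    "email": {"mdm-agent"},
    "internal-apps": {"mdm-agent", "vpn-client"},
    "internet-facing": {"mdm-agent", "client-certificate"},
}

def parse_version(text):
    """Turn '17.10.1' into (17, 10, 1) so 17.10 compares higher than 17.4."""
    return tuple(int(part) for part in text.strip().split("."))

def evaluate(device, system):
    """Return (allowed, reasons). Missing or unknown attributes fail closed."""
    reasons = []
    baseline = MIN_OS.get(str(device.get("os", "")).lower())
    if baseline is None:
        reasons.append("operating system not supported by policy")
    else:
        try:
            if parse_version(device["os_version"]) < baseline:
                reasons.append("operating system below minimum version")
        except (KeyError, ValueError, AttributeError):
            reasons.append("operating system version unknown")
    if device.get("auth") not in ALLOWED_AUTH:
        reasons.append("no screen lock (PIN, password or biometric)")
    if device.get("encrypted") is not True:
        reasons.append("device encryption not confirmed")
    missing = REQUIRED_SOFTWARE[system] - set(device.get("software") or [])
    reasons.extend("missing required software: " + name for name in sorted(missing))
    return (not reasons, reasons)

# Constructed inventory records (not real devices).
INVENTORY = [
    {"id": "org-laptop-01", "owner": "organisation", "os": "windows", "os_version": "10.0.22631",
     "auth": "password", "encrypted": True, "software": ["mdm-agent", "vpn-client"]},
    {"id": "byod-phone-07", "owner": "staff", "os": "iOS", "os_version": "17.10",
     "auth": "pin", "encrypted": True, "software": ["mdm-agent"]},
    {"id": "byod-phone-09", "owner": "staff", "os": "android", "os_version": "13",
     "auth": "none", "software": ["mdm-agent"]},
]

if __name__ == "__main__":
    for dev in INVENTORY:
        for system in ("email", "internal-apps"):
            print(dev["id"], system, evaluate(dev, system))
```

The check denies access whenever an attribute is missing or unrecognised, which matters for BYOD devices running unfamiliar operating systems or reporting incomplete data.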
Key takeaways
- Mobile device management helps you control which devices access your internal systems.
- Cloud-based systems are becoming more common. Because they can be accessed from anywhere on the internet – regardless of the device used – it’s important to put additional protections in place. If your organisation uses cloud-based systems, consider using extra security controls such as:
  - a centralised identity management system, and
  - multi-factor authentication.