The procurement and deployment of mobile devices often differ from traditional asset management of other IT systems. This is mainly a reflection of the consumer-centric nature of mobile devices. However, the market is now maturing for its B2B customers and a variety of different ownership models (COPE, BYOD, CYOD, for example) have been adopted. These models all sit somewhere on a spectrum from being entirely owned and controlled by the organization, to being owned and controlled by the employee. We will focus on a few of the most widely used models.


COPE

The majority of organizations have looked to replicate their traditional IT procurement – buy, provision and maintain ownership of the devices provided to their employees. This model is usually referred to as COPE (Corporate-Owned, Personally Enabled) and is popular among large enterprises.
According to the IDG Mobile Maturity Matrix 2018 survey, COPE device ownership models are more than twice as popular as BYOD. For a long time, issues occurred in attempting to use this model for mobile devices:

  • Consumer-centric purchasing – Manufacturers didn’t support business accounts so businesses weren’t able to buy in bulk directly from the manufacturer. Instead, they would need to purchase via their carrier or ask employees to buy directly from the store and reimburse them.
  • Clunky configuration – Devices were delivered shrink-wrapped and had to be manually configured, so admins would need to rely on employees to accept policies that are pushed to the device.
  • App store accounts required – Devices required an individual account (e.g. a Google account for Google Play, or an Apple ID for the App Store) to register the device and download any mandated applications, so again, admins would need to rely on users to log into individual accounts and take the necessary steps to set up work-critical applications.

Addressing the challenges of COPE

The above challenges for corporate-owned devices can be mitigated by using Apple’s Device Enrollment Program (DEP). Introduced in 2014, this allows businesses to purchase devices directly from Apple (or an authorized carrier) and for the devices to be shipped in a preconfigured manner.

A supported EMM solution is required for DEP to work, but when used correctly, no staging or provisioning is required: the enrollment profile and additional services are pushed to the device upon activation without any user interaction. When combined with Apple’s Volume Purchase Program (VPP), Apple IDs are not required to register the device or to install assigned apps. As an additional benefit, DEP enrollment can place devices in a “Supervised” state, which unlocks additional controls and restrictions should they be required.

An Android equivalent for DEP has yet to come about in practice. Android Enterprise (previously Android for Work) aims to offer flexible ownership models but has yet to see mass adoption. Android 8.0 introduced ‘zero-touch’ enrollment, but this feature is only available from specific vendors and not from Samsung. Samsung has developed its own DEP competitor in Knox Configure but, at the time of press of this whitepaper, very few organizations have deployed via Knox Configure. Knox Configure is also an additional charge, unlike DEP. Fragmentation of vendor, hardware, and OS continues to limit enterprise adoption of Android.

BYOD

Bring Your Own Device was originally popularized back in the days of BlackBerry usage. Employees were frustrated that their personal devices were easier to use and more powerful than their corporate-issued devices and asked their IT teams to extend email and other services to their own devices.

The initial release of iOS did not support Exchange email and Android devices often had to use a third-party email client (e.g. Touchdown) to utilize a secure container for email. Nowadays, BYOD is often a feasible solution for IT to consider and even if corporate-owned devices are issued, BYOD can still be used to complement this supply. However, it comes with its limitations.

  • Employee dependence – Employees may resist or reject any and all security controls. Even a 4-digit lock PIN may be seen as an overstep by some users. Organizations will do well to highlight BYOD access to its emails and assets as a privilege that can only be extended along with Enterprise-grade security.
  • Platform fragmentation – With no limit to the devices employees can choose to use in a BYOD model, there may be some that can not support the appropriate OS and Apps required for access to your organization’s email and assets. Not standardizing on platforms can complicate security patches and testing of new configurations and services.
  • Device retirement – retiring devices once an employee has left the organization can be difficult to manage in a BYOD model since the device isn’t physically handed back to IT. Employees may leave your organization without deprovisioning devices or may swap their SIM with a family member for example.
  • Liability – organizations can often be held liable for uncontrolled user behavior that leads to data leaks, illegal content being accessed and also the payment of bills including huge data overages.

CYOD

CYOD is a blended approach that requires employees to choose from a limited range of devices that can be supported by the organization. For example, a company may allow employees to use iPhones and BlackBerrys but not Android devices.

CYOD allows businesses to strike a balance by letting employees choose the device they are most comfortable with while being able to configure and provision the devices with the appropriate management and security tools.

A CYOD model can be implemented in a way that is closely aligned to COPE where the company provisions the device chosen by the employee, or closer to a BYOD model where the employee is encouraged to use their own personal device for work so long as it is in the approved list. Implementing a CYOD policy is a good way to deliver the benefits of a BYOD or COPE model while addressing the potential ramifications.


Provisioning recommendations

  • Fold a mobile device policy into your end-user IT policy and have this reviewed by your security team. Have all employees read, sign, and understand the policy and keep it updated on your intranet or applicable document store
  • Gate access to corporate email and assets only to those devices with appropriate mobile security controls
  • Where possible, use DEP to avoid costly staging and provisioning processes
  • Plan for device retirement by ensuring your EMM supports remote wipe
  • Record asset inventory and track spare and loaned devices where applicable
  • Require a minimum hardware level and OS version to limit vulnerability exposure
  • If a BYOD model is preferred, consider enforcing a list of device options that can support access to corporate resources
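The gating recommendations above (minimum OS version, approved device list, managed enrollment, remote-wipe on retirement) are the kind of thing an EMM conditional-access rule evaluates on every check-in. The following is an added example, not code from the original whitepaper or from any EMM vendor: a small compliance gate run over a constructed device inventory. The field names, the policy values and the sample devices are assumptions made for illustration. One detail worth seeing in code is version comparison: comparing OS versions as strings ranks "12.4.1" above "12.10", which silently passes an out-of-date device, so versions are compared as numeric tuples.

```python
from __future__ import annotations

from dataclasses import dataclass


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '12.4.1' into (12, 4, 1). Non-digit suffixes such as '8.0-beta'
    are ignored so that a build tag cannot make a version unparseable."""
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_at_least(actual: str, minimum: str) -> bool:
    """Numeric comparison with right-padding, so '13' >= '12.10' and
    '12.4.1' < '12.10' (a plain string compare gets the second one wrong)."""
    a, m = parse_version(actual), parse_version(minimum)
    width = max(len(a), len(m))
    return a + (0,) * (width - len(a)) >= m + (0,) * (width - len(m))


@dataclass(frozen=True)
class Policy:
    min_os: dict                 # platform -> minimum OS version string
    approved_models: frozenset   # empty set means any model (pure BYOD)
    require_supervised: bool     # DEP / zero-touch style managed enrollment expected
    max_checkin_days: int        # treat devices silent longer than this as lost


@dataclass(frozen=True)
class Device:
    device_id: str
    platform: str          # "ios" or "android" (hypothetical inventory field)
    model: str
    os_version: str
    supervised: bool
    passcode_set: bool
    encrypted: bool
    last_checkin_days: int
    user_active: bool      # False once HR marks the owner as having left


def evaluate(device: Device, policy: Policy) -> list[str]:
    """Return the list of reasons access should be denied; empty means compliant."""
    failures = []
    if not device.user_active:
        failures.append("retire: owner has left; issue remote wipe and unenroll")
    minimum = policy.min_os.get(device.platform)
    if minimum is None:
        failures.append(f"platform {device.platform} not supported")
    elif not version_at_least(device.os_version, minimum):
        failures.append(f"os_version {device.os_version} below minimum {minimum}")
    if policy.approved_models and device.model not in policy.approved_models:
        failures.append(f"model {device.model} not on approved list")
    if policy.require_supervised and not device.supervised:
        failures.append("not enrolled as supervised/managed")
    if not device.passcode_set:
        failures.append("no passcode set")
    if not device.encrypted:
        failures.append("storage not encrypted")
    if device.last_checkin_days > policy.max_checkin_days:
        failures.append(f"stale: last check-in {device.last_checkin_days} days ago")
    return failures


def gate(inventory: list[Device], policy: Policy) -> dict[str, list[str]]:
    """Evaluate a whole inventory; the result maps device id -> denial reasons."""
    return {d.device_id: evaluate(d, policy) for d in inventory}


# Constructed CYOD-style policy and inventory for illustration only.
CYOD_POLICY = Policy(
    min_os={"ios": "12.10", "android": "8.0"},
    approved_models=frozenset({"iPhone 8", "iPhone XR", "Pixel 3"}),
    require_supervised=True,
    max_checkin_days=14,
)

SAMPLE_INVENTORY = [
    Device("D-001", "ios", "iPhone XR", "12.10", True, True, True, 2, True),
    # String comparison would wrongly accept "12.4.1" >= "12.10"; this one must fail.
    Device("D-002", "ios", "iPhone 8", "12.4.1", True, True, True, 5, True),
    Device("D-003", "android", "Galaxy S8", "8.0", False, True, True, 40, True),
    Device("D-004", "ios", "iPhone XR", "13.0", True, True, True, 1, False),
]

if __name__ == "__main__":
    for device_id, reasons in gate(SAMPLE_INVENTORY, CYOD_POLICY).items():
        print(device_id, "ALLOW" if not reasons else "DENY: " + "; ".join(reasons))
```

The same `evaluate` function serves a BYOD policy by passing an empty `approved_models` set and `require_supervised=False`; the OS-minimum, passcode, encryption and stale-device checks still apply, which is the "privilege extended along with Enterprise-grade security" position the BYOD section argues for.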
