| Model | Description |
|---|---|
| BYOD | Bring Your Own Device — employee uses personal device to access org resources |
| COPE | Corporate-Owned, Personally Enabled — company-owned device that the employee may also use for personal purposes |
| CYOD | Choose Your Own Device — employee picks from a limited set of company-approved devices |

MDM (Mobile Device Management) — centralized management and monitoring platform for all mobile device security. Required at scale.

- Strong authentication + MFA
- Security patching and OS updates
- Device encryption
- Block jailbroken and rooted devices
- Containerization / sandboxing for corporate data
- Attribute-based or conditional access controls
- Generally more secure than public Wi-Fi
- Satellite cellular adds an additional layer
- Avoid public hotspots — use VPN if required
- Disable auto-connect to open networks
- Verify connections are to trusted networks only
- Disable when not in use
- Can be exploited via bluejacking, bluesnarfing, MITM attacks
- Range: 1–4 cm
- Used for payments and small data transfers
- Disable when not in use

| Protocol | Notes |
|---|---|
| PPTP | Legacy, weak encryption — avoid |
| SSTP | Windows-focused, uses port 443 (firewall-friendly) |
| L2TP/IPsec | Widely adopted, strong encryption |
| IKEv2 | Best for mobile — handles unstable connections, fast reconnects |

- Enforce screen lock / PIN policy
- Remote wipe capability
- Certificate-based device authentication
- App whitelist / blacklist enforcement
- VPN enforcement for corporate access
- Geofencing and location controls
- Jailbreak / root detection
- Separate corporate container from personal data