Mobile Device Security at Work — Module 4 (Premium)

Premium Theory + Real Example + 18-Question Quiz
Scope: iOS • Android • BYOD & COPE

1) Theory — Mobile is the new primary endpoint

Most business data now flows through phones and tablets: email, chat, approvals, files, authenticator prompts. Attackers follow the data — abusing weak screen locks, outdated OS versions, risky app permissions, malicious Wi-Fi, sideloaded apps, and SIM-swap/social engineering. Strong mobile security blends MDM/EMM controls, identity policy, and safe user behavior, without breaking productivity.

Key points (at a glance):
  • Ownership models: BYOD (user-owned), COPE (company-owned, personally enabled). Pick policy per risk.
  • Work/personal separation: Android Work Profile, iOS Managed Open-In & Managed Apps.
  • Baseline: screen lock + biometrics, device encryption, current OS/patch level, auto-lock, remote wipe.
  • Network safety: avoid open Wi-Fi; prefer cellular or per-app VPN; block unknown hotspots.
  • App governance: managed app store, restrict sideloading, review permissions, govern OAuth tokens.

1.1 Risk themes & attacker techniques

  • Smishing/Vishing: SMS or voice lures to steal MFA codes or trick finance actions.
  • Malicious profiles/APKs: sideloaded apps, rogue configuration profiles, root/jailbreak for persistence.
  • Wi-Fi traps: evil-twin hotspots, captive portals injecting malicious content.
  • Token theft: session/token sync across devices, consent to risky mobile apps.
  • Data bleed: copy/paste/share from corporate apps to personal space; uncontrolled backups.

1.2 Controls that actually reduce risk

  • MDM/EMM enrollment: enforce passcode, biometrics, encryption, OS version, and auto-lock.
  • Work containerization: Android Work Profile, iOS Managed Apps; block “open in” to personal apps.
  • Per-app VPN & DNS filtering: tunnel only corporate apps; block malicious domains.
  • App store control: managed Google Play/Apple Business Manager; block sideloading and unknown sources.
  • Clipboard & data controls: restrict copy/paste from managed to personal; disallow local backups.
  • Lost/stolen response: locate, remote lock, selective wipe (work data only) or full wipe if COPE.
  • Email profile policy: managed mail apps only; disable “add any account” on corporate devices.
  • Logging/alerts: MDM compliance signals into SIEM; alert on jailbreak/root, outdated OS, policy drift.

1.3 BYOD vs COPE — choosing the model

  1. BYOD: user-owned; deploy work container + selective wipe; privacy-respecting, lower cost, narrower control.
  2. COPE: company-owned; stronger controls, full wipe, tighter app and network policy; higher assurance.
  3. Decision: base on data sensitivity, regulatory scope, helpdesk capacity, and user expectations.

1.4 Practical baseline checklist

  • Require 8+ character passcode with biometrics; auto-lock ≤ 2 minutes.
  • OS current (major + security patches auto-update).
  • Encryption on (default on modern iOS/Android when passcode set).
  • Managed apps only for mail, files, chat; block personal mail clients from accessing work data.
  • No sideloading; unknown sources disabled; only approved stores.
  • Per-app VPN for corporate apps; block split-tunnel where required.
  • Disable developer options unless justified and time-bound.
  • Compliance gating: block corporate access if device is non-compliant.
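The checklist above, together with the "Logging/alerts" control in 1.2, can be expressed as a compliance-gating check over device posture records. The following is an added example, not code from this module or from any MDM product: the `Posture` record and its field names are hypothetical, the sample fleet is constructed, and the 60-day patch-age limit is an assumption (the checklist only says "OS current").

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

MIN_PASSCODE_LEN = 8        # checklist: 8+ character passcode
MAX_AUTOLOCK_SECONDS = 120  # checklist: auto-lock <= 2 minutes
MAX_PATCH_AGE_DAYS = 60     # assumption: the page only says "OS current"

@dataclass
class Posture:
    """Hypothetical normalised MDM record; field names are illustrative."""
    device_id: str
    passcode_length: int
    biometrics: bool
    autolock_seconds: int
    encrypted: bool
    last_patch: date
    rooted: bool = False
    unknown_sources: bool = False
    dev_options: bool = False
    dev_exception_until: Optional[date] = None  # dated exception for dev options

def evaluate(d: Posture, today: date):
    """Return (allow_access, findings) for one device against the baseline."""
    exception_ok = d.dev_exception_until is not None and today <= d.dev_exception_until
    checks = [
        (d.rooted, "root/jailbreak detected"),
        (d.passcode_length < MIN_PASSCODE_LEN, "passcode shorter than 8"),
        (not d.biometrics, "biometrics not enabled"),
        (d.autolock_seconds > MAX_AUTOLOCK_SECONDS, "auto-lock over 2 minutes"),
        (not d.encrypted, "encryption off"),
        ((today - d.last_patch).days > MAX_PATCH_AGE_DAYS, "security patch outdated"),
        (d.unknown_sources, "unknown sources enabled"),
        (d.dev_options and not exception_ok, "developer options without valid exception"),
    ]
    findings = [msg for failed, msg in checks if failed]
    return (not findings, findings)  # compliance gating: any finding blocks access

# Constructed sample fleet, not real device data.
TODAY = date(2024, 6, 1)
FLEET = [
    Posture("byod-001", 8, True, 60, True, date(2024, 5, 10)),
    Posture("cope-002", 4, True, 300, True, date(2024, 1, 5), unknown_sources=True),
    Posture("cope-003", 10, True, 120, True, date(2024, 5, 20),
            dev_options=True, dev_exception_until=date(2024, 5, 31)),
]

def report(fleet=FLEET, today=TODAY):
    """Map device_id -> (allow_access, findings), e.g. to forward to a SIEM."""
    return {d.device_id: evaluate(d, today) for d in fleet}
```

The third device shows why the developer-options exception must be time-bound: it is otherwise compliant, but its exception expired the day before evaluation, so access is blocked until the setting is turned off or the exception is renewed.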

1.5 Incident playbook (lost device / suspected compromise)

  1. Report immediately to IT/security; capture last-known location/time and networks used.
  2. Contain: revoke sessions/tokens; block device ID; disable mail sync; reset account credentials.
  3. Wipe: selective wipe for BYOD; full wipe for COPE or if risk is high.
  4. Scope: check audit logs for unusual access/sharing; rotate app secrets if needed.
  5. Replace & restore: re-enroll new device; restore only from known-good, managed backups.
  6. Improve: tighten the policy that caused the gap (e.g., allowlist apps, enforce per-app VPN).

2) Real-world example

Sales phone left in a taxi: The device was unlocked with a simple swipe pattern and synced corporate mail and files to a personal app. The finder accessed client pricing and forwarded proposals externally. The company contained it by revoking sessions, remotely wiping the mailbox profile, and moving to managed mail + containerized work apps with copy/paste restrictions and per-app VPN.

3) Assessment — 18 Professional Questions

Choose the best answer for each question. Answers and feedback appear after you submit.

1) Strongest way to separate work and personal data on Android?

2) On iOS, which control prevents moving work docs into personal apps?

3) Best network choice for sensitive approvals on the go?

4) Which setting should block corporate access if a phone is out of compliance?

5) Most appropriate wipe option for BYOD with managed work apps?

6) Which policy best prevents sideloaded malware?

7) A lost COPE device with client data — best first steps?

8) What’s the cleanest way to stop data bleed between work and personal apps?

9) Which signal should trigger investigation in MDM logs?

10) Best authentication setup for approving payments on mobile?

11) For BYOD, which approach best balances privacy and security?

12) Which control reduces exposure on hostile Wi-Fi the most?

13) You notice a new “device administrator” app with broad rights on Android. Action?

14) Which mail/app setup is preferred on managed devices?

15) What’s the minimum lock baseline for corporate access?

16) Which setting helps keep work traffic separate from personal browsing?

17) Which indicator suggests smishing rather than a legitimate bank text?

18) A contractor’s phone is non-compliant but needs access today. Best approach?

4) Finish

When you’re done, mark this module as completed to update your Premium Hub progress.
