Why mobile is a work surface now

MFA prompts, CEO fraud texts, and broken authenticator workflows all target phones. If a user grants OAuth consent to a malicious look-alike app, attackers may access Microsoft 365 or Google Workspace without stealing a password. Treat mobile as part of your security architecture, not a consumer sidebar.

Foundational controls

  • MDM enrollment: Use Microsoft Intune, Google endpoint management, or another approved MDM so you can require OS updates, block jailbroken devices, and remotely retire work profiles.
  • App sourcing: Require Google Play, Apple App Store, or managed enterprise catalogs. Discourage sideloading except for niche regulated tools reviewed by IT.
  • Least privilege: Separate the work profile from the personal one where the platform supports it; limit local copies of sensitive files on phones.
  • Offboarding: Revoke sessions, remove MDM profiles, and rotate app passwords when a device is lost or a contractor finishes.

Canadian privacy angle

MDM can read inventory and location depending on configuration. Document what you collect in an acceptable use and privacy notice so staff understand purpose limitation under PIPEDA and BC PIPA. Consult counsel for unionized or highly regulated workplaces.

Smishing: Train staff to slow down on texts claiming to be banks, parcel services, or “IT support.” Pair technical controls with short quarterly reminders tied to incidents you see in your own ticket queue.

Practical habit prompts for staff

  1. Update OS within two weeks of release unless IT specifies a tested delay.
  2. Use a password manager and do not reuse passwords across work and personal accounts.
  3. Report lost devices immediately; do not wait until Monday.
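
The foundational controls and the two-week update habit above can be expressed as a compliance check over device inventory. This is an added example, not Hexafusion's or any MDM vendor's code; the inventory fields, release dates, and the tested-delay exception are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

UPDATE_WINDOW = timedelta(days=14)  # "within two weeks of release"
APPROVED_SOURCES = {"google_play", "apple_app_store", "managed_catalog"}
# Constructed release calendar (not real release dates): platform -> [(version, released)]
RELEASES = {
    "ios": [((18, 0), date(2025, 1, 6)), ((18, 1), date(2025, 2, 3))],
    "android": [((15, 0), date(2025, 1, 13)), ((15, 1), date(2025, 2, 10))],
}
# Constructed IT exception: a tested delay replaces the default deadline for that release.
TESTED_DELAY = {("android", (15, 1)): date(2025, 3, 10)}

@dataclass
class Device:
    name: str
    platform: str
    os_version: tuple
    jailbroken: bool = False
    app_sources: set = field(default_factory=set)

def overdue_release(dev, today):
    """Return the oldest newer release whose update deadline has passed, else None."""
    for version, released in RELEASES.get(dev.platform, []):
        deadline = TESTED_DELAY.get((dev.platform, version), released + UPDATE_WINDOW)
        if version > dev.os_version and today > deadline:
            return version
    return None

def evaluate(dev, today):
    """Return a list of findings; an empty list means the device is compliant."""
    findings = []
    if dev.jailbroken:
        findings.append("jailbroken_or_rooted")
    for source in sorted(dev.app_sources - APPROVED_SOURCES):
        findings.append(f"unapproved_app_source:{source}")
    missed = overdue_release(dev, today)
    if missed is not None:
        findings.append("os_update_overdue:" + ".".join(map(str, missed)))
    return findings

# Constructed inventory, evaluated as of a fixed date so the result is reproducible.
TODAY = date(2025, 2, 24)
FLEET = [
    Device("phone-a", "ios", (18, 1), app_sources={"apple_app_store"}),
    Device("phone-b", "ios", (18, 0), app_sources={"apple_app_store"}),
    Device("phone-c", "android", (15, 0), app_sources={"google_play", "apk_download"}),
    Device("phone-d", "android", (15, 1), jailbroken=True),
]
REPORT = {dev.name: evaluate(dev, TODAY) for dev in FLEET}
```

phone-c is not flagged for its OS version because the constructed tested delay extends its deadline, which is the "unless IT specifies a tested delay" case from the habit list.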

Deploy MDM without frustrating users

Hexafusion enrols Windows, macOS, iOS, and Android into consistent compliance policies, stages pilot groups, and documents exceptions. Ask for a quote if your BYOD fleet has outgrown manual setup.
