Why mobile is a work surface now

Multi-factor authentication (MFA) prompts, text messages impersonating executives, and broken authenticator workflows all play out on phones. If a user grants permissions to a malicious look-alike app, attackers may access Microsoft 365 or Google Workspace without stealing a password. Treat mobile as part of your security architecture, not a consumer afterthought.

Foundational controls

  • Mobile Device Management (MDM) enrollment: Use Microsoft Intune, Google endpoint management, or another approved MDM platform so you can require OS updates, block jailbroken devices, and remotely wipe work profiles.
  • App sourcing: Require Google Play, Apple App Store, or managed enterprise catalogs. Discourage installing apps from outside the official store except for niche regulated tools reviewed by IT.
  • Least privilege: Separate the work profile from the personal one where the platform supports it; limit local copies of sensitive files on phones.
  • Offboarding: Revoke sessions, remove MDM profiles, and reset app passwords when a device is lost or a contractor finishes.

Canadian privacy angle

MDM can read inventory and location depending on configuration. Document what you collect in an acceptable use and privacy notice so staff understand purpose limitation under PIPEDA and BC PIPA. Consult legal counsel for unionized or highly regulated workplaces.

Smishing: Train staff to slow down on texts claiming to be banks, parcel services, or “IT support.” Pair technical controls with short quarterly reminders tied to real incidents from your own support tickets.

Practical habit prompts for staff

  1. Update OS within two weeks of release unless IT specifies a tested delay.
  2. Use a password manager and never reuse passwords across work and personal accounts.
  3. Report lost devices immediately; do not wait until Monday.

Roll out mobile device management without frustrating users

Hexafusion enrolls Windows, macOS, iOS, and Android into consistent compliance policies, stages pilot groups, and documents exceptions. Ask for a quote if your bring-your-own-device fleet has outgrown manual setup.
