Why mobile is a work surface now

Attackers reach phones through multi-factor authentication (MFA) push prompts, text messages impersonating executives, and poorly designed authenticator workflows. If a user grants permissions to a malicious look-alike app, attackers can reach Microsoft 365 or Google Workspace data without ever stealing a password. Treat mobile as part of your security architecture, not a consumer afterthought.

In a typical Vancouver SMB, employees check work email, approve MFA prompts, store customer photos, accept calendar invites, and review documents from the same handset they use for banking and personal social media. That single device touches more business data in an hour than a desktop did in a week ten years ago. The risk surface scales accordingly: a compromised phone is a compromised authentication factor, a compromised email account, and a compromised document vault all at once.

BYOD vs corporate-owned: the policy choice

Before any technical control is meaningful, the organisation has to choose a posture and document it. The three viable patterns for BC SMBs:

  • Corporate-owned, business-only (COBO). The company buys the device, locks it to a managed configuration, and prohibits personal use. Highest control. Best for regulated roles. Highest CAPEX and the most user resistance.
  • Corporate-owned, personally enabled (COPE). The company buys the device but permits limited personal apps. Mid control. Often chosen for executives and field staff.
  • Bring-your-own-device (BYOD). The employee owns the device, the company manages a work profile or app set. Lowest CAPEX. Most negotiation about privacy. The dominant pattern in Vancouver SMBs we onboard.

Whichever you pick, write it down in the employee handbook with explicit language about: what the company can see, what the company can wipe, what the employee owes back at termination, and what reimbursement (if any) the company provides for data plans and device wear. Vague policies generate disputes when devices need to be returned or wiped.

MAM vs MDM: pick the right tool for BYOD

The single most common misstep we see in Vancouver SMB BYOD rollouts is using full Mobile Device Management (MDM) when Mobile Application Management (MAM) would have been enough. The two are not interchangeable:

  • MDM (Mobile Device Management) enrolls the entire device under your control. You can require disk encryption, push configuration profiles, block side-loading, and remotely wipe the whole device. Appropriate for company-owned hardware and for regulated industries where the device is essentially a corporate asset. Inappropriate for most BYOD because it touches the user’s personal apps, photos, and call history.
  • MAM (Mobile Application Management) manages only the work apps and the data inside them. With Microsoft Intune App Protection Policies on iOS and Android, you can prevent copy-paste from Outlook into personal apps, require a separate PIN for the work app set, and wipe only the work data on termination without touching the user’s personal information. Appropriate for BYOD in the vast majority of cases.

The decision rule: if you are paying for the device, MDM. If the employee is paying for the device, MAM. Mixing the two by enrolling personal devices under full MDM creates legal exposure and erodes trust quickly. Document the choice and stick to it across the workforce.

Foundational controls (any platform)

  • Enrollment under the right management model. Microsoft Intune (for Microsoft 365 tenants), Google endpoint management (for Google Workspace tenants), or Jamf (Apple-heavy environments). Whatever you choose, enrol every work-active device. Devices outside the policy are gaps the threat actor will find.
  • App sourcing. Require Google Play, Apple App Store, or managed enterprise catalogues. Discourage installing apps from outside the official store except for niche regulated tools reviewed by IT. Side-loading on Android is the single largest source of malware infection in the SMB segment.
  • Least privilege. Separate work profile from personal where the platform supports it. Android Enterprise Work Profile and iOS User Enrolment both create cryptographic separation between work and personal containers. Use them.
  • OS update policy. Require iOS and Android updates within 14 days of release for general staff, 7 days for finance and admin roles, 3 days for executives. Older OS versions lack patches for publicly known CVEs and are over-represented in successful compromises.
  • Conditional access. In Microsoft 365, configure Conditional Access so the work mailbox can only open from a compliant device with a recent OS and an enabled screen lock. In Google Workspace, the equivalent is Context-Aware Access. Either one blocks the most common “auth from a stolen credential on an unmanaged device” attack pattern.
  • Offboarding. Revoke sessions, remove MDM or MAM profiles, and reset app passwords when a device is lost or a contractor finishes. Have the playbook documented and rehearsed. Most offboarding incidents we investigate stem from a forgotten step.
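The 14 / 7 / 3 day update tiers above only help if someone checks them. The following is an added example, not code from the original article or from any management console: it evaluates a constructed inventory export against the role tiers and reports which devices are past their deadline. The release table, device names and dates are invented placeholders.

```python
from datetime import date

# Maximum days a device may stay behind the newest OS release, by role: the
# 14 / 7 / 3 day tiers stated in the policy above. Unknown roles get the
# general tier (an assumption; a stricter default is equally defensible).
UPDATE_SLA_DAYS = {"general": 14, "finance": 7, "admin": 7, "executive": 3}

# Constructed release table: newest version and release date per platform.
# Versions and dates are invented placeholders, not real release data.
LATEST_RELEASE = {
    "ios": ("18.4", date(2026, 3, 1)),
    "android": ("16", date(2026, 3, 3)),
}

# Constructed inventory export in the shape a management console might give.
INVENTORY = [
    {"device": "ip-001", "user": "cfo",      "role": "executive", "platform": "ios",     "os": "18.3"},
    {"device": "ip-002", "user": "ar-clerk", "role": "finance",   "platform": "ios",     "os": "18.4"},
    {"device": "px-001", "user": "sales1",   "role": "general",   "platform": "android", "os": "15"},
    {"device": "px-002", "user": "admin1",   "role": "admin",     "platform": "android", "os": "15"},
]

def version_tuple(v):
    """'18.3.1' -> (18, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def overdue_devices(inventory, today, releases=LATEST_RELEASE, sla=UPDATE_SLA_DAYS):
    """Return (device, user, days_past_deadline) for every device still on an
    older OS after its role's update window has closed."""
    overdue = []
    for d in inventory:
        latest, released = releases[d["platform"]]
        if version_tuple(d["os"]) >= version_tuple(latest):
            continue                      # already on the newest release
        window = sla.get(d["role"], sla["general"])
        days_past = (today - released).days - window
        if days_past > 0:
            overdue.append((d["device"], d["user"], days_past))
    return overdue

if __name__ == "__main__":
    for device, user, days in overdue_devices(INVENTORY, date(2026, 3, 12)):
        print(f"{device} ({user}) is {days} day(s) past its update deadline")
```

Feed it the real inventory export and today's date on a scheduled job, and route the result to the ticket queue rather than a dashboard nobody opens.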

Canadian privacy angle

MDM can read inventory and location depending on configuration. MAM cannot read the personal side of the device by design. Document what you collect in an acceptable use and privacy notice so staff understand purpose limitation under PIPEDA and BC PIPA. Consult legal counsel for unionized or highly regulated workplaces.

Specifically for BC employers, the BC Office of the Information and Privacy Commissioner has published guidance on workplace device monitoring. Key takeaways: collection must be reasonable for the business purpose, employees must be notified what is collected, and the data must be retained no longer than necessary. Building these constraints into the technical configuration up front avoids retrofitting them under regulator pressure later.

Smishing

Train staff to slow down on texts claiming to be banks, parcel services, or “IT support.” Pair technical controls with short quarterly reminders tied to real incidents from your own support tickets. The most effective security training we deploy is a redacted version of an actual phishing attempt that landed in a colleague’s inbox last quarter.

The phishing-on-mobile pattern that catches everyone

Desktop phishing has been studied for two decades and most users have at least minimal pattern recognition (suspicious URL, mismatched display name, request for credentials). Mobile phishing breaks pattern recognition in three ways that the threat actors know:

  • Truncated URLs. Mobile browsers and mail apps hide the full URL behind a domain prefix. The user sees “microsoft.com…” and cannot easily see the “.evil-redirect.tk” suffix.
  • One-handed approval pressure. The Microsoft Authenticator prompt arrives as a tap-to-approve notification. The user is in a meeting or on the bus. They tap to dismiss the buzz. They have just approved an attacker login from across the country.
  • SMS-based MFA bypass. SMS one-time codes are forwarded by malicious apps, intercepted by SIM swap, or socially engineered out of carrier support. Replace SMS-based MFA with authenticator-app or FIDO2 hardware key wherever possible.

Defences that work: number matching on Microsoft Authenticator (turn it on in your tenant), Conditional Access that requires a compliant device for sensitive operations, and Risk-Based MFA that escalates challenges when the sign-in pattern is unusual.

Practical habit prompts for staff

  1. Update OS within two weeks of release unless IT specifies a tested delay.
  2. Use password managers and reject duplicate passwords across work and personal.
  3. Report lost devices immediately; do not wait until Monday.
  4. If an MFA approval prompt appears that you did not trigger, deny it and report to IT. Repeated push-spam is a known attack pattern called MFA fatigue.
  5. Treat any text message asking you to click a link as suspicious by default. Banks, carriers, and parcel services do not send links in unsolicited SMS to verify your account.
  6. If an app asks for permissions that do not match its purpose (a flashlight app requesting contacts, a calculator wanting location), do not grant. Uninstall and find a reputable replacement.
  7. For corporate-issued phones, do not jailbreak or root. The protections you bypass include the very ones the company relied on for compliance attestation.
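The MFA fatigue pattern described in the bus-ride scenario above and in habit 4 is detectable from the sign-in log. The block below is an added example, not code from the original article or from any identity provider: it runs over constructed sign-in events (field names and values are invented) and flags users with a burst of denied or unanswered push prompts, recording whether an approval followed the burst, which is the case to treat as a likely takeover.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events, reduced to the fields this check needs: user,
# timestamp, outcome of the push prompt, and source IP. All values are invented.
SIGNIN_LOG = [
    {"user": "alice", "time": "2026-03-09T08:00:12", "mfa_result": "denied",   "ip": "198.51.100.7"},
    {"user": "alice", "time": "2026-03-09T08:00:41", "mfa_result": "timeout",  "ip": "198.51.100.7"},
    {"user": "alice", "time": "2026-03-09T08:01:05", "mfa_result": "denied",   "ip": "198.51.100.7"},
    {"user": "alice", "time": "2026-03-09T08:01:30", "mfa_result": "timeout",  "ip": "198.51.100.7"},
    {"user": "alice", "time": "2026-03-09T08:02:14", "mfa_result": "approved", "ip": "198.51.100.7"},
    {"user": "bob",   "time": "2026-03-09T09:15:00", "mfa_result": "approved", "ip": "203.0.113.9"},
    {"user": "bob",   "time": "2026-03-09T13:40:00", "mfa_result": "denied",   "ip": "203.0.113.9"},
]

FATIGUE_THRESHOLD = 3                    # denied or unanswered prompts ...
FATIGUE_WINDOW = timedelta(minutes=10)   # ... within this much time

def detect_mfa_fatigue(events, threshold=FATIGUE_THRESHOLD, window=FATIGUE_WINDOW):
    """Return one alert per user who denied or ignored at least `threshold`
    push prompts inside `window`. The alert records whether an approval
    followed inside the same window: that burst is a likely account takeover,
    not a nuisance, and should go straight to incident response."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["mfa_result"], e["ip"]))
    alerts = {}
    for user, evs in sorted(by_user.items()):
        evs.sort()
        failures = [(t, ip) for t, r, ip in evs if r in ("denied", "timeout")]
        for i in range(len(failures) - threshold + 1):
            start = failures[i][0]
            end = start + window
            burst = [(t, ip) for t, ip in failures if start <= t <= end]
            if len(burst) < threshold:
                continue
            alerts[user] = {
                "burst_start": start.isoformat(),
                "prompts": len(burst),
                "source_ips": sorted({ip for _, ip in burst}),
                "approved_after_burst": any(r == "approved" and start < t <= end for t, r, _ in evs),
            }
            break                         # one alert per user is enough
    return alerts

if __name__ == "__main__":
    for user, alert in detect_mfa_fatigue(SIGNIN_LOG).items():
        print(user, alert)
```

Tune the threshold and window against your own sign-in volume, and pair the alert with the number-matching setting mentioned earlier, which removes the accidental-tap approval path entirely.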

Frequently asked questions

If we adopt BYOD, can we wipe an employee’s personal photos by mistake? With MAM (App Protection Policies), no. MAM wipes only the work app set. Personal photos, contacts, and apps are untouched. With full MDM enrolment on a personal device, yes, an admin error or policy misconfiguration could trigger a full device wipe. This is the strongest argument for MAM on BYOD.

What is the minimum spec phone we should require for work? An iOS device receiving current security updates (in 2026, iPhone 11 and newer) or an Android device that is current with quarterly Android Security Bulletins (Pixel 6 or newer, current Samsung Galaxy S or A series with confirmed Knox compliance). Older devices stop receiving security patches and become persistent risk regardless of how strict your MDM is.

How do we handle a lost or stolen device after hours? The playbook should include:

  1. The employee calls or texts the on-call IT number immediately.
  2. IT remote-wipes the work container via the management console (MAM-only or full device, depending on policy).
  3. The employee reports the loss to the carrier and, if relevant, the police.
  4. IT reviews sign-in logs for suspicious activity in the hours since the loss.
  5. The employee receives a replacement device or new credentials.

Rehearse this twice a year.

Should we permit personal Gmail or iCloud accounts on a work-managed device? Generally no on COBO, conditional on COPE, and irrelevant on BYOD (where personal accounts are obviously the employee’s right). The reason: shared accounts on corporate devices create data-leak channels that are hard to monitor. Where you allow personal accounts on managed devices, document it and enforce technical separation (work profile on Android, Managed Apple ID on iOS).

What is the legal status of an employer wiping a personal device? Under BC PIPA and PIPEDA, the employer needs a documented business reason and the employee’s informed consent to the policy. That consent has to be obtained at hire or at policy rollout, not retroactively at termination. The acceptable use and privacy notice referenced earlier is the consent vehicle. Without it, wiping a personal device exposes the employer to a privacy complaint.

Are biometrics (Face ID, fingerprint) acceptable for work app sign-in? Yes, and preferred over PINs alone. Biometric unlock combined with a strong device passcode and Conditional Access gives the best usability and security balance. The one caveat: instruct staff to disable biometrics temporarily before crossing international borders, because border officers in some jurisdictions can compel a biometric unlock but not a passcode.

How do we audit which apps employees have installed on managed devices? Microsoft Intune, Google endpoint management, and Jamf all provide app inventory dashboards in the admin console. Review the inventory quarterly. Flag risky categories: unknown VPN apps, unmanaged cloud storage apps, custom keyboards (which can log everything typed). Investigate why the app is present and remediate by replacement or removal.

Roll out mobile device management without frustrating users

Hexafusion enrolls Windows, macOS, iOS, and Android into consistent compliance policies, stages pilot groups, and documents exceptions. Ask for a quote if your bring-your-own-device fleet has outgrown manual setup.
