What is a Mobile Device Program?

A mobile device program outlines the types of mobile devices employees of a company can use, who maintains ownership of the mobile devices, and the policies and rules employees must follow when using mobile devices to complete their work or access valuable company data. 

Establishing a mobile device program is essential. Organizations and employees rely on mobile devices for various tasks, and remote workforces use mobile devices to access company data and networks daily. 

Having a mobile device program in place guides employees to follow best practices when using mobile devices for work, which mitigates the risk of a data breach and protects valuable corporate data.

What is a Mobile Device Policy?

A mobile device policy is a set of rules companies establish that employees, contractors, and other personnel must adhere to, which communicates how devices are expected to be used within an organization. 

Mobile device policies are useful guidelines for employees, as they explain how to reduce mobile security risks.

4 Types of Mobile Device Programs and Policies

If organizations don’t take proper precautions, mobile devices can be mismanaged and put entire corporations at risk. They are often overlooked and are some of the least regulated tools employees use.

The type of enterprise mobility program your organization has in place determines the requirements you can set in your mobile device policy. The four types of enterprise mobility programs are:

  • Bring your own device (BYOD)
  • Choose your own device (CYOD)
  • Company-owned, personally enabled (COPE) devices
  • Company-owned, business-only (COBO) devices (also known as corporate-liable (CL) devices)

Bring Your Own Device (BYOD)

A bring your own device (BYOD) enterprise mobility program is when employees can use their personally owned devices—such as smartphones, tablets, laptops, and wearables—for work-related activities.

Employees might utilize their work email, connect to the corporate network, or access corporate data while using personal devices, which can leave the company vulnerable to cyber threats such as ransomware and data breaches if employees are not required to follow strong security practices.

Benefits of BYOD

  • Device options are unlimited.
  • Employee morale is improved because employees don’t have to carry two devices, and they can work more efficiently on familiar devices.
  • Organizations save money on hardware, as they don’t have to provide devices for new hires.

Challenges of BYOD

  • IT departments must secure a wide range of devices and operating systems.
  • Shadow IT, which can disrupt the workflows and security precautions IT departments have implemented, can develop on devices if employees download or use applications without the knowledge of the IT department.
  • Arranging cost-sharing agreements can be a challenge in BYOD programs. If employees can’t reach an agreement, organizations may have to pay the entire cost for employees’ voice and data plans.

BYOD Mobile Device Policy

A BYOD mobile device policy may include:

  • A list of applications employees are permitted or forbidden to download.
  • A minimum requirement for memory storage, processing power, or other aspects of a device that could affect performance or productivity.
  • Eligibility and security requirements employees must follow.

BYOD Best Practices

A BYOD mobile device policy should include:

  • Two-factor authentication to ensure corporate data is secure when employees access company networks.
  • Annual cybersecurity training programs to inform employees on emerging data threats.
  • A remote-wipe feature to ensure IT departments can remove corporate data from lost or stolen devices.

Choose Your Own Device (CYOD)

A choose your own device (CYOD) enterprise mobility program allows employees to select a corporate-owned device for personal and work-related purposes from a list of pre-approved mobile devices, which are pre-programmed with security applications to safeguard company data while the device is in use.

Depending on a company’s mobility budget, an organization can limit or expand employee device selection in various ways.

Some companies limit employee device selection by only providing Apple and Android products. Other companies may allow employees to select from a device catalog with several models by different manufacturers. Organizations that only offer Apple or Android devices may only give employees cosmetic choices, like allowing them to choose their devices’ color and/or screen size.

Benefits of CYOD

  • Limiting device choices to vetted options ensures the program, and devices themselves, become more manageable.
  • Employees have one mobile device for personal and work use instead of managing two devices.
  • IT departments only need training on specific devices, enabling streamlined support and reducing the time and costs allocated to on-the-job training.

Challenges of CYOD

  • Determining who pays for the device and/or voice and data plans isn’t always clear-cut. Employees may be required to purchase the device upfront, or employers may have to issue employees a stipend to cover voice and data plan costs.
  • Determining who will retain ownership of the device can be a challenge.
  • Since CYOD allows employees to use corporate mobile devices for personal use, employees may raise privacy concerns.
  • Devices in a CYOD program take longer to deploy due to employees selecting from a limited range of available devices. Manufacturing and shipping contribute to a slower deployment time.

CYOD Mobile Device Policy

A CYOD mobile device policy may include:

  • A list of specific device manufacturers and models from which employees can select.
  • A disclaimer detailing the risks employees may encounter using personal devices for work—such as disciplinary action if they fail to comply with their company’s mobile security policy.
  • CYOD policies may require a specific level of integration, ranging from daily workflows to heavy resource requirements.

CYOD Best Practices

A CYOD mobile device policy should include:

  • Zero-trust software, which prevents security from relying on end-user decisions.
  • Devices pre-programmed with security features and business applications to maintain device compatibility and ensure data security.
  • Containerization tools, like unified endpoint management (UEM) solutions or mobile application management (MAM) programs, to separate corporate and personal data. Implementing a UEM or MAM solution could ease employees’ privacy concerns.

Company-Owned, Personally Enabled

A company-owned, personally enabled (COPE) enterprise mobility program is when an organization gives an employee a pre-selected mobile device to use primarily for business purposes. 

Personal use is allowed but limited in a COPE program. Companies own and pay for the device, its repairs, and applicable voice and data plans.

Benefits of COPE

  • There is little to no cost for employees.
  • Organizations facing strict regulations or heavy security requirements can ensure compliance with complete control over devices.
  • Corporate discounts are available for enterprises since they typically select and buy devices in bulk before deploying them into their workforce.

Challenges of COPE

  • Limited device variety for employees since employers provide employees with a pre-determined mobile device.
  • COPE programs have the slowest deployment timeframe of all the enterprise mobility programs.
  • Organizations are responsible for updating all devices, which can be a heavy task for IT departments.

COPE Mobile Device Policy

A COPE mobile device policy may include:

  • A description of the organization’s reasoning for implementing a COPE program.
  • COPE programs may grant organizations tighter legal control. Some COPE programs have policies that give companies the authority to search corporate-issued devices for intellectual property theft.
  • A usage policy detailing expectations when employees use company-owned devices for personal-related activities and the consequences of misusing a company-owned mobile device.

COPE Best Practices

A COPE mobile device policy should include:

  • A support policy to reduce support requests from employees for personal applications, even though companies are primarily responsible for supporting corporate-issued devices in a COPE policy.
  • A thorough privacy policy to ease privacy concerns from employees.
  • A terms of service policy to set user expectations.

Company-Owned, Business Only

A company-owned, business-only (COBO) enterprise mobility program is when an organization provides employees with business-only mobile devices. Devices in a COBO program are monitored, and employees are prohibited from accessing apps or websites for personal use. The mobile devices only have business-related applications installed and require IT credentials to download other apps.

A COBO mobile device policy is ideal for organizations looking to strengthen compliance or security. Although employees have limited flexibility in a COBO program, productivity and employee mobility often increase because personal and work-related content are kept separate.

Benefits of COBO

  • Employers have complete control over corporate devices and their applications.
  • Lower data costs due to devices only storing and transmitting corporate information.
  • Organizations can easily enforce new policies and make policy changes due to devices only being used for business purposes.

Challenges of COBO

  • Employees have limited flexibility due to personal use being prohibited.
  • Companies are responsible for the entire cost and management of devices.
  • Employees have to keep up with two devices–one for personal and one for business use. Managing two devices increases the chance of one becoming lost, especially if devices are transported to events or meetings.

COBO Mobile Device Policy

A COBO mobile device policy may include:

  • Tracking software to monitor employee activity.
  • A list of password requirements employees must adhere to since devices in a COBO program can be used by multiple employees.
  • Programming devices into kiosk mode since devices in COBO programs are only used for business purposes, accessing business-specific applications and websites.

COBO Best Practices

A COBO mobile device policy should include:

  • Anti-virus software pre-programmed onto employees’ devices.
  • Automated operating system updates to ensure compliance and stay up-to-date on security requirements.
  • Security measures like data encryption to protect mobile devices if one becomes compromised or lost.

Choose The Right Mobile Device Policy for Your Organization

Every organization has different mobile device program needs and must consider many factors—including security and cost—when deciding on an appropriate mobile device program. 

Regardless, your organization should be able to find a mobile device program or combination of programs that work best for you, depending on the complexity of your workforce. 

For example, employees who require a phone to work remotely, or employees who are required to travel, could be issued company-owned devices while other employees are part of a BYOD program. However, it’s crucial to remember BYOD programs come with their own security risks. 

If your organization interacts with personally identifiable information (PII), health records, or customer financial information, the safest route is a COBO or COPE mobile device program combined with a unified endpoint management (UEM) solution to monitor and ensure compliance with security policies and regulations.

How Mobile reCell Can Help Initiate a Mobile Device Program

Whether your organization wants to recover existing company-issued mobile devices or wants to initiate a new corporate-owned mobile device program, Mobile reCell can help.

A proper mobile device recovery process is needed to ensure each device’s recovery and secure corporate data destruction. Every asset Mobile reCell recovers completes NIST-compliant data erasure and receives a Certificate of Data Destruction, allowing your company to rest assured that your data is secure.

If you need assistance initiating an enterprise mobility program or recovering company-issued IT assets, let’s chat.

 
