All government organisations and their Arm’s Length Bodies (ALBs) shall manage corporately owned mobile phones and tablets which access, process or store OFFICIAL government and/or citizen data via critical systems, using an appropriate Mobile Device Management (MDM) solution.

Government needs to maintain the security of government and citizen data in order to continue to operate effectively. Data breaches can have a negative impact on the operation of government’s essential functions, its delivery of public services, and the rights, freedoms and safety of individuals. Implementing the controls described in this policy will help government organisations and their ALBs to keep their corporately owned mobile devices secure and prevent data breaches.

This policy is intended for:

• Security advisors responsible for the overall security of an organisation
• Cyber security professionals responsible for advising technical teams on the secure management of IT assets and infrastructure
• Technical delivery teams responsible for managing IT assets and infrastructure

If a corporately owned mobile device is subject to a data breach, then government or citizen data, or users’ personal data held on that device, could be wrongfully accessed, modified, deleted, encrypted, stolen or shared.

Data breaches pose the following risks:

• Negative impacts on the operation of government’s essential functions and delivery of public services.
• Negative impacts on the rights, freedoms and safety of government personnel or private individuals.
• Legal liability for government organisations if a data breach is found to have been caused by government personnel.
• Risk of reputational damage to government organisations if corporately owned mobile devices are misused or found to be insecure, regardless of whether or not a data breach actually occurs.

Organisations

5.1. This policy applies to government organisations and their ALBs.

Devices and systems

5.2. This policy applies to corporately owned mobile phones and tablets which access, process or store OFFICIAL government and/or citizen data via critical systems. (See 5.3 for definition of “critical systems”.)

5.3. “Critical systems” are those which support the operation of the organisation’s essential services, day-to-day business and mission, and without which the organisation would not be able to operate. For example, the primary organisational corporate network.

Device deployment models

5.4. This policy applies to devices deployed under the following models:

• Fully corporately owned and enabled - when an organisation issues a user with a device which they may use for business purposes only.
• COPE (Corporately Owned, Personally Enabled) - when an organisation issues a user with a device which they may use for both business and personal purposes.

5.5. Note: This policy does not apply to the BYOD (Bring Your Own Device) model - when an organisation actively manages access to its data and systems by devices which it does not own.

6.1. This policy contains both mandatory and advisory elements, using the same language as Functional Standard GovS 007: Security:

• shall means a requirement: a mandatory element
• should means a recommendation: an advisory element
• may means approval

Government organisations and their ALBs shall:

6.2. Corporately manage all mobile devices which access, process or store OFFICIAL government and/or citizen data via critical systems. (See 5.3 for definition of “crit ical systems”.)

6.3. For COPE (Corporately Owned, Personally Enabled) devices:

• Segregate the personally enabled parts of the device to restrict their ability to access government data and also to protect the privacy of users’ non-corporate data.
• Implement this policy in consultation with your organisation’s data protection advisers, legal advisers and knowledge and information management team to ensure compliance with the relevant provisions in the UK General Data Protection Regulation (GDPR), the Data Protection Act 2018, the Freedom of Information Act 2000 and the Public Records Act 1958.

6.4. Ensure that mobile devices — including mobile device operating systems, firmware and apps — will be supported by the manufacturer/developer for the entire duration of their intended use.

6.5. Actively manage updates and patches to mobile device operating systems, firmware and apps according to best practice.

6.6. Apply Data Loss Prevention (DLP) and document labelling policies to reduce the risk of unauthorised sharing of government data via mobile devices, including via third-party applications. For example, using the available configuration guidance for using Microsoft 365 in line with the Government Security Classifications Policy. Organisations shall have regard to the Cabinet Office policy on use of non-corporate communication channels (NCCCs) for government business when applying DLP and document labelling policies, ensuring that users have the means to comply with their records management obligations.

6.7. Limit remote access to corporate networks and information systems to mobile devices which are authorised, authenticated, up-to-date and compliant with policy.

6.8. Implement technical controls to protect government data in transit between mobile devices and corporate networks and information systems.

6.9. Maintain the ability to remove non-compliant mobile device access to corporate networks and information systems.

6.10. Formally review and approve third-party applications as part of the organisation’s software asset management process, taking into account:

• business need - including the statutory duty under the Equality Act 2010 to make reasonable adjustments to ensure that an employee with disabilities is not at a disadvantage compared to any other employee (e.g. assistive apps to help employees carry out their work duties).
• scale of use.
• reputation and security maturity of the vendor/developer.
• security vulnerabilities, their possible impacts and any risk mitigation measures.
• app access to device data.
• app behaviours, including permissions requested.
• app ability to auto-update.

6.11. Know which permissions are requested by approved applications and understand the resulting access to government data. For example, permissions for the app to access the device’s location, contacts, files, camera or microphone.

6.12. Where technically possible, implement technical controls to manage which permissions third-party applications can request and configure them to prevent third-party applications from accessing government data.

6.13. Configure mobile devices so that they will not install or run third-party applications from any other source apart from the corporately managed or corporately approved application marketplace.

6.14. Implement technical controls so that only corporately approved applications can be installed and run on mobile devices using an allow list. In exceptional circumstances only, organisations may instead implement a deny list of applications that are specifically prohibited.

Note: Organisations may implement additional app controls as they see fit. For example, a deny list applied to the personally enabled parts of a COPE device in addition to an allow list applied to the corporately managed parts.

6.15. Include mobile devices in logging and monitoring activity, to collect the following data and to scan for indicators of compromise (where technically possible depending on device platform and in compliance with the relevant provisions in the UK GDPR and the Data Protection Act 2018 to protect the privacy of users’ non-corporate data):

• device state
• device configuration
• device compliance with policy and processes
• device events, including user activity, network communications, authentication, and access to corporate networks and information systems
• third-party applications installed on the device, including presence of restricted apps where this information is available.

6.16. Maintain an Acceptable Use Policy (AUP) which reflects the requirements of this policy, to ensure that end-users understand the intended use of mobile devices and how to keep them secure and up-to-date — such as behaviours they need to adopt, actions they need to take and what their security responsibilities are for the duration of their employment. AUPs shall also include information for end-users on how to report a problem with their device and get help, and how to raise a request for new features or functionality.

6.17. Undertake a Data Protection Impact Assessment (DPIA) in order to identify and minimise risks to users’ personal data held on mobile devices and provide users with a Privacy Notice which clearly sets out:

• who owns the device.
• how the device will be technically managed.
• how government and personal data held on the device will be logged, monitored, inspected, copied for the purposes of the public record, or otherwise processed.
• if applicable, the circumstances in which the organisation may carry out a remote wipe of the device and advice for users on the steps they should take to back up any personal data held on the device.
• a point of contact for users if they have concerns or questions regarding how any personal data held on the device will be processed.

6.18. Include the implementation of this MDM policy in the organisation’s formal governance and risk management processes.

Government organisations and their ALBs should:

6.19. Undertake a technical assessment of third-party applications as part of the formal review and approvals process (see 6.10).

6.20. Maintain the ability to enforce a remote wipe of corporate devices.

6.21. Implement controls which prohibit unauthorised users from unenrolling the device or removing the corporate MDM solution.

7.1. Organisations shall take a threat-driven, risk-based approach to implementation, proportionate to the prevailing level of cyber risk, within practicable timescales, and in line with their organisation’s business objectives and priorities.This means that organisations have the flexibility to decide how to meet the requirements of this policy in practice.

7.2. Where an organisation is not compliant with the requirements of this policy, this risk shall be formally managed and the appropriate risk mitigations put in place in line with the organisation’s risk tolerance.

7.3. If applicable, organisations should have a plan in place to work towards future compliance with this policy, in a way that meets their business objectives and priorities and to ensure continuous improvement over time.

Organisations need to read this policy document in conjunction with:

• Functional Standard GovS 007: Security, which sets expectations for what security activities organisations need to carry out, and why, in order to protect government assets.
• The Cyber Standard, which sets out how organisations need to do this in relation to cyber security, specifying the particular procedures organisations need to follow and the performance criteria to be met.
• Other applicable cross-government policies published on this site.
• Relevant security directives from the Government Chief Security Officer or Government Ministers.

9.1. Implementing the controls set out in this policy will help government organisations to demonstrate that they have met the required security outcomes in the National Cyber Security Centre (NCSC) Cyber Assessment Framework (CAF), including but not limited to:

• A2.a Risk Management Process.
• A3.a Asset Management.
• B2.b Device Management.
• B2.d Identity and Access Management.
• B3.a Understanding Data.
• B3.b Data in Transit.
• B3.d Mobile Data.
• B4.b Secure Configuration.
• B4.c Secure Management.
• C1.a Monitoring Coverage.

9.2. The mandatory elements of this policy are aligned with the Baseline Government CAF profile. Those that exceed the requirements of the Baseline profile do so because they are essential to achieving the policy’s core aims.

9.3. Further guidance for government organisations on how to meet the required security outcomes in the CAF is provided on security.gov.uk.