Mobile Device Security for Small Business


Everyone in your business has a smartphone. Most of them check work email on it. Many access business apps, cloud storage, and collaboration tools.

These devices are part of your security perimeter now, whether you’ve acknowledged it or not.

The Mobile Risk Reality

Lost and stolen devices. Australians lose or have stolen around 1.5 million phones every year. Each one might contain access to your business email, files, and applications.

Malicious apps. Even app stores with review processes sometimes host malware. Sideloaded apps and modified app stores are worse.

Unsecured networks. People connect to public Wi-Fi, hotel networks, and other untrusted environments. Man-in-the-middle attacks can intercept data.

Outdated software. Android devices in particular often stop receiving security updates while still being used. Old vulnerabilities remain exploitable.

Personal device risk. If you allow BYOD (bring your own device), you’re trusting devices you don’t control to access business data.

Your Options

Option 1: Company-owned devices (most control)

You buy the phones, configure them, and own them. Benefits:

  • Full control over security settings
  • Can enforce all policies
  • Easy remote wipe if lost
  • Clear separation from personal data

Downsides:

  • Expensive (device cost plus ongoing management)
  • Staff might carry two phones
  • You’re responsible for everything

Best for: Businesses with sensitive data, regulated industries, employees who don’t mind separate devices.

Option 2: Mobile device management on personal devices (balanced)

Staff use their own devices but enroll them in your MDM solution. Benefits:

  • No hardware cost
  • One device for staff
  • Reasonable control over work data

Downsides:

  • Privacy concerns from employees
  • Limited control (can’t manage personal apps)
  • Complexity with diverse device types

Best for: Most SMBs - good balance of security and practicality.

Option 3: Container/app-level security (minimum friction)

Instead of managing the device, you manage only the work apps. Business data stays in isolated containers or protected apps. Benefits:

  • Minimal intrusion on personal devices
  • Works with any device
  • Clear separation of work and personal

Downsides:

  • Less control over device security
  • Depends on user keeping device reasonably secure
  • Some functionality limitations

Best for: Businesses with low sensitivity data or high resistance to MDM.

Implementing Mobile Security

Step 1: Decide your approach

Consider:

  • How sensitive is your data?
  • What’s your budget?
  • How will employees react?
  • What compliance requirements exist?

For most small businesses, MDM on personal devices or container-based security is the right balance.

Step 2: Choose a solution

Options vary by your primary platform:

Microsoft-centric: Microsoft Intune (included in Business Premium) handles both company and personal devices. App protection policies can secure Outlook and other Microsoft apps without full device management.

Google-centric: Google Workspace has built-in endpoint management. Advanced features in Enterprise plans.

Standalone MDM: Solutions like Jamf (Mac/iOS focused), VMware Workspace ONE, or ManageEngine cover mixed environments.

Step 3: Define policies

What do you actually require?

  • Device encryption (should be mandatory)
  • PIN/passcode requirements (minimum length, complexity)
  • Automatic lock timeout (maximum before lock required)
  • Jailbreak/root detection (block compromised devices)
  • Minimum OS version (ensure security patches)
  • Remote wipe capability (for lost devices)

Start with essentials. You can add more requirements later.
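As an added illustration (not part of the original article, and not tied to any particular MDM product), the following Python script evaluates a constructed device inventory against the checklist above and says which devices should be blocked and why. The field names, thresholds, report date and device records are all assumptions chosen for the example; a real MDM exposes equivalent attributes under its own names, and the thresholds are yours to set.

```python
from datetime import date

# Constructed policy mirroring the checklist above. Every threshold is an
# illustrative assumption, not a recommendation from any vendor or standard.
POLICY = {
    "min_os": {"ios": (16, 0), "android": (13, 0)},  # minimum major.minor per platform
    "require_encryption": True,
    "min_pin_length": 6,
    "max_lock_timeout_minutes": 5,
    "block_compromised": True,        # jailbroken / rooted devices
    "max_patch_age_days": 90,         # "haven't updated in months"
}

# Constructed device inventory. Field names are hypothetical; a real MDM
# exports equivalent attributes under its own names.
DEVICES = [
    {"id": "dev-001", "platform": "ios", "os_version": "17.1", "encrypted": True,
     "pin_length": 6, "lock_timeout_minutes": 2, "compromised": False,
     "last_patch_date": date(2024, 1, 15)},
    {"id": "dev-002", "platform": "android", "os_version": "11", "encrypted": True,
     "pin_length": 4, "lock_timeout_minutes": 30, "compromised": False,
     "last_patch_date": date(2022, 6, 1)},
    {"id": "dev-003", "platform": "android", "os_version": "14", "encrypted": False,
     "pin_length": 8, "lock_timeout_minutes": 1, "compromised": True,
     "last_patch_date": date(2024, 1, 5)},
]

# Assumed "today" for the patch-age check, so the example is reproducible.
REPORT_DATE = date(2024, 2, 1)


def parse_version(text):
    """Turn '17.1' or '11' into a (major, minor) tuple for safe comparison."""
    parts = []
    for piece in text.split(".")[:2]:
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 2:
        parts.append(0)
    return tuple(parts)


def evaluate(device, policy, today):
    """Return the list of policy violations for one device (empty = compliant)."""
    reasons = []
    min_os = policy["min_os"].get(device["platform"])
    if min_os is not None and parse_version(device["os_version"]) < min_os:
        reasons.append(f"OS {device['os_version']} below minimum "
                       f"{min_os[0]}.{min_os[1]}")
    if policy["require_encryption"] and not device["encrypted"]:
        reasons.append("storage not encrypted")
    if device["pin_length"] < policy["min_pin_length"]:
        reasons.append(f"PIN length {device['pin_length']} below "
                       f"{policy['min_pin_length']}")
    if device["lock_timeout_minutes"] > policy["max_lock_timeout_minutes"]:
        reasons.append(f"auto-lock {device['lock_timeout_minutes']} min exceeds "
                       f"{policy['max_lock_timeout_minutes']} min")
    if policy["block_compromised"] and device["compromised"]:
        reasons.append("device is jailbroken/rooted")
    patch_age = (today - device["last_patch_date"]).days
    if patch_age > policy["max_patch_age_days"]:
        reasons.append(f"security patch level is {patch_age} days old")
    return reasons


def compliance_report(devices, policy, today):
    """Map each device id to its violations; devices with [] may keep access."""
    return {d["id"]: evaluate(d, policy, today) for d in devices}


if __name__ == "__main__":
    report = compliance_report(DEVICES, POLICY, REPORT_DATE)
    for device_id, reasons in report.items():
        status = "COMPLIANT" if not reasons else "BLOCK"
        print(f"{device_id}: {status}")
        for reason in reasons:
            print(f"    - {reason}")
```

Running it prints dev-001 as compliant, dev-002 blocked for an old OS, a short PIN, a long auto-lock timeout and a stale patch level, and dev-003 blocked for missing encryption and being rooted. The useful habit is the one the script encodes: every violation is recorded with a reason, so the person explaining a block to a colleague can say exactly what to fix.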

Step 4: Communicate with staff

If you’re implementing MDM on personal devices, transparency matters:

  • What data will you collect?
  • What can you see on their device?
  • What can you remotely do?
  • What happens if they leave?

Many MDM solutions have “personal” and “corporate” profiles that limit what employers can access on BYOD devices. Explain this clearly.

Step 5: Roll out carefully

  • Start with IT and willing early adopters
  • Document the enrollment process
  • Prepare for support requests
  • Have a process for employees who refuse

Specific Platform Recommendations

iOS: Apple devices are generally more secure by default. The App Store review process, while imperfect, catches most malware. iOS updates roll out quickly and widely.

Required settings:

  • Passcode enabled
  • Touch ID / Face ID (optional but encouraged)
  • Find My iPhone enabled (for remote wipe)
  • Automatic updates enabled

Android: More variation in security quality. Google Pixel devices get updates quickly; some manufacturers are slower or stop updates after a couple of years.

Required settings:

  • Screen lock with PIN/password
  • Encryption enabled (usually default on modern devices)
  • Google Play Protect enabled
  • Unknown sources disabled (no sideloading)
  • Security updates current

Consider: limiting Android support to devices with current security patches.

App Security

Beyond device management, think about the apps themselves:

Only use business apps from official stores. No sideloading, no modified apps, no APKs from random websites.

Use app protection policies. Microsoft Intune’s app protection policies, for example, can require PIN entry, prevent copy-paste to personal apps, and encrypt app data - all without managing the whole device.

Control which apps access work data. Can people forward work email to personal accounts? Copy files to personal cloud storage? These are policy decisions to make deliberately.

Review app permissions. An app that needs access to contacts, calendar, and location to function is one thing. An app that wants those permissions for no clear reason is suspicious.

Lost Device Protocol

When a device is lost or stolen:

  1. Employee reports immediately. Have a clear process - who to contact, how.

  2. Attempt remote locate. Find My iPhone or Android Device Manager might locate it.

  3. Remote lock if possible. Even if you can’t wipe, you can lock.

  4. Remote wipe business data. This is where MDM or app protection earns its keep.

  5. Reset relevant passwords. Assume anything accessible from that device is compromised.

  6. Monitor for suspicious activity. Watch login attempts, email sending, file access.

Have this documented before you need it. Practice it occasionally.
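To show what step 6 can look like in practice, here is an added Python example (not from the original article) that runs over a few constructed sign-in log lines and raises an alert for any sign-in attempt from a device after it was reported lost. The log format, field names, device ids and events are invented for the illustration; your identity provider's sign-in export will have its own columns, but the logic is the same.

```python
from datetime import datetime

# Constructed sign-in log in a simple CSV shape:
#   timestamp,user,device_id,result,country
# These lines are invented for the example, not a real export.
SIGNIN_LOG = """\
2024-03-04T08:55:00,alice@example.com,dev-002,success,AU
2024-03-04T09:30:00,alice@example.com,dev-002,success,AU
2024-03-04T11:45:00,alice@example.com,dev-002,failure,AU
2024-03-04T11:46:00,alice@example.com,dev-002,failure,AU
2024-03-04T12:10:00,alice@example.com,dev-002,success,AU
2024-03-04T12:15:00,bob@example.com,dev-007,success,AU
"""

# The lost-device report from step 1: which device, whose, and when it was
# reported. Constructed values.
LOST_REPORT = {
    "device_id": "dev-002",
    "user": "alice@example.com",
    "reported_at": datetime(2024, 3, 4, 10, 0, 0),
}


def parse_log(text):
    """Parse the CSV-style lines into event dicts with real timestamps."""
    events = []
    for line in text.strip().splitlines():
        ts, user, device_id, result, country = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "device_id": device_id,
            "result": result,
            "country": country,
        })
    return events


def alerts_after_loss(events, report):
    """Flag every sign-in attempt from the lost device after it was reported.

    Anything before the report time is assumed to be the legitimate owner.
    Anything after is either the owner before the wipe took effect or whoever
    now holds the device, so it needs a human look. A successful sign-in is
    the serious case: it means the wipe and password reset (steps 4 and 5)
    have not yet cut off access.
    """
    alerts = []
    for event in events:
        if event["ts"] < report["reported_at"]:
            continue
        if event["device_id"] != report["device_id"]:
            continue
        severity = "high" if event["result"] == "success" else "medium"
        alerts.append({
            "ts": event["ts"].isoformat(),
            "user": event["user"],
            "severity": severity,
            "reason": f"{event['result']} sign-in from device {event['device_id']} "
                      f"after it was reported lost",
        })
    return alerts


if __name__ == "__main__":
    for alert in alerts_after_loss(parse_log(SIGNIN_LOG), LOST_REPORT):
        print(f"[{alert['severity'].upper()}] {alert['ts']} {alert['user']}: "
              f"{alert['reason']}")
```

On the sample data the two 08:55 and 09:30 sign-ins are ignored, the two failures at 11:45 and 11:46 produce medium alerts, and the successful sign-in at 12:10 produces a high alert, which is the signal that steps 4 and 5 have not finished doing their job. Bob's sign-in from a different device is untouched.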

The BYOD Conversation

If you’re allowing personal devices (BYOD), be honest about the trade-offs:

For the business:

  • Lower hardware costs
  • Happier employees (one device)
  • Less control and visibility
  • Potential liability issues

For employees:

  • Convenience (one device)
  • Privacy concerns about employer access
  • Potential work intrusion on personal device
  • Device might be wiped if they leave acrimoniously

A BYOD policy should cover:

  • What security requirements apply
  • Who pays for what (device, service, repairs)
  • What happens when employment ends
  • What the company can and can’t see/do

Get employees to acknowledge the policy in writing.

The Minimum Viable Mobile Security

If you do nothing else:

  1. Require MFA on all mobile-accessible services. Even if a device is compromised, credentials that are protected by MFA are far harder to abuse than credentials alone.

  2. Enable remote wipe capability. Through Exchange/Microsoft 365 if nothing else - you can wipe just Outlook data from lost devices.

  3. Require current OS versions. Block access from devices that haven’t updated in months.

  4. Train on lost device reporting. Make sure people know to report immediately, not after they’ve “looked for it for a few days.”

These four things provide meaningful protection without requiring full MDM deployment.

Mobile devices are part of your business whether you’ve planned for it or not. A little deliberate security is much better than hoping nothing goes wrong.