Best Practices to Secure Your Corporate-Owned Personally Enabled (COPE) Android Devices
What is COPE?
COPE stands for Corporate Owned Personally Enabled Device. These are devices that are owned and provided by the company for work but are also expected to be used for personal reasons. It’s a term that’s especially relevant today, with the adoption of Everywhere Workplace, as companies are giving employees more freedom with corporate-owned and controlled devices.
Why COPE is important to your IT
Over the years, IT professionals have voiced their frustration over carrying multiple devices—one for work and another for personal use. As a result, many organizations have provided Android mobile devices to their employees, expecting that a single device will serve a dual personal/professional purpose. However, this has created multiple challenges for IT, as they need to keep corporate data protected from personal use. Unlike BYO devices, COPE devices are owned by the company, which means you’ll need to track and monitor these assets while minimizing the chance of them being used to exploit the security of your infrastructure.
Best practices to secure COPE devices
Work Profile to protect company apps and data
Use a work profile to protect your company apps and data. With a work profile, you can securely and privately use the same device for work and personal purposes. The work profile keeps your company’s apps and data and the employee’s apps and data in a separate encrypted security domain.
Use whitelists or blacklists for apps outside the work profile
Decide which apps can be used on the personal side of the device, outside the work profile domain. Protect your users from themselves by limiting which apps they can install, so they cannot download apps that compromise the device.
Use a lockdown configuration to protect the device from unauthorized access. There are many options you can use to protect your users from malicious activities and your devices from unauthorized access.
Disable USB file transfer
Protect your users and company data by preventing files from being transferred over USB. This restricts the USB port to charging only.
Disallow debugging features
Debugging output is verbose: it covers not only the applications and Android itself but can also include the data those apps and the OS process. Only enable debugging when your software or hardware vendors require it for troubleshooting.
Ensure verify apps
Protect your users from potentially malicious sideloaded apps. Ensure that only apps scanned and verified by Google Play Protect can be installed, via the Google Play store.
Disable data roaming
Keep data on your trusted cellular networks; this can be vital if you are implementing 5G slicing for your Android devices.
Disallow Bluetooth sharing
Prevent users’ personal data from being transferred off the device using Bluetooth protocols.
Disallow Bluetooth settings
Preconfigure and pair only authorized Bluetooth devices. Once you are done pairing those authorized devices, disable access to the Bluetooth settings.
Disable Wi-Fi settings
If you want the COPE device to connect only to authorized company Wi-Fi networks, preconfigure those networks with a Wi-Fi policy and disable the Wi-Fi settings to prevent users from adding and accessing unauthorized Wi-Fi networks.
Disallow tethering
Tethering may allow personal devices to reach your mobile endpoint and, through it, your corporate network. Disabling tethering prevents unauthorized access to the Android device and stops the device from being used as a bridge into your company network.
Disallow adding or modifying accounts
Personal accounts in the work profile allow a user to download public apps into the corporate container, which is a risk. Basic Android Enterprise (AE) security always starts with preventing users from adding or modifying accounts within the work profile.
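The lockdown items above map directly onto Android Enterprise user restrictions. The following is an added example, not Ivanti code and not part of any MDM product, showing how a profile-owner DPC inside an organization-owned (COPE) work profile would apply them; the class name, the split between profile-side and parent-side keys, and the assumption that the device runs Android 11 or later (where a profile owner may push restrictions to the personal side) are mine.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.UserManager;
import android.util.Log;

/** Hypothetical DPC helper: applies the COPE lockdown restrictions from the checklist above. */
public final class CopeLockdown {
    private static final String TAG = "CopeLockdown";

    // Restrictions enforced inside the work profile (corporate container) itself.
    private static final String[] WORK_PROFILE_RESTRICTIONS = {
        UserManager.DISALLOW_MODIFY_ACCOUNTS,         // no personal accounts in the corporate container
        UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES, // no sideloading into the work profile
        UserManager.ENSURE_VERIFY_APPS                // deprecated since Android 8 (always on); kept for older devices
    };

    // Restrictions pushed to the personal (parent) side of an organization-owned device.
    // Assumption: each key is supported on the parent by the installed Android version;
    // unsupported keys raise SecurityException and are logged rather than aborting the run.
    private static final String[] PARENT_PROFILE_RESTRICTIONS = {
        UserManager.DISALLOW_USB_FILE_TRANSFER,  // USB port is for charging only
        UserManager.DISALLOW_DEBUGGING_FEATURES, // no developer options / adb debugging
        UserManager.DISALLOW_DATA_ROAMING,       // stay on trusted cellular networks
        UserManager.DISALLOW_BLUETOOTH_SHARING,  // no data leaving the device via Bluetooth share
        UserManager.DISALLOW_CONFIG_BLUETOOTH,   // pairing list frozen after provisioning
        UserManager.DISALLOW_CONFIG_WIFI,        // only pre-provisioned Wi-Fi networks
        UserManager.DISALLOW_CONFIG_TETHERING    // device cannot bridge into the corporate network
    };

    public static void apply(Context context, ComponentName admin) {
        DevicePolicyManager dpm =
            (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        if (!dpm.isProfileOwnerApp(context.getPackageName())) {
            throw new IllegalStateException("DPC is not the profile owner of this work profile");
        }
        for (String key : WORK_PROFILE_RESTRICTIONS) {
            dpm.addUserRestriction(admin, key);
        }
        // Parent-side restrictions only apply on an organization-owned (COPE) device.
        if (!dpm.isOrganizationOwnedDeviceWithManagedProfile()) {
            Log.w(TAG, "Not an organization-owned device; skipping personal-side lockdown");
            return;
        }
        DevicePolicyManager parent = dpm.getParentProfileInstance(admin);
        for (String key : PARENT_PROFILE_RESTRICTIONS) {
            try {
                parent.addUserRestriction(admin, key);
            } catch (SecurityException e) {
                Log.w(TAG, "Restriction not allowed on parent profile: " + key, e);
            }
        }
    }
}
```

Wi-Fi and Bluetooth lockdown is only safe once the authorized networks and devices have been provisioned, so call this after those configurations are in place.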
Secure your device with Mobile Threat Protection
Add that next level of protection with Mobile Threat Defense. MTD not only provides protection from exploits but also protects your users from phishing attacks using hybrid on-device and cloud detection capabilities. MTD is also fully integrated into the MobileIron Go app, which means that when you deploy your devices, MTD is already deployed to them as well.
Why Ivanti Neurons for MDM?
With Ivanti Neurons for MDM, you can secure your employee- and executive-assigned devices while giving employees the freedom to use those Android devices for personal reasons.
Ivanti Neurons for MDM integrates your Android COPE devices using cloud-based device management and security, which brings together mobile application management (MAM), app distribution and configuration, zero-touch onboarding of Android devices, the ability to scale as you grow, and secure productivity and connectivity for your employees. In addition, Neurons for MDM integrates not just with Android but with other operating systems and devices: iOS, macOS, Windows, and Linux.