Mobile Device Policy Guide: BYOD, CYOD, COPE, COBO
The landscape of mobile device policies is vast and cluttered with acronyms sure to inspire uncertainty. How does BYOD differ from CYOD? Is COBO really worth the investment? Wait, what’s COPE, again?
Not to worry. Our guide on mobile device policies will get you up to speed and well on the way to better device management in no time.
Bring your own device (BYOD)
BYOD policies allow employees to “access enterprise data and systems using personal mobile devices, such as smartphones, tablets and laptops,” according to IBM. Enterprises can assign various BYOD access levels, from unlimited access to restricted access, which limits the apps employees can use and designates how stored data is handled.
Formalizing a BYOD policy is important for enterprises that allow employees to connect to the network through their own devices. Without a BYOD policy in place, these companies have little insight into how data is being protected on personal devices. They also have less recourse when employees use devices irresponsibly.
Formally allowing BYOD is not without risk, however. Many millions of cell phones are misplaced each year, which means enterprises are placing a great deal of trust in employees to follow BYOD policies when they leave the premises. Smartphones with high-level access are especially vulnerable to malicious attacks and data theft.
When crafting a BYOD policy, enterprises must be mindful of the overarching issue of mixing personal and work-related data. There are many employee privacy regulations in play, which can present challenges for enterprises when extracting or monitoring work-related data.
Keep in mind that employees could also access the private information of clients on their devices. This kind of personally identifiable information is also specifically regulated and must be protected at all times, including when it is accessed from BYOD devices.
The global BYOD market is expected to exceed $350 billion by 2022, up from $250 billion in 2014. This increase is partly due to the rising cost of mobile devices, but it also accounts for related costs, such as enterprise mobility management (EMM) solutions that can help enterprises manage their BYOD programs.
Choose your own device (CYOD)
CYOD policies are based on a list of devices employees are permitted to buy themselves and use. While similar to BYOD in that employees can access the network from anywhere, an important distinction is that CYOD policies typically dictate that the enterprise retains complete control over device usage and security.
Many companies opt to enact CYOD policies in place of unwieldy BYOD policies.
CYOD can be more expensive than BYOD. Enterprises often enter into service contracts with approved device vendors and may have more obligations when it comes to maintaining and upgrading devices with this setup. Still, CYOD gives companies a tighter grip on security issues than BYOD or going without a policy at all.
CYOD policies should include a framework for device oversight and a clear breakdown of how the devices will be financed. By restricting employees to specific mobile device models, enterprises need to take a more proactive role when it comes to issues such as training and keeping devices updated with the latest security patches and operating system (OS) updates.
A 2016 study indicated that 74 percent of decision makers surveyed said their organizations offered or planned to offer CYOD programs, often to replace BYOD policies.
Corporate owned, personally enabled (COPE)
COPE takes the mobile device policy a step farther than BYOD and CYOD policies. With COPE, enterprises retain a greater deal of control over device usage by directly issuing mobile devices, although some companies choose to implement CYOD policies that are managed with COPE guidelines.
COPE does not restrict usage to business purposes, which makes this policy a potentially enticing recruiting tool. Employees enjoy the benefit of getting “free” company-purchased devices they can use for non-work activity.
The main benefit of COPE programs is the enhanced network security they offer. By exerting more control over the purchase and usage of connected devices, security teams can maintain better oversight of network behavior. Companies can block apps and websites and remotely wipe devices if they are lost or stolen.
COPE is typically more expensive than BYOD programs, since the burden is on the enterprise to purchase costly devices.
Like other mobile device policies, when crafting a COPE policy, it is critical to keep privacy concerns at the forefront. This extends to the purchase of COPE devices.
Companies need to look at built-in security features and data collection settings when purchasing COPE mobile devices, according to Matt Diaz, a privacy attorney with Dinsmore and Shohl.
“Businesses should evaluate existing security features on devices and determine whether more security measures are necessary based on how employees will use them,” Diaz said.
Companies are increasingly adopting policies that allow for COPE devices, according to a recent Citrix white paper, “Best Practices to Make BYOD, CYOD and COPE Simple and Secure.”
Corporate owned, business only (COBO)
COBO mobile device policies give enterprises the most control over usage. Companies implementing COBO supply employees with mobile devices and restrict them to business use only.
COBO and COPE are often mentioned together as these programs work in similar ways, but COPE allows employees to use corporate-issued devices for personal use. COBO doesn’t.
COBO is attractive to enterprises that want to establish strict data and network mobile security policies. These devices are locked down and completely within control of the company. IT administrators can remotely manage COBO devices and entirely monitor their usage.
COBO is usually the most expensive mobile device policy option for enterprises. The initial financial outlay includes purchasing costly devices for employees. However, in the long-run, BYOD and CYOD policies may not offer much of a bargain.
BYOD results in roughly an 11% savings across a 10,000-employee enterprise, according to Oxford Economics. Companies using BYOD spend almost as much on employee mobile stipends as those supporting COBO and COPE policies. When it comes to mobile device management (MDM) overhead and software investments, the costs are nearly identical.
Enterprises are embracing COBO models with more frequency, especially in response to the abrupt shift to remote work across the global workforce. We can expect to see more and more BYOD and CYOD policies replaced with both COBO and COPE policies.
When selecting a policy to govern the usage of mobile devices among employees, enterprises must weigh the financial investment of programs such as COPE and COBO against the threat of data security breaches.
Considering the average data breach cost about $8 million in 2020, it’s not surprising that many enterprises are opting for costlier but safer options for device management.
Regardless of which policy an enterprise selects, privacy is a chief concern. Gaining more control over devices with COBO or COPE makes it easier to stay in compliance with data privacy protections, such as GDPR and CCPA.
At the same time, employee privacy is a serious concern and enterprises need to be careful about employee monitoring, even when employees are using company-issued devices.
EMM vendor selection considerations
An organization's mobile device policy is part of its enterprise mobility management (EMM).
EMM is the collection of tools, technologies, policies and processes involved with managing and maintaining the usage of mobile devices across an organization.
Organizations should examine four key areas when it comes to selecting an EMM provider to help implement and manage their mobile devices: platform neutrality, a purpose-built platform, an extensive ecosystem and a solid customer base, according to MobileIron's guide on EMM.
The mobile device market is in constant fluctuation, MobileIron says. The devices that existed five or 10 years ago barely exist at this point, and we can expect the marketplace to reflect new realities in another five or 10 years.
One approach to selecting an EMM provider is to try to predict which proprietary platform will be able to keep up with changing market conditions, but there's a better approach: selecting a platform-neutral, multi-OS management solution, according to MobileIron. This way, organizations don’t need to be locked into specific products or brands in the future. Platform-neutral vendors can handle virtually all products.
A purpose-built platform
It is important organizations select a vendor whose platform was “built from the ground up” with the future of enterprise mobility in mind. As the company points out, mobile IT is quickly overtaking resources when it comes to how organizations deploy and manage apps and data.
Add-on solutions or those that exist as a component of in-place infrastructure may not offer the comprehensive, integrated approach that can deliver robust scalability and reliability. However, purpose-built platforms are often more expensive than integrated solutions.
An EMM provider should connect organizations with successful, growing ecosystems based around complementary mobile enterprise solution providers, according to MobileIron. This ensures that the selected vendor can support a broad range of mobile apps, operating systems, deployment configurations and devices. Vendors with connections to extensive ecosystems can address a “broad set of customer use cases” as well.
Organizations should to take a high-level look at vendors’ customer portfolios when making a selection, the company says. EMM providers that support a wide range of industries and an expanding customer base may represent a more attractive option for growing organizations. Vendors that serve a narrow segment of the market may not be able to meet the needs of organizations with a complex and diversified business model. That said, organizations with a more niche focus may find it more appealing to go with a vendor that understands their core focus.
Selecting and developing a robust enterprise mobile device policy requires a deliberate approach.
While choosing among BYOD, CYOD, COPE and COBO policies may seem overwhelming, organizations that spend time considering their overarching goals for device management and how best to achieve them will come out ahead in the long run.
Each policy comes with its own legal, HR and privacy risks that should receive careful consideration.
Once an organization selects a mobile device policy, it should also be a key part of its overall EMM solution.