Mobile Data Separation
Plain English Translation
Organizations must ensure that work-related information is kept strictly isolated from personal information on all mobile devices used to access corporate systems. By establishing clear boundaries through technical controls like secure containers or work profiles, the organization protects sensitive business data from being exposed, copied, or lost through an employee's personal applications. This separation must be formally documented to demonstrate how the organization secures mobile access.
Technical Implementation
Required Actions (startup)
- Document the expectation of data separation within the acceptable use policy.
- Require employees to use dedicated work applications (for example, a separate managed email client) for corporate data rather than adding the corporate account to the device's native mail, contacts or calendar apps, where it would be mixed with personal accounts and personal backups.
Required Actions (scaleup)
- Implement a Mobile Application Management (MAM) solution to containerize corporate data.
- Prevent copy-and-paste functions between managed corporate apps and unmanaged personal apps.
Required Actions (enterprise)
- Deploy full Mobile Device Management (MDM) enforcing Android Enterprise Work Profiles and iOS User Enrollment.
- Automate compliance checks that block access to corporate resources if data separation controls are disabled or bypassed (for example, the work profile has been removed, the device is rooted or jailbroken, or the app protection policy is no longer applied).
Mobile data separation means establishing a logical boundary on a single mobile device to keep corporate data and personal data completely isolated from one another. This ensures that work emails, documents, and credentials cannot be accessed, shared, or backed up by the user's personal applications.
On Android devices, organizations typically use the Android Enterprise Work Profile feature. This creates a secure, OS-level container for work apps and data, ensuring that personal apps cannot see or interact with corporate information, and allowing IT to manage only the work profile.
For iOS devices, data separation is achieved using Apple's User Enrollment for personally owned devices (which keeps managed apps, accounts and data on a separate managed volume) or supervised Device Enrollment for corporate-owned devices, combined with managed-app restrictions such as Managed Open In that stop documents from moving between managed corporate apps and unmanaged personal apps. Mobile Application Management tools can also enforce containerization at the app level by restricting data sharing between managed work apps and personal apps like iMessage.
While full Mobile Device Management (MDM) is highly effective, it is not strictly required if you can achieve separation through other means. Mobile Application Management (MAM) or secure container applications can often meet the requirement by isolating corporate data without controlling the entire device.
Mobile Application Management (MAM) is often the preferred method for BYOD programs because it focuses exclusively on securing and separating corporate applications and data. MAM applies protection policies directly to work apps without requiring full device enrollment, preserving employee privacy: the organization manages, and can selectively wipe, only the corporate app data rather than the whole device.
Acceptable technical controls include OS-level partitioning like Android Work Profiles or iOS User Enrollment, third-party secure workspace containers, and managed applications with strict data protection policies. These controls must actively prevent data from flowing between work and personal boundaries.
Organizations use Data Loss Prevention (DLP) and Mobile Application Management (MAM) policies to restrict clipboard actions. These policies block users from copying text, saving files, or sharing content from managed corporate applications into unmanaged personal applications or cloud storage.
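As an added example (not part of the original page and not WatchDog Security's tooling), the following Python script turns the automated compliance gate from the enterprise actions above and the clipboard/save/share restrictions described in this paragraph into a check that runs over a device export. It accepts OS-level separation at the enterprise tier, OS-level or MAM containerization at the scaleup tier, requires the data-flow controls to be enforced, and fails any device whose boundary has been bypassed. The export format, the field names (`enrollment`, `clipboard_restricted`, `integrity_ok` and so on) and the device records are constructed assumptions; map them onto the fields your own MDM/MAM console actually exports.

```python
"""
Compliance gate for mobile data separation over an MDM/MAM device export.

Returns an allow/block decision per device together with the reasons,
which is what both the access gate and the audit evidence need.
All field names and sample data below are constructed for this example.
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Enrollment types that provide an OS-level boundary between work and personal data.
OS_LEVEL_SEPARATION = {"android_work_profile", "ios_user_enrollment", "ios_supervised"}
# App-level containerization without device enrollment (acceptable at the scaleup tier).
MAM_CONTAINER = {"mam_container"}

# Data-flow controls that must be reported as enforced at every tier with a technical gate.
REQUIRED_CONTROLS = (
    "clipboard_restricted",      # no paste from managed apps into unmanaged apps
    "save_to_personal_blocked",  # no "save as" into personal storage or personal cloud
    "backup_excluded",           # work data excluded from personal device/cloud backups
)


@dataclass
class DeviceRecord:
    device_id: str
    user: str
    platform: str        # "android" or "ios"
    enrollment: str      # one of the sets above, or "unmanaged"
    controls: Dict[str, bool]
    integrity_ok: bool   # False if rooted/jailbroken or the work profile was removed


def parse_export(raw: str) -> List[DeviceRecord]:
    """Parse a (constructed) JSON export from an MDM/MAM console."""
    return [
        DeviceRecord(
            device_id=d["device_id"],
            user=d["user"],
            platform=d["platform"],
            enrollment=d["enrollment"],
            controls=dict(d.get("controls", {})),
            integrity_ok=bool(d.get("integrity_ok", False)),
        )
        for d in json.loads(raw)["devices"]
    ]


def evaluate(device: DeviceRecord, tier: str) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons); an empty reasons list means the device passes."""
    if tier == "enterprise":
        acceptable = OS_LEVEL_SEPARATION
    elif tier == "scaleup":
        acceptable = OS_LEVEL_SEPARATION | MAM_CONTAINER
    else:
        # The startup tier is policy-only on this page; there is no technical gate to run.
        raise ValueError(f"no technical gate defined for tier {tier!r}")

    reasons: List[str] = []
    if device.enrollment not in acceptable:
        reasons.append(f"enrollment {device.enrollment!r} does not meet {tier} separation requirement")
    # Report each missing control separately so the evidence shows exactly what failed.
    for control in REQUIRED_CONTROLS:
        if not device.controls.get(control, False):
            reasons.append(f"{control} not enforced")
    # A bypassed boundary fails regardless of how the policy is configured.
    if not device.integrity_ok:
        reasons.append("separation control disabled or bypassed (integrity check failed)")
    return (not reasons, reasons)


def access_decisions(devices: List[DeviceRecord], tier: str) -> Dict[str, Tuple[bool, List[str]]]:
    """Map device_id -> (allowed, reasons) for the whole export."""
    return {d.device_id: evaluate(d, tier) for d in devices}


ALL_ON = {c: True for c in REQUIRED_CONTROLS}
# Constructed sample export: one compliant device per platform plus three failure modes.
SAMPLE_EXPORT = json.dumps({"devices": [
    {"device_id": "A-001", "user": "alice", "platform": "android",
     "enrollment": "android_work_profile", "controls": ALL_ON, "integrity_ok": True},
    {"device_id": "I-002", "user": "bob", "platform": "ios",
     "enrollment": "mam_container", "controls": ALL_ON, "integrity_ok": True},
    {"device_id": "I-003", "user": "carol", "platform": "ios",
     "enrollment": "ios_user_enrollment",
     "controls": {**ALL_ON, "clipboard_restricted": False}, "integrity_ok": True},
    {"device_id": "A-004", "user": "dave", "platform": "android",
     "enrollment": "android_work_profile", "controls": ALL_ON, "integrity_ok": False},
    {"device_id": "A-005", "user": "eve", "platform": "android",
     "enrollment": "unmanaged", "controls": {}, "integrity_ok": True},
]})

if __name__ == "__main__":
    devices = parse_export(SAMPLE_EXPORT)
    for tier in ("scaleup", "enterprise"):
        print(f"== {tier} ==")
        for dev_id, (allowed, reasons) in access_decisions(devices, tier).items():
            print(f"{dev_id}: {'ALLOW' if allowed else 'BLOCK'} {'; '.join(reasons)}")
```

Run against a real export, the per-device reason list is the record to keep alongside the configuration screenshots: it shows, for each device in scope, which separation mechanism was present and which data-flow control (if any) was missing at the time of the check.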
CyberSecure Canada requires organizations to formally document the details of how separation is achieved. This documentation should be included in the information security policy or mobile device policy, outlining the technical mechanisms used, the specific rules applied, and the scope of devices covered. Tools like WatchDog Security's Policy Management can help maintain the policy lifecycle (version history, approvals, attestations) and keep the current requirements easy to evidence during audits.
Audit evidence should include screenshots of Mobile Device Management (MDM) or Mobile Application Management (MAM) configurations showing data separation policies in effect. Examples include policies enforcing managed app boundaries, containerization settings, and records of active devices enrolled in these profiles. Tools like WatchDog Security's Compliance Center can help track the required evidence items for this control and store configuration exports and screenshots with clear ownership and timestamps.
Contractors and temporary staff accessing corporate IT resources from mobile devices must be subject to the same data separation requirements as permanent employees. Organizations often enforce this by requiring them to use managed applications or secure web gateways that isolate corporate sessions without requiring full device enrollment.
Mobile data separation depends on clear, enforceable rules that users understand (e.g., required work profiles, managed apps, and prohibited data sharing). Tools like WatchDog Security's Policy Management can help you publish the BYOD/mobile device policy, track user attestations, and retain version history and acceptance records for audit evidence.
Auditors typically want to see both the documented approach and proof it is enforced (policy language, MDM/MAM settings, and device scope). Tools like WatchDog Security's Compliance Center can map this control to required evidence, track collection tasks, and store screenshots/exports from MDM or MAM systems alongside the control record.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-24 | WatchDog Security GRC Team | Initial publication |