Every employee carries a phone. Most of them connect to corporate email, calendar, MFA prompts, and increasingly the corporate document store. How much control does the company need over those phones? The answer determines the management model, the friction the employee feels, and the privacy concessions on both sides.
Three models
Corporate-Owned, Business-Only (COBO)
Company buys the phone. Company manages everything. Employee uses it only for work. Maximum control, maximum cost, minimum employee acceptance.
Corporate-Owned, Personally Enabled (COPE)
Company buys the phone, manages it, but allows personal use. Employee gets a nicer device than they'd buy themselves; company gets full management rights.
Bring Your Own Device (BYOD)
Employee owns the phone. Company manages only the corporate apps and data — via a work profile (Android) or managed apps (iOS). Privacy-respecting; less control.
MDM, MAM, MTD — the tools
- MDM (Mobile Device Management) — the platform manages the whole device. Push configuration profiles, enforce passcode policy, deploy apps silently, wipe the device remotely. Examples: Microsoft Intune, Jamf, VMware Workspace ONE, Kandji.
- MAM (Mobile Application Management) — the platform manages only specific corporate apps. The user keeps their phone; the company controls the work email app, the Teams app, the SharePoint sync. Implemented via app wrapping or platform-native containers.
- MTD (Mobile Threat Defense) — runtime security for mobile devices. Detects jailbreak/root, malicious apps, suspicious network connections, phishing URLs in SMS. Examples: Lookout, Zimperium, Wandera, Microsoft Defender for Endpoint.
- UEM (Unified Endpoint Management) — the marketing term that covers MDM + MAM + sometimes desktop management in one product. Intune is the canonical example.
Work profiles & managed apps
The most important capability for BYOD: separating corporate data from personal data on a device the user owns. Both platforms provide this:
- Android Work Profile. A separate cryptographically-isolated container on the device. Work apps live in the profile; personal apps live outside. Files, clipboard, notifications can be configured to bleed across or not. The work profile can be wiped without affecting personal data — the user keeps their photos when leaving the company. Default for any organization using Google Workspace's Android management or Intune-managed Android.
- iOS User Enrollment + Managed Apps. iOS doesn't have a fully separate work profile, but it offers User Enrollment for BYOD, where Apple-managed apps and accounts are isolated from personal ones. Photos and personal iCloud are off-limits to the management server. Apple verifies the separation; the MDM cannot see personal data even if the admin wanted to.
What enrollment can and can't see
| Category | COBO/COPE (full MDM) | BYOD work profile / user enrollment |
|---|---|---|
| App inventory | All apps | Only work-profile apps (Android); none (iOS UE) |
| Personal photos | Yes (corp-owned device) | No |
| Browser history | Possible via MTD | No |
| Location | Yes if configured | No |
| Phone calls / SMS | Logged on managed Android; no content on iOS | No |
| Remote wipe | Full device | Work profile only |
| Password policy | Enforced device-wide | Enforced on the work container only |
| App install/removal | Silent install & remove | In work profile only |
Common controls to enforce
- Passcode policy — minimum length, biometric required, auto-lock interval.
- Encryption — enforced (both iOS and modern Android are encrypted by default; verify it).
- OS version floor — reject enrollment on devices below a minimum iOS/Android version.
- Jailbreak/root detection — quarantine or wipe devices that fail attestation.
- Conditional access — integrate with the IdP so non-compliant devices cannot access corporate apps regardless of credentials.
- Network filtering — corporate VPN, DNS filtering for known-malicious domains.
- App allow-list — mainly for COBO/COPE; block specific app categories outright.
- Email/document policies — block sharing corporate content to personal apps, prevent copy/paste across the boundary.
When the employee leaves
The offboarding workflow is where management models prove themselves:
- COBO/COPE: remote wipe the entire device. Inventory it back. Done.
- BYOD with work profile / managed apps: selective wipe. The work profile (or all managed apps) is removed; the user keeps their device with all personal data intact. The user often doesn't even notice the management profile is gone until the corporate apps stop working.
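As an added example (not code from the original post or from any MDM vendor), the control set above and the offboarding rule expressed as a small compliance evaluator feeding a conditional-access decision. Field names, policy values and the posture report are assumptions; real MDM/MAM agents report posture through their own APIs.

```python
from dataclasses import dataclass

# Constructed policy values (assumptions, not from any vendor product).
POLICY = {"min_passcode_length": 6, "require_biometric": True,
          "max_autolock_seconds": 300, "require_encryption": True,
          "min_os_version": {"ios": (17, 0), "android": (13, 0)}}

@dataclass
class DeviceReport:
    """Posture as reported by the MDM/MAM agent (field names are assumptions)."""
    platform: str             # "ios" or "android"
    os_version: str           # e.g. "17.4.1"
    ownership: str            # "cobo", "cope" or "byod"
    passcode_length: int      # device passcode (corp-owned) or work-profile passcode (BYOD)
    biometric_enabled: bool
    autolock_seconds: int
    encrypted: bool
    attestation_passed: bool  # False when jailbreak/root detection fires

def parse_version(version: str) -> tuple:
    # "17.4.1" -> (17, 4, 1); tuple comparison handles differing lengths
    return tuple(int(part) for part in version.split("."))

def failed_controls(report: DeviceReport, policy=POLICY) -> list:
    """Names of the controls the device fails; an empty list means compliant."""
    failures = []
    if parse_version(report.os_version) < policy["min_os_version"][report.platform]:
        failures.append("os_version_floor")
    if not report.attestation_passed:
        failures.append("jailbreak_root")
    if report.passcode_length < policy["min_passcode_length"]:
        failures.append("passcode_length")
    if policy["require_biometric"] and not report.biometric_enabled:
        failures.append("biometric")
    if report.autolock_seconds > policy["max_autolock_seconds"]:
        failures.append("autolock")
    if policy["require_encryption"] and not report.encrypted:
        failures.append("encryption")
    return failures

def access_decision(report: DeviceReport, policy=POLICY) -> str:
    """Conditional-access verdict: failed attestation quarantines; any other failure blocks."""
    failures = failed_controls(report, policy)
    if "jailbreak_root" in failures:
        return "quarantine"
    return "block" if failures else "allow"

def offboard_action(report: DeviceReport) -> str:
    """Wipe scope at offboarding follows the ownership model."""
    return "work_profile_wipe" if report.ownership == "byod" else "full_device_wipe"
```

The point is that the IdP consumes the verdict, not the raw posture: a device that fails any control is denied corporate apps even with valid credentials.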
The cleanness of BYOD offboarding is the strongest argument for it. Employees keep their phones; companies don't lose data; nobody has to argue about who owns the device.
The choice of management model is a policy decision about how much control the company needs and how much friction it is willing to impose. COBO/COPE buy maximum control at high cost. BYOD with work profile / user enrollment buys most of the security benefit while preserving employee privacy, which makes it the right answer for most organizations in 2026.
Whatever model you pick, communicate the privacy boundaries clearly. The single largest source of friction in mobile management is employees not understanding what the company can and cannot see. Document it, publish it, and the rest of the program becomes much easier to roll out.