Mobile Solutions
Managing mobile devices through MDM solutions, deployment models including BYOD, COPE, and CYOD, connection methods, and security controls for enterprise mobile environments.
Understanding Mobile Solutions
Mobile devices create unique security challenges—they leave the corporate network, mix personal and business data, and can be easily lost or stolen. Effective mobile solutions balance security controls with user experience.
Key mobile security elements:
- MDM/EMM — Centralized device management
- Deployment models — BYOD, COPE, CYOD
- Containerization — Separating work and personal
- Connection security — VPN, certificates
The 2020 Twitter hack began when attackers socially engineered employees working from home on personal devices, gaining access to internal tools. Proper mobile security policies—including device management and access controls—could have limited the attack surface.
Mobile security requires both technical controls AND policy enforcement.
Why This Matters for the Exam
Mobile solutions are heavily tested on SY0-701 because mobile devices are now essential to business operations. Questions cover MDM capabilities, deployment models, and appropriate controls.
Understanding mobile security helps with endpoint management, data protection, and compliance. Mobile devices often contain the most sensitive data and are the most vulnerable endpoints.
The exam tests recognition of deployment models and appropriate security controls.
Deep Dive
What Is Mobile Device Management (MDM)?
MDM provides centralized control over mobile devices in an enterprise environment.
MDM Capabilities:
| Capability | Description |
|---|---|
| Device enrollment | Register devices for management |
| Policy enforcement | Push security configurations |
| App management | Control installed applications |
| Remote wipe | Erase device data remotely |
| Location tracking | Find lost devices |
| Compliance monitoring | Verify device meets standards |
MDM Architecture:
[MDM Server]
|
| (Management commands)
|
[Mobile Devices]
- iOS
- Android
- Windows Mobile
Capabilities:
- Push configurations
- Monitor compliance
- Deploy apps
- Remote lock/wipe
MDM vs EMM vs UEM:
| Term | Scope |
|---|---|
| MDM | Device management (basic) |
| EMM | Enterprise mobility (MDM + MAM + MCM) |
| UEM | Unified endpoint (mobile + desktop) |
What Are Mobile Deployment Models?
BYOD (Bring Your Own Device):
- Employee owns device
- Employee chooses device
- Personal and work use
Pros:
+ Employee satisfaction
+ Lower device costs
+ Latest technology
Cons:
- Less control
- Privacy concerns
- Support complexity
- Data protection challenges
COPE (Corporate-Owned, Personally Enabled):
- Company owns device
- Company chooses device
- Personal use allowed
Pros:
+ Full control
+ Standardized devices
+ Clear ownership
+ Personal use benefit
Cons:
- Higher cost
- Privacy boundaries needed
- Support responsibility
CYOD (Choose Your Own Device):
- Company owns device
- Employee chooses from approved list
- Personal use may be allowed
Pros:
+ Employee choice (limited)
+ Standardized support
+ Company control
+ User satisfaction
Cons:
- Multiple device types
- Approved list maintenance
- Moderate cost
COBO (Corporate-Owned, Business Only):
- Company owns device
- Work use only
- No personal use
Pros:
+ Maximum control
+ Simple policy
+ No personal data concerns
Cons:
- Employees carry two devices
- Lower satisfaction
- Full cost on company
Deployment Model Comparison:
| Model | Ownership | Control | Personal Use |
|---|---|---|---|
| BYOD | Employee | Limited | Yes |
| COPE | Company | Full | Yes |
| CYOD | Company | Full | Maybe |
| COBO | Company | Full | No |
What Is Containerization?
Containerization separates work and personal data on mobile devices.
Container Benefits:
Work container:
- Encrypted storage
- Managed applications
- Remote wipeable
- Corporate policy applied
Personal area:
- User's own apps/data
- Privacy maintained
- Not remotely wipeable
- Not monitored
Container Architecture:
[Mobile Device]
┌─────────────────────────────┐
│ Personal Area               │
│ - Personal apps             │
│ - Personal photos           │
│ - Social media              │
│ - Not managed               │
├─────────────────────────────┤
│ Work Container              │
│ ┌─────────────────────┐     │
│ │ Corporate Email     │     │
│ │ Work Documents      │     │
│ │ Business Apps       │     │
│ │ Encrypted           │     │
│ │ Remotely wipeable   │     │
│ └─────────────────────┘     │
└─────────────────────────────┘
What Are Mobile Connection Methods?
Cellular:
| Consideration | Security Implication |
|---|---|
| Carrier network | Outside corporate control |
| Data exposure | Carrier can see traffic |
| Coverage | Works most places |
| VPN | Required for sensitive access |
WiFi:
| Type | Security |
|---|---|
| Corporate | Trusted, WPA3/Enterprise |
| Public | Untrusted, VPN required |
| Home | Variable, policy needed |
Mobile VPN:
Purpose:
- Encrypt all traffic
- Access corporate resources
- Protect on untrusted networks
Types:
- Always-on VPN
- Per-app VPN
- On-demand VPN
What Security Controls Apply to Mobile?
Authentication:
| Control | Implementation |
|---|---|
| Screen lock | PIN, password, biometric |
| MFA | App-based, push notification |
| Certificate | Device certificates for access |
| Conditional access | Location/network based |
Data Protection:
| Control | Purpose |
|---|---|
| Encryption | Protect data at rest |
| DLP | Prevent data leakage |
| Remote wipe | Erase lost devices |
| Backup restrictions | Control where data goes |
Application Management:
| Control | Description |
|---|---|
| App allow list | Only approved apps |
| App block list | Prohibited apps |
| Enterprise app store | Internal app distribution |
| App wrapping | Add security to apps |
How CompTIA Tests This
Example Analysis
Scenario: A law firm needs to enable attorneys to access client documents from mobile devices. Requirements: strict data protection, attorney-owned devices, separation of personal and work data, ability to wipe firm data if device is lost.
Analysis - Mobile Security Solution:
Requirements Analysis:
| Requirement | Implication |
|---|---|
| Attorney-owned devices | BYOD model |
| Strict data protection | Encryption, DLP |
| Data separation | Containerization |
| Remote wipe | MDM with selective wipe |
Recommended Solution:
Deployment Model: BYOD with Containerization
Why BYOD:
- Attorneys expect personal device use
- Various device preferences
- Lower firm cost
Why containerization:
- Clear separation of data
- Can wipe work without personal
- Privacy maintained
- Meets legal/ethical requirements
MDM Configuration:
| Setting | Configuration |
|---|---|
| Enrollment | User-initiated, approved |
| Container | Mandatory for all devices |
| Encryption | Required (container encrypted) |
| PIN policy | 6+ character complex PIN |
| Biometric | Allowed for convenience |
| Remote wipe | Container only (selective) |
Work Container Contents:
Applications:
- Secure email (Outlook, managed)
- Document access (OneDrive/SharePoint)
- Secure browser for intranet
- Firm-specific apps
Data:
- Client documents
- Email and attachments
- Calendar/contacts (work)
- Cached credentials
Security:
- Encrypted storage
- Copy/paste restrictions
- Screenshot prevention
- No backup to personal cloud
Connection Security:
VPN: Per-app VPN for work apps
- Automatic connection when work app opens
- Traffic encrypted to firm network
- No VPN for personal apps
WiFi:
- Corporate WiFi profile pushed
- Public WiFi requires VPN
- Untrusted network detection
Certificate:
- Device certificates for authentication
- MDM-managed certificate lifecycle
Compliance Policy:
Device must have:
✓ Supported OS version
✓ No jailbreak/root
✓ Encryption enabled
✓ PIN/biometric enabled
✓ MDM profile active
If non-compliant:
- Block access to work apps
- Notify user
- Grace period for remediation
- Escalate to IT if unresolved
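The compliance policy above, worked through as an added example (not part of the original page and not any MDM product's code): the five device checks and the non-compliance steps in Python. The minimum OS versions, the 72-hour grace period, and all class, function and action names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumptions (not from the page): minimum OS versions and grace-period length.
MIN_OS = {"ios": (17, 0), "android": (14, 0)}
GRACE_PERIOD = timedelta(hours=72)

@dataclass
class DevicePosture:
    platform: str
    os_version: tuple
    jailbroken_or_rooted: bool
    encryption_enabled: bool
    screen_lock_enabled: bool  # PIN or biometric
    mdm_profile_active: bool

def failed_checks(d):
    """Names of the five 'device must have' checks that this device fails."""
    minimum = MIN_OS.get(d.platform)  # unknown platform counts as unsupported
    checks = {
        "supported_os": minimum is not None and d.os_version >= minimum,
        "no_jailbreak_root": not d.jailbroken_or_rooted,
        "encryption": d.encryption_enabled,
        "screen_lock": d.screen_lock_enabled,
        "mdm_profile": d.mdm_profile_active,
    }
    return [name for name, ok in checks.items() if not ok]

def evaluate(d, first_failed_at, now):
    """Apply the non-compliance steps; first_failed_at is None on first failure."""
    failures = failed_checks(d)
    if not failures:
        return {"work_apps": "allow", "failures": [], "actions": []}
    deadline = (first_failed_at or now) + GRACE_PERIOD
    actions = ["notify_user"]
    # Work apps are blocked at once; the grace period only delays escalation.
    actions.append("escalate_to_it" if now > deadline else "await_remediation")
    return {"work_apps": "block", "failures": failures,
            "actions": actions, "remediate_by": deadline}

if __name__ == "__main__":
    now = datetime(2024, 5, 1, 9, 0)  # constructed sample data
    rooted = DevicePosture("android", (14, 0), True, True, True, True)
    print(evaluate(rooted, None, now))
    print(evaluate(rooted, now - timedelta(days=4), now))
```

Treating an unrecognised platform as a failed OS check keeps the policy fail-closed: a device the rules do not describe is blocked from work apps rather than allowed by default.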
Key insight: BYOD with containerization balances attorney preferences with security requirements. The firm can wipe the work container without affecting personal data, maintaining data protection while respecting privacy. Per-app VPN ensures work traffic is protected without impacting personal usage.
Memory Trick
Deployment Models - "BCCC":
- BYOD = Bring (You own it)
- COPE = Company Owns, Personal Enabled
- CYOD = Choose Your Own Device (from list)
- COBO = Company Owns, Business Only
Control Level Order:
"BYOD = Least control"
"COBO = Most control"
BYOD < CYOD < COPE < COBO
Containerization Rule:
"Container = Company Can Clean"
Work container is wipeable, personal isn't
MDM Capabilities - "PEARL":
- Policy enforcement
- Enrollment management
- App management
- Remote wipe
- Location tracking
BYOD Privacy Rule:
"Your device, your data—our container, our rules"
Can't touch personal, can wipe work container
Test Your Knowledge
Q1. An organization wants employees to use their personal phones for work email but needs to protect corporate data. Which deployment model is MOST appropriate?
Q2. Which mobile deployment model provides the company with MAXIMUM control over devices?
Q3. A user's BYOD phone is lost. IT performs a remote wipe of the work container. What happens to personal photos?