Separation and protection of work and personal data on iPhones, iPads and Androids

Mobile device management (MDM) is a known cure for the bring-your-own-device (BYOD) uprising hitting businesses today. However, fear of privacy intrusion and loss of personal data are major deterrents for the BYOD workforce, discouraging employees from enrolling in enterprise BYOD programs. IT administrators now have a responsibility to implement strategies that encourage BYOD adoption by alleviating these fears in their workforce.

A popular strategy for balancing personal and work interests is the segregation of device data, specifically personal (photos, music, and apps) and work (corporate email, documents, and apps). Read on for MDM best practices to separate and protect personal and work data on mobile devices.

At the start of device enrollment, IT must classify each device as personal or corporate. Relevant email, calendar, and contacts must be configured for the device, and the appropriate passcode and network settings must be applied. Restrictions apply to sending business emails and attachments from personal or third-party accounts. Once the device has been registered on the MDM platform, mobile policies must be applied to safeguard device data and network security.

A key driving factor for the success of a BYOD program is employee education. Fear of invasion of privacy and loss of personal data often discourages users from signing up for enterprise BYOD. Therefore, it is important for IT administrators to educate their employees on the benefits of BYOD. This may include what’s in it for them and what MDM strategies have been adopted to protect their privacy. Employees should be given a tour of the company’s BYOD program, one that covers the implications of violating BYOD policies. IT staff should also provide their BYOD workers with a list of allowed and restricted apps.

IT administrators should configure alerts and compliance actions for continuous monitoring of non-compliant events. Different actions must be configured for different device behaviors. For example, if the user travels abroad and their device is roaming-enabled, the MDM console should send alerts to both the user and the administrator. It is strongly recommended that IT administrators block rooted and/or jailbroken devices from entering or exiting the corporate network, and send alerts explaining why. Some MDM consoles allow IT administrators to pull device and app inventory reports that assess the health of their mobile ecosystem to determine if it is secure.
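The compliance actions described above can be expressed as rules evaluated over a device inventory. The following is an added example, not code from any MDM product; the record fields, action names, the restricted-app alert and the sample fleet are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical inventory record; field names are assumptions for this example,
# not the schema of any particular MDM console.
@dataclass
class Device:
    device_id: str
    platform: str            # "ios" or "android"
    compromised: bool        # jailbroken (iOS) or rooted (Android)
    roaming: bool            # roaming-enabled device currently abroad
    installed_apps: set = field(default_factory=set)

RESTRICTED_APPS = {"com.example.sideloader"}   # constructed restricted-app list
NOTIFY = ("user", "admin")                     # alerts go to both parties

def evaluate(device):
    """Return (action, recipients, reason) tuples for one device."""
    actions = []
    if device.compromised:
        state = "jailbroken" if device.platform == "ios" else "rooted"
        actions.append(("block_network", NOTIFY, f"device is {state}"))
    if device.roaming:
        actions.append(("alert", NOTIFY, "device is roaming abroad"))
    banned = sorted(device.installed_apps & RESTRICTED_APPS)
    if banned:
        actions.append(("alert", NOTIFY,
                        "restricted apps installed: " + ", ".join(banned)))
    return actions

def fleet_report(devices):
    """Inventory health report: which devices are compliant, which are blocked."""
    findings = {d.device_id: evaluate(d) for d in devices}
    return {
        "total": len(findings),
        "compliant": sorted(i for i, acts in findings.items() if not acts),
        "blocked": sorted(i for i, acts in findings.items()
                          if any(a[0] == "block_network" for a in acts)),
        "findings": findings,
    }

# Constructed sample inventory
FLEET = [
    Device("d1", "ios", False, False, {"com.example.mail"}),
    Device("d2", "android", True, False, {"com.example.sideloader"}),
    Device("d3", "ios", False, True),
]

if __name__ == "__main__":
    for dev_id, acts in fleet_report(FLEET)["findings"].items():
        print(dev_id, acts or "compliant")
```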

Mobile apps have redefined the smartphone experience, but have also become a gateway for malware and phishing attacks targeting smartphones and tablets. Therefore, it is important to have control of your mobile application ecosystem. A mobile application management (MAM) solution makes it easy to centrally manage and distribute applications. IT administrators can also include an enterprise app catalog in their MAM solution to distinguish personal apps from work-related apps. If a user is accessing business applications from an open, unsecured, public wireless signal, the MAM solution must authenticate and authorize access to corporate resources and enforce that it goes through a secure tunnel (easily accomplished by enforcing policies on mobile devices).

IT administrators should look for different options to securely share corporate documents through mobile devices. A popular methodology for the secure exchange of corporate documents is the implementation of a mobile catalog application on the device. IT administrators can develop an in-house application or choose a third-party application that not only facilitates centralized sharing and distribution of corporate documents, but also integrates with MDM policies and monitors document compliance status. With a MAM solution, IT can restrict corporate document sharing by unauthorized applications, thereby keeping document distribution details on devices.

One of the top concerns among the BYOD workforce is the exposure and loss of personal data on their device. BYOD workers often fear that their IT administrators could wipe data from the device without their consent if it is lost or stolen. This concern not only discourages employees from participating in the enterprise BYOD program, but also puts the organization’s reputation at risk (if the device hosts corporate data). To put this assumption to rest, IT can create separate groups for personal data and applications and for corporate data and applications. If the device is lost, IT can selectively wipe corporate content and choose to wipe a user’s personal data only with their consent.

BYOD privacy settings can also be leveraged by IT looking to curb the concerns of their workforce. With this MDM feature enabled, users can rest assured that their personally identifiable information (photos, music, personal location, and more) is under full protection, invisible to the administrator behind the management console. This practice often entices users to enroll in the BYOD program without protest.
