Mobile Device Security: Corporate-Owned Personally-Enabled

Corporate-Owned Personally-Enabled (COPE) architectures provide the flexibility of allowing both enterprises and employees to install applications onto organization-owned mobile devices. The goal of the Mobile Device Security: Corporate-Owned Personally-Enabled project is to provide an example solution demonstrating how the security and privacy of organization-owned mobile devices can be enhanced.

Cybersecurity guidance for a clear and repeatable reference mobile architecture that an organization can use to grant secure access while preserving privacy for end users or other organizations that own data on the device

This NIST guidance details tools for an on-premises located enterprise mobility management (EMM) capability, mobile threat defense (MTD), mobile threat intelligence (MTI), application vetting, secure boot/image authentication, and virtual private network (VPN) services. The example solution also provides information on the specific products used, the security control(s) the product provides, and a mapping to the relevant NIST SP 800-181, National Initiative for Cybersecurity Education (NICE) Workforce Framework for Cybersecurity Work Roles. When combined into the practice guide’s example solution, the security tools help improve the security of enterprise-owned mobile devices.
Status: Finalized Guidance

Upon review, we recognize that this NIST/NCCoE publication contains potentially biased terminology. As new publications are developed, they will follow NIST’s inclusive language guidance.

NIST SP 1800-21: Complete Guide (HTML)Web Version NIST SP 1800-21: Complete Guide (HTML)
NIST SP 1800-21: Complete Guide (PDF)Web Version NIST SP 1800-21: Complete Guide (PDF)
NIST SP 1800-21A: Executive SummaryDocument Version NIST SP 1800-21A: Executive Summary
NIST SP 1800-21B: Approach, Architecture, and Security CharacteristicsDocument Version NIST SP 1800-21B: Approach, Architecture, and Security Characteristics

Project Abstract

Mobile devices provide access to vital workplace resources while giving employees the flexibility to perform their daily activities. Securing these devices is essential to the continuity of business operations.

While mobile devices can increase efficiency and productivity, they can also leave sensitive data vulnerable. Mobile device management tools can address such vulnerabilities by helping secure access to networks and resources. These tools are different from those required to secure the typical computer workstation.

This practice guide focuses on security enhancements that can be made to corporate-owned personally-enabled (COPE) mobile devices. COPE devices are owned by an enterprise and issued to an employee. Both the enterprise and the employee can install applications onto the device.

To address the challenge of securing COPE mobile devices while managing risks, the NCCoE at NIST built a reference architecture to show how various mobile security technologies can be integrated within an enterprise’s network.

This NIST Cybersecurity Practice Guide demonstrates how organizations can use standards-based, commercially available products to help meet their mobile device security and privacy needs.

Read the project description

Organizationally owned and end user configurable mobile devices provide access to vital workplace resources while giving employees flexibility while performing their daily activities on organizationally owned devices.

Collaborating Vendors

Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution.


Join the Community of Interest

Employee speaking on video call with colleagues on online briefing with laptop at home

A Community of Interest (COI) is a group of professionals and advisors who share business insights, technical expertise, challenges, and perspectives to guide NCCoE projects. COIs often include experts, innovators, and everyday users of cybersecurity and privacy technologies. Share your expertise and consider becoming a member of this project's COI. 

Tell us about yourself

First & Last Name