All corporate phones enrolled in MDM
Demonstrate that all corporate-owned mobile phones currently in active use are enrolled in the organization's MDM solution and subject to centrally managed security policies.
Description
What this control does
This control requires that all corporate-issued mobile phones are enrolled in a Mobile Device Management (MDM) platform before being deployed to employees. The MDM system enforces security policies including passcode requirements, encryption, remote wipe capability, application whitelisting/blacklisting, and configuration baselines. Enrollment keeps devices under organizational visibility and control throughout their lifecycle, enabling rapid response to security incidents and consistent application of corporate security standards. The control applies to smartphones used for business purposes, regardless of operating system (iOS or Android).
Control objective
What auditing this proves
Demonstrate that all corporate-owned mobile phones currently in active use are enrolled in the organization's MDM solution and subject to centrally managed security policies.
Associated risks
Risks this control addresses
- Unmanaged devices with weak or no passcodes allow unauthorized access to corporate email, documents, and applications if lost or stolen
- Lack of remote wipe capability prevents timely data sanitization when devices are compromised or lost, or when an employee's employment ends
- Unenrolled devices cannot be forced to apply critical OS security patches, leaving exploitable vulnerabilities active in the field
- Absence of MDM visibility prevents detection of jailbroken or rooted devices that bypass platform security controls
- Employees install high-risk or malicious applications that exfiltrate corporate data or credentials without organizational oversight
- Non-compliant device configurations (disabled encryption, outdated OS versions) persist undetected, creating entry points for attackers
- Inability to enforce network access policies allows unmanaged devices to connect to internal resources and move laterally during breaches
Testing procedure
How an auditor verifies this control
- Obtain a complete inventory of all corporate-issued mobile phones from asset management records, including device serial numbers, models, assigned users, and purchase/deployment dates
- Export the current device enrollment list from the MDM console showing all enrolled devices with serial numbers, enrollment dates, user assignments, and last check-in timestamps
- Reconcile the asset inventory against the MDM enrollment list to identify any corporate phones not present in the MDM system
- Select a statistical sample of enrolled devices (minimum 25 devices or 10% of population, whichever is greater) and verify each device appears in the MDM console with active status
- Review MDM policy configurations to confirm security baselines are defined, including passcode complexity, encryption requirements, remote wipe enablement, and OS version minimums
- For sampled devices, validate that assigned security policies are actively applied by reviewing device compliance status reports and last policy synchronization timestamps
- Interview IT administrators to understand the device provisioning workflow and confirm MDM enrollment occurs before device handoff to employees
- Test enforcement mechanisms by reviewing documented cases of non-compliant devices being blocked from network access or flagged for remediation
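The reconciliation in the first three steps and the sample-size rule from the fourth, as an added Python example that is not part of this control page. The CSV exports, their column names and the 30-day "stale check-in" threshold are constructed assumptions; map the columns to what your asset register and MDM console actually emit.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample exports, not real data. Column names are assumptions;
# map them to what your asset register and MDM console actually emit.
ASSET_CSV = """serial,model,assigned_user,deployed
C02AAA001,iPhone 14,alice,2023-03-01
C02AAA002,Pixel 7,bob,2023-04-12
C02AAA003,iPhone 13,carol,2022-11-20
C02AAA004,Galaxy S23,dave,2024-01-15
"""
MDM_CSV = """serial,enrolled,user,last_checkin,compliant
C02AAA001,2023-03-01,alice,2024-05-30,true
C02AAA002,2023-04-12,bob,2024-04-02,true
C02AAA004,2024-01-15,dave,2024-05-29,false
C02ZZZ999,2023-01-01,erin,2024-05-30,true
"""
STALE_AFTER = timedelta(days=30)  # assumed threshold for "not checking in"

def load(text):
    """Parse a CSV export into a dict keyed by device serial number."""
    return {row["serial"]: row for row in csv.DictReader(io.StringIO(text))}

def sample_size(population):
    """Rule from the testing procedure: 25 devices or 10%, whichever is greater."""
    return max(25, -(-population // 10))  # -(-n // 10) is ceil(n / 10)

def reconcile(asset_csv, mdm_csv, as_of):
    """Compare the asset register with the MDM enrollment list and flag
    issued-but-unenrolled phones (the control failure), enrolled devices unknown
    to asset management, stale check-ins, and MDM-reported non-compliance."""
    as_of = datetime.strptime(as_of, "%Y-%m-%d")
    assets, mdm = load(asset_csv), load(mdm_csv)
    findings = {
        "unenrolled": sorted(set(assets) - set(mdm)),
        "not_in_inventory": sorted(set(mdm) - set(assets)),
        "stale": [],
        "noncompliant": [],
        "sample_size": sample_size(len(assets)),
    }
    for serial in sorted(set(assets) & set(mdm)):
        row = mdm[serial]
        last_seen = datetime.strptime(row["last_checkin"], "%Y-%m-%d")
        if as_of - last_seen > STALE_AFTER:
            findings["stale"].append(serial)
        if row["compliant"].strip().lower() != "true":
            findings["noncompliant"].append(serial)
    return findings
```

Any serial in `unenrolled` is a direct control failure; `not_in_inventory` points at an asset-register gap that the auditor should also raise, since the MDM list cannot be trusted as complete without it.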
Where this control is tested