AC-4 / SC-7 / MP-6 / A.6.2.1 / A.8.1.3 / CIS-13.6; NIST SP 800-124 Rev 2

Containerised work profile (BYOD)

Demonstrate that corporate data and applications on BYOD devices are isolated within containerised work profiles that enforce policy-based controls and prevent unauthorised data transfer to the personal device environment.

Description

What this control does

Containerised work profiles (also known as work profile containers or managed profiles) enforce logical separation on personally owned mobile devices by isolating enterprise applications, data, and credentials into a separate encrypted partition or profile. This approach enables BYOD policies by allowing employees to use personal devices while ensuring corporate data remains segregated, subject to mobile device management (MDM) policies, and remotely wipeable without affecting personal content. The containerisation layer applies distinct authentication, encryption, network, and data-sharing policies exclusively to work applications, preventing data leakage between the personal and work contexts.

Control objective

What auditing this proves

Demonstrate that corporate data and applications on BYOD devices are isolated within containerised work profiles that enforce policy-based controls and prevent unauthorised data transfer to the personal device environment.

Associated risks

Risks this control addresses

  • Exfiltration of corporate data to unmanaged personal applications via clipboard sharing, file transfers, or screen capture mechanisms outside the work container
  • Unauthorised access to corporate credentials or tokens stored in work profiles through compromise of the personal device environment or rooted/jailbroken operating systems
  • Loss or theft of BYOD devices resulting in exposure of corporate data if containerised profiles lack independent encryption or authentication
  • Malicious applications in the personal environment intercepting work profile communications through network traffic analysis or man-in-the-middle attacks
  • Users bypassing containerisation by manually re-keying sensitive data from work applications into personal applications or cloud storage
  • Failure to remotely wipe work profiles when employees leave or devices are reported compromised, leaving corporate data accessible
  • Incompatibility or misconfiguration of MDM policies causing work containers to operate without required security controls such as screen lock, storage encryption, or application whitelisting

Testing procedure

How an auditor verifies this control

  1. Obtain and review the organisation's BYOD policy, MDM platform documentation, and work profile configuration standards to identify approved containerisation technologies and mandatory security settings.
  2. Export and analyse MDM policy templates applied to work profile containers, verifying configurations for encryption, authentication requirements, clipboard restrictions, screenshot prevention, application whitelisting, and data-sharing controls.
  3. Select a representative sample of enrolled BYOD devices across operating systems (Android Enterprise work profiles, iOS/iPadOS managed Apple IDs) and obtain device inventory reports showing work profile deployment status.
  4. Perform hands-on testing on sample BYOD devices by attempting to transfer files, copy text, share screenshots, and open work documents in personal applications to validate data-sharing restrictions.
  5. Review MDM compliance reports and device posture logs to verify that devices with work profiles meet minimum security baselines including operating system versions, patch levels, absence of jailbreak/root detection, and biometric or PIN enforcement.
  6. Test remote wipe functionality by simulating a device loss scenario and verifying that selective wipe commands remove only the work profile container while leaving personal data intact, then review wipe completion logs.
  7. Interview a sample of BYOD users to confirm their understanding of work profile boundaries, acceptable use policies, and procedures for reporting lost or compromised devices.
  8. Examine access logs and authentication events from enterprise applications accessed via work profiles to validate that only enrolled, compliant devices successfully connect to corporate resources.

Evidence required

Auditors collect MDM platform configuration exports showing work profile policies (encryption, clipboard control, screenshot restrictions, application lists), device enrolment inventory reports listing BYOD devices with active work profiles, screenshots or screen recordings demonstrating attempted and blocked cross-profile data transfers, MDM compliance dashboards showing device posture checks and non-compliant device alerts, remote wipe logs evidencing successful selective wipe operations, and user acknowledgement records for BYOD acceptable use policies.

Pass criteria

All sampled BYOD devices with corporate access have active containerised work profiles enforcing configured policies that demonstrably prevent unauthorised data transfer between work and personal environments, meet minimum security baselines, and support selective remote wipe without affecting personal data.
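Steps 2 and 5 of the procedure (reviewing the exported work profile policy and the device posture reports) lend themselves to a repeatable check rather than eyeballing a dashboard. The script below is an added example, not part of this control page or of any MDM vendor's tooling: it scores a policy export and a device inventory against the pass criteria above and returns findings per item. The policy field names (`screenCaptureDisabled`, `crossProfilePolicies`, `playStoreMode`, `passwordPolicies`) are modelled on the Android Management API Policy resource and should be treated as an assumption to be checked against your own MDM's export format; the device records use a constructed, hypothetical schema, and all sample values are constructed.

```python
"""Audit helper: evaluate a work-profile policy export and device posture
records against this control's pass criteria.

Added example (not from the page). Policy field names follow the Android
Management API Policy resource (assumption: verify against your MDM's export);
device records use a constructed, hypothetical schema.
"""
import json
from datetime import date

# Constructed sample: work-profile policy as exported from the MDM (assumed shape).
# One weak setting is deliberately present so the check has something to flag.
POLICY_EXPORT = {
    "name": "enterprises/EXAMPLE/policies/byod-work-profile",
    "screenCaptureDisabled": True,
    "playStoreMode": "WHITELIST",
    "crossProfilePolicies": {
        "crossProfileCopyPaste": "COPY_FROM_WORK_TO_PERSONAL_DISALLOWED",
        "crossProfileDataSharing": "CROSS_PROFILE_DATA_SHARING_ALLOWED",  # weak
    },
    "passwordPolicies": [
        {"passwordScope": "SCOPE_PROFILE", "passwordQuality": "NUMERIC_COMPLEX",
         "passwordMinimumLength": 6}
    ],
}

# Constructed sample: device posture records (hypothetical schema, not an MDM format).
DEVICES = [
    {"id": "dev-001", "work_profile": True, "rooted": False,
     "os_version": 14, "patch_level": "2024-05-01", "profile_lock": True},
    {"id": "dev-002", "work_profile": True, "rooted": True,
     "os_version": 13, "patch_level": "2023-11-01", "profile_lock": True},
    {"id": "dev-003", "work_profile": False, "rooted": False,
     "os_version": 14, "patch_level": "2024-05-01", "profile_lock": False},
]

# Minimum baseline the organisation's BYOD standard is assumed to require.
BASELINE = {"min_os": 13, "max_patch_age_days": 90, "min_pin_length": 6,
            "as_of": date(2024, 6, 1)}


def check_policy(policy, baseline=BASELINE):
    """Return findings for the policy; an empty list means it meets the baseline."""
    findings = []
    if policy.get("screenCaptureDisabled") is not True:
        findings.append("screenshots not blocked in work profile")
    cross = policy.get("crossProfilePolicies", {})
    if cross.get("crossProfileCopyPaste") != "COPY_FROM_WORK_TO_PERSONAL_DISALLOWED":
        findings.append("clipboard copy from work to personal allowed")
    if cross.get("crossProfileDataSharing") != "DATA_SHARING_FROM_WORK_TO_PERSONAL_DISALLOWED":
        findings.append("work-to-personal data sharing (share sheet) allowed")
    if policy.get("playStoreMode") != "WHITELIST":
        findings.append("application allow-listing not enforced")
    profile_pw = [p for p in policy.get("passwordPolicies", [])
                  if p.get("passwordScope") == "SCOPE_PROFILE"]
    if not profile_pw:
        findings.append("no work-profile password policy")
    elif profile_pw[0].get("passwordMinimumLength", 0) < baseline["min_pin_length"]:
        findings.append("work-profile PIN shorter than baseline")
    return findings


def check_device(dev, baseline=BASELINE):
    """Return findings for one device posture record."""
    findings = []
    if not dev["work_profile"]:
        findings.append("no active work profile")
    if dev["rooted"]:
        findings.append("device rooted/jailbroken")
    if dev["os_version"] < baseline["min_os"]:
        findings.append("OS below minimum version")
    patch_age = (baseline["as_of"] - date.fromisoformat(dev["patch_level"])).days
    if patch_age > baseline["max_patch_age_days"]:
        findings.append(f"security patch {patch_age} days old")
    if not dev["profile_lock"]:
        findings.append("work profile lock not set")
    return findings


def audit(policy, devices):
    """Aggregate verdict in the shape of the control's pass criteria."""
    policy_findings = check_policy(policy)
    device_findings = {d["id"]: f for d in devices if (f := check_device(d))}
    return {"pass": not policy_findings and not device_findings,
            "policy": policy_findings, "devices": device_findings}


if __name__ == "__main__":
    print(json.dumps(audit(POLICY_EXPORT, DEVICES), indent=2))
```

Run as-is, the sample fails on the share-sheet setting and on two of the three devices (one rooted with a stale patch level, one with no work profile), which is the kind of output an auditor would attach to the evidence pack alongside the raw export. The patch-age window and minimum OS version are placeholders for whatever the organisation's own baseline document specifies.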

Where this control is tested

Audit programs including this control