Why fleet devices for company use should do less — and why that is a security posture, not a cost cut
This post reflects our perspective on fleet device policy. It is a starting point for discussion — not legal advice, a security audit, or a product recommendation.
The Device That Does Everything Is the Device That Can Lose Everything
The combined personal-business smartphone is so normal now that questioning it feels almost quaint. Employees carry one device. It has their personal email and their work email, their banking app and the corporate VPN, their family photos and the company's customer list. It is convenient. It is also, from a security standpoint, an unnecessary problem.
This post is not about employees being untrustworthy. It is not about surveillance. It is about a basic principle of attack surface reduction: every app installed on a device that touches corporate data is a potential entry point. A device carrying thirty consumer apps plus corporate credentials is a materially larger target than a device carrying six purpose-built ones.
For companies with intellectual property, trade secrets, regulated data, or any meaningful reason to care about what leaves the building — the combined personal-corporate device is a risk that does not need to exist.
No serious company in 2026 should be mixing corporate security with personal phone conveniences. The tools to do otherwise are cheap, the hardware is affordable, and the argument for separation has never been stronger. The only reason it still happens is inertia.
The Firewall Principle — and Why the Modern Phone Violates It
Every fundamental IT security architecture is built on the same rule: default closed, open what you need. A firewall does not start by permitting all traffic and then try to block the bad stuff. It starts by denying everything, and opens only the specific ports and protocols the business requires. This is not a preference. It is the foundational principle. Permit-by-exception. Deny-by-default.
The modern consumer smartphone is the exact opposite. It ships with everything open. Dozens of pre-installed applications. Background services running continuously. Network connections established before the user installs a single app of their own. Permissions granted at setup that persist indefinitely. The model is: here is everything, configure what you want to restrict.
That is the antithesis of every security principle IT has developed over the last forty years.
You cannot secure a device by starting maximally open and trying to close what you don't want. The attack surface is established the moment the device is provisioned. Every app already installed, every permission already granted, every background connection already running — these exist before your MDM policy touches the device. You are not securing a clean surface. You are trying to reduce an already-compromised one.
A dedicated corporate device, configured from first boot with only what the role requires, starts from the correct position. The surface is defined. The permissions are deliberate. The connections are known. This is how you are supposed to build secure systems. The consumer smartphone made the world forget that, because convenience won. For personal use, that tradeoff is a choice. For corporate fleet devices handling IP and trade secrets, it is not a tradeoff worth making.
What Most Business Users Actually Need on a Phone
Strip away the assumption that a work phone is a consumer smartphone with MDM bolted on, and the actual requirements for most corporate mobile users are narrow.
Read, write, and respond to email. One app. A well-configured email client with remote-wipe capability covers most of what corporate mobile communication requires.
Browser
Web access through a corporate HTTP proxy. The proxy filters traffic, logs it, and keeps it off the public internet for sensitive lookups. A standard browser configured to route through the proxy handles this cleanly.
VPN
Access to internal systems when needed. One VPN client. Most employees who need internal access need exactly this and nothing more exotic.
Internal Apps
A small number of purpose-built internal tools if the role requires them — a work chat app, an internal directory, perhaps a ticketing or scheduling tool. These should be chosen deliberately, not defaulted to whatever the MDM vendor bundles.
That is the list for the vast majority of corporate mobile users. Not TikTok. Not a weather app. Not a pre-installed suite of carrier bloatware. Not forty background processes establishing connections to servers the IT department has never heard of.
Every App Is a Door
A modern smartphone shipped from the manufacturer contains dozens of pre-installed applications. Each one represents background processes, network connections, permissions that were granted at install time and rarely revisited, and a software supply chain that the device owner has no visibility into. A consumer user accepts this tradeoff in exchange for convenience. A corporate IT department should not.
When an employee also uses the device personally, the app count grows. Social media clients. Games. Photo editing tools. Shopping apps. Each one may request access to location, contacts, microphone, camera, storage. Each one has its own update cadence, its own third-party SDKs, its own advertising libraries. The permissions model on both major mobile platforms is better than it was five years ago. It is not good enough to make any of this irrelevant.
An attacker who wants access to corporate data does not need to breach the MDM container directly. They can compromise a personal app with broader permissions, move laterally to shared storage, harvest credentials from autofill, intercept clipboard data, or simply wait for a user to paste a password into the wrong field. The personal apps are not in the threat model for most corporate security policies. They should be.
None of this requires a sophisticated attacker. Phishing, credential stuffing, and social engineering work against consumer apps just as well as corporate ones. The personal half of a combined device is routinely the softer target.
The Case for Separation
The argument for a dedicated corporate device is straightforward: keep what matters on hardware that is owned, controlled, and configured by the company, and let employees manage their personal digital lives on their own hardware with their own risk tolerance.
This is not a novel idea. Governments and defence contractors have operated this way for decades. A cleared contractor does not check classified systems from their personal phone. The principle scales down cleanly to any organization with trade secrets, proprietary customer data, or regulatory obligations.
- Defined, auditable app inventory — you know exactly what runs on the device
- Clean data ownership — corporate data stays on corporate hardware
- Simpler MDM enforcement — no negotiation with personal app preferences
- Remote wipe without destroying an employee's personal photos
- Lower hardware cost — most business tasks run fine on mid-range devices
- Clear offboarding — the device comes back, and everything on it comes back with it
- Employees carry two devices — this is real friction, though most adapt quickly
- BYOD is cheaper — it transfers cost and risk to the employee, which is not the same as eliminating either
- Modern MDM containers are good enough — they are better than they were; they do not eliminate the problem described above
- Our employees won't accept it — this is a culture and policy question, not a security one
What a Boring Work Phone Actually Looks Like
The boring work phone is not a flagship device. It does not need to be. A mid-range Android device with a current security patch level, enrolled in MDM from first boot, running a curated app set, is a better corporate security posture than an expensive consumer device loaded with personal apps and half-heartedly partitioned.
The configuration is deliberately minimal. Remove or disable pre-installed applications that serve no business purpose. Configure the browser to route through a corporate proxy. Deploy the VPN client. Deploy email. If the role requires specific internal tools, deploy those. Lock down sideloading. Enforce screen lock. Enable remote wipe. Done.
What it is not: a spy phone. The goal is not to monitor employee behaviour. It is to control what software runs on hardware that touches company data. Those are different objectives, and confusing them is how corporate device policies earn legitimate employee resentment. A minimal fleet device respects both the company's security requirements and the employee's privacy — because the device is only handling work, there is nothing personal on it to surveil.
Most employees who receive a dedicated work phone continue using their personal phone for everything else. The work phone sits on their desk or in their bag. They pick it up for work communications and put it down again. This is fine. It is the point. A device used for a narrow set of well-defined tasks is a device with a narrow attack surface. Boring is the objective.
Who This Is For
This argument applies most directly to organizations where the cost of a breach is high relative to the cost of running a modest fleet: companies with IP that took years to develop, firms handling regulated personal data, organizations in defence or government supply chains, professional services firms with client confidentiality obligations.
It does not apply universally. A small business where the owner is the only employee and personal and professional life are genuinely intertwined is a different situation. A startup where everyone has a high risk tolerance and the data is not yet valuable enough to target is a different calculation.
But for any organization where someone has sat down and thought seriously about what it would cost to have the wrong files on the wrong server — the combined personal-business device is a risk you are accepting by default, not by analysis. A boring work phone is the analysis.