Skip to main content

Securing Your Mobile Device

Most of us use our personal phones for work, and that's okay. But it creates real security questions: What happens if your phone is lost or stolen? Who can see your work data? What if your org needs to manage your device? There's no single right answer, and the right approach depends on your role, your organization, and the sensitivity of what you're working with.

If you work with confidential data like client records, legal documents, source information, immigration files, or donor details, the stakes are higher and some of these steps move from "good idea" to "essential."

1. Lock Your Device

A strong lock screen is your first line of defense if your phone is lost, stolen, or handed to someone else.

  • Use a PIN of at least 6 digits or a strong alphanumeric passcode. Avoid patterns and 4-digit PINs.
  • Face ID and fingerprint unlock are convenient and secure but not sufficient on their own. Always require a passcode as the fallback.
  • Set your screen to lock automatically after no more than 1–2 minutes of inactivity.
  • Enable "Erase data after failed attempts" if you carry particularly sensitive information.

Higher-sensitivity roles: Consider disabling biometric unlock entirely and using a strong passcode only, particularly especially for border crossings or high-risk situations. Border agents can legally compel biometric unlock in ways they cannot compel a passcode.

2. Review App Permissions

Apps routinely request access to your location, contacts, camera, and microphone, often more than they need.

  • Go through your app permissions periodically: Settings → Privacy (iPhone) or Settings → Apps (Android).
  • Revoke location access for apps that don't need it. Choose "While Using" rather than "Always" where possible.
  • Disable microphone and camera access for apps that have no clear need for it.
  • Uninstall apps you no longer use. Dormant apps can still collect data.

Work accounts specifically: Be thoughtful about which apps have access to your work email or calendar. A personal productivity app like Asana or Trello connected to your work Google account could expose more than you intend.

3. Keep a Boundary Between Work and Personal Data

When your personal phone is also your work phone, data can mix in ways that are hard to untangle. A few strategies help keep things separate:

  • Use your work email account (e.g., Google Workspace) through a dedicated app (like the the Gmail app) rather than the Mail app, which combines personal and work inboxes.
  • Android work profiles: Some organizations use MDM tools (see section 4) to set up a dedicated work profile — a separate section on your phone for work apps. This keeps work data isolated even if your personal apps are compromised.
  • Avoid storing work documents in personal cloud storage (personal Google Drive, iCloud, Dropbox). Use your organization's designated storage (Google Workspace, Tresorit, or another approved service).
  • Use a dedicated secure messaging app like Signal for sensitive conversations, rather than SMS or personal messaging platforms.

4. Mobile Device Management (MDM)

MDM software allows an organization to remotely manage devices, enforcing security policies, pushing updates, and wiping a lost or stolen device. If your organization uses MDM (such as Jamf, Microsoft Intune, or Google Endpoint), they may ask to install a profile on your personal device.

What MDM can do on your device:

  • Enforce passcode requirements and encryption
  • Remotely wipe the device if it's lost or stolen
  • Require software updates
  • Limit or monitor work-related apps and data

MDM profiles give your organization visibility into and control over the portions of your device covered by the profile. Before installing, ask your IT contact exactly what the profile can see and do.

If installing MDM on a personal device feels like too much of an intrusion, it's worth discussing with your organization whether they can provide a dedicated work device instead.

5. Keep Your Phone Updated

Software updates patch security vulnerabilities. An unpatched phone, even one with a good passcode, can be compromised through known holes in the device's software.

  • Enable automatic OS updates on your phone.
  • Update your apps regularly, or enable automatic app updates.
  • Don't ignore "your software is out of date" warnings! These often address active vulnerabilities.
Back to top