Prevent Installation of Unapproved Mobile Apps
Mobile devices block users from installing apps that are not approved by the organisation.
Plain language
This control makes sure that once a mobile device is set up for work, no one can install apps that the organisation hasn't approved. This is important because apps that aren't checked and approved could have security risks, like stealing data or crashing the device, which could lead to losing important business information or disrupting operations.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for enterprise mobility
Section
Mobile device management
Official control statement
Mobile devices prevent personnel from installing non-approved applications once provisioned.
Why it matters
Unapproved apps on corporate mobiles can lead to data theft or disruptions, harming business continuity and exposing sensitive information.
Operational notes
Use MDM to block non-approved apps after provisioning; alert on install attempts and review the approved app list regularly.
Implementation tips
- IT team should create a list of approved applications: Identify which apps are safe and necessary for business use and compile a list. Then ensure this list is accessible to staff who manage mobile devices.
- Mobile device manager should set restrictions: Use mobile device management (MDM) software to block installation of any apps not on the approved list. The software should be set up to automatically enforce these restrictions each time an organisational device connects to the network.
- HR or office manager should inform staff: Hold a brief training session to explain the importance of using only approved apps and the risks associated with unauthorised apps. This ensures everyone understands and follows the policy.
- Procurement should include app restrictions in device policies: When purchasing mobile devices, ensure contracts specify the need for app installation controls aligned with this policy. This might involve working closely with suppliers to maintain these controls.
- IT team should review apps regularly: Conduct periodic reviews to ensure the app list remains relevant and secure. Remove any apps that are no longer safe or necessary, and update the list accordingly.
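The operational note and the implementation tips above reduce to two checks: alert on install attempts of apps outside the approved list on provisioned devices, and confirm the approved list has been reviewed recently. The script below is an added example, not Control Stack or ISM material; the approved-list structure, the MDM event field names and the 90-day review cadence are assumptions, and all app identifiers and events are constructed.

```python
"""Added example: flag non-approved install attempts from MDM events and
check that the approved-app list is still within its review period."""
from datetime import date, timedelta

# Hypothetical approved-app list as the IT team might maintain it (assumed format).
APPROVED_APPS = {
    "last_reviewed": "2026-03-01",                      # constructed date
    "apps": {"com.example.mail", "com.example.chat"},   # constructed app IDs
}
REVIEW_PERIOD = timedelta(days=90)  # assumed review cadence, not an ISM value

# Constructed MDM install-attempt events. Real MDM exports use product-specific
# field names; map them onto these keys before calling the functions below.
MDM_EVENTS = [
    {"device": "dev-001", "provisioned": True,  "app": "com.example.mail", "action": "install"},
    {"device": "dev-001", "provisioned": True,  "app": "com.example.game", "action": "install"},
    {"device": "dev-002", "provisioned": False, "app": "com.example.game", "action": "install"},
    {"device": "dev-003", "provisioned": True,  "app": "com.example.chat", "action": "update"},
    {"device": "dev-003", "provisioned": True,  "app": "com.example.vpn",  "action": "install_blocked"},
]


def unapproved_install_alerts(events, approved):
    """One alert per install attempt of a non-approved app on a provisioned device.

    Blocked attempts are reported as well: 'enforced' False means the MDM
    restriction did not stop the install and needs follow-up; True means the
    control worked but the attempt is still worth reviewing."""
    alerts = []
    for ev in events:
        if not ev["provisioned"]:
            continue  # the control only applies once a device is provisioned
        if ev["action"] not in ("install", "install_blocked"):
            continue  # updates to already-approved apps are not install attempts
        if ev["app"] in approved["apps"]:
            continue
        alerts.append({"device": ev["device"], "app": ev["app"],
                       "enforced": ev["action"] == "install_blocked"})
    return alerts


def approved_list_is_current(approved, today_iso, period=REVIEW_PERIOD):
    """True if the approved list was reviewed within the review period."""
    last = date.fromisoformat(approved["last_reviewed"])
    return date.fromisoformat(today_iso) - last <= period


if __name__ == "__main__":
    for alert in unapproved_install_alerts(MDM_EVENTS, APPROVED_APPS):
        print(alert)
    print("approved list current:", approved_list_is_current(APPROVED_APPS, "2026-03-19"))
```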
Audit / evidence tips
- Ask: the list of approved apps. Request the document that details all apps allowed for installation. Good: will show a current list with a date of last review and reasons for any changes.
- Ask: device policy settings. Request a demonstration of the MDM settings on a sample mobile device. Good: shows strict controls preventing unapproved app installs.
- Ask: staff training records. Request documentation showing training sessions for staff about app policies. Good: includes signed attendance, topics covered, and dates.
- Ask: procurement policies. Request documents that outline procurement guidelines regarding device app restrictions. Good: shows clear instructions aligned with this control.
- Ask: recent audit or review reports. Request any recent audits or reviews about mobile device app installations. Good: highlights proactive measures taken based on the report's feedback.
Cross-framework mappings
How ISM-0863 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| E8-AC-ML1.3 | ISM-0863 requires that provisioned mobile devices prevent personnel from installing non-approved mobile applications | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.