Enforce Policy with Evaluated Mobile Device Management
Use certified management solutions to ensure mobile devices follow security policies.
Plain language
This control ensures that mobile devices, like phones and tablets used for work, are managed by trustworthy software that follows strict Australian standards for security. If this isn't done, sensitive business information could be at risk if, for example, a device is lost or hacked.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for enterprise mobility
Section
Mobile device management
Official control statement
Mobile Device Management solutions that have completed a Common Criteria evaluation against the Protection Profile for Mobile Device Management, version 4.0 or later, are used to enforce mobile device management policy.
Why it matters
Without an MDM solution evaluated under Common Criteria against the MDM Protection Profile v4.0 or later, mobile device policy may not be reliably enforced, increasing the risk of data loss or compromise from stolen or unmanaged mobile devices.
Operational notes
Confirm the MDM product remains Common Criteria evaluated against the MDM PP v4.0+ and enforce enrolment, compliance checks and remote wipe for all managed mobile devices.
Implementation tips
- The IT manager should select a Mobile Device Management (MDM) solution that meets the Australian Common Criteria for security. This involves researching and selecting from certified solutions that comply with the latest version of the Protection Profile for MDM systems.
- IT staff must enrol all company mobile devices into the chosen MDM system. They can do this by following the setup guide provided by the MDM vendor, which typically includes installing an app on each device and configuring settings through a central console.
- The IT team should regularly update the MDM system to ensure it includes the latest security patches and policy updates. This can be done by setting up automatic updates in the MDM software or scheduling regular manual checks.
- Management should conduct training sessions for all employees on the importance of MDM policies. This can be achieved by organising workshops where the IT team explains how devices are managed and why it's crucial for security.
- HR should coordinate with IT to ensure that new employees have their mobile devices set up with the MDM solution as part of their onboarding process. This involves creating a checklist that includes MDM enrolment as a mandatory step.
Audit / evidence tips
- Ask for the MDM certification documentation: Request the certification papers that prove the MDM solution meets the Australian Common Criteria. Good evidence: documents that are current and clearly state compliance with the relevant standards.
- Ask to see the list of all enrolled devices: Request a report that lists all mobile devices currently managed by the MDM. Good evidence: all business devices are listed, with enrolment dates and last check-in times.
- Ask for security policy compliance reports from the MDM: Request regular reports generated by the MDM showing policy compliance status. Good evidence: reports that show consistent policy adherence across devices, with alerts for non-compliance being promptly addressed.
- Ask for records of MDM updates: Request logs or change records showing when the MDM system was last updated. Good evidence: regular update patterns aligned with vendor release cycles, indicating active maintenance.
- Ask to observe a device being set up: Request a demonstration of the MDM enrolment process for a new device. Good evidence: a clear step-by-step process that includes device recognition by the MDM and confirmation of policy application.
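The enrolled-device and compliance-report checks above are easiest to evidence when the MDM export is reconciled against the organisation's own asset register rather than read by eye. The script below is an added example, not code from the ISM or from Control Stack: the export columns, the device serials, the users and the check-in window are all constructed for illustration, and a real MDM product will export a different schema.

```python
"""Reconcile an MDM device export against the organisation's asset register.

Added example (not from the ISM or the Control Stack page). The CSV layout,
serial numbers, users and dates below are constructed; adapt the column
names to whatever your MDM product actually exports.
"""
import csv
import io
from datetime import date, timedelta

# Constructed MDM export: one row per device the MDM believes it manages.
MDM_EXPORT = """\
serial,user,enrolled_on,last_checkin,compliance
SN-0001,alice,2025-11-02,2026-03-18,compliant
SN-0002,bob,2025-11-03,2026-02-01,compliant
SN-0003,carol,2025-12-10,2026-03-17,non-compliant
SN-0009,eve,2026-01-15,2026-03-18,compliant
"""

# Constructed asset register: every business mobile device the organisation owns.
ASSET_REGISTER = {"SN-0001", "SN-0002", "SN-0003", "SN-0004"}


def parse_mdm_export(text):
    """Parse the CSV export into a dict keyed by device serial."""
    devices = {}
    for row in csv.DictReader(io.StringIO(text)):
        devices[row["serial"]] = {
            "user": row["user"],
            "enrolled_on": date.fromisoformat(row["enrolled_on"]),
            "last_checkin": date.fromisoformat(row["last_checkin"]),
            "compliance": row["compliance"],
        }
    return devices


def reconcile(asset_register, mdm_devices, as_of, max_checkin_days=7):
    """Return the evidence findings an auditor would look for.

    as_of may be a date or an ISO-8601 string. A device is 'stale' when it
    has not checked in within max_checkin_days of as_of (window is assumed).
    """
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    cutoff = as_of - timedelta(days=max_checkin_days)
    managed = set(mdm_devices)

    findings = {
        # Owned devices the MDM does not know about: policy cannot be enforced on them.
        "unenrolled": sorted(asset_register - managed),
        # Devices enrolled in the MDM that the register does not list: inventory gap.
        "not_in_register": sorted(managed - asset_register),
        # Enrolled but silent: may be lost, wiped outside the MDM, or switched off.
        "stale_checkin": sorted(
            s for s, d in mdm_devices.items() if d["last_checkin"] < cutoff
        ),
        # Enrolled but currently failing policy checks.
        "non_compliant": sorted(
            s for s, d in mdm_devices.items() if d["compliance"] != "compliant"
        ),
    }
    clean = not any(findings.values())
    findings["ok"] = clean
    return findings


def format_report(findings):
    """Render the findings as the kind of summary attached to audit evidence."""
    lines = ["Reconciliation result: " + ("clean" if findings["ok"] else "exceptions found")]
    for key in ("unenrolled", "not_in_register", "stale_checkin", "non_compliant"):
        lines.append(f"  {key}: {', '.join(findings[key]) or 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    devices = parse_mdm_export(MDM_EXPORT)
    print(format_report(reconcile(ASSET_REGISTER, devices, "2026-03-19")))
```

Run as-is it reports SN-0004 as unenrolled, SN-0009 as enrolled but absent from the register, SN-0002 as stale and SN-0003 as non-compliant. The check-in window is a parameter because the acceptable gap depends on the organisation's own policy; the point of the reconciliation is that "all business devices are listed" is only demonstrable against an independent list of what the business owns.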
Cross-framework mappings
How ISM-1195 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Supports | Annex A 5.19 | ISM-1195 requires the use of a specifically evaluated MDM product to enforce mobile device management policy, which is a product assuranc... |
| Supports | Annex A 5.21 | ISM-1195 requires organisations to enforce mobile device policy using an MDM solution that has passed a Common Criteria evaluation agains... |
| Depends on | Annex A 5.1 | ISM-1195 requires a defined mobile device management policy and mandates that it is enforced using an evaluated MDM solution |
| Related | Annex A 8.1 | Annex A 8.1 requires protection of information on user endpoint devices, which commonly relies on consistent configuration and policy enf... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.