Ensure Mobile Devices Operate in Supervised Mode
Mobile devices must be set to a supervised mode to maintain security controls.
Plain language
Mobile devices in your organisation should be set to run in a supervised mode. This is important because it allows you to control security settings effectively, preventing malicious apps or harmful changes that could lead to data breaches or loss.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for enterprise mobility
Section
Mobile device management
Official control statement
Mobile devices are configured to operate in a supervised (or equivalent) mode.
Why it matters
Without supervised mode, users can install unauthorised apps or bypass MDM controls, increasing risk of data leakage and compromise.
Operational notes
Use MDM to enforce supervised mode at enrolment; regularly report and remediate any devices not in supervised state (re-enrol or quarantine).
Implementation tips
- The IT team should ensure that all new smartphones and tablets are set up in supervised mode during initial configuration. This involves using the device's management software to access enhanced security features that can't be changed by employees.
- The IT manager should create a checklist to confirm that supervised mode is enabled on existing devices during routine checks. They can follow device manufacturer instructions to enable supervised mode and use mobile management tools to verify settings.
- Managers should schedule regular training sessions with employees to explain why supervised mode is used and how it helps keep company data safe. This can involve practical demonstrations and Q&A for common concerns.
- Procurement should ensure that any mobile device purchases for the organisation specify compatibility with supervised mode. This involves checking device specifications and consulting with suppliers during the buying process.
- HR should update the mobile device policy to include the requirement of supervised mode, ensuring everyone understands this is a mandatory security measure. This policy update should be communicated during onboarding and through regular policy reminders.
Audit / evidence tips
- Ask for the current mobile device inventory list: Request a document that lists all devices in use by the organisation. Good is an up-to-date list where all devices have 'supervised' noted along with last verification dates.
- Ask for the mobile device management (MDM) software settings report: Request a printout or screenshot showing supervised mode settings.
- Ask for incident response logs related to mobile devices: Request these logs to see if any security issues were tracked back to unsupervised devices.
- Ask for staff training records on device security: Request these to ensure staff have been educated about the importance of supervised mode. Check for attendance and feedback notes. Good is comprehensive records showing regular training sessions with positive feedback.
- Ask for procurement files for recent mobile device purchases: Review specifications for any new devices.
Cross-framework mappings
How ISM-1886 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.1 | ISM-1886 requires mobile devices to be configured to operate in supervised (or equivalent) mode to enforce stronger device management and... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.