How to Secure Employee Smartphones (BYOD Playbook for SMBs)

The BYOD playbook for small and mid-size businesses: passkeys, Android Enterprise work profiles, and MDM picks by company size.


Every smartphone an employee carries is a back door to your company. A misplaced Pixel on a cafe table, a Galaxy left in an Uber, or a personal device hopping between Wi-Fi networks during the day can leak customer data, login tokens, and contracts within minutes.

For small and mid-size businesses leaning on bring-your-own-device, the answer is no longer one MDM tool bolted on as an afterthought. It is a layered playbook: identity, device posture, app-level controls, off-boarding. This guide is written for teams that do not have a security operations centre on staff.

The good news: free or low-cost tools cover most of it. Google Workspace Endpoint Management is included with every Workspace plan. Microsoft Intune for Business Premium starts at $22 per user. Android Enterprise work profiles cost nothing. The expensive part is procedural discipline, not software licensing.

TL;DR

Best fit: Android Enterprise work profiles plus a free or low-cost MDM (Microsoft Intune, Google Workspace Endpoint Management, or Hexnode for sub-50-device fleets), enforced with conditional access.

Good alternative: If you already run Microsoft 365 Business Premium, Intune is included; pair it with Entra Conditional Access so a non-compliant phone cannot open company mail in the first place.

Skip if: You only have five devices, no remote workers, and no regulated data. A clean off-boarding checklist plus passkeys may be enough.

Start with identity, not the device

Phones get lost. Identities get hijacked. Block the second one first. Turn on phishing-resistant multi-factor authentication for every employee using passkeys or a hardware key such as the YubiKey 5C. Microsoft Entra ID and Google Workspace both support passkey sign-in across iOS and Android, and the rollout is faster than most owners expect.

Once identity is locked down, an attacker with a stolen phone still hits a passkey wall. That alone closes the most common smash-and-grab loss case. Pair it with the basic Android security defaults on every device and you have eliminated the cheapest attacks before the budget conversation even starts.

Use work profiles, not full device control

Android Enterprise work profiles are the single most important control you can deploy. They separate company apps and data from the employee’s personal photos, banking, and chats. IT can wipe the work side in one click without touching personal data, which removes most of the friction employees feel about MDM on their own phone.

Pixel 8a, Galaxy S24, OnePlus 12, and almost every current mid-range Android phone ship with work-profile support built in. iPhones use User Enrollment for the equivalent split. The container model lets you enforce a separate PIN, restrict copy/paste between sides, and revoke the entire work profile remotely without bricking the device.

Add conditional access, not just device enrollment

Enrollment alone does not protect data. The control that matters is conditional access. If the phone is not enrolled and compliant, do not let it open Outlook, SharePoint, or Google Drive. Microsoft Entra Conditional Access and Google Context-Aware Access both cover this and integrate with the major MDM platforms.

The decision tree is the same on either platform: define a compliant device (encrypted, OS version current, work profile present, no jailbreak), define a sensitive resource (corporate email, finance shares, HR portal), block access from anything that does not match. The rule lives in your identity provider, not the device itself, so it survives device swaps.
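The decision tree above is simple enough to write down as code, which is a useful way to sanity-check a policy before you click "enforce". The block below is an added example, not the page's or any vendor's policy engine: the posture record, the minimum OS version of 14.0, the resource names, and the sample fleet are all constructed here, and the report-only flag mirrors the dry-run mode the article recommends for the first week. Real conditional-access policies are evaluated in Entra ID or Context-Aware Access, not in a script; this only models the rule so you can see what a given fleet would hit.

```python
from dataclasses import dataclass

# Hypothetical posture record and policy values, constructed for this example;
# not the schema Intune, Entra ID, or Context-Aware Access actually use.
MIN_OS_VERSION = (14, 0)            # assumed "OS version current" baseline for this example
SENSITIVE_RESOURCES = {"corporate-email", "finance-share", "hr-portal"}

@dataclass(frozen=True)
class DevicePosture:
    device_id: str
    encrypted: bool
    os_version: tuple            # (major, minor), e.g. (15, 0)
    work_profile: bool
    rooted_or_jailbroken: bool

def compliance_failures(posture):
    """Return the reasons a device fails the compliant-device definition (empty list if compliant)."""
    failures = []
    if not posture.encrypted:
        failures.append("storage not encrypted")
    if posture.os_version < MIN_OS_VERSION:
        failures.append("OS version below minimum %s" % ".".join(map(str, MIN_OS_VERSION)))
    if not posture.work_profile:
        failures.append("no work profile enrolled")
    if posture.rooted_or_jailbroken:
        failures.append("device rooted or jailbroken")
    return failures

def evaluate_access(posture, resource, enforce=True):
    """Apply the rule: sensitive resource plus non-compliant device means block.
    With enforce=False the policy is in report-only mode: the decision is recorded
    as it would have been made, but access is still allowed."""
    failures = compliance_failures(posture)
    would_block = resource in SENSITIVE_RESOURCES and bool(failures)
    return {
        "device": posture.device_id,
        "resource": resource,
        "mode": "enforce" if enforce else "report-only",
        "would_block": would_block,
        "decision": "block" if (would_block and enforce) else "allow",
        "failures": failures,
    }

# Constructed sample fleet (not real devices).
SAMPLE_FLEET = [
    DevicePosture("pixel-8a-01", True, (15, 0), True, False),
    DevicePosture("galaxy-s24-07", True, (13, 0), True, False),     # stale OS
    DevicePosture("oneplus-12-03", True, (15, 0), False, False),    # never enrolled
    DevicePosture("unknown-android-09", False, (12, 0), False, True),
]

def report_only_preview(fleet, resource):
    """Dry run over the fleet: the devices that would be locked out once the policy is enforced."""
    results = (evaluate_access(d, resource, enforce=False) for d in fleet)
    return [r["device"] for r in results if r["would_block"]]

if __name__ == "__main__":
    for device in SAMPLE_FLEET:
        print(evaluate_access(device, "corporate-email"))
    print("would be blocked on enforce:", report_only_preview(SAMPLE_FLEET, "corporate-email"))
```

Running the preview against your own device inventory before flipping to enforce is the point of report-only week: the list it prints is exactly the set of employees who would otherwise be locked out of mail on Monday morning.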

Quick take

If you can only do one thing tonight, turn on passkeys for every Workspace or Microsoft 365 account. It costs nothing and stops most account-takeover attacks regardless of which phone the credentials sit on.

Conditional access is the second move. Without it, an unenrolled phone with valid credentials still walks into your data.

Pick the right MDM for your size

Under 25 devices: Google Workspace’s built-in endpoint management or Microsoft Intune for Business Premium are usually plenty. 25 to 250 devices: Hexnode, Jamf Now, or Scalefusion offer better Android-side controls and lower per-seat pricing. Over 250: full Intune or VMware Workspace ONE. The bigger the fleet, the more the discount tiers and conditional-access integration matter.

For mixed-OS shops, prioritize the platform that already owns your identity. Microsoft 365 Business Premium customers should default to Intune. Workspace customers should default to Google’s endpoint management. Cross-platform tools (Hexnode, Scalefusion, Workspace ONE) come into play when neither identity is dominant or when you need richer Android Enterprise controls than the native tools offer.

Have an off-boarding checklist that actually runs

The day someone leaves, the work profile gets wiped, the passkeys are revoked, and any company SaaS licence is reassigned. Write the steps down, link them to the HR exit flow, and rehearse them once a quarter. The breach that becomes a lawsuit is almost always the one that came from a forgotten ex-employee account, not a sophisticated attacker.

Include a 90-day audit of dormant accounts. Anything that has not authenticated in 90 days gets disabled. Anything disabled for 30 days gets deleted. The audit takes 20 minutes a quarter and catches the contractors, summer interns, and forgotten test accounts that quietly accumulate access.
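The 90-day/30-day rule is easy to state and easy to get subtly wrong (accounts that have never signed in, accounts already sitting in the disabled window). The block below is an added example, not part of the original guide: it applies the two thresholds to a constructed directory export and produces the worklist a quarterly audit needs. The account names and dates are made up; in practice the last-sign-in column comes from the Entra ID or Workspace admin sign-in reports.

```python
from datetime import date

DISABLE_AFTER_DAYS = 90   # no successful sign-in for 90 days -> disable
DELETE_AFTER_DAYS = 30    # disabled for 30 days -> delete

# Constructed directory export; not real accounts. A real run would read
# last-sign-in timestamps from the identity suite's admin reports.
SAMPLE_ACCOUNTS = [
    {"user": "alice@example.com",           "last_sign_in": date(2025, 3, 1),   "disabled_on": None},
    {"user": "intern-summer@example.com",   "last_sign_in": date(2024, 9, 15),  "disabled_on": None},
    {"user": "contractor-test@example.com", "last_sign_in": date(2024, 6, 1),   "disabled_on": date(2024, 12, 1)},
    {"user": "svc-export@example.com",      "last_sign_in": None,               "disabled_on": None},
    {"user": "bob@example.com",             "last_sign_in": date(2024, 11, 10), "disabled_on": date(2025, 2, 20)},
]

def classify(account, today):
    """Return (action, reason) for one account: 'keep', 'disable', or 'delete'."""
    if account["disabled_on"] is not None:
        idle = (today - account["disabled_on"]).days
        if idle >= DELETE_AFTER_DAYS:
            return "delete", "disabled %d days ago" % idle
        return "keep", "disabled %d days ago, still inside the %d-day grace window" % (idle, DELETE_AFTER_DAYS)
    if account["last_sign_in"] is None:
        # Never authenticated: usually a leftover test account. Disable it, but flag it for a
        # human check, because a service account may authenticate in a way the report misses.
        return "disable", "never authenticated; confirm it is not a service account"
    idle = (today - account["last_sign_in"]).days
    if idle >= DISABLE_AFTER_DAYS:
        return "disable", "no sign-in for %d days" % idle
    return "keep", "active %d days ago" % idle

def run_audit(accounts, today):
    """Group accounts by action so the audit yields a worklist rather than a raw listing."""
    worklist = {"keep": [], "disable": [], "delete": []}
    for acct in accounts:
        action, reason = classify(acct, today)
        worklist[action].append((acct["user"], reason))
    return worklist

if __name__ == "__main__":
    for action, rows in run_audit(SAMPLE_ACCOUNTS, date(2025, 3, 10)).items():
        for user, reason in rows:
            print("%-8s %-32s %s" % (action, user, reason))
```

Passing `today` in explicitly rather than reading the clock makes the audit reproducible: the same export and the same date give the same worklist, which is what you want when the list is attached to a ticket.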

At a glance

| Fleet size | MDM pick | Identity | Cost per device per month |
|---|---|---|---|
| Under 25 | Google Workspace Endpoint Management or Intune for Business Premium | Workspace or Microsoft 365 with passkeys | Included with the suite |
| 25 to 100 | Hexnode, Jamf Now, or Intune Plan 1 | Workspace Enterprise or Microsoft 365 Business Premium | $1 to $4 per device |
| 100 to 250 | Scalefusion, Intune Plan 2 | Microsoft Entra ID P1 or Workspace Enterprise Plus | $3 to $6 per device |
| 250 and up | Intune Plan 2 or VMware Workspace ONE | Microsoft Entra ID P2 with conditional access | $4 to $8 per device |

The setup, step by step

Step 1: Turn on passkeys for every employee account

In Microsoft Entra ID, go to Security, Authentication methods, Passkey (FIDO2), and enable it for all users. In Google Workspace, open Admin Console, Security, Authentication, Passkeys. Send each employee a one-page setup instruction with screenshots. Expect a two-week rollout for full coverage.

Step 2: Enroll devices in Android Enterprise work profiles

From your MDM console, generate an enrollment QR code or token. Employees install the Google Play work badge, scan the code, and choose Work Profile when prompted. The personal side stays untouched. Verify enrollment by checking that the work apps appear in a separate tab in the launcher.

Step 3: Configure conditional access policies

Open Microsoft Entra Conditional Access or Google Context-Aware Access. Create one policy: require compliant device for access to email, files, and HR systems. Set the policy to report-only for the first week, then enforce. The report-only mode catches misconfigured devices before they lock anyone out.

Step 4: Document the off-boarding flow

Write a one-page off-boarding checklist with five steps: revoke passkeys, wipe work profile, reassign licence, audit shared drives, disable account after 30 days. Link it to your HR exit flow so the IT step happens automatically when HR marks an employee as departed. Test the flow with a fake departure once a quarter.

Step 5: Schedule a quarterly audit

Block 90 minutes every quarter for a compliance audit. Check enrollment coverage, OS-version compliance, dormant accounts older than 90 days, and shared drives without owners. Document what changed and what you fixed. The audit gets faster every cycle as the controls mature.

FAQ

Do I need MDM if everyone uses a company-issued phone?

Yes. Company ownership solves the legal angle, not the security one. The same controls (work profile, conditional access, passkeys) apply. A fully managed device just gives IT more freedom to enforce them through fully managed mode instead of the work-profile container.

Will work profiles drain the battery?

Not in any way employees notice. The work-profile container runs the same Android runtime as the personal side, and on Pixel and Galaxy hardware the overhead is under one percent of daily battery use. Employees notice the separate notification badges and the work-side PIN, not battery impact.

What about employees who refuse to enroll their personal phone?

Give them three options: enroll their phone, accept a company-issued device, or lose mobile access to company apps. Conditional access enforces this without any awkward conversation. The phone they refused to enroll simply cannot open Outlook or Drive on the corporate domain.

How often should we audit?

Once a quarter, plus a fresh review whenever a senior employee leaves. The audit checks enrollment coverage, OS-version compliance, and that nobody has lingered on an old Android version no longer receiving security patches. Set a calendar invite so it never gets quietly skipped.

Are passkeys really phishing-resistant?

Yes. A passkey is cryptographically bound to the domain it was registered against, so a phishing site at a similar URL simply cannot use it. Compare that with TOTP codes, which an employee can hand to a fake login page in under thirty seconds. The protection is structural, not behavioral.
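The "cryptographically bound to the domain" point is worth seeing mechanically. The block below is an added example and not part of the original guide: it models the two halves of a WebAuthn sign-in, the browser/authenticator side that fills in the origin and refuses a relying-party ID the page is not entitled to, and the server side that checks origin, rpIdHash, challenge, and signature. The relying-party ID `example.com`, the look-alike host `examp1e.com`, and the challenge are constructed, and an HMAC stands in for the credential's asymmetric signature so the example runs on the standard library alone (a real passkey uses a key pair, and the server holds only the public key).

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

RP_ID = "example.com"   # constructed relying-party ID: the domain the passkey was registered against
# Stand-in for the credential's private key. Real passkeys use an asymmetric key pair and the
# server stores only the public key; HMAC is used here so the example needs no extra library.
CREDENTIAL_KEY = b"constructed-credential-secret"

def _host_matches(origin, rp_id):
    """True if origin is https and its host is rp_id or a subdomain of it."""
    parts = urlparse(origin)
    host = parts.hostname or ""
    return parts.scheme == "https" and (host == rp_id or host.endswith("." + rp_id))

def browser_get_assertion(page_origin, requested_rp_id, challenge):
    """Model of the browser/authenticator side. The browser, not the page, fills in the origin,
    and it refuses any rpId that is not the page's own host or a registrable suffix of it."""
    if not _host_matches(page_origin, requested_rp_id):
        raise ValueError("browser refused rpId %r for origin %r" % (requested_rp_id, page_origin))
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": page_origin}).encode()
    auth_data = hashlib.sha256(requested_rp_id.encode()).digest() + b"\x01"   # rpIdHash + flags
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"client_data": client_data, "auth_data": auth_data,
            "signature": hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()}

def verify_assertion(assertion, expected_challenge):
    """Relying-party side: the checks the server runs before accepting the sign-in."""
    try:
        cd = json.loads(assertion["client_data"])
    except ValueError:
        return False
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if not _host_matches(cd.get("origin", ""), RP_ID):
        return False                        # assertion was produced on some other site
    if assertion["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False                        # authenticator scoped it to a different rpId
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])

def demo():
    """Walk through the legitimate case and three ways a look-alike site fails."""
    challenge = "constructed-challenge-001"
    results = {}
    # 1. Real site: the browser signs for example.com and the server accepts.
    results["legitimate"] = verify_assertion(
        browser_get_assertion("https://login.example.com", RP_ID, challenge), challenge)
    # 2. Look-alike site asks for a passkey scoped to the real domain: the browser refuses outright.
    try:
        browser_get_assertion("https://login.examp1e.com", RP_ID, challenge)
        results["lookalike_requests_real_rpid"] = "assertion produced"
    except ValueError:
        results["lookalike_requests_real_rpid"] = "browser refused"
    # 3. Look-alike site uses its own rpId and forwards the result: the real server rejects it,
    #    because origin and rpIdHash both name the wrong domain.
    relayed = browser_get_assertion("https://login.examp1e.com", "examp1e.com", challenge)
    results["relayed_from_lookalike"] = verify_assertion(relayed, challenge)
    # 4. Origin and rpIdHash rewritten to look right: the signature no longer covers what they claim.
    tampered = dict(relayed)
    tampered["client_data"] = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                          "origin": "https://login.example.com"}).encode()
    tampered["auth_data"] = hashlib.sha256(RP_ID.encode()).digest() + b"\x01"
    results["relayed_with_rewritten_fields"] = verify_assertion(tampered, challenge)
    return results

if __name__ == "__main__":
    for case, outcome in demo().items():
        print("%-34s %s" % (case, outcome))
```

The contrast with TOTP is the `origin` field: a six-digit code carries no information about where it was typed, while a passkey assertion is signed over the origin the browser observed, so a fake page cannot produce one the real server will accept.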

The verdict

Securing employee smartphones is less about chasing every new attack and more about running a small set of layered controls reliably. Get identity locked down with passkeys, isolate work data with Android Enterprise profiles, gate access with conditional rules, and rehearse off-boarding. Five reliable habits beat one expensive tool no one configured properly.

The total spend for a 30-person SMB on this stack runs $200 to $600 per month, mostly identity-suite licences you probably already pay for. Add 90 minutes per quarter for audits and one well-rehearsed off-boarding flow, and your mobile-fleet risk profile drops below most enterprise peers who spent ten times as much on a one-tool answer.

Start tonight with passkeys. Pair them next week with a single conditional-access policy. Roll out work profiles inside the month. The whole program is in production inside a quarter, and the audit cycle keeps it healthy from there. For broader Android-side defense, layer this with a secure virtual phone number for sensitive accounts and a vetted enterprise password manager for shared credentials.

How we put this guide together

The picks and steps reflect what works on current Android builds. Our editors tested enrollment on Pixel 8a, Pixel 9, and Galaxy S24 hardware running Android 15 and 16, cross-checked vendor documentation from Google Workspace, Microsoft 365, Hexnode, and Jamf, and reviewed conditional-access guidance from Microsoft Entra ID and Google Workspace admin documentation. We refresh this guide whenever Google Workspace or Microsoft 365 ships a material identity or endpoint-management change.