An organization’s mobile fleet is likely the largest and least-protected part of its data perimeter. This challenge is amplified by a simple, unavoidable fact: user experience now dictates security policy and its enforcement.
Users demand seamless access to apps and data from any device, including their personal ones (BYOD). As a result, organizations are scrambling to build a mobility governance program, while trying to make sense of a confusing soup of acronyms, including MDM, MAM, MTD, SSE, ZTNA, VPN, and Mobile EDR.
Before choosing the right tools, it is essential to choose the right model – one that balances user demands with security needs.
With that in mind, let’s break down the three primary models of mobile governance.
1. Protecting data on corporate-owned devices
In this model, companies procure and issue mobile devices to employees. The device lifecycle is fully managed via mobile device management (MDM) or enterprise mobility management (EMM), where the app footprint is tightly controlled and security policies are typically applied device-wide. Additional security tools can be layered on top of MDM, and in some cases several of them can coexist on the same device.
In theory, this setup offers maximum control and security, but in practice it’s rarely sustainable.
Users want flexibility. Beyond corporate apps, users want to move around, travel, order food, communicate, and simply relax, which means using a wide range of personal apps. But do these non-business apps require the same level of security as corporate ones? The answer is both yes and no, and finding that balance is tricky. Users typically expect to use corporate devices as they would personal ones, citing productivity or convenience. The result is often a policy tug-of-war: either employees carry a second personal device (which is rarely preferred) or corporate policies are loosened to mimic BYOD, effectively shifting into the next model down the list.
It’s worth noting that user expectations here are about convenience, not privacy. Device-centric security is hard to enforce consistently, so boundaries need to move elsewhere.
2. Protecting data on personal devices enrolled in MDM
This model tries to find a compromise by inviting the user’s personal device into the corporate realm. Once enrolled, a device receives the required managed apps, settings, and policies to meet corporate standards. Security can be enforced at scale, for example, by restricting data movement between managed and unmanaged apps or by providing secure private access only to corporate apps. There is no need for special in-app security functions, SDK integrations, or other per-app work.
Modern MDM enrollment methods (such as iOS user enrollment and Android work profile) create a clean separation between personal and corporate spaces. Privacy can be well protected, but there’s still a trust gap.
Users must voluntarily enroll their personal device, essentially allowing IT to “manage” part of it. Despite technical assurances, perceptions, lack of understanding, and general mistrust often slow down adoption.
3. Securing data in managed apps on unmanaged personal devices
This model abandons device-level control entirely, and focuses only on what matters: the applications and the data inside them.
Corporate apps are protected individually through built-in or software development kit (SDK)-enabled security controls; no MDM enrollment or extra installations are needed. It’s not surprising this approach is gaining traction fast. Frameworks like Microsoft’s Intune mobile application management (MAM) make it easier to apply uniform protections across app suites and to enable remote access without relying on device VPN profiles.
However, from a security standpoint, this is still the riskiest model.
Without device-level or unified management, enforcement becomes fragmented. Security must be embedded within each app, and consistency across the app ecosystem is difficult to achieve. Intune has 100+ apps in its catalog, but many popular tools are not covered (including big names such as Google Workspace, Salesforce, Atlassian, and Workday). Plus, the app protection security capabilities have to be procured, activated, and managed separately.
User experience in this model is generally great. With no MDM enrollment friction, and with MAM activated within the app after authentication, it is as seamless as it could be. But there can be issues stemming from fragmented enforcement, with isolated “security islands” that don’t talk to each other. A good example would be restricted copy/paste activity between Jira and Microsoft Teams, both of which are (separately) MAM protected.
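The “security islands” problem can be made concrete with a small simulation. The following Python is an added example written for this page, not Netskope’s or Microsoft’s code. It models each app-protection policy as a pair of send/receive rules that belong to a single policy scope (the scope labels, app names, rule names, and the assumption that “managed only” means “managed by the same scope” are illustrative, loosely patterned on MAM data-transfer settings). It shows that with one unified scope Jira and Teams can exchange data, while two apps each protected by a different scope block each other even though both are “managed”, and it lists the installed apps that no policy covers at all.

```python
"""Toy model of MAM-style data-transfer enforcement (added illustration).

Each protected app carries an AppPolicy that belongs to a policy "scope", an
assumed label for the engine or tenant that enforces it. Apps with no policy
are unmanaged. A transfer is allowed only if the sender's `send` rule and the
receiver's `receive` rule both pass, each evaluated on its own side.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Transfer(Enum):
    NONE = "none"                  # block the transfer entirely
    MANAGED_ONLY = "managed_only"  # only apps governed by the same policy scope
    ALL = "all"                    # any app, managed or not


@dataclass(frozen=True)
class AppPolicy:
    scope: str          # assumed label for the policy engine protecting this app
    send: Transfer      # where this app may send org data
    receive: Transfer   # where this app may accept data from


def _same_scope(a: Optional[AppPolicy], b: Optional[AppPolicy]) -> bool:
    return a is not None and b is not None and a.scope == b.scope


def can_transfer(src: str, dst: str, policies: Dict[str, AppPolicy]) -> Tuple[bool, str]:
    """Decide whether copy/paste (or share) from src to dst is allowed, with a reason."""
    src_pol = policies.get(src)
    dst_pol = policies.get(dst)

    # Sender side: an unmanaged sender imposes no restriction of its own.
    if src_pol is not None:
        if src_pol.send is Transfer.NONE:
            return False, f"{src}: sending org data is blocked"
        if src_pol.send is Transfer.MANAGED_ONLY and not _same_scope(src_pol, dst_pol):
            if dst_pol is None:
                return False, f"{src}: {dst} is unmanaged"
            return False, f"{src}: {dst} is managed by a different scope ({dst_pol.scope})"

    # Receiver side: an unmanaged receiver accepts anything the sender allows.
    if dst_pol is not None:
        if dst_pol.receive is Transfer.NONE:
            return False, f"{dst}: receiving data is blocked"
        if dst_pol.receive is Transfer.MANAGED_ONLY and not _same_scope(src_pol, dst_pol):
            if src_pol is None:
                return False, f"{dst}: {src} is unmanaged"
            return False, f"{dst}: {src} is managed by a different scope ({src_pol.scope})"

    return True, "allowed"


def unmanaged_apps(installed: List[str], policies: Dict[str, AppPolicy]) -> List[str]:
    """Installed apps with no app-protection policy: the coverage gap on a MAM-only device."""
    return sorted(app for app in installed if app not in policies)


# Constructed sample fleets; scope labels and app names are illustrative.
STRICT = AppPolicy(scope="intune-tenant-a", send=Transfer.MANAGED_ONLY, receive=Transfer.MANAGED_ONLY)

# Every corporate app protected by the same policy scope.
UNIFIED: Dict[str, AppPolicy] = {"teams": STRICT, "outlook": STRICT, "jira": STRICT}

# Jira protected, but by a separate engine: a "security island".
FRAGMENTED: Dict[str, AppPolicy] = {
    "teams": STRICT,
    "outlook": STRICT,
    "jira": AppPolicy(scope="vendor-x-mam", send=Transfer.MANAGED_ONLY, receive=Transfer.MANAGED_ONLY),
}

INSTALLED = ["teams", "outlook", "jira", "notes", "salesforce"]  # constructed device inventory

if __name__ == "__main__":
    for label, fleet in (("unified", UNIFIED), ("fragmented", FRAGMENTED)):
        ok, why = can_transfer("jira", "teams", fleet)
        print(f"[{label}] jira -> teams: {'ALLOW' if ok else 'BLOCK'} ({why})")
    print("outlook -> notes:", can_transfer("outlook", "notes", UNIFIED))
    print("unmanaged on device:", unmanaged_apps(INSTALLED, UNIFIED))
```

Running the script shows `jira -> teams` allowed under the unified fleet and blocked under the fragmented one, with the reason naming the foreign scope; this is the user-visible symptom the paragraph describes, and the `unmanaged_apps` list is the inventory check a defender would run to find where MAM-only coverage ends.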
Ironically, this disjointed experience may drive organizations to revisit MDM-based strategies, in search of consistency and simplicity.
Adaptability is key
We often say that both user experience and security should influence mobility strategy, but user expectations make this a real challenge.
Most employees demand full access from a personal phone, while resisting even minimal management controls, and of course they expect everything to “just work” without restrictions while on a corporate device. Users want privacy, flexibility, and security, all at once, but only when it doesn’t inconvenience them.
Architectural inconsistency leaves enterprises juggling multiple models, tools, and policies to satisfy competing demands that often can’t coexist.
And that’s fine. Each model still has its rightful place in the enterprise architecture catalog, as each aligns with a different mindset and tolerance for control. The goal should not be finding a single perfect model, but to acknowledge that variability, and design mobility governance that adapts to it without compromising trust or protection.
This adaptability is where Netskope excels. Netskope’s unified security service edge (SSE) platform flexibly supports all three mobile governance models through a single policy engine, delivering consistent zero trust protection, advanced threat protection (ATP), and data protection (via data loss prevention, or DLP).
For corporate-owned or enrolled BYOD devices, the Netskope One Client can be deployed via MDM or EMM, using either a device-wide VPN profile to ensure comprehensive traffic inspection and enforcement, or a per-app VPN profile, which controls only hand-picked managed apps for greater flexibility and user privacy. For personal or unmanaged devices, Netskope enables seamless access through the Netskope One Enterprise Browser, offering secure, isolated access to SaaS, web, and private applications without requiring MDM enrollment. This approach allows organizations to balance user privacy, experience, and enterprise-grade security across all device types.
Next steps
Before choosing new tools or frameworks, it’s important to understand where your organization stands today.
Take a moment to assess your current mobile governance maturity and identify where unmanaged devices, fragmented app controls, or inconsistent policies may be leaving your data perimeter exposed. This self-assessment can reveal both risks and opportunities for improvement. With a clearer picture of your current state, the Netskope team can help you translate those insights into an actionable roadmap, aligning your mobility strategy with zero trust principles and ensuring consistent protection across every device model and user scenario.
Want to learn more about mobile security? Take a look at our pages for Netskope One Mobile Client and Enterprise Browser.