Choosing mobile devices
When choosing laptops, mobile phones and tablets for use by your organization, there will be many competing factors to consider. Price, functionality and portability will all play a part in your decision-making process, and security should too.
This guidance will help you properly assess the security aspects of the devices you are considering. The goal is to ensure you purchase and use devices which are able to provide the level of security your work requires.
Why choose devices with security in mind?
Nearly all modern mass-market mobile devices are secure enough for nearly all users. So, most organizations won’t need to worry about security until a shortlist of devices has been drawn up that meet your other requirements.
Your shortlist will have been decided on the basis of numerous non-security considerations. Which devices are within budget and support the apps you’ll be using? Do these meet your users’ accessibility requirements? These questions will need to be asked first.
If your users can’t work effectively with the devices you give them, they will find other ways to do their jobs. This could mean resorting to insecure alternatives.
Preparation for device procurement
Once you know that the devices under consideration will fulfilll all the needs of your users, you should apply some thought to the security of the machines, and the systems they run.
We’ve listed the most important aspects you should consider below. These are grouped by device type, for Android, macOS and Windows. In the most part, iOS and Chrome OS devices do not have specific security considerations to distinguish between them. Linux device considerations, including Ubuntu, are mostly the same as Windows devices.
For all types of device
Consideration | Explanation |
|---|---|
Support duration of devices | You should ensure that the device will be supported by the manufacturer for the entire time you intend to use it. This way you will receive security updates and bug fixes. Some manufacturers do not publish end-of-life dates for devices. You may be able to look at the historic lifespans of devices from the same manufacturer to estimate how long the current device will be supported. |
For Android devices
Android devices include a wide range of smartphones and tablets from various Original Equipment Manufacturers (OEMs).
Consideration | Explanation |
|---|---|
Android Enterprise Recommended | The Android Enterprise Recommended (AER) program contains devices that have been subjected to more stringent testing and security requirements than non-recommended devices. These additional requirements include minimum software versions, hardware performance, MDM capabilities and delivery of Android security updates within 90 days of release from Google for a minimum of three years. |
Monthly patch updates | As of Android 10, Google now allows security updates and patches via Google Play rather than requiring each OEM to deploy their own dedicated updates. Google currently schedule security updates every month for their own devices and minor version updates as and when they’re ready, with OEMs releasing updates on their own individual schedules. Update files are downloaded with the new .apex file format, which allows updates to be installed without user interaction, or on next power on. |
Major release updates | Some manufacturers commit to releasing one or more future versions of Android on their devices. These manufacturers can be preferred if you want to ensure access to future major releases of the platform. Google have published the guaranteed support dates for Pixel and Nexus devices in their support pages. Additional version support is at the discretion of the OEM, however Google have compiled a linked list for other manufacturers who use Android. |
Hardware-backed keystore | Hardware-backed keystores significantly strengthen the encryption features of an Android device and should be selected when available. Any device that was released with Android 8.0 or higher pre-installed, or has a fingerprint reader, will have a hardware-backed keystore. |
Reputable vendor | There are many Original Equipment Manufacturers (OEMs) within the Android ecosystem, and each will have its own security reputation. Before choosing an OEM to supply your devices, investigate their security reputation, including how they have handled vulnerabilities in the past and what bundled apps they pre-install on their devices (and what permissions those apps have). |
Play Protect Certified | Google Play Protect certified devices have been tested to ensure they do not contain any pre-installed malware, and come with Google Play Protect, which includes automatic virus scanning. Devices that are not Google Play Protect certified have not been verified by Google, so their security or functionality cannot be confirmed. We recommend you choose devices carrying the Google Play Protect certification. |
Additional security features | Several OEMs also include additional features in their variant of Android. For example, Knox Platform for Enterprise features many security enhancements over the standard build of Android. The latest Google devices contain a Titan M chip, which improves the security of the device |
For Chrome OS devices
Chrome OS devices include a wide range of Chromebooks and tablets from various manufacturers.
Consideration | Explanation |
|---|---|
Reputable Vendor | A device from a reputable vendor, or OEM should be chosen. Google’s Auto Update policy will help you determine which devices may be in support for the longest. |
For macOS devices
macOS devices include MacBook, MacBook Air, MacBook Pro, iMac, and Mac Mini devices.
Consideration | Explanation |
|---|---|
Apple T2 Security Chip | Most macOS devices sold since early 2019 include the Apple T2 Security Chip. This chip significantly improves the physical security of the device. Devices with a T2 chip should be preferred where possible. |
For Ubuntu devices
Ubuntu devices include desktops and laptops, some of which may come pre-installed with Ubuntu or have Ubuntu installed by an Administrator. Ubuntu certified hardware is recommended, as these devices include benefits such as full support for security patches, bug fixes, and Ubuntu features, for the duration of the Ubuntu support cycle.
However, there are some cases in which features of these devices may require further security hardening, as detailed below:
Consideration | Explanation |
|---|---|
External Interfaces | DMA is possible from some external interfaces, including FireWire and Thunderbolt. These interfaces can be managed through the Ubuntu settings UI. |
Trusted Platform Module | A TPM is a separate cryptographic co-processor that provides hardware-backed security features. These significantly improve the physical security of the device, and are required for the use of data at rest encryption in its most secure configuration. Devices that include a TPM 2.0 should be preferred where possible. |
For Windows devices
Windows devices include a wide range of desktop PCs, tablets and laptops that may either come pre-installed with Windows, or have Windows installed by an administrator.
Support for the latest Windows 10 security features should be met by OEMs as part of the Windows Hardware Compatibility Program.
Devices that are Modern Standby certified must meet all the requirements for UEFI secure boot and ship with it enabled. They should not have ports that allow DMA access and will have TPM 2.0 or later.
In some cases though, certain security features require a combination of specific processor, firmware and hardware features and therefore may not be supported on all devices. We highlight some of these considerations below.
Consideration | Explanation |
|---|---|
UEFI version | Device firmware should meet the minimum required Unified Extensible Firmware Interface (UEFI) specification 2.3.1c. This is a foundation requirement for many of the security features included in Windows 10, including Secure Boot, Windows Defender Credential Guard, and Device Guard. To meet enhanced standards, as set out by Microsoft for a highly secure Windows 10 device, systems must have firmware that implements UEFI version 2.6 or later. |
Hardware and firmware security features | Virtualization features including both virtual machine extensions and input/output device memory management should be supported. Many of the latest security features of Windows 10, including Windows Defender Credential Guard and Device Guard rely on this hardware support being available. |
Trusted Platform Module | A TPM is a separate cryptographic co-processor that provides hardware-backed security features which significantly improve the physical security of the device, and are required to use BitLocker in its most secure configuration. Devices that include a TPM 2.0 should be preferred where possible. |
Firmware patching and support | Devices should support the Windows UEFI Firmware Capsule Update. This enables Firmware updates to be automated via Windows Update and you should prefer devices that support this. Alternatively, OEMs may provide their own client solutions that include management of firmware updates. You should refer to your OEM to determine if these solutions meet your needs. You should also ensure that the OEM implements signed manufacturer firmware updates by default. This should be checked with the manufacturer as part of your procurement process. |
Windows 10 S | Windows 10 S is a version of Windows 10 designed specifically to increase the security of a Windows 10 device by only allowing apps to be installed from the Microsoft store. This makes code signing mandatory. It also restricts use of default admin user accounts. This is in addition to the existing security features already built in to Windows 10. |
Windows Hello for Business | Windows Hello for Business can make use of biometrics for device unlock. This will require biometric hardware support on the device that meets the Microsoft requirements for Windows Hello. |
Secured-Core PC Range | Secured-Core PC’s come equipped with all the latest security features. |
BYOD
If you’re permitting Bring Your Own Device (BYOD) within your organization, you might not be able to choose your users’ devices.
In this case, it’s likely not possible to impose any of the above security measures on your users, and your security may suffer as a result.
Read our Bring Your Own Device (BYOD) guidance for further details on this.
How to buy secure devices
Ultimately, the process for deciding which devices to use is a few short steps.
You should:
Assess which operating systems support the software features and apps your users need to use to get their jobs done
Decide on device manufacturer(s) that can meet the security requirements for your organization as described above
Decide on device types(s) that have the performance and hardware features that your users need, and that come within your budget
Pilot devices before deploying them widely to ensure you have covered all aspects of the device selection that are relevant to your organization.
Select the device or devices that best meet your business requirements and budget.
Develop a strategy for updating your list of approved devices.
More information
There are many buyer’s guides for mobile devices available online. You should also consult with your device supplier(s) for their advice.
In addition, each manufacturer produces a security guide, explaining the security features of their platforms. You can use these guides to determine which particular platforms might meet your security needs: