CIS Control 4.12: Separate Enterprise Workspaces on Mobile End-User Devices
Mobile devices blur the line between personal and corporate data, creating compliance gaps when users access enterprise resources on their phones and tablets. CIS Control 4.12 requires you to enforce workspace separation—keeping business data and applications isolated from personal content through native mobile security features. This control is foundational for protecting sensitive information on devices outside your direct IT control.
What this means
Enterprise workspace separation creates a secure, isolated container on mobile devices where corporate applications and data live independently from personal apps and files. This prevents data leakage, simplifies remote wipe capabilities, and ensures that even if a device is compromised or lost, your enterprise environment remains protected. Implementation uses built-in mobile operating system features: Apple Configuration Profiles on iOS devices and Android Work Profiles on Android devices. These solutions create cryptographically separated environments with independent encryption, authentication, and access controls—without requiring separate physical devices.
How to comply
- 1.Identify all mobile devices (iOS and Android) that access enterprise applications or data
- 2.Deploy Apple Configuration Profiles to iOS devices using Mobile Device Management (MDM) to establish separate enterprise containers
- 3.Deploy Android Work Profiles to Android devices through your MDM solution to create isolated corporate workspaces
- 4.Configure enterprise workspace policies including app allowlists, VPN requirements, and credential storage within the container only
- 5.Implement automatic enrollment at device provisioning to ensure new devices receive workspace separation before first use
- 6.Enable remote wipe capabilities for the enterprise workspace in case of device loss or employee termination
- 7.Test that personal applications cannot access enterprise data and vice versa
- 8.Document device inventory and workspace deployment status for audit purposes
Evidence auditors look for
- MDM reports showing 100% of corporate-accessing devices enrolled with active workspace separation
- Configuration profiles deployed to iOS devices via Apple Business Manager
- Android Work Profile policies enforced through your MDM console
- Device enrollment records showing the date and method of workspace deployment
- Screenshots of workspace isolation settings and app containerization rules
- Logs demonstrating failed cross-workspace access attempts
- Remote wipe test results confirming enterprise container removal without affecting personal data
- Compliance baseline report from your MDM solution validating workspace separation status
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically tracks mobile device enrollment status and workspace deployment across your entire device inventory, flagging any non-compliant devices and generating CIS 4.12 audit evidence in seconds—no manual MDM log scraping required.
See how GRCWatch handles this control automatically
Start free trial