Safeguard 4.12: Separate Enterprise Workspaces on Mobile End-User Devices
Safeguard 4.12 requires you to separate corporate apps and data from personal apps and data on mobile end-user devices by using an enterprise-managed workspace (container) with distinct policy, access controls, and remote-wipe capabilities. To operationalize it fast, standardize on an MDM/UEM platform, define which apps/data must live in the work container, and enforce enrollment and compliance before allowing email, files, or SaaS access.
Key takeaways:
- Create a managed “work” container on iOS/Android and force enterprise data to stay inside it.
- Tie access to enrollment and compliance (conditional access), not user promises.
- Evidence is the control: keep configuration exports, device/app compliance reports, and exception approvals.
“Separate enterprise workspaces” is a mobile data containment requirement. The outcome you need is simple to explain to an auditor: corporate email, documents, messaging, and line-of-business apps run in a managed workspace on the phone, and the organization can enforce policy and remove only corporate data without touching personal data. This reduces data leakage through personal apps, unmanaged backups, screenshots, copy/paste, and unapproved cloud sync.
From an operator’s standpoint, the hard parts are scoping and enforcement. Scoping means deciding which users and which mobile use cases are in-scope (corporate-liable, BYOD, contractors, high-risk roles, privileged admins). Enforcement means moving from “we publish a policy” to “access is blocked unless the device is enrolled and the work profile/container is active.” Safeguard 4.12 also creates ongoing work: you must keep evidence that separation remains enabled as device fleets and OS versions change, and you must control exceptions without turning them into permanent holes.
This page gives requirement-level implementation guidance for Safeguard 4.12 (Separate Enterprise Workspaces on Mobile End-User Devices), mapped to practical steps and audit-ready artifacts. Source references: CIS Controls v8 and CIS Controls Navigator v8. 1
Regulatory text
Framework requirement (excerpt): “CIS Controls v8 safeguard 4.12 implementation expectation (Separate Enterprise Workspaces on Mobile End-User Devices).” 1
Operator interpretation of the text: You must implement technical controls that keep enterprise data and enterprise applications in a distinct, centrally managed workspace on mobile devices. That workspace must be enforceable by the enterprise (policy, configuration, compliance checks) and support targeted removal of corporate data (selective wipe) without requiring a full device wipe for BYOD.
What the operator must do: Implement containerization or equivalent “managed profile” capability (for example, Android Work Profile or iOS managed app/data controls via MDM/UEM), then enforce that corporate access only occurs through the managed workspace. Document the design, operate the control continuously, and retain evidence that separation is active across the in-scope mobile fleet. 1
Plain-English requirement summary
You need two worlds on a phone:
- Work world: enterprise-managed apps and data, controlled by MDM/UEM, with restrictions that prevent easy exfiltration to personal apps or personal cloud services.
- Personal world: user-owned apps and data that your IT team does not manage (especially for BYOD), except for baseline enrollment checks where allowed by policy.
If an employee leaves, you remove the work world. You do not need to (and often should not) erase personal photos, texts, or personal apps.
Who this applies to (entity + operational context)
Entity types: Enterprises and technology organizations adopting CIS Controls v8 as a baseline cybersecurity framework. 1
Operational contexts typically in scope:
- Any workforce using mobile devices to access enterprise email, files, chat, ticketing, CRM, source code, or administrative consoles.
- BYOD programs where the company allows personal phones to access corporate SaaS.
- Corporate-liable (company-owned) smartphones and tablets.
- Contractors/consultants who receive mobile access to enterprise systems (treat as third parties for due diligence and access governance, even if they are individuals).
Role-based prioritization (risk-driven):
- Executives, finance, legal, HR (high-value data).
- IT admins and anyone with privileged access (high blast radius).
- Sales and customer support (customer data exposure).
Control objective and success criteria (what “good” looks like)
Use these as audit-ready statements:
- All mobile access to corporate data is mediated by MDM/UEM enrollment and a managed workspace/profile.
- Enterprise data cannot be moved to unmanaged apps or personal cloud services except via approved methods.
- Selective wipe is tested and works.
- Exceptions are time-bound, approved, and monitored with compensating controls.
What you actually need to do (step-by-step)
1) Define scope and decide your separation model
Choose the model per platform and ownership:
- BYOD Android: require Work Profile (container) for corporate apps.
- BYOD iOS/iPadOS: use managed apps + managed accounts + data separation controls enforced by MDM/UEM (containerization is different on iOS; the goal is still separation).
- Corporate-owned: you can take stricter control (supervised iOS, fully managed Android) while still separating work/personal if personal use is allowed.
Deliverable: a one-page “Mobile Workspace Separation Standard” that states in-scope devices, minimum OS versions you support, and the required enrollment mode. 1
2) Standardize on an MDM/UEM and enroll devices
Operational requirement: if you cannot enforce policy centrally, you cannot prove separation.
- Configure enrollment methods (BYOD enrollment, corporate-owned enrollment).
- Block access to corporate email/SaaS from unmanaged devices using conditional access (identity provider + device compliance signals).
Deliverables:
- Enrollment procedure (user-facing).
- Admin runbook for enrollment failures and device replacements.
- Conditional access policy description tied to device compliance. 1
3) Create the enterprise workspace and enforce data boundaries
Implement configuration that makes the “work world” real:
- Publish corporate apps into the managed workspace (email, browser, chat, docs, VPN, EDR where applicable).
- Restrict data movement from managed to unmanaged contexts (copy/paste controls, “open in” restrictions, managed sharing destinations).
- Require encryption and screen lock within corporate policy (even if personal side differs).
- Configure corporate account separation (managed mail profiles, managed app configs).
Practical test: attempt to open a corporate attachment from the work email app into a personal app. Your policy should block it or route it only into managed apps.
Deliverables:
- MDM/UEM configuration profiles (export/screenshot set).
- App protection policies (if you use them) and “approved apps list.”
- A written “Enterprise Data Boundary Rules” appendix that lists what is blocked and what is allowed. 1
4) Implement selective wipe and offboarding workflows
Separation is incomplete without clean removal of corporate data:
- Configure selective wipe for the managed workspace.
- Run a tabletop and a live test on a non-production user device to confirm: work apps/data removed, personal apps/data remain.
- Define triggers: termination, device loss, role change, non-compliance, third-party contract end.
Deliverables:
- Offboarding SOP with selective wipe steps.
- Evidence of selective wipe test (ticket + screenshot/log extract + approver). 1
5) Operate the control continuously (compliance monitoring)
Your day-to-day operating rhythm:
- Monitor enrollment status, compliance, and drift (devices falling out of compliance).
- Review new OS releases for policy compatibility.
- Reconcile active mobile users vs enrolled devices (HR roster vs MDM inventory).
Deliverables:
- Monthly (or regular) compliance report export from MDM/UEM showing work profile/container status and noncompliant devices.
- Exception register with owner, reason, compensating controls, and expiration. 1
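An added example, not from the page or any MDM/UEM vendor, of the roster-versus-inventory reconciliation in step 5, written in Python against constructed CSV exports. It flags enrolled devices whose owner is no longer active in HR (a selective wipe trigger from step 4), enrolled devices with no work profile unless an unexpired entry in the exception register covers them, noncompliant devices, and active users granted mobile access with no enrolled device. The column names, user names and dates are assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample exports; the column names are assumptions, not any vendor's schema.
HR_ROSTER = """user,status,mobile_access
alice@example.com,active,yes
bob@example.com,terminated,yes
carol@example.com,active,yes
dave@example.com,active,no
eve@example.com,active,yes
"""
MDM_INVENTORY = """device_id,user,platform,enrolled,work_profile,compliant
d-001,alice@example.com,android,yes,yes,yes
d-002,bob@example.com,ios,yes,yes,yes
d-003,carol@example.com,android,yes,no,yes
"""
# Time-boxed exception register: carol may run without a work profile until the expiry date.
EXCEPTIONS = """user,reason,expires
carol@example.com,legacy device pending replacement,2024-01-31
"""

def reconcile(hr_csv, mdm_csv, exc_csv, today_iso):
    """Return sorted (finding, user, device_id) tuples; device_id is '-' for user-level findings."""
    today = date.fromisoformat(today_iso)
    hr = {r["user"]: r for r in csv.DictReader(io.StringIO(hr_csv))}
    devices = list(csv.DictReader(io.StringIO(mdm_csv)))
    exceptions = {r["user"]: date.fromisoformat(r["expires"])
                  for r in csv.DictReader(io.StringIO(exc_csv))}
    findings, enrolled_users = [], set()
    for d in devices:
        user, dev = d["user"], d["device_id"]
        if d["enrolled"] == "yes":
            enrolled_users.add(user)
        rec = hr.get(user)
        # Offboarding trigger: device owner is missing from HR or no longer active.
        if rec is None or rec["status"] != "active":
            findings.append(("selective_wipe_required", user, dev))
            continue
        # Enrolled but not separated: acceptable only under an unexpired exception.
        if d["work_profile"] != "yes":
            expiry = exceptions.get(user)
            if expiry is None or expiry < today:
                findings.append(("no_work_profile", user, dev))
        if d["compliant"] != "yes":
            findings.append(("noncompliant", user, dev))
    # Drift the other way: active users with mobile access but no enrolled device.
    for user, rec in hr.items():
        if rec["status"] == "active" and rec["mobile_access"] == "yes" and user not in enrolled_users:
            findings.append(("unenrolled_mobile_user", user, "-"))
    return sorted(findings)
```

Run it on real exports by swapping the embedded strings for file contents; the finding list is the monthly report and the selective wipe work queue in one artifact.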
6) Map the requirement to documented control operation and recurring evidence capture
This is the most common assessment gap: teams implement the tech but cannot prove it stayed implemented. Build an evidence calendar and assign ownership for recurring exports and screenshots. If you run Daydream, treat this as a control with scheduled evidence tasks, owner attestations, and centralized storage for artifacts so audits do not turn into screenshot hunts. 1
Required evidence and artifacts to retain
Keep artifacts that prove design, implementation, and operation:
Design
- Mobile/BYOD policy + “Workspace Separation Standard”
- Data boundary rules (managed-to-unmanaged restrictions)
- Roles in scope and access requirements (who must enroll)
Implementation
- MDM/UEM configuration profile exports (PDF/screenshot bundle + change tickets)
- Conditional access policy configuration evidence (screenshots/export)
- Approved app catalog and assignment rules
Operational
- Device inventory with compliance status (export)
- Report showing managed workspace/work profile deployment coverage
- Selective wipe test evidence and at least one real offboarding ticket record (redacted)
- Exceptions register with approvals and expiry
- Change management records for policy modifications
Common exam/audit questions and hangups
Auditors and assessors typically press on:
- “Show me that enterprise data is separated on BYOD devices, not just ‘MDM enrolled.’”
- “How do you prevent users from moving files to personal cloud storage?”
- “What happens if a device is jailbroken/rooted or noncompliant?”
- “Prove selective wipe works and that you can remove corporate data promptly.”
- “How do you handle contractors and other third parties with mobile access?”
- “Where is your recurring evidence that the control operates over time?” 1
Frequent implementation mistakes (and how to avoid them)
- Policy-only BYOD programs. Fix: require conditional access so unmanaged devices cannot connect.
- Enrolled device without data separation. Fix: explicitly require work profile/managed apps, then test data movement paths.
- No exception discipline. Fix: time-box exceptions, require a compensating control, and track them in a register.
- Selective wipe not tested. Fix: run a documented test and repeat after major platform/MDM changes.
- Evidence scattered across email and screenshots. Fix: define an evidence pack and recurring exports; store centrally with change tickets. Daydream is useful here as the system of record for control mapping and evidence capture. 1
Risk implications (why assessors care)
Without workspace separation, a single mobile device can become an unmanaged data egress channel: personal file-sharing apps, personal browsers, auto-backup features, and copy/paste into consumer messaging. Separation reduces the likelihood that corporate data ends up in places you cannot monitor or wipe, and it shrinks the scope of incident response when a device is lost or an employee exits. 1
Practical 30/60/90-day execution plan
First 30 days (stabilize scope + blocking controls)
- Publish the “Workspace Separation Standard” and define in-scope populations (BYOD, corporate-owned, contractors).
- Configure MDM/UEM enrollment paths for iOS and Android; validate you can create a managed workspace/profile.
- Turn on conditional access for the highest-risk apps first (email, files, chat) so unmanaged devices cannot authenticate.
- Build your evidence pack template (what screenshots/exports you will collect and where they live).
Days 31–60 (enforce separation + migration)
- Roll out managed apps into the workspace/profile; migrate users off unmanaged mail profiles.
- Implement data boundary restrictions (managed-to-unmanaged controls) and validate with hands-on tests.
- Stand up exception handling: intake, approval, compensating controls, and expiry.
- Run and document a selective wipe test.
Days 61–90 (operationalize + audit readiness)
- Expand enforcement to remaining apps and user groups.
- Establish recurring reporting: device compliance, workspace coverage, exceptions.
- Conduct an internal mini-audit: pick sample users and produce end-to-end evidence in one folder.
- In Daydream, map safeguard 4.12 to your control narrative and schedule recurring evidence capture so the next audit is repeatable. 1
Frequently Asked Questions
Does “separate enterprise workspaces” mean full containerization for every phone?
It means enforceable separation of enterprise apps/data from personal apps/data. On Android that is often a Work Profile; on iOS it is commonly managed apps and managed data controls through MDM/UEM. 1
Can we meet safeguard 4.12 with policy language and user training only?
Assessors expect technical enforcement, not just policy. Use MDM/UEM controls plus conditional access so enterprise systems block unmanaged devices. 1
What’s the minimum set of apps/data that must live in the enterprise workspace?
Start with email, file storage/sync, corporate chat, and any app that handles regulated or confidential data. Document the list and enforce that those apps only run as managed apps in the workspace/profile. 1
How do we handle executives who refuse enrollment on their personal phones?
Treat it as an exception with an expiry and compensating controls, or provide a corporate-owned device. Don’t leave permanent unmanaged access to executive mailboxes and files. 1
What evidence is most persuasive in an audit?
MDM/UEM exports showing managed workspace coverage and compliance status, conditional access policies that block unmanaged devices, and a documented selective wipe test. Pair that with an exceptions register and change tickets. 1
If we already have MDM on corporate-owned phones, are we done?
Not automatically. Confirm that enterprise data cannot flow into unmanaged apps, and confirm selective wipe/offboarding works as intended. Then set up recurring evidence capture to show ongoing operation. 1
Footnotes
1. CIS Controls v8; CIS Controls Navigator v8.