Introduction

Most mobile security issues in business do not start with the handset. They start with an inconsistent setup, unmanaged apps, and limited control over what happens when a device is lost, replaced, or used outside policy.

The scale of the challenge is clear. The UK Government’s Cyber Security Breaches Survey 2025 found that 43 percent of businesses reported a cyber security breach or attack in the previous 12 months. Among those affected, phishing was by far the most common type of breach or attack (experienced by 85 percent), and it was also most often described as the most disruptive.

The impact is not only technical. The same survey reports that the mean self-reported cost of the most disruptive breach or attack among businesses was £1,600 (including businesses that reported £0), or £3,550 when excluding £0 responses.

Smartphones sit in the middle of this risk because they are a primary route into email, Teams, files, CRM, password managers, and multi-factor authentication. They also support day-to-day work away from the office. In early 2025, the ONS reported that 28 percent of workers in Great Britain were hybrid workers.

This is where Apple Business Manager and Android Enterprise fit in. They are not replacements for Mobile Device Management. They are the vendor frameworks that make MDM more consistent and more effective.

To keep the difference clear, use this simple split:

  • Apple Business Manager and Android Enterprise determine how a device becomes company-managed and how apps are made available safely.
  • MDM or UEM decides what happens to that device every day once it is enrolled, including compliance, configuration, reporting and remote actions.

What is Apple Business Manager

Apple Business Manager is Apple’s web-based portal for organisations. Its main purpose is to streamline deployment and support secure app assignment for Apple devices, especially company-owned iPhones and iPads.

What Apple Business Manager does

Apple Business Manager primarily focuses on deployment and entitlements.

  1. Automated Device Enrolment readiness: Apple Business Manager enables automated enrolment into your chosen device management service (your MDM). This is designed to let organisations configure and manage devices from the moment the device is first turned on, without manual hands-on staging.
  2. Stronger control for organisation-owned devices: When Apple devices are deployed via automated enrolment, they can be placed into supervised management. This is a key difference between lightly managed devices and properly governed corporate devices, because it supports tighter control over the management state.
  3. Secure application distribution: Apple Business Manager supports business purchasing and assignment of apps, so you can deploy approved applications without relying on personal Apple IDs for business software.

What Apple Business Manager does not do

Apple Business Manager does not enforce passcodes, encryption, OS update rules, Wi-Fi settings, VPN configuration, compliance reporting, or remote wipe actions by itself. Those are MDM or UEM functions.

What is Android Enterprise

Android Enterprise is Google’s enterprise management framework for Android. It provides standardised methods to separate work and personal data, deploy corporate devices at scale, and distribute work apps safely, typically through an MDM platform.

What Android Enterprise does

Android Enterprise focuses on management modes and work app governance.

  1. Work profile for BYOD: A work profile separates company apps and data from personal apps and data on the same device. Organisations can manage the work profile without taking control of the employee’s personal side.
  2. Fully managed devices for company-owned mobiles: For corporate-owned devices intended for work, Android Enterprise supports fully managed deployments, providing broader policy options than a work profile.
  3. Zero-touch enrolment and streamlined provisioning: Zero-touch enrolment allows devices to be provisioned for enterprise management on first boot, supporting faster and more consistent rollout.
  4. Managed Google Play for secure application distribution: Android Enterprise supports approval and distribution of apps for the work environment, reducing the chance of unapproved or unwanted applications entering the business estate.

What Android Enterprise does not do

Android Enterprise provides the framework and modes, but it is not the day-to-day enforcement engine on its own. Your MDM or UEM applies configuration, measures compliance, and performs remediation actions such as lock and wipe.

Why these platforms matter for company phone management

If you manage multiple mobile phone connections across different networks, device types and user roles, you need two things to stay in control:

  • a consistent deployment route
  • a consistent security baseline

Apple Business Manager and Android Enterprise give you a consistent way to enrol devices. They also remove common problems in day-to-day operations:

  • Joiners: devices can be provisioned fast with standard apps and settings
  • Leavers: access can be removed, and devices reset and reassigned under a controlled process
  • Replacements: faster recovery after loss or damage, since setup is repeatable
  • Mixed fleets: same governance for both iOS and Android

This matters because the disruption is not rare. Among businesses that identified any breach or attack in the last 12 months, around half (52 percent) experienced them at least monthly, and 29 percent said it happened at least weekly.

Extra security in conjunction with MDM

What MDM does

MDM is the system that enforces security and operational policy on devices after they enrol. It is the control layer that keeps devices secure, up to date and compliant, and supports the actions businesses need when something goes wrong.

In practical terms, an MDM or UEM platform typically handles:

  • configuration profiles (email, Wi-Fi, VPN, certificates, restrictions)
  • compliance policies (minimum OS version, encryption required, screen lock standards, jailbreak or root detection)
  • reporting and alerts (visibility of enrolled devices and compliance status)
  • conditional access integration (only compliant devices can access corporate resources, where identity is integrated)
  • remote actions (lock, wipe, reset, selective wipe for BYOD)

What Apple Business Manager and Android Enterprise do instead

Apple Business Manager and Android Enterprise do not replace these controls. They make enrolment stronger and governance better, so MDM can apply policies earlier and more reliably.

A practical way to keep it straight:

  • ABM and Android Enterprise are your official on-ramps for Apple and Android
  • MDM or UEM is your control plane for security, configuration, compliance and response

Device Protection and multi-layered security

Multi-layered security means controls on the device, identity controls, and app controls working together. This is important because phishing and impersonation continue to drive disruption for UK organisations. In the Cyber Security Breaches Survey 2025, phishing was both the most prevalent type of attack among affected businesses and the most commonly cited as most disruptive.

A sensible baseline for secure company mobile devices usually includes:

  • strong screen lock and biometric standards
  • enforced encryption
  • OS update expectations and minimum supported versions
  • restrictions on risky settings (for example, unknown sources on Android)
  • device compliance tied to access (conditional access, where supported)

Secure application distribution

One of the fastest ways to reduce mobile risk is to control the app route:

  • Apple Business Manager supports app entitlement and assignment for business deployment
  • Android Enterprise uses Managed Google Play to approve and assign apps for work

This reduces the risk of unwanted or malicious applications because the managed environment is curated and policy-driven rather than left to individual choice.

Instant deployment allows teams to work faster

Deployment speed is not just convenience. It reduces the time a device exists in an unmanaged state.

  • Apple Business Manager supports automated enrolment and streamlined initial setup
  • Android zero-touch enrolment supports consistent provisioning on first boot

Lost company phone policy

A lost company phone policy should assume two things: devices will get lost, and attackers act fast. This is especially important when phishing is so common and repeat incidents happen often.

A practical policy framework includes:

  • Immediate reporting route (single channel, clear ownership)
  • Remote actions via MDM (lock, wipe, selective wipe depending on ownership and risk)
  • SIM and number controls (suspend, swap to replacement, verify identity for any porting)
  • Replacement workflow using automated enrolment and managed app assignment
  • Post-incident review (was the device compliant, was MFA protected, were risky apps installed)

Costs and licensing

The cost of Apple Business Manager

Apple Business Manager is free to use. The cost is usually in:

  • MDM or UEM licensing and support
  • implementation and ongoing administration
  • paid business apps where required

The cost of Android Enterprise

Android Enterprise is also free. Costs typically come from:

  • MDM or UEM licensing
  • identity and access management setup
  • device standards and support overhead across multiple manufacturers

Why is this still cost-effective?

The goal is to reduce effort and risk. The average cost of the most disruptive breach is £1,600, or £3,550 if you exclude £0 responses, according to the Cyber Security Breaches Survey 2025.

Advantages and disadvantages of Apple Business Manager

Advantages

  • Strong foundation for consistent deployment of company-owned Apple devices through automated enrolment
  • Supports tighter governance for corporate deployments
  • Better control over business app assignment

Disadvantages

  • Requires the right procurement and setup discipline to get the full benefit
  • Does not deliver security outcomes without MDM policies, compliance rules and access controls
  • Needs clear internal ownership of roles and lifecycle processes to avoid admin drift

Advantages and disadvantages of Android Enterprise

Advantages

  • Work Profile supports BYOD separation with privacy for personal use and control of work apps and data
  • Fully managed deployments provide broader policy controls for company-owned devices
  • Zero-touch provisioning speeds up rollout and reduces manual setup
  • Managed Google Play supports secure application distribution by limiting apps to approved choices

Disadvantages

  • OS updates and user experience can differ from device to device, so verify the device’s settings
  • Choosing the wrong management mode can cause problems, especially for BYOD. Clear policy and communication are essential.
  • Security depends on MDM enforcement, compliance, and response processes

Future-proofing and investment

Future-proofing means using vendor-supported frameworks instead of custom workarounds. Apple and Google keep these frameworks up to date, helping UK organisations keep governance consistent as teams and devices change.

For UK businesses, the practical value is stability:

  • fewer deployment exceptions
  • consistent governance as device fleets grow
  • faster response when devices are replaced or compromised
  • clearer reporting for IT and leadership teams

Conclusion

Apple Business Manager and Android Enterprise are best viewed as the official deployment frameworks for iOS and Android. They help you enrol devices correctly, distribute apps safely, and scale company phone management across mixed fleets and multiple mobile phone connections.

MDM or UEM is the control plane that applies security, compliance, remote actions and reporting.

For a reliable approach to securing company mobile devices:

  • Use Apple Business Manager to prepare Apple devices for automated enrolment and managed app assignment
  • Use Android Enterprise to deploy the right Android management mode and control work app distribution
  • Enforce security, compliance and incident response through a capable MDM or UEM platform