Smartphones may have evolved from the telephone, but today they have a lot more in common with laptops. Both have operating systems, installed applications, hold gigabytes of user data and have a limited life. The question is: when is it time to replace an outdated phone?

Modern smartphones, with tight power, CPU, memory and storage budgets, can reasonably last for three or even five years — depending on usage. Eventually, though, factors including battery life, increasing CPU and memory demands and storage needs leave you with no choice.

But deciding to replace an outdated phone should be based on clearly-defined metrics. They may not be 100 percent objective, but with some guidelines in place, IT managers remove much of the uncertainty associated with smartphone life cycles. This makes it easy to say “no” to eager users with usable devices who want an upgrade, and to push “yes” on those who insist their outdated phone is perfectly fine.

Upgrade decisions should be made based on three factors: support, mobile device security and productivity.

1. Hardware and Software Support Costs

Hardware repairs may be obvious costs, but don’t always justify swapping out devices. Third-party smartphone repair shops bring down the cost of swapping out batteries and LCD screens — the most common repair — low enough that recent mainstream devices can be fixed very economically. However, as devices age, repair times and costs jump up. A good hardware support metric combines cost with time: for example, devices that can be repaired for less than 25 percent of the replacement cost within 24 hours should be fixed, not swapped.

More insidious are other support costs: EMM/MDM tool management and application compatibility issues increase over time as more and more smartphone hardware and software needs to be supported. Smart IT managers will mark a range of software and hardware that can be economically supported, to account for all potential corporate device programs — including BYOD and COPE.

For example, application testing might only cover the current and previous major release of each smartphone OS or browser. A device that can’t run enterprise applications (installed or web-based) should be replaced, preferably before the applications start breaking or aren’t supported anymore.

Limits should be placed on all “soft” support costs, including EMM systems, documentation creation and maintenance, and help desk training. It’s important to not waste time keeping an EMM running for an outdated device, but it’s also important to not have to constantly rewrite documentation and training because of a brand new smartphone.

2. Security Risk to the Enterprise

A smartphone that is connected to enterprise networks, through Wi-Fi, VPNs or application tunnels, affects enterprise security architecture and — at least partially — becomes the responsibility of enterprise IT. Certain security updates may be mandatory to manage vulnerabilities. Enterprises who control risk for compliance reasons or as part of their own security framework are usually prohibited from having un-patched operating systems and out-of-date applications. Where a device cannot be brought into compliance, then replacement is easily justified.

Security risk is more than just patching and version control, though. Enterprises expect mobile device security as a distinguishing feature. As security teams start requiring things like fingerprints to unlock devices or hardware encryption, the decision whether or not to replace a smartphone is simplified. Organizations don’t want corporate data potentially compromised because a phone is without the latest hardware advances.

With Samsung’s latest devices, enterprises not only get hardware-based security measures such as biometrics and roots of trust, but can also apply granular device policies with Knox Configure. This remote configuration tool lets IT managers easily generate specific user profiles and push out dynamic updates, so you can tailor device settings to match your security posture. Another Samsung tool, E-FOTA, lets you easily manage security updates.

Risk may be hard to measure, but compliance requirements are easy to describe. IT managers who clearly lay out hardware and software compatibility requirements in the context of reducing enterprise risk will find it easy to determine which devices need replacement, and which can continue to be supported.

3. User Productivity

There is no single, objective way to measure user productivity. Still, this should be a criterion to help decide whether an outdated phone needs to be replaced.

Obviously, if a device locks up or crashes daily, something is very wrong. IT managers should be supportive when a user complains about productivity problems with older devices. Once the help desk has done an initial evaluation to see if there is a device misconfiguration or other solvable problem, it’s a good idea to approve requested upgrades.

Evaluating the impact on user productivity should go beyond whether the device is too slow or too unreliable for a user. The act of swapping devices can be intrusive and upsetting to users, especially if an operating system upgrade is part of the deal. Smart IT managers will put programs in place, such as cloud backup services and user training programs, to help minimize these costs across all users, and make switching devices painless for both employees and IT professionals.

Are unpatched security vulnerabilities worth the risk? A recent report shows just how much known vulnerabilities can cost your business.