The beginner’s guide to MDM

Learn how to protect and manage your mobile devices with this step-by-step guide covering everything from planning groups and creating policies, to reporting.

Download Now
Device Management

BYOD, CYOD, COPE, COBO — What Do They Really Mean?

Anyone researching enterprise mobility will run into the terms BYOD, CYOD, COPE, and COBO (plus a few more). The acronyms themselves are easy: BYOD is Bring Your Own Device; CYOD is Choose Your Own Device; COPE is Company Owned/Personally Enabled; and COBO is Company Owned/Business Only. Beyond that, there’s little agreement on what they mean.

In the long run, it doesn’t matter which term you use — they’re all ingredients in the acronym soup that surrounds enterprise mobility. What does matter is that you are clear on what it means to you, your users and your company.

Plan a Successful CYOD Program

icon of a documentWhite Paper

Download our comprehensive 8-step guide to planning and deploying a CYOD initiative at your company. Download Now

Usually, when comparing definitions, there’s a spectrum ranging from a very “laissez-faire” approach — as in, “we don’t have a mobility policy” — through basic integration and access via a smartphone (BYOD and CYOD), to more intense integration and control using a company-owned and company-controlled device (COPE and COBO).

To create your own mobile program definition, whether you call it BYOD, CYOD, COPE, COBO or something else, you’ll want to explicitly describe three important elements:

  • The Device: what is it, who picks it, and who pays for the device and cellular connectivity service?
  • Management and Support: who manages the device and is responsible for support?
  • Integration and Applications: how closely integrated and important is the device with everyday workflow?

1. Start with the Device: When building your own program and definitions, begin with the device. Are you talking about just smartphones and tablets? Or does this include laptops and other devices, such as wearables? Who gets to pick which devices are part of the program? And, importantly, be sure to agree on who pays for the device and any monthly connectivity plans. Your answers to these questions may drive you to one of the acronyms, but it’s more important to answer these questions than to pick exactly the right acronym for your program. At one end is an “anything goes” approach to mobile devices; at the other end is a much more controlled set of choices, usually with corresponding financial commitment from the company.

2. Move to Management and Support: Next, describe who controls the device and who is responsible for support. One option is minimalist: the touch on the device (and its support) is barely there, if at all. If a Mobile Device Management (MDM) or Enterprise Mobility Management (EMM) agent is installed on the device and corporate IT sets extensive and restrictive policies, that’s more maximalist, with strong controls and, usually, equally strong support.

3. Describe Integration and Applications: Finally, be explicit about how tightly the device is integrated into the enterprise network and which corporate applications are running — as well as any personal application restrictions. When the device only has basic collaboration tools — things like email and audio/video conferencing — that’s one end of the spectrum. If the enterprise has applications specifically designed for mobile devices, expects them to be part of the daily workflow, and connects them directly to the network, that’s a heavier commitment to mobility, which comes with greater resources and greater opportunity to leverage the value of devices in the hands of mobile workers.


Each of the three elements sits on a spectrum, and often correlations can be drawn. In other words, if you’re tightly integrating the device into everyday workflows by writing applications and connecting it directly to the corporate network, then usually that matches up with equally tight management and support. This, in turn, often means the enterprise will decide to take on all or most of the device and monthly connectivity costs.

To put it another way, an increase in IT system integration and access has to be balanced with a reduction in the risk created by having unmanaged mobile devices connect to your network. That turns into tighter management and fewer device options for end users, which is where CYOD or COBO comes in. BYOD, on the other hand, generally gives users more freedom, but creates greater risk for the enterprise. Enterprises with BYOD policies may have looser device management and support, but balance that by limiting network access and putting less emphasis on enterprise applications.

If you find that you’re creating a program where pieces sit at very different ends of the spectrum, then you may want to reconsider whether things are properly aligned. For example, if mobility is key to your enterprise and you’ve invested in application development, then you probably also want to make an investment in a good MDM/EMM solution to be sure that devices do not represent an uncontrolled risk to security. Don’t have a corporate-issued device program with BYOD benefits — or vice versa.

What Are COPE and COBO?

COPE programs — almost always focused on smartphones — recognize that no one wants to carry two smartphones with them. Companies provide smartphones primarily for work use, but basic functions such as voice calls, messaging and personal applications are allowed, with some controls on usage and flexibility. COPE is used to describe a mobility program where the balance is weighted towards the enterprise’s needs for applications, integration and security, and the end user is allowed to use the device for non-enterprise functions as well. COPE programs should use containerization tools, such as the Work Profile in Android Enterprise or the Knox Platform for Enterprise, to maintain a separation between personal and work data and applications.

COBO takes things even further by outright prohibiting personal use of a mobile device. COBO could be used to describe a device running only a single application, such as an inventory system with an embedded barcode scanner. Or it could just be a smartphone where policy prohibits personal use.

At the end of the day, whether you choose to use BYOD, CYOD or something else, the acronym describing your program isn’t as important as choosing the proper balance between the various elements. Your goal should be to match the level of investment in applications, support and devices. Once you do that, you can call it whatever you want.

Need help with your mobile strategy? Get a comprehensive guide to planning a mobile initiative from start to finish, and download a free white paper to learn to design and roll out a comprehensive CYOD plan.

Posts By

Joel Snyder

Joel Snyder, Ph.D., is a senior IT consultant with 30 years of practice. An internationally recognized expert in the areas of security, messaging and networks, Snyder is a popular speaker and author and is known for his unbiased and comprehensive tests of security and networking products. His clients include major organizations on six continents.

View more posts by Joel Snyder