3.1.18 — Mobile Device Control

The One-Liner

If you can’t see and manage every mobile device accessing CUI, you need an MDM solution.

What It Says

Control connection of mobile devices.

What It Actually Means

Mobile devices — phones, tablets, e-readers, anything portable — that might access CUI must be:

1. Registered — IT knows the device exists and who owns it
2. Managed — MDM policies enforced (encryption, screen lock, remote wipe capability)
3. Monitored — connections logged with device identity

Each device needs a unique identifier. Unregistered devices are blocked from accessing CUI resources. You decide whether to allow BYOD with MDM enrollment or restrict to company-owned devices only — but either way, every device is managed.

---

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Are mobile devices that handle CUI identified?	A maintained device inventory
2	Are mobile connections authorized?	Only approved devices connect
3	Are mobile connections monitored and logged?	Connection events recorded with device identity

---

What to Have Ready on Assessment Day

Documents they’ll review: Access control policy, mobile device procedures, system design docs, configuration management plan, system security plan, system config, audit logs

People they’ll talk to: Mobile device users, sysadmins, information security staff

Live demos they’ll ask for: “Show me your MDM dashboard. Show me that an unregistered device is blocked.”

---

The Assessor’s Playbook

These are the actual questions. Have answers ready.

• “Do you maintain a list of mobile devices permitted to handle CUI?”
• “Is the system configured to only permit authorized mobile devices?”
• “How do you handle BYOD?”
• “Show me your MDM policy enforcement.”

Real-World Example

A contractor uses Intune for MDM. All company phones and tablets are enrolled. BYOD is allowed only with Intune enrollment and a compliance policy (encryption on, screen lock, no jailbreak). Conditional Access blocks non-compliant or unregistered devices from accessing M365 and CUI resources. The Intune dashboard shows all enrolled devices with compliance status.

---

Where Companies Trip Up

No MDM. Mobile devices connect with no management or policy enforcement.

BYOD with no controls. Personal phones accessing CUI email without any device compliance requirements.

No device inventory. You don’t know which mobile devices have access to CUI.

---

How to Talk About This

To a CEO or Board

Every mobile device touching our CUI environment is registered and managed through MDM. Personal devices must meet our compliance requirements or they’re blocked.

To an Engineering Team

Intune MDM. Conditional Access requires device compliance: encryption, screen lock, OS version, no jailbreak. BYOD requires Intune enrollment. Non-compliant devices blocked from CUI resources.

---

Connected Requirements

Requirement	Why it matters here
3.1.16 — Wi-Fi Approval First	Wireless access that mobile devices use
3.1.19 — Encrypt CUI on Mobile	Encrypting CUI on these devices

---

Implementation (coming soon)

Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.

---

CMMC Practice ID: AC.L2-3.1.18 | SPRS Weight: 5 points | POA&M Eligible: No