{
  "title": "How to Configure MDM to Meet NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - AC.L2-3.1.19 and Encrypt CUI on Mobile Devices and Mobile Computing Platforms",
  "date": "2026-04-18",
  "author": "Lakeridge Technologies",
  "featured_image": "/assets/images/blog/2026/4/how-to-configure-mdm-to-meet-nist-sp-800-171-rev2-cmmc-20-level-2-control-acl2-3119-and-encrypt-cui-on-mobile-devices-and-mobile-computing-platforms.jpg",
  "content": {
    "full_html": "<p>This post explains how to configure a Mobile Device Management (MDM) solution to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control AC.L2-3.1.19 — \"Encrypt CUI on mobile devices and mobile computing platforms\" — with practical, actionable steps, platform-specific settings, and illustrative small-business examples.</p>\n\n<h2>What AC.L2-3.1.19 requires and why it matters</h2>\n<p>AC.L2-3.1.19 requires organizations to ensure that Controlled Unclassified Information (CUI) stored on mobile devices and mobile computing platforms (smartphones, tablets, laptops) is encrypted at rest. The NIST SP 800-171A assessment objectives are specific: (a) the mobile devices and mobile computing platforms that process, store, or transmit CUI are identified, and (b) encryption is employed to protect CUI on those devices. In practice an assessor expects demonstrable controls that enforce encryption, protect encryption keys, prevent unauthorized backup or sharing of CUI, and provide remote remediation (e.g., wipe) for non-compliant devices. Because this encryption protects CUI, requirement 3.13.11 (employ FIPS-validated cryptography) applies to it as well: use the platform's native encryption (BitLocker, FileVault, iOS Data Protection, Android File-Based Encryption), check the vendor's CMVP certificate for the OS versions you deploy, and on Windows enable the FIPS-mode security policy that the validated configuration requires. Encryption reduces the risk of data exposure from lost or stolen devices or local compromise, a key concern for small businesses that handle Federal Contract Information (FCI) or CUI and rely on worker mobility.</p>\n\n<h2>High-level implementation approach</h2>\n<p>Start by classifying the data (what is CUI), inventorying devices, and choosing an MDM vendor that supports both mobile device encryption and management of mobile computing platforms (Windows/macOS). 
The typical phases are: 1) Policy design (encryption, passcode, backup restrictions, app controls), 2) Device enrollment (corporate-owned and BYOD rules), 3) Profile deployment (platform-specific encryption settings), 4) Key escrow and recovery design, and 5) Monitoring and enforcement (compliance posture, conditional access, automated remediation).</p>\n\n<h3>Inventory and policy design (practical)</h3>\n<p>Practical first steps for a small business: create a device inventory (device type, OS version, ownership, whether it touches CUI), map which apps process CUI, and produce a short policy document that states \"CUI must be encrypted at rest, backups of managed CUI are prohibited to uncontrolled cloud accounts, and non-compliant devices will be blocked/wiped.\" The inventory is not optional paperwork: it is the evidence for assessment objective (a), and everything the MDM enforces applies only to devices on it. Capture minimum OS levels (e.g., iOS 15+, Android 10+, Windows 10/11 with TPM 2.0, macOS 11+) and acceptable device ownership (COBO vs BYOD) because encryption capability differs by OS and OS version; raise the minimums as vendors drop security support for older releases.</p>\n\n<h3>Platform-specific MDM settings — Mobile (iOS/Android)</h3>\n<p>iOS/iPadOS: There is no separate \"require encryption\" setting. Storage is always encrypted with hardware AES, but the Data Protection class keys that keep files unreadable on a locked or powered-off device are derived from the passcode, so the enforceable control is a passcode payload plus backup restrictions. In practice: create a configuration profile that enforces a strong passcode (alphanumeric, minimum length 8-12, simple passcodes disallowed, auto-lock, and a wipe threshold for failed attempts), installs managed apps with the \"prevent backup of app data\" option and disallows managed apps syncing to iCloud in the restrictions payload, forces encrypted local backups, blocks jailbroken devices, and deploys managed apps (via Apple Business Manager) that use managed app containers. For macOS, enable FileVault via MDM and escrow the personal recovery key to the MDM server (Jamf, Intune, Workspace ONE) using the FileVault recovery key escrow payload. Android: require Android Enterprise (work profile for BYOD or fully managed for corporate devices). Devices that ship with Android 10 or later must use File-Based Encryption (FBE) and cannot turn it off, so target Android 10+ and still set the MDM compliance rule that requires storage encryption so that any device failing to report it is flagged; treat older devices that only offer Full Disk Encryption (FDE) as an exception to phase out rather than a supported baseline. 
Block rooted devices and enforce device attestation where available (Play Integrity; the older SafetyNet Attestation API is deprecated and should not be relied on for new deployments). For both platforms, enforce OS version minimums to ensure hardware-backed encryption (Secure Enclave / TEE) is used.</p>\n\n<h3>Platform-specific MDM settings — Mobile computing platforms (Windows/macOS)</h3>\n<p>Windows: Use your MDM (Intune, Workspace ONE) to deploy BitLocker policies: require BitLocker on the OS drive, set the encryption method to XTS-AES 256, enable pre-provisioning during Autopilot or imaging so the drive is encrypted before user data lands on it, and configure recovery key escrow to Microsoft Entra ID (formerly Azure AD) or your on-premises AD DS. Choose the protector deliberately: TPM-only unlocks the OS volume with no user interaction, so a stolen laptop boots straight to the logon screen and the protection rests entirely on the logon path and the integrity of the boot chain; TPM+PIN adds a pre-boot secret and is the better default for laptops that carry CUI. Note that silent encryption during Autopilot requires a TPM-only protector first, with the PIN added afterwards. In Intune, configure \"Endpoint security > Disk encryption > BitLocker\" policies and enforce compliance rules that block sign-in to corporate resources if BitLocker is not enabled; verify the result on a sample device with <code>manage-bde -status</code> or <code>Get-BitLockerVolume</code> rather than trusting the policy's reported state. macOS: enforce FileVault via MDM (Jamf or Intune MDM profile) and escrow the FileVault recovery key to the MDM. Protect the boot path as well: on Intel Macs set a firmware password; on Apple silicon keep the Full Security boot policy and set a Recovery Lock via MDM so an attacker cannot boot into recoveryOS and weaken the security settings. For removable media, configure policies to encrypt or disallow external drives; on Windows use BitLocker To Go and enforce encryption via MDM.</p>\n\n<h2>App-level controls, backup, network, and key management</h2>\n<p>Encrypting the device is necessary but not sufficient. Use managed-app controls to enforce in-app encryption and to prevent uncontrolled data egress: deploy managed apps (Microsoft Outlook and Microsoft 365 apps with Intune App Protection, VMware Boxer, managed versions of Office) and enable App Protection Policies (APP) to encrypt org data, block copy/paste, block saving to personal storage, and disable backup of managed app data to consumer cloud. Configure per-app VPN to ensure CUI is transmitted over authenticated tunnels and require TLS 1.2+ for app communications. 
For encryption key management, rely on hardware-backed keystores (Secure Enclave, Android Keystore, TPM) and ensure the MDM escrows recovery keys to an enterprise key store that your administrators control and that is itself access-logged; never leave recovery keys solely on devices, printed by the user, or in personal Microsoft or iCloud accounts, because an unrecoverable key turns a forgotten passcode into lost CUI and an uncontrolled key defeats the encryption.</p>\n\n<h2>Small business scenarios and examples</h2>\n<p>Example A — Small defense contractor with 40 employees: Deploy Intune for device management, require enrollment of all corporate devices, configure BitLocker via Endpoint Security policies (XTS-AES 256, require TPM+PIN), enable FileVault for Macs and escrow recovery keys to Jamf/Intune, enforce iOS passcodes and prevent backup of managed app data to iCloud, and use Conditional Access to restrict access to CUI repositories to compliant devices. Example B — Hybrid BYOD environment: Require Android Enterprise work profiles and iOS Managed Open-In; only allow CUI in managed container apps and prevent data movement to unmanaged apps or iCloud; use per-app VPN so work data always traverses corporate network protections. In BYOD the device-level controls you can enforce are limited, so the container (work profile, managed apps, APP) is the encryption boundary, and that boundary is what the assessor must see documented.</p>\n\n<h2>Compliance operations, monitoring, and common pitfalls</h2>\n<p>Operationalize compliance by setting up automated device compliance checks, daily reporting of encryption posture, and alerts for devices that fall out of compliance. Integrate MDM logs with your SIEM or control monitoring tool to detect attempts to disable encryption or to jailbreak/root, and to flag devices that stop checking in, since a device that has not reported for weeks has an unknown encryption state. Common pitfalls include: allowing older OS versions without secure hardware-backed encryption, not escrowing recovery keys (creates recovery risk), permitting unmanaged backups to consumer cloud, failing to block rooted/jailbroken devices, and recording \"encryption required\" in the MDM without ever reading a device's actual reported state. Regularly test wipe/recovery procedures, including retrieving an escrowed key and unlocking a real device with it, and perform quarterly audits to demonstrate compliance.</p>\n\n<h2>Risk of non-implementation and best practices</h2>\n<p>Not implementing AC.L2-3.1.19 exposes CUI to loss or theft, increasing risk of data breach, contract penalties, and loss of business. 
For small businesses, a single device breach can result in loss of Federal contracts or reputational damage. Best practices: require enrollment before access (network or application), adopt least privilege for mobile apps, enforce strong passcodes and biometrics, escrow recovery keys, require device attestation, and document policies and enforcement actions. Maintain a clear BYOD policy that specifies what data can be stored on personal devices and how it must be protected.</p>\n\n<p>Summary: To meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 AC.L2-3.1.19, use your MDM to enforce device and file encryption across iOS/Android and Windows/macOS, escrow recovery keys to an enterprise store, block unmanaged backups and rooted/jailbroken devices, deploy managed apps and per-app VPNs, and implement monitoring and automated remediation. For small businesses, focus on clear policies, minimum OS requirements, and simple enforcement via conditional access so encryption becomes a gatekeeper to CUI, reducing risk and enabling demonstrable compliance.</p>",
    "plain_text": "This post explains how to configure a Mobile Device Management (MDM) solution to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control AC.L2-3.1.19 — \"Encrypt CUI on mobile devices and mobile computing platforms\" — with practical, actionable steps, platform-specific settings, and illustrative small-business examples.\n\nWhat AC.L2-3.1.19 requires and why it matters\nAC.L2-3.1.19 requires organizations to ensure that Controlled Unclassified Information (CUI) stored on mobile devices and mobile computing platforms (smartphones, tablets, laptops) is encrypted at rest. The NIST SP 800-171A assessment objectives are specific: (a) the mobile devices and mobile computing platforms that process, store, or transmit CUI are identified, and (b) encryption is employed to protect CUI on those devices. In practice an assessor expects demonstrable controls that enforce encryption, protect encryption keys, prevent unauthorized backup or sharing of CUI, and provide remote remediation (e.g., wipe) for non-compliant devices. Because this encryption protects CUI, requirement 3.13.11 (employ FIPS-validated cryptography) applies to it as well: use the platform's native encryption (BitLocker, FileVault, iOS Data Protection, Android File-Based Encryption), check the vendor's CMVP certificate for the OS versions you deploy, and on Windows enable the FIPS-mode security policy that the validated configuration requires. Encryption reduces the risk of data exposure from lost or stolen devices or local compromise, a key concern for small businesses that handle Federal Contract Information (FCI) or CUI and rely on worker mobility.\n\nHigh-level implementation approach\nStart by classifying the data (what is CUI), inventorying devices, and choosing an MDM vendor that supports both mobile device encryption and management of mobile computing platforms (Windows/macOS). 
The typical phases are: 1) Policy design (encryption, passcode, backup restrictions, app controls), 2) Device enrollment (corporate-owned and BYOD rules), 3) Profile deployment (platform-specific encryption settings), 4) Key escrow and recovery design, and 5) Monitoring and enforcement (compliance posture, conditional access, automated remediation).\n\nInventory and policy design (practical)\nPractical first steps for a small business: create a device inventory (device type, OS version, ownership, whether it touches CUI), map which apps process CUI, and produce a short policy document that states \"CUI must be encrypted at rest, backups of managed CUI are prohibited to uncontrolled cloud accounts, and non-compliant devices will be blocked/wiped.\" The inventory is not optional paperwork: it is the evidence for assessment objective (a), and everything the MDM enforces applies only to devices on it. Capture minimum OS levels (e.g., iOS 15+, Android 10+, Windows 10/11 with TPM 2.0, macOS 11+) and acceptable device ownership (COBO vs BYOD) because encryption capability differs by OS and OS version; raise the minimums as vendors drop security support for older releases.\n\nPlatform-specific MDM settings — Mobile (iOS/Android)\niOS/iPadOS: There is no separate \"require encryption\" setting. Storage is always encrypted with hardware AES, but the Data Protection class keys that keep files unreadable on a locked or powered-off device are derived from the passcode, so the enforceable control is a passcode payload plus backup restrictions. In practice: create a configuration profile that enforces a strong passcode (alphanumeric, minimum length 8-12, simple passcodes disallowed, auto-lock, and a wipe threshold for failed attempts), installs managed apps with the \"prevent backup of app data\" option and disallows managed apps syncing to iCloud in the restrictions payload, forces encrypted local backups, blocks jailbroken devices, and deploys managed apps (via Apple Business Manager) that use managed app containers. For macOS, enable FileVault via MDM and escrow the personal recovery key to the MDM server (Jamf, Intune, Workspace ONE) using the FileVault recovery key escrow payload. Android: require Android Enterprise (work profile for BYOD or fully managed for corporate devices). Devices that ship with Android 10 or later must use File-Based Encryption (FBE) and cannot turn it off, so target Android 10+ and still set the MDM compliance rule that requires storage encryption so that any device failing to report it is flagged; treat older devices that only offer Full Disk Encryption (FDE) as an exception to phase out rather than a supported baseline. Block rooted devices and enforce device attestation where available (Play Integrity; the older SafetyNet Attestation API is deprecated and should not be relied on for new deployments). 
For both platforms, enforce OS version minimums to ensure hardware-backed encryption (Secure Enclave / TEE) is used.\n\nPlatform-specific MDM settings — Mobile computing platforms (Windows/macOS)\nWindows: Use your MDM (Intune, Workspace ONE) to deploy BitLocker policies: require BitLocker on the OS drive, set the encryption method to XTS-AES 256, enable pre-provisioning during Autopilot or imaging so the drive is encrypted before user data lands on it, and configure recovery key escrow to Microsoft Entra ID (formerly Azure AD) or your on-premises AD DS. Choose the protector deliberately: TPM-only unlocks the OS volume with no user interaction, so a stolen laptop boots straight to the logon screen and the protection rests entirely on the logon path and the integrity of the boot chain; TPM+PIN adds a pre-boot secret and is the better default for laptops that carry CUI. Note that silent encryption during Autopilot requires a TPM-only protector first, with the PIN added afterwards. In Intune, configure \"Endpoint security > Disk encryption > BitLocker\" policies and enforce compliance rules that block sign-in to corporate resources if BitLocker is not enabled; verify the result on a sample device with manage-bde -status or Get-BitLockerVolume rather than trusting the policy's reported state. macOS: enforce FileVault via MDM (Jamf or Intune MDM profile) and escrow the FileVault recovery key to the MDM. Protect the boot path as well: on Intel Macs set a firmware password; on Apple silicon keep the Full Security boot policy and set a Recovery Lock via MDM so an attacker cannot boot into recoveryOS and weaken the security settings. For removable media, configure policies to encrypt or disallow external drives; on Windows use BitLocker To Go and enforce encryption via MDM.\n\nApp-level controls, backup, network, and key management\nEncrypting the device is necessary but not sufficient. Use managed-app controls to enforce in-app encryption and to prevent uncontrolled data egress: deploy managed apps (Microsoft Outlook and Microsoft 365 apps with Intune App Protection, VMware Boxer, managed versions of Office) and enable App Protection Policies (APP) to encrypt org data, block copy/paste, block saving to personal storage, and disable backup of managed app data to consumer cloud. Configure per-app VPN to ensure CUI is transmitted over authenticated tunnels and require TLS 1.2+ for app communications. 
For encryption key management, rely on hardware-backed keystores (Secure Enclave, Android Keystore, TPM) and ensure the MDM escrows recovery keys to an enterprise key store that your administrators control and that is itself access-logged; never leave recovery keys solely on devices, printed by the user, or in personal Microsoft or iCloud accounts, because an unrecoverable key turns a forgotten passcode into lost CUI and an uncontrolled key defeats the encryption.\n\nSmall business scenarios and examples\nExample A — Small defense contractor with 40 employees: Deploy Intune for device management, require enrollment of all corporate devices, configure BitLocker via Endpoint Security policies (XTS-AES 256, require TPM+PIN), enable FileVault for Macs and escrow recovery keys to Jamf/Intune, enforce iOS passcodes and prevent backup of managed app data to iCloud, and use Conditional Access to restrict access to CUI repositories to compliant devices. Example B — Hybrid BYOD environment: Require Android Enterprise work profiles and iOS Managed Open-In; only allow CUI in managed container apps and prevent data movement to unmanaged apps or iCloud; use per-app VPN so work data always traverses corporate network protections. In BYOD the device-level controls you can enforce are limited, so the container (work profile, managed apps, APP) is the encryption boundary, and that boundary is what the assessor must see documented.\n\nCompliance operations, monitoring, and common pitfalls\nOperationalize compliance by setting up automated device compliance checks, daily reporting of encryption posture, and alerts for devices that fall out of compliance. Integrate MDM logs with your SIEM or control monitoring tool to detect attempts to disable encryption or to jailbreak/root, and to flag devices that stop checking in, since a device that has not reported for weeks has an unknown encryption state. Common pitfalls include: allowing older OS versions without secure hardware-backed encryption, not escrowing recovery keys (creates recovery risk), permitting unmanaged backups to consumer cloud, failing to block rooted/jailbroken devices, and recording \"encryption required\" in the MDM without ever reading a device's actual reported state. Regularly test wipe/recovery procedures, including retrieving an escrowed key and unlocking a real device with it, and perform quarterly audits to demonstrate compliance.\n\nRisk of non-implementation and best practices\nNot implementing AC.L2-3.1.19 exposes CUI to loss or theft, increasing risk of data breach, contract penalties, and loss of business. For small businesses, a single device breach can result in loss of Federal contracts or reputational damage. 
Best practices: require enrollment before access (network or application), adopt least privilege for mobile apps, enforce strong passcodes and biometrics, escrow recovery keys, require device attestation, and document policies and enforcement actions. Maintain a clear BYOD policy that specifies what data can be stored on personal devices and how it must be protected.\n\nSummary: To meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 AC.L2-3.1.19, use your MDM to enforce device and file encryption across iOS/Android and Windows/macOS, escrow recovery keys to an enterprise store, block unmanaged backups and rooted/jailbroken devices, deploy managed apps and per-app VPNs, and implement monitoring and automated remediation. For small businesses, focus on clear policies, minimum OS requirements, and simple enforcement via conditional access so encryption becomes a gatekeeper to CUI, reducing risk and enabling demonstrable compliance."
  },
  "metadata": {
    "description": "Step-by-step MDM guidance to enforce encryption of CUI on mobile devices and mobile computing platforms to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 AC.L2-3.1.19.",
    "permalink": "/how-to-configure-mdm-to-meet-nist-sp-800-171-rev2-cmmc-20-level-2-control-acl2-3119-and-encrypt-cui-on-mobile-devices-and-mobile-computing-platforms.json",
    "categories": [],
    "tags": []
  }
}
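The iOS/iPadOS settings section above describes a passcode payload plus backup and Managed Open-In restrictions. The script below, added here as an example and not code from the post's author, Apple, or any MDM vendor, builds that profile as a .mobileconfig plist using the payload keys from Apple's configuration profile reference, and re-parses it to list anything that falls short of the baseline, which is also useful for checking a profile exported from an MDM before an assessment. The organization name, profile identifier, and generated UUIDs are constructed placeholders.

```python
"""Generate and validate an iOS/iPadOS configuration profile (.mobileconfig)
that enforces the passcode and backup restrictions the post describes.

Added example for this post, not Apple's or any MDM vendor's code. Payload keys
are from Apple's configuration profile reference; ORG, PROFILE_ID and the
generated UUIDs are constructed for illustration.
"""
import plistlib
import uuid

ORG = "Example Defense Contractor"     # constructed
PROFILE_ID = "com.example.cui.mobile"  # constructed reverse-DNS identifier


def passcode_payload() -> dict:
    """Passcode policy (com.apple.mobiledevice.passwordpolicy). On iOS the
    Data Protection class keys derive from the passcode, so this payload is
    what makes storage encryption meaningful on a locked device."""
    return {
        "PayloadType": "com.apple.mobiledevice.passwordpolicy",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{PROFILE_ID}.passcode",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "CUI passcode policy",
        "forcePIN": True,
        "allowSimple": False,          # no repeating/ascending sequences
        "requireAlphanumeric": True,
        "minLength": 8,
        "minComplexChars": 1,
        "maxFailedAttempts": 10,       # device wipes after this many failures
        "maxInactivity": 5,            # minutes before auto-lock
        "maxGracePeriod": 0,           # passcode required immediately on wake
    }


def restrictions_payload() -> dict:
    """Restrictions (com.apple.applicationaccess) that keep managed-app data
    out of consumer cloud and unmanaged apps."""
    return {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{PROFILE_ID}.restrictions",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "CUI data-flow restrictions",
        "allowManagedAppsCloudSync": False,        # managed apps may not use iCloud
        "allowOpenFromManagedToUnmanaged": False,  # Managed Open-In
        "allowOpenFromUnmanagedToManaged": False,
        "forceEncryptedBackup": True,              # local computer backups must be encrypted
        "allowCloudBackup": False,                 # supervised only: no whole-device iCloud backup
    }


def build_profile() -> dict:
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": PROFILE_ID,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "CUI encryption baseline (iOS)",
        "PayloadOrganization": ORG,
        "PayloadRemovalDisallowed": True,          # user cannot remove it without MDM
        "PayloadContent": [passcode_payload(), restrictions_payload()],
    }


def serialize(profile: dict) -> bytes:
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def check_profile(data: bytes) -> list:
    """Re-parse a profile (generated here or exported from an MDM) and return
    every setting that falls short of the baseline; [] means it passes."""
    prof = plistlib.loads(data)
    by_type = {p.get("PayloadType"): p for p in prof.get("PayloadContent", [])}
    findings = []
    pw = by_type.get("com.apple.mobiledevice.passwordpolicy")
    if pw is None:
        findings.append("no passcode payload")
    else:
        if not pw.get("forcePIN", False):
            findings.append("passcode not forced")
        if pw.get("allowSimple", True):
            findings.append("simple passcodes allowed")
        if pw.get("minLength", 0) < 8:
            findings.append("passcode shorter than 8 allowed")
        if not pw.get("maxFailedAttempts"):
            findings.append("no wipe threshold for failed attempts")
    rs = by_type.get("com.apple.applicationaccess")
    if rs is None:
        findings.append("no restrictions payload")
    else:
        if rs.get("allowManagedAppsCloudSync", True):
            findings.append("managed apps may sync to iCloud")
        if rs.get("allowOpenFromManagedToUnmanaged", True):
            findings.append("managed data may open in unmanaged apps")
        if not rs.get("forceEncryptedBackup", False):
            findings.append("unencrypted local backups allowed")
    return findings


if __name__ == "__main__":
    blob = serialize(build_profile())
    with open("cui-ios-baseline.mobileconfig", "wb") as fh:
        fh.write(blob)
    print("baseline findings:", check_profile(blob) or "none")
```

Two things the profile cannot do on its own: the per-app "prevent backup of app data" flag is set on the managed-app install command, not in a profile, and `allowCloudBackup` only takes effect on supervised devices, so on unsupervised BYOD devices the effective boundary is the managed-app restrictions, not the whole-device backup setting. Deploy the generated file through the MDM (it must be signed or pushed by the MDM to be non-removable) and run `check_profile` against the MDM's exported copy to confirm nothing was relaxed in the console.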
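The inventory, minimum-OS, attestation, key-escrow, and compliance-operations sections above all reduce to one question per device: does its reported state meet the baseline, and if not, is the right response to block it or to wipe it? The script below, an added example rather than any MDM product's API or export format, evaluates a device export against those rules, including version parsing, the stale-check-in case, and the distinction between a device that merely needs remediation and a CUI device whose encryption can no longer be trusted. The Device record shape, thresholds, and the SAMPLE fleet are constructed for illustration; map your MDM's real export columns onto the Device fields.

```python
"""Evaluate an MDM device export against the CUI encryption baseline and
decide the enforcement action for each device.

Added example for this post, not any MDM vendor's API or reporting format.
The Device record shape, the thresholds and the SAMPLE export are constructed
for illustration; map your MDM's real export columns onto the Device fields.
"""
from dataclasses import dataclass

# Minimum OS versions from the policy document; raise them as vendors drop support.
MIN_OS = {"ios": (15, 0), "android": (10, 0), "windows": (10, 0), "macos": (11, 0)}
STALE_DAYS = 30  # a device silent this long has an unknown encryption state


@dataclass
class Device:
    device_id: str
    platform: str
    os_version: str
    encrypted: bool              # storage encryption as reported by the device
    passcode_set: bool
    compromised: bool            # jailbroken / rooted
    attestation_passed: bool     # Play Integrity / device attestation (True where N/A)
    recovery_key_escrowed: bool  # BitLocker / FileVault key present in the enterprise store
    last_checkin_days: int
    handles_cui: bool            # on the CUI device inventory


def parse_version(v: str) -> tuple:
    """'10.0.19045' -> (10, 0, 19045); a suffix such as '14.2b1' -> (14, 2)."""
    parts = []
    for piece in v.split("."):
        num = ""
        for ch in piece:          # keep only the leading digits of each component
            if not ch.isdigit():
                break
            num += ch
        parts.append(int(num) if num else 0)
    return tuple(parts) or (0,)


def evaluate(d: Device) -> list:
    """Return the baseline violations for one device (empty list = compliant)."""
    plat = d.platform.lower()
    if plat not in MIN_OS:
        return ["unknown_platform"]
    findings = []
    if parse_version(d.os_version) < MIN_OS[plat]:
        findings.append("os_below_minimum")
    if not d.encrypted:
        findings.append("storage_not_encrypted")
    if plat in ("ios", "android") and not d.passcode_set:
        findings.append("no_passcode")  # on iOS the Data Protection keys depend on it
    if d.compromised:
        findings.append("jailbroken_or_rooted")
    if not d.attestation_passed:
        findings.append("attestation_failed")
    if plat in ("windows", "macos") and not d.recovery_key_escrowed:
        findings.append("recovery_key_not_escrowed")
    if d.last_checkin_days > STALE_DAYS:
        findings.append("stale_checkin")
    return findings


# Findings after which the encryption on a CUI device can no longer be trusted.
SEVERE = {"jailbroken_or_rooted", "storage_not_encrypted", "attestation_failed", "unknown_platform"}


def action_for(d: Device, findings: list) -> str:
    """allow: clean; wipe: CUI device with a severe finding;
    block: everything else (conditional access denies CUI repositories until fixed)."""
    if not findings:
        return "allow"
    if d.handles_cui and SEVERE & set(findings):
        return "wipe"
    return "block"


def posture_report(devices) -> dict:
    """Fleet summary: device ids per action plus the findings for each failing device."""
    report = {"allow": [], "block": [], "wipe": [], "findings": {}}
    for d in devices:
        f = evaluate(d)
        report[action_for(d, f)].append(d.device_id)
        if f:
            report["findings"][d.device_id] = f
    return report


# Constructed sample export; these are not real devices.
# Fields: id, platform, os, encrypted, passcode, compromised, attested, escrowed, days_since_checkin, handles_cui
SAMPLE = [
    Device("ipad-001", "ios", "17.4", True, True, False, True, True, 1, True),
    Device("pixel-002", "android", "9.0", True, True, False, True, True, 3, True),
    Device("pixel-003", "android", "14", True, True, True, False, True, 0, True),
    Device("win-004", "windows", "10.0.19045", True, True, False, True, False, 2, True),
    Device("mac-005", "macos", "14.2", False, True, False, True, True, 45, False),
]

if __name__ == "__main__":
    rep = posture_report(SAMPLE)
    for action in ("wipe", "block", "allow"):
        for dev_id in rep[action]:
            print(f"{action:5} {dev_id:10} {', '.join(rep['findings'].get(dev_id, []))}")
```

The split between "block" and "wipe" is the policy decision the post asks you to write down: a laptop whose recovery key was never escrowed is a process failure and is fixed by blocking access until the key is escrowed, whereas a rooted phone on the CUI inventory is a device you no longer control, so the managed data should be removed. Feed the report into your SIEM or ticketing system daily, and treat a growing "stale_checkin" list as a monitoring failure rather than as compliant devices.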