This control plane turns mobile app-protection assignments into a buyer-readable surface for platform, security, endpoint, and Microsoft 365 teams: missing policy coverage, risky exceptions, outdated baselines, rooted-device exposure, and the enforcement packet needed before BYOD growth outruns governance.
| Risk | Owner | App | Platform | Message |
|---|---|---|---|---|
| high unmanaged-transfer-allowed |
Revenue Systems | Salesforce | iOS exception |
Managed data can still leave the governed container through copy/paste or Save As. |
| high missing-user-presence-control |
Revenue Systems | Salesforce | iOS exception |
The assignment does not require PIN or biometric re-entry before app access. |
| high stale-policy-sync |
Revenue Systems | Salesforce | iOS exception |
Policy sync is 39 day(s) old and outside the expected review window. |
| high jailbreak-access-allowed |
Revenue Systems | Salesforce | iOS exception |
Jailbroken or rooted devices can still open the protected app surface. |
| high missing-protection-assignment |
People Systems | Workday | Android missing |
App route is still outside the protection policy envelope. |
| high missing-user-presence-control |
People Systems | Workday | Android missing |
The assignment does not require PIN or biometric re-entry before app access. |
| medium stale-policy-sync |
Frontline Operations | Teams Mobile | Android warning |
Policy sync is 21 day(s) old and outside the expected review window. |
| medium outdated-policy-version |
Frontline Operations | Teams Mobile | Android warning |
Assignment is on policy v4 while v5 is the expected baseline. |
| medium missing-managed-browser |
Frontline Operations | Teams Mobile | Android warning |
Links can still open outside the managed browser path on mobile devices. |
| medium outdated-app-sdk |
Frontline Operations | Teams Mobile | Android warning |
App SDK 18.1.0 is below the minimum 18.4.0. |
| medium oversized-offline-grace-period |
Frontline Operations | Teams Mobile | Android warning |
Offline wipe grace is 14 day(s); the recommended cap is 7. |
| medium outdated-policy-version |
Revenue Systems | Salesforce | iOS exception |
Assignment is on policy v2 while v4 is the expected baseline. |
| medium missing-managed-browser |
Revenue Systems | Salesforce | iOS exception |
Links can still open outside the managed browser path on mobile devices. |
| medium weak-conditional-launch |
Revenue Systems | Salesforce | iOS exception |
Conditional launch controls are effectively disabled for this assignment. |
| medium outdated-app-sdk |
Revenue Systems | Salesforce | iOS exception |
App SDK 16.2.0 is below the minimum 18.0.0. |
| medium oversized-offline-grace-period |
Revenue Systems | Salesforce | iOS exception |
Offline wipe grace is 30 day(s); the recommended cap is 7. |
| medium unmanaged-transfer-allowed |
People Systems | Workday | Android missing |
Managed data can still leave the governed container through copy/paste or Save As. |
| medium stale-policy-sync |
People Systems | Workday | Android missing |
Policy sync is 23 day(s) old and outside the expected review window. |
| medium outdated-policy-version |
People Systems | Workday | Android missing |
Assignment is on policy v0 while v3 is the expected baseline. |
| medium missing-managed-browser |
People Systems | Workday | Android missing |
Links can still open outside the managed browser path on mobile devices. |
| medium weak-conditional-launch |
People Systems | Workday | Android missing |
Conditional launch controls are effectively disabled for this assignment. |
| medium oversized-offline-grace-period |
People Systems | Workday | Android missing |
Offline wipe grace is 21 day(s); the recommended cap is 7. |
| medium oversized-offline-grace-period |
Endpoint Platform | OneDrive | iOS limited |
Offline wipe grace is 10 day(s); the recommended cap is 7. |
| info byod-protection-lane |
Workplace Messaging | Outlook Mobile | iOS protected |
BYOD assignment is inside the protection envelope; keep scope and user messaging aligned. |