End User Devices Security and Configuration Guidance

Configuration guidance for the use of a wide range of mobile platforms for remote working at OFFICIAL

This guidance is for public sector organisations to follow when deploying end user devices for remote working at OFFICIAL. Additional guidance is available for departments considering a ‘Bring Your Own Device’ (BYOD) approach or deploying web browsers.

Please send any feedback to the address

You can subscribe to updates for this and all CESG publications to receive alerts by email when documents are changed or replaced.

End User Devices Security Guidance - Introduction


These documents provide an overview of how the End User Device Security Guidance should be used. The introduction document now also contains several videos explaining this in more detail.

  1. End User Devices Security Guidance: Introduction

    • Guidance
  2. End User Devices Security Principles

    • Guidance
  3. End User Devices Security Guidance: Enterprise considerations

    • Guidance

Forthcoming documents

The guidance documents above are regularly updated as platforms change. If you are deploying a different version, you should perform an analysis of the changes in the platform to see if the risks or configuration will have changed. Currently, CESG are working on updated or additional content for:

Platform            Target date
Windows 10          October 2015
Android 5.x         October 2015
iOS 9               October 2015
OS X 10.11          November 2015
Windows 10 Mobile   Early 2016

Application development guidance

  1. Application Development Guidance: Introduction

    • Guidance
  2. Android Application Development Guidance

    • Guidance
  3. Apple iOS Application Development Guidance

    • Guidance

Other platform guidance

The obsolete platform guidance document in this section contains the information from the Windows XP mitigations document previously published here.

  1. End User Devices Security Guidance: Factory reset and reprovisioning

    • Guidance
  2. Obsolete platforms security guidance

    • Guidance

Other information

This guidance is issued by CESG, the UK’s National Technical Authority on Information Assurance. One of the roles of CESG is to provide advice to UK government entities and organisations providing services to UK government. The guidance found here is provided and intended for use by this audience. It is provided ‘as-is’ as an example of how specific requirements could be met. It should be used to help inform risk management decisions on the use of the products described, but it should not be used for procurement decisions; it is not intended to be exhaustive, it does not act as an endorsement of any particular product or technology, and it is not tailored to individual needs. It is not a replacement for independent, specialist advice. Users should ensure that they take appropriate technical and legal advice in using this and other guidance published by CESG.

This guidance is provided without any warranty of any kind, whether express or implied. It is provided without any representation as to the accuracy, completeness, integrity, content, quality, or fitness for purpose of all or any part of it. CESG cannot, then, accept any liability whatsoever for any loss or damage suffered or any costs incurred by any person as a result of, or arising from, either the disclosure of this guidance to you, or your subsequent use of it.

This guidance is © UK Crown Copyright. All Rights Reserved.

  1. End User Devices Security Guidance: About the guidance

    • Guidance