TL;DR: Internal ERP, HR, finance, and ITSM apps are often blocked on personal mobile devices because VPN and network-based controls do not fit unmanaged endpoints, driving screenshots, colleague relays, and other audit gaps, according to Surf Security. The practical issue is not mobility itself but whether session-level controls can preserve access without expanding device trust.
NHIMG editorial — based on content published by Surf Security: Your Internal Apps Are Off-Limits on Mobile. Well they Don't Have to Be
Questions worth separating out
Q: How should security teams enable internal app access on personal mobile devices?
A: They should use a policy-controlled access layer that mediates the browser session, not rely on the personal device becoming trusted.
Q: Why do network-based controls fail for mobile access to internal applications?
A: Network-based controls assume the user is on a managed network path or through a VPN that reflects corporate trust.
Q: What do organisations get wrong about BYOD access to sensitive apps?
A: They often treat device ownership as the main security boundary, when the real risk may be what happens inside the session.
Practitioner guidance
- Define a mobile access tier for internal apps Classify which internal applications can be accessed through a browser-mediated session and which still require managed endpoints, based on data sensitivity, regulatory exposure, and transaction risk.
- Map shadow workarounds to control gaps Identify where employees use screenshots, messaging apps, or colleague delegation because the official access path is too restrictive, then fix the underlying workflow instead of only tightening perimeter rules.
- Add session DLP to BYOD access designs Require screenshot blocking, copy and paste limits, watermarking, and governed upload and download policies for any unmanaged mobile access path that reaches internal data.
What's in the full article
Surf Security's full article covers the operational detail this post intentionally leaves for the source:
- How the controlled proxy model maps internal application traffic without exposing the app to the open internet
- The browser-layer enforcement approach for screenshot blocking, copy and paste restrictions, and watermarking
- The practical difference between unmanaged mobile access and fully enrolled corporate device access
- Where this pattern fits for legacy internal portals versus modern SaaS applications
👉 Read Surf Security's analysis of secure mobile access to internal applications →
Internal apps on mobile: are your access controls keeping up?
Explore further
Managed-device assumptions are no longer a reliable prerequisite for internal app access. The article shows how organisations often equate security with denying access when a device is outside the corporate perimeter, but that simply shifts activity into shadow channels. The deeper issue is governance drift: once users cannot complete legitimate work, informal transfer paths appear, and those paths are usually less visible than the app they replace. Practitioners should treat mobile access design as a control problem, not a convenience feature.
A question worth separating out:
Q: Which controls matter most when internal apps are opened on unmanaged phones?
A: The most important controls are session logging, screenshot blocking, copy and paste restriction, watermarking, and governed file transfer. Those controls reduce the chance that a successful login turns into uncontrolled data movement. They also create a better audit trail than ad hoc mobile workarounds, which are usually invisible to security teams.
👉 Read our full editorial: Mobile access to internal apps needs a browser control model