Indigo: secure mobility for government services

From NATO approval to broader government adoption

In early 2026, mobile security reached an important milestone when devices configured under the Indigo framework were officially approved for handling information classified at the NATO Restricted level. The certification confirms that modern smartphones and tablets, when deployed under the right security architecture, can be trusted to process sensitive government data without requiring heavily modified or custom-built hardware.

The announcement is significant because it reflects a shift in how the governments approach secure mobility. For decades, classified or sensitive communications required highly specialized devices with proprietary operating systems and tightly controlled supply chains. These solutions were secure but often expensive, difficult to maintain, and far removed from the usability and innovation cycles of commercial technology.

Indigo represents a different philosophy. Instead of redesigning secure mobile devices from scratch, it leverages the built-in security capabilities of modern smartphones and adds a governance framework, device configuration model, and operational controls suitable for government environments.

While the recent NATO approval has attracted attention, Indigo was not originally designed for NATO specifically. Its roots lie in national government security programs, particularly in Europe, where agencies have been searching for ways to combine strong information security with the flexibility and productivity of modern mobile platforms.

For government services organizations exploring secure mobility strategies, Indigo provides a useful reference model: a structured approach to deploying commercial devices in environments where sensitive or classified information is processed.

Here in the US, Indigo can be understood by drawing parallels with U.S. government security

frameworks such as Commercial Solutions for Classified (CSfC) from the National Security Agency (NSA) and the Security Technical Implementation Guides (STIGs) published by the Defense Information Systems Agency (DISA) pursue a similar objective: allowing commercial technology to be used in sensitive government environments while maintaining strict security assurance. Like Indigo, these frameworks focus less on building proprietary hardware and more on defining trusted architectures, validated components, and strict configuration baselines.

Why Indigo was developed

The rapid adoption of smartphones in both private and professional environments created a dilemma for governments. Employees increasingly expected mobile access to email, documents, and collaboration platforms, yet traditional government IT policies were not designed for such highly connected devices.

Early attempts to secure mobile devices often relied on two approaches. Some agencies issued hardened, custom-built devices designed specifically for classified environments. Others attempted to secure commercial smartphones through restrictive policies or isolated applications. Both approaches had significant limitations.

Custom-built secure phones were extremely expensive and difficult to maintain. They often lagged behind commercial devices in terms of performance, user experience, and ecosystem support. At the same time, security architectures based purely on application isolation or containerization often failed to fully address risks related to operating system vulnerabilities, hardware compromise, or data leakage.

Government cybersecurity authorities therefore began searching for a new model. The goal was to create a security framework that would allow commercial devices to be used in government environments while maintaining strict controls over data protection, device integrity, and communication channels.

Indigo was developed to address this challenge. The name stands for “iOS Native Devices in

Government Operation.” The concept was developed around Apple’s mobile platform and evaluated by the German Federal Office for Information Security (BSI), which is responsible for defining and certifying secure IT solutions for federal government use.

The core objective was straightforward but ambitious: enable government agencies to use standard iPhones and iPads to process sensitive information classified as “Restricted for Official Use” (VS-NfD) which would be equivalent to Controlled Unclassified Information (CUI), while maintaining the same level of assurance expected from traditional government communication systems.

In practice, Indigo demonstrates that secure mobility does not necessarily require specialized hardware. Instead, it relies on a combination of built-in platform security, strict configuration management, certified management infrastructure, and carefully defined operational policies.

What Indigo is and how it works

Indigo is not a single product but rather a security architecture and configuration framework designed for government use of commercial Apple mobile devices.

At its core, Indigo leverages the native security architecture of the iOS and iPadOS operating systems. These platforms already include hardware-backed encryption, secure boot mechanisms, memory protection, biometric authentication, and dedicated security components such as the Secure Enclave. These built-in features provide the technical foundation that allows the platform to meet strict government assurance requirements.

The Indigo model then adds several additional layers of governance and security controls.

The first component is device configuration. Devices deployed under Indigo must follow a strict configuration baseline that disables insecure features, enforces strong authentication mechanisms, and ensures that sensitive data is protected through encryption and access control policies.

These configurations are typically enforced through a certified mobile device management platform. In practice, Indigo deployments also rely on controlled device enrollment mechanisms such as Apple Business Manager (ABM) and Automated Device Enrollment (ADE), ensuring that devices are supervised from the moment they are activated and cannot bypass mandatory security policies.

The second component is device management. Government organizations deploying Indigo typically rely on a Unified Endpoint Management solution to supervise devices, apply security policies, control application installation, and enforce compliance rules.

Another key element is data separation. Government data processed on Indigo devices is handled within managed environments, ensuring that official information remains isolated from personal data or unauthorized applications. This separation allows agencies to support secure professional use while maintaining usability and flexibility for users.

Communication security also plays a critical role. Indigo deployments typically rely on secure

applications and encrypted communication channels to ensure that sensitive data remains protected both at rest and in transit. Secure email, calendar, and contact management capabilities are often the baseline functions available on Indigo devices.

Together, these components create a layered architecture where hardware security, operating system protections, device management policies, and operational governance all contribute to the overall security posture.

Comparing to U.S. government security frameworks

Indigo may appear to be conceptually similar to existing frameworks already used across federal agencies.

One close parallel is the NSA’s Commercial Solutions for Classified (CSfC) program. CSfC enables government organizations to protect classified information using carefully selected combinations of commercial technologies rather than proprietary classified equipment. Instead of relying on a single trusted device, CSfC architectures typically combine multiple independently validated security components such as encrypted communication layers, secure mobility management systems, and identity infrastructure. The goal is to achieve strong security assurance through layered protection and certified configurations.

Another important reference is the set of Security Technical Implementation Guides, commonly known as STIGs, published by the Defense Information Systems Agency. STIGs define mandatory configuration baselines for operating systems, mobile devices, applications, and network infrastructure used within the U.S. Department of Defense and other federal environments. These guidelines specify which features must be enabled or disabled, how authentication should be enforced, and how systems should be monitored in order to maintain a compliant security posture.

Indigo follows a comparable philosophy. Rather than introducing a new operating system or proprietary secure phone, it defines a trusted architecture built on commercial Apple devices, strict configuration standards, certified management systems, and secure communication channels. In practice, Indigo plays a role similar to a combination of CSfC architectural guidance and STIG-style configuration baselines, but applied specifically to Apple mobile devices in government environments.

Understanding this parallel helps clarify why Indigo has gained attention internationally. Governments are increasingly moving away from specialized secure hardware and toward architectures that allow commercial technology to be deployed safely under well-defined security frameworks. Similar initiatives for Android OS devices

While Indigo focuses on Apple’s mobile platform, similar initiatives exist across the mobile ecosystem. Government agencies evaluating secure mobility strategies often compare several vendor approaches before deciding which architecture best fits their requirements.

Samsung Samsung offers a well-known alternative through Samsung Knox Native Solution (KNS), a high-security, hardware-based platform integrated into Samsung Galaxy devices, designed for government and enterprise environments that require strong data protection and regulatory compliance. Built on the Samsung Knox framework, KNS leverages a dedicated embedded Secure Element (eSE) to create an isolated, tamper-resistant container that protects sensitive data both at rest and in transit. Evaluated by the Federal Office for Information Security (BSI) to meet stringent “VS-NfD” classification standards, it delivers a high level of assurance for handling sensitive government information. At the same time, KNS maintains usability through simplified access mechanisms such as single PIN activation, reducing operational friction for end users. Tailored primarily for public sector organizations and security-sensitive industries, KNS enables secure communications and data handling on commercial off- the-shelf devices, and forms part of Samsung’s broader strategy to expand trusted mobile security solutions beyond Germany into other regulated markets.

Google

Google has taken a slightly different approach with Android Enterprise and the broader Pixel security architecture. Modern Android devices, particularly those produced by Google, include hardware security modules, secure boot processes, and strong application sandboxing capabilities. Pixel devices, for example, benefit from the Titan M security chip, which protects cryptographic operations, secures lock screen data, and provides verified boot functionality. Google also offers Android Enterprise Recommended programs that certify certain models for enterprise use, ensuring timely security updates and consistent deployment policies. In recent years, Google has significantly strengthened Android’s security posture, making it a viable platform for enterprise and government deployments. A difficult decision to make… However, these vendor approaches differ in important ways. Indigo relies heavily on Apple’s vertically integrated ecosystem, where hardware, operating system, and key security components are tightly controlled by a single vendor, resulting in highly predictable security outcomes. Samsung and Google platforms operate within a broader and more fragmented Android ecosystem, which can introduce additional complexity when trying to achieve consistent security baselines. Samsung offers devices which come with Knox Suite and advanced device hardening features tailored for government and regulated industries. Knox provides hardware-backed secure containers, runtime protection, and enterprise management tools, and Samsung also offers Knox Government Edition, specifically designed

for defense and other high-security environments.

For government organizations, the choice between these approaches is rarely purely technical. Procurement policies, national security considerations, supply chain trust, and regulatory frameworks often play a decisive role in determining which platform can be deployed in sensitive environments. In practice, many agencies evaluate both the device model and the associated management and security services to ensure compliance with strict security standards, continuous patching, and operational resilience in high-risk scenarios.

Challenges in government environments

Despite its promise, implementing Indigo or similar secure mobility frameworks is not without challenges. Government organizations often face technical, operational, and organizational obstacles when introducing secure smartphones into sensitive environments. Successfully deploying Indigo requires more than simply purchasing compliant devices or selecting a management platform; it requires a structured operational approach that ensures the entire environment remains secure over time.

One of the most common challenges is certification and configuration complexity. Government security programs often require multiple layers of evaluation and approval before a device, operating system, or management platform can be deployed. These certification processes can take months or even years, especially when they involve national cybersecurity authorities or international alliances. Even after approval, maintaining compliance requires continuous validation of device configurations, policy enforcement, and platform updates.

Operational integration is another major hurdle. Secure mobile devices must integrate with existing government infrastructure such as identity systems, email services, collaboration platforms, and secure network gateways. Achieving this integration without introducing new security risks requires careful architectural planning and regular validation of the overall security posture.

User adoption and operational consistency can also present difficulties. While Indigo relies on

commercial devices that users are already familiar with, the strict security policies required in

government environments can introduce restrictions that affect usability. Organizations must therefore continuously balance security requirements with user productivity while ensuring that configuration standards remain consistent across the entire device fleet.

The solution: ISEC7 SEVENCEES

These challenges illustrate an important reality of modern secure mobility: deploying Indigo is not a one- time project but an ongoing operational program. This is where structured service frameworks such as ISEC7 SEVENCEES can provide significant value.

ISEC7 SEVENCEES is designed to support organizations throughout the lifecycle of secure mobility deployments. Instead of focusing on a single technical component, it provides a set of complementary services that help organizations design, validate, deploy, and continuously improve their mobile security architecture.

For example, SEVENCEES health checks allow organizations to evaluate the current state of their mobile environment, identifying configuration weaknesses, policy inconsistencies, or operational gaps that may affect security or compliance. Indigo deployment checks can then validate that devices, management platforms, and supporting infrastructure are correctly configured according to Indigo requirements and best practices.

Configuration and architecture services further help ensure that the mobile environment remains aligned with evolving security standards and organizational needs. As policies change, new devices are introduced, or infrastructure evolves, these services help maintain a consistent and compliant security posture across the entire fleet.

Ultimately, this reflects a broader shift in how government organizations approach secure mobility. The future is no longer about purchasing individual tools to solve isolated problems. Instead, agencies are increasingly adopting cohesive programs that combine architecture design, configuration validation, operational monitoring, and continuous improvement.

In that model, secure mobility becomes a flexible and holistic capability that can evolve alongside organizational requirements, technology changes, and emerging security threats. Managing your Indigo fleet ISEC7 SPHERE provides centralized visibility across mobile environments, allowing security teams to monitor device activity, compliance status, and operational health from a unified platform. In Indigo deployments, SPHERE can complement device management systems by providing an additional layer of operational intelligence.

One key capability is Indigo-specific monitoring. By integrating with the underlying device management infrastructure, SPHERE can collect telemetry related to device compliance, policy enforcement, and device lifecycle events. This allows administrators to quickly identify misconfigured devices, unauthorized changes, or potential security incidents.

SPHERE can also help organizations manage large fleets of Indigo devices by providing analytics and reporting capabilities. Security teams can monitor adoption trends, identify operational bottlenecks, and ensure that security policies remain consistently enforced across thousands of devices.

Another important benefit is incident investigation. In government environments, mobile devices may become part of forensic investigations or compliance audits. SPHERE’s device activity tracking capabilities allow organizations to reconstruct device activity and understand how a particular event occurred.

Ultimately, Indigo provides a secure device foundation, but platforms like SPHERE help organizations operate and manage that environment at scale. Together, they enable government agencies to move beyond experimental secure mobility deployments and build sustainable, operationally mature mobile infrastructures. The future of secure government mobility (?) Secure mobility has long been one of the most difficult challenges in government cybersecurity. Agencies must balance the need for strong data protection with the practical realities of modern mobile work.

Indigo represents an important evolution in this space. By combining the built-in security capabilities of commercial devices with strict configuration standards, certified management platforms, and clearly defined operational frameworks, it demonstrates that consumer hardware can meet demanding government security requirements.

The recent recognition of Indigo-based devices for handling NATO Restricted information highlights how far this approach has progressed. But the broader lesson goes beyond any specific certification.

For government services organizations, the future of secure mobility will likely depend on frameworks similar to Indigo: architectures that combine secure hardware platforms, strong device governance, and robust operational monitoring.

In that ecosystem, technologies like ISEC7 SPHERE play a vital role by providing the visibility and control required to operate these environments safely at scale.

Secure devices are only the starting point; sustainable secure mobility requires the ability to monitor, manage, and continuously improve the security posture of the entire mobile ecosystem.