This article explains what "in scope" means, and what devices come under this term.
Any device which accesses the organisation's data is "in scope" of the Cyber Essentials Assessment; that is, your mobile smart device, even if only accessing calendars and emails, your laptop, tablet, desktop and indeed anything else that accesses any company data.
Thin clients or devices accessing cloud systems or remote desktop (RDS), Citrix and/or VDI solutions are also within the scope and have to be compliant.
Staff-owned devices, considered as "Bring Your Own Device" (BYOD) are in scope, unless those staff, are themselves, contractors (see below for a link about contractors).
The only exception here is a mobile smart device which is used for Multi-Factor Authentication but doesn't access any data itself, for example, a personal device which runs the Microsoft Authenticator App, providing MFA for Microsoft Office 365, but which doesn't access 365, email or calendars.
Note: Native voice and SMS text applications are out of scope alongside multi-factor authentication usage