BYOD Policy
A bring your own device policy defines the conditions under which personal devices access organisational systems and data. The policy establishes device eligibility requirements, security controls that must be present before access is granted, the organisation’s rights over devices enrolled in the programme, and the boundaries of technical support provided. Organisations implement BYOD programmes to reduce hardware costs, accommodate user preferences, and support flexible working arrangements while maintaining security standards appropriate to the data accessed.
- BYOD (Bring Your Own Device): A programme permitting authorised users to access organisational systems using personally owned devices rather than organisation-issued equipment.
- Personal device: Any computing or communication device owned by an individual rather than the organisation, including smartphones, tablets, laptops, and desktop computers.
- Enrolment: The process of registering a personal device with organisational management systems and applying required security configurations.
- Mobile Device Management (MDM): Software that enables remote configuration, monitoring, and control of mobile devices accessing organisational resources.
- Containerisation: Technical separation of organisational data and applications from personal data on the same device, enabling independent management and security controls.
Programme scope
The BYOD programme permits personal devices to access organisational email, calendar, documents, and approved applications. Access to sensitive systems containing beneficiary data, financial records, or protection information requires organisation-issued devices and falls outside BYOD scope. The programme operates as a privilege granted at organisational discretion rather than an entitlement; the organisation retains authority to deny, suspend, or revoke BYOD access for any enrolled user or device.
Participation in the BYOD programme is voluntary. Users who prefer not to enrol personal devices receive organisation-issued equipment appropriate to their role. No adverse employment consequence attaches to declining BYOD participation. Users who initially enrol may withdraw from the programme at any time by completing the device removal process and returning to organisation-issued equipment.
The policy applies globally across all organisational locations. Local regulations in certain jurisdictions impose additional requirements or restrict certain provisions; country offices maintain supplementary guidance addressing jurisdiction-specific variations. Where local law conflicts with this policy, legal requirements prevail.
Device eligibility
Personal devices must meet minimum specifications before enrolment. These requirements ensure devices can support required security controls and provide adequate performance for organisational applications. Devices failing to meet requirements cannot enrol regardless of user preference or role requirements.
| Device type | Minimum OS version | Maximum OS age | Additional requirements |
|---|---|---|---|
| iPhone | iOS 16.0 | 6 years from manufacture | Face ID or Touch ID capable |
| iPad | iPadOS 16.0 | 6 years from manufacture | Face ID or Touch ID capable |
| Android phone | Android 13 | 4 years from manufacture | Hardware-backed keystore; security patch within 90 days |
| Android tablet | Android 13 | 4 years from manufacture | Hardware-backed keystore; security patch within 90 days |
| Windows laptop | Windows 11 22H2 | 5 years from manufacture | TPM 2.0; BitLocker capable; 8 GB RAM minimum |
| macOS laptop | macOS 13 Ventura | 7 years from manufacture | Apple Silicon or T2 security chip; 8 GB RAM minimum |
| Linux laptop | Ubuntu 22.04 LTS or equivalent | 5 years from manufacture | Full disk encryption; Secure Boot enabled; 8 GB RAM minimum |
| Chromebook | ChromeOS 120 | 5 years from manufacture | Auto Update Expiration date at least 2 years in the future |
Devices must be genuine manufacturer products running unmodified operating systems. Jailbroken iOS devices, rooted Android devices, and systems running unofficial firmware or operating system modifications cannot enrol. The MDM platform detects such modifications and blocks enrolment automatically; users who modify devices after enrolment trigger automatic access revocation.
Shared devices present unacceptable security risks and cannot participate in BYOD. Each enrolled device must have a single owner who accepts responsibility for policy compliance. Family tablets used by multiple household members, devices lent frequently to others, and similar shared-use scenarios fall outside programme eligibility.
Enrolment process
Enrolment establishes the management relationship between the personal device and organisational systems. The process installs MDM profiles that enable security policy enforcement, configures access to organisational resources, and registers the device in asset management systems. Enrolment requires user consent to the terms governing BYOD participation; proceeding through enrolment constitutes acceptance of this policy.
Users initiate enrolment through the self-service portal accessible at the organisation’s IT service desk URL. The portal guides users through prerequisite verification, policy acceptance, and MDM profile installation. Enrolment completes within 15 minutes for devices meeting all requirements. Devices failing prerequisite checks receive specific guidance on required updates or configurations before reattempting enrolment.
The MDM profile installed during enrolment grants the organisation specific capabilities over the device. Users review these capabilities explicitly during enrolment and must accept them to proceed. Capabilities vary by device type and operating system but include enforcement of passcode requirements, ability to remotely locate the device, ability to remotely wipe organisational data, and visibility into installed applications and security posture.
Enrolment creates a container or managed profile separating organisational data from personal data. On iOS and Android devices, organisational applications and data reside in a managed partition with independent encryption and access controls. On laptops, containerisation operates through application-level controls rather than device partitioning. This separation enables the organisation to manage and, if necessary, remove organisational data without affecting personal content.
Security requirements
Enrolled devices must maintain security configurations throughout their participation in the programme. The MDM platform monitors compliance continuously and restricts access when devices fall out of compliance. Users receive notifications when compliance issues arise and have 24 hours to remediate before access suspension takes effect.
Device-level security
All enrolled devices must use screen locks with authentication. Mobile devices require a six-digit PIN minimum or biometric authentication. Laptops require passwords of at least 12 characters or biometric authentication. Screen lock must activate automatically after a maximum of 5 minutes of inactivity on mobile devices and 15 minutes on laptops.
Storage encryption protects data if devices are lost or stolen. iOS devices enable encryption automatically when a passcode is set. Android devices must have encryption enabled explicitly on older hardware; the MDM platform verifies encryption status and blocks non-encrypted devices. Windows devices require BitLocker encryption with recovery keys escrowed to organisational systems. macOS devices require FileVault encryption with recovery keys similarly escrowed. Linux devices require LUKS full disk encryption configured before enrolment.
Operating systems and applications must remain current. Security patches must be applied within 14 days of release for critical vulnerabilities and within 30 days for other updates. The MDM platform tracks patch status and notifies users of pending updates. Devices exceeding patch windows lose access until updates complete. Users bear responsibility for installing updates; the organisation does not push updates to personal devices.
Application security
Organisational applications accessed from personal devices must be installed from official sources: the Apple App Store, Google Play Store, Microsoft Store, or organisation-approved enterprise distribution. Sideloaded applications present malware risks that the BYOD programme cannot accept. The MDM platform detects applications installed from unofficial sources and flags devices as non-compliant.
Certain application categories are prohibited on enrolled devices regardless of installation source. These include applications that capture screen content, record keystrokes, or proxy network traffic in ways that could expose organisational data. Remote access applications permitting third-party control of the device are similarly prohibited. The MDM platform maintains a blocklist of known problematic applications; devices with blocklisted applications installed cannot access organisational resources.
Users must keep organisational applications updated to the current version or one version prior. Application updates address security vulnerabilities and compatibility requirements; outdated applications pose risks to organisational data and may cease functioning as backend systems evolve. The MDM platform can enforce minimum application versions and notify users when updates are required.
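The eligibility table, the device-level security requirements and the application rules above, encoded as a single posture check with the 24-hour remediation grace period applied to the result. This is an added illustration, not the organisation's MDM configuration: the Posture record shape, its field names and the three sample devices are assumptions, and the Windows 22H2 build, RAM and TPM checks are left out.

```python
from dataclasses import dataclass
from datetime import date

# Eligibility table from the policy: device type -> (minimum OS version, maximum age in years, mobile?)
# Windows 22H2 build, RAM and TPM/T2 checks are omitted for brevity.
ELIGIBILITY = {
    "iphone": ((16, 0), 6, True), "ipad": ((16, 0), 6, True),
    "android": ((13, 0), 4, True),
    "windows": ((11, 0), 5, False), "macos": ((13, 0), 7, False),
    "linux": ((22, 4), 5, False), "chromeos": ((120, 0), 5, False),
}
CRITICAL_PATCH_DAYS, OTHER_PATCH_DAYS, ANDROID_SPL_DAYS, GRACE_HOURS = 14, 30, 90, 24

@dataclass
class Posture:  # hypothetical record shape, roughly what an MDM agent reports (assumption)
    device_type: str
    os_version: tuple
    manufactured: date
    modified_os: bool              # jailbroken, rooted or unofficial firmware
    encrypted: bool
    biometric: bool
    credential_len: int            # PIN or password length
    lock_timeout_min: int
    pending_critical_days: int = 0   # age of oldest unapplied critical patch, 0 = none pending
    pending_other_days: int = 0      # age of oldest unapplied non-critical update, 0 = none pending
    security_patch_age_days: int = 0 # Android security patch level age in days
    sideloaded_apps: int = 0
    blocklisted_apps: int = 0

def evaluate(p: Posture, today: date) -> list:
    """Return the policy findings for a device; an empty list means compliant."""
    if p.device_type not in ELIGIBILITY:
        return ["device type not eligible"]
    min_os, max_age, mobile = ELIGIBILITY[p.device_type]
    min_len, max_lock = (6, 5) if mobile else (12, 15)   # PIN/password length, lock timeout (minutes)
    checks = [
        (p.modified_os, "modified OS"),
        (p.os_version < min_os, "OS below minimum version"),
        ((today - p.manufactured).days > max_age * 365, "device too old"),   # approximate year length
        (not p.encrypted, "storage not encrypted"),
        (not p.biometric and p.credential_len < min_len, "screen lock credential too short"),
        (p.lock_timeout_min > max_lock, "screen lock timeout too long"),
        (p.pending_critical_days > CRITICAL_PATCH_DAYS, "critical patch overdue"),
        (p.pending_other_days > OTHER_PATCH_DAYS, "update overdue"),
        (p.device_type == "android" and p.security_patch_age_days > ANDROID_SPL_DAYS, "security patch level too old"),
        (p.sideloaded_apps > 0, "sideloaded application present"),
        (p.blocklisted_apps > 0, "blocklisted application present"),
    ]
    return [msg for cond, msg in checks if cond]

def access_decision(findings: list, hours_noncompliant: int) -> str:
    """Apply the 24-hour remediation window; OS modification and blocklisted apps revoke immediately."""
    if "modified OS" in findings or "blocklisted application present" in findings:
        return "revoke"
    if not findings:
        return "allow"
    return "suspend" if hours_noncompliant >= GRACE_HOURS else "grace"

# Constructed sample records (not real devices) and a fixed evaluation date.
TODAY = date(2025, 1, 15)
COMPLIANT_IPHONE = Posture("iphone", (17, 2), date(2022, 9, 1), False, True, True, 6, 5)
ROOTED_ANDROID = Posture("android", (12, 0), date(2019, 6, 1), True, True, False, 4, 10,
                         pending_critical_days=20, security_patch_age_days=120, sideloaded_apps=1)
STALE_MACBOOK = Posture("macos", (14, 1), date(2021, 3, 10), False, True, False, 14, 15, pending_other_days=35)
```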
Network security
Organisational data transmission must use encrypted connections. All organisational applications enforce TLS encryption for data in transit; applications failing to establish encrypted connections refuse to transmit data. Users must not employ network proxies, VPN services, or traffic interception tools that could expose organisational data to third parties. Organisational VPN services for accessing internal resources remain permitted and encouraged.
Public Wi-Fi networks present elevated risk. Users accessing organisational resources over public networks should enable the organisational VPN to encrypt all traffic. The MDM platform can enforce VPN activation on untrusted networks for users with elevated access privileges. Users in high-risk contexts should consult location-specific security guidance regarding network usage.
Organisation access and rights
Enrolment grants the organisation specific access to personal devices necessary for security management and data protection. These rights exist solely to protect organisational data and systems; the organisation commits to exercising them only for legitimate security purposes.
The organisation can view device identifiers including make, model, serial number, and operating system version. The organisation can view security posture including encryption status, passcode compliance, jailbreak detection results, and patch currency. The organisation can view installed applications though not application content or usage patterns. The organisation cannot view personal files, photographs, messages, browsing history, or location history outside of active device location requests.
Remote wipe capability exists in two forms. Selective wipe removes organisational data and applications while preserving personal content; this capability executes when users leave the organisation or when devices are removed from the programme. Full device wipe erases all device content and returns the device to factory settings; this capability executes only when devices are reported lost or stolen to prevent data exposure to unauthorised parties. Users acknowledge and accept both capabilities during enrolment.
Device location capability enables locating lost or stolen devices to facilitate recovery or inform wipe decisions. Location requests require security staff authorisation and generate audit logs. The organisation does not conduct routine location tracking; capability exists solely for loss response scenarios. Users receive notification when location requests execute on their devices.
Limitations on organisational access
The organisation commits to boundaries on exercising access rights over personal devices. Personal content remains outside organisational access; security staff cannot view personal photographs, read personal messages, or access personal cloud storage. Application usage monitoring extends only to organisational applications; personal application usage generates no visibility to the organisation. Network traffic monitoring does not extend to personal device traffic except when actively connected to organisational VPN.
The containerisation model enforces these boundaries technically as well as by policy. Organisational data resides in managed spaces with defined access paths; personal data resides in unmanaged spaces that MDM tools cannot access. This separation protects both user privacy and organisational data by preventing commingling that would complicate both security management and privacy protection.
Support boundaries
The organisation provides limited technical support for enrolled personal devices. Support scope covers organisational applications and access methods; support does not extend to personal device hardware, operating systems, personal applications, or personal data.
| Support included | Support excluded |
|---|---|
| MDM profile installation and troubleshooting | Hardware repair or replacement |
| Organisational application installation | Operating system installation or upgrade |
| Organisational application configuration | Personal application support |
| Access and authentication issues | Home network configuration |
| Security compliance remediation guidance | Data recovery for personal content |
| Organisational data backup and restore | Malware removal |
| Container or profile removal | Warranty claims or manufacturer support |
Users experiencing hardware failures, operating system problems, or personal application issues must seek support from device manufacturers, retailers, or commercial support providers. The organisation does not provide loaner devices when personal devices require repair; users without functioning enrolled devices must request temporary organisation-issued equipment through normal asset request processes.
The IT service desk assists with BYOD issues during standard support hours. After-hours support for BYOD devices is available only for security incidents involving potential data exposure. Routine access issues outside support hours must wait until the next business day.
Privacy and personal data
The BYOD programme processes personal data about users and their devices as necessary for programme operation and security management. Processing occurs under legitimate interest provisions, balancing security requirements against user privacy. Users receive detailed privacy information during enrolment and may request a copy of data held about them and their devices through standard data subject access request procedures.
Data collected through the programme includes device identifiers and characteristics, security posture assessments, compliance status history, application inventory for organisational applications, and audit logs of administrative actions taken on devices. The organisation retains this data for 12 months following device removal from the programme, or longer when required for legal compliance or ongoing investigations.
The organisation does not collect personal content from enrolled devices. Technical controls prevent MDM platforms from accessing personal photographs, messages, files, or application data outside the managed container. Organisational commitment not to access personal data is backed by technical enforcement, not merely policy prohibition.
Users should understand that personal devices used for work purposes may become relevant to legal proceedings or regulatory investigations affecting the organisation. The organisation may be required to preserve and produce data from enrolled devices in response to litigation holds or regulatory demands. Users may need to make devices available for forensic examination in such scenarios. This possibility is inherent in using personal devices for work purposes.
Loss, theft, and incidents
Users must report lost or stolen enrolled devices within 4 hours of discovery. Prompt reporting enables rapid response to prevent data exposure. Reports go to the IT service desk by phone for immediate action; email reports do not provide adequate response time for loss scenarios.
Upon receiving a loss report, the IT security team initiates device location to assess recovery possibility. If the device appears unrecoverable or if circumstances suggest theft rather than simple loss, security staff execute selective wipe to remove organisational data. Users may request full device wipe if they prefer complete data destruction to prevent personal data exposure; the organisation executes such requests within 2 hours during business hours.
Recovery of wiped devices enables re-enrolment once users confirm physical possession. The wipe operation removes organisational data but does not permanently block the device from future enrolment. Users who recover devices after wipe must complete fresh enrolment before resuming organisational access.
Security incidents affecting enrolled devices follow standard incident response procedures. Users who suspect malware infection, unauthorised access, or data exposure must report immediately to the IT service desk. Security staff assess reported incidents and may require users to make devices available for examination. During active security incidents, users must follow security team instructions including disconnecting devices from networks or surrendering devices for analysis.
Exit and offboarding
Users leaving the organisation or withdrawing from the BYOD programme must complete device removal procedures. The offboarding process removes organisational data and management profiles while preserving personal content. Users should back up any personal data from the managed container before initiating removal, as the process irreversibly deletes organisational content.
Standard offboarding occurs through the self-service portal. Users initiate removal, receive confirmation of pending action, and complete the process by following on-device prompts. The MDM platform removes management profiles, deletes organisational applications and data, and revokes access credentials. Removal completes within minutes and users receive confirmation when finished.
Employment termination triggers administrative removal regardless of user action. HR systems notify IT of departures, and security staff initiate remote wipe within 24 hours of termination effective date. Users departing on good terms may complete voluntary removal before termination to maintain control over timing; users departing involuntarily undergo administrative removal without device access.
Users withdrawing from BYOD while remaining employed must return to organisation-issued equipment before removal processes complete. Coordination with IT ensures continuous access to required systems. Users cannot withdraw from BYOD and continue accessing organisational resources from unenrolled personal devices; access attempts from removed devices are blocked automatically.
Policy violations
Violations of BYOD policy terms result in consequences proportionate to severity. Minor violations such as delayed security updates receive warnings and remediation deadlines. Repeated minor violations or single significant violations result in device removal from the programme with a 6-month waiting period before re-enrolment eligibility. Serious violations involving intentional security circumvention, data exposure, or policy evasion result in permanent programme exclusion and may trigger disciplinary proceedings under general employment policies.
The organisation reserves the right to remove any device from the programme at any time without cause. This reservation exists to address situations where security needs require rapid response that investigation timelines cannot accommodate. Users removed without cause may request review through IT governance channels; confirmed unjustified removals result in immediate re-enrolment eligibility.
Tampering with MDM profiles, attempting to circumvent security controls, or misrepresenting device status constitutes serious violation regardless of whether data exposure results. Such actions demonstrate incompatibility with the trust model underlying BYOD access and result in permanent exclusion from the programme.