How to create and implement a BYOD policy

Meredith Kreisa|March 16, 2023

With personal device usage on the rise, businesses need a bring your own device (BYOD) policy to set guidelines. Virtually every employee has a personal smartphone, and many use their mobile device for work. Effective oversight can help you sidestep BYOD challenges and maximize the potential benefits of allowing employee-owned devices in the workplace. But drafting and rolling out a successful BYOD policy can be fraught with obstacles. We’ll walk you through what a BYOD policy is, what you should include, how to implement it, and the potential pros and cons of a BYOD approach. 

What is a BYOD policy? 

A BYOD policy sets standards that govern employee use of personal devices for work. It essentially documents best practices, including setting requirements and detailing what is and isn’t permissible. A BYOD policy may also detail who has access to company information, which personally owned devices are allowed to connect to the corporate network, and what security measures must be in place. 

Every business should have a BYOD policy. Even if you want to implement an outright ban on personal device usage for work, documenting that can help you lay down the law. 

What to include in a BYOD policy 

Because BYOD policies dance around that fine line between an employee’s work and personal life, transparency is critical. That means your BYOD policy might be epically long. Try not to get overwhelmed. The more you include now, the less you’ll have to justify your actions later.

You’ll need to pick and choose policy content based on your environment, goals, and resources, but we’ll explain a few topics you might want to cover. 

Company rights 

It’s the moment we’ve all diligently tried to avoid — time to talk to a lawyer. But before you hide in a corner, hear us out. Your BYOD policy must spell out your company rights while complying with relevant laws, so proper legal advice is a must. Topics to address might include the following: 

  • Who owns the data 

  • Who owns the phone number 

  • What happens to corporate data when an employee leaves the company 

  • Actions the company can perform (monitoring, remote wipe, etc.) 

Acceptable uses 

An acceptable use policy dictates constraints on resources. A BYOD policy should include an acceptable use policy detailing what employees can do on their personal devices while at work. However, you might also explain other general best practices for employees. 

Most businesses want their employees to avoid dodgy or distracting activities when using the corporate network or VPN. We’re talking about scrolling social media, browsing unsafe or adult websites, transmitting illicit material, or engaging in personal activities (texting, calling, playing games, buying limited edition Crocs, etc.).

Authentication 

Proper authentication separates real users from nefarious imposters. Standard authentication best practices also hold true in a BYOD environment. Multifactor authentication is a security expert’s dream come true, preventing stolen credentials from spelling certain doom by leveraging at least two forms of authentication. In addition, you may want to require re-authentication — just to make sure the folks logging in are still the users you know and sometimes love. 

Permitted devices 

Specifying which BYOD devices you’ll allow is more than just a delightfully authoritarian power grab. It’s also important from an administration and security perspective since you can ensure you’re not stuck juggling antiquated or low-quality systems. 

To that end, you might want to establish what types of devices, brands, models, and operating systems are allowed in your BYOD environment. We’ll even get you started with your policy draft: “Don’t you dare come at me with a laptop running Windows Vista. I am not a person with whom you want to trifle.” 

Permitted or banned apps 

If an employee-owned device connects to your company network, you need a say in the installed apps. So, you might as well keep flexing your power by specifying which personal apps are permitted or banned. It’s usually better to maintain a banned list since you don’t want excessively far-reaching requirements for personal devices. At the very least, consider prohibiting app downloads from outside of the App Store, Google Play, or the Microsoft Store. They’re just not necessary, and your users can find other cheap thrills. 

Communication channels 

Most employees probably want to use their personal devices for occasional work-related communication — whether answering a coworker’s question from the dentist’s chair or closing client deals while waiting in the 20-car lineup at Starbucks. 

Relevant communication channels to assess include your telecommunication, email, video conferencing, and instant messaging platforms. Widespread access is more convenient for employees, but you’ll also need to weigh the potential security implications. Specifying BYOD-appropriate communication channels helps you keep more secure channels locked down while giving your workers the flexibility they need. 

Privacy guidelines 

Detail how the company protects the privacy of personal information on employee devices. No one wants to feel like their employer is spying on them. No one. Your employees deserve to know what information you’ll collect, how you’ll use it, and how you’ll ensure their private information stays private. 

Support provided 

When you have an extensive BYOD program, support becomes a real gray area. Who is responsible for maintaining devices: you or your employees? Set the parameters upfront so that you don’t have to figure everything out along the way. Detail employer and user responsibilities related to performing updates, repairing physical damage, and vetting new devices.

Password requirements 

It’s time to show off your “I ♥ strong passwords” tattoo. There’s never a good reason for a bad password, and the same holds true for BYOD. While password security is an especially high priority for business apps, you may want to encourage strong passwords for non-work apps and websites since they also pose a threat to the device. If you want your employees to love you, consider implementing single sign-on (SSO) for work-related apps. It’s a lot easier for users to remember just one username and password, and they can easily update their credentials more frequently. 

Data transfer limitations 

Data leakage is one of the most obvious concerns with any BYOD program. To limit the risk of your sensitive data falling into the wrong hands, consider the following measures: 

  • Only allow the transfer of corporate data between approved apps and devices 

  • Ensure business data is encrypted 

  • Limit corporate data to password-protected devices and apps 

Disclaimers 

Good news! You get another gab sesh with your favorite attorney-at-law! That’s because your BYOD policy is the perfect place to put any legal disclaimers related to risks and liabilities. At the very least, you’ll probably want to clarify the following: 

  • The liability for risks (e.g., malware or operating system crashes) falls on the employee 

  • IT maintains the right to disable services or wipe data 

  • IT will implement strong precautions to avoid wiping an employee device 

  • Noncompliance with the BYOD policy may result in disciplinary action 

That’s just a taste of what to include, but you’ll need a real lawyer to make sure the jargon is on point, legally binding, and suitably intimidating. 

Security requirements 

BYOD security is a top concern, so your policy should specify the necessary measures. Organization-wide efforts for your BYOD security policy may include installing antimalware and antivirus software, blocking unauthorized downloads, and locking the device after a set number of failed unlock attempts. 

As an added layer of security, consider implementing reporting requirements for lost or stolen devices. You’ll need to act quickly to stop unauthorized users from accessing company resources, so you may want to establish the appropriate timeframe during which users must notify IT of loss or theft. The sooner you know, the better. 

Maintenance 

So that everyone is on the same page, explain your intended maintenance procedures, including scheduled data backup, software deployment and patching processes, and lost or stolen device protocols. Clarity is key. Otherwise, you may overlook important maintenance because everyone assumes someone else is doing it. 

Reimbursement guidelines 

Whether you must reimburse your employees for their BYOD expenses depends on state law, so it’s time to talk to your lawyer friend again. For instance, California Labor Code Section 2802 requires that employers cover their employees’ business expenses. 

Define what BYOD expenses are reimbursable, such as the employee’s data plan, replacement of lost or stolen devices, repair of damaged devices, and replacement of faulty batteries. 

Onboarding and offboarding 

Document what steps the employee needs to take to use their personal device for work. The process may include vetting the device, removing any prohibited content, and enrolling in the company’s mobile device management (MDM) solution. The offboarding process documentation should spell out how the company will remove the following: 

  • Access tokens 

  • Email access 

  • Corporate data access 

  • Proprietary apps 

A complete wipe is more secure, but employees must have the opportunity to back up personal data. Keep in mind that you may also have to deal with an unexpected offboarding should a device be lost or stolen — or if an employee leaves the company on bad terms. To prepare for these possibilities, select an MDM with remote wipe capabilities and explain when you’ll use remote wipe within your policy. 

How to implement a BYOD policy 

Rolling out a BYOD policy is a lot like introducing any other policy, but there are a few extra steps. We’ll walk you through what to do. 

Write your policy 

This step is probably the heaviest lift. But it sets the framework for your entire BYOD program, so you need to get it right. And, of course, don’t forget to have all the necessary conversations with lawyers. 

Establish a simple sign-up process 

Keep your users happy with a simple device sign-up process. High-quality MDM solutions support a plethora of enrollment options, including User Enrollment, enrollment by link, and Apple Configurator enrollment. Setup should take just a couple of minutes — possibly less. Making everything simple for users encourages compliance and helps prevent shadow IT. 

Train staff on your BYOD policy 

For a BYOD policy to be effective, your employees need to understand it. Sure, you can hope they read it. But better still, train them and answer any questions they have. While you’re at it, go ahead and teach them about phishing, malware, unsafe websites, and other common mobile device cybersecurity threats. Mobile device cybersecurity is critical regardless of who owns the device. 

Implement an MDM solution 

An MDM is the not-so-secret answer to all your mobile device management woes. You can update, license, and monitor devices at scale, making it easy to manage BYOD devices, corporate-owned devices, or a mixture of the two. 

Automate whatever you can 

Maintaining up-to-date software is essential to BYOD security, and automation is the easiest way to do that. Automate your app distribution and patching to streamline workflows. With an MDM solution, you can assign, deploy, and configure custom and App Store apps with little effort. 

Pros and cons of a BYOD approach 

Increasingly, businesses rely on BYOD, but it isn’t always sunshine and rainbows. An effective BYOD policy maximizes the benefits while reducing the potential drawbacks. However, you should be aware of the potential pros and cons to develop the best course of action for your business. 

Pros of a BYOD approach 

BYOD is affordable, convenient, and quick, making it a popular choice for businesses. 

Financial savings 

Allowing employees to use their own devices can save your company big bucks. We’re talking extra-guac-level money here. Not only can you avoid the upfront expense of purchasing devices, but you’re also not necessarily on the line to replace the battery or fix a cracked screen. And devices may be less susceptible to physical damage since people tend to treat their own property with kid gloves. 

Greater flexibility 

Most of us keep our smartphones handy at all times. If your BYOD policy allows personal device use, that means your employees could work pretty much any time and any place. And while we’re all for a healthy work-life balance, this added flexibility can enhance productivity — especially for working parents, on-the-go employees, or folks spread across different time zones. 

Speedy onboarding 

Scaling puts a high demand on the IT team. If your company is in growth mode, implementing a simple BYOD enrollment process can save valuable time. It takes an employee just a few minutes to enroll their existing smartphone in your MDM solution. In contrast, even expedited shipping of a new company-owned device usually takes a day or two. 

Plus, since employees already know how their personal devices work, you don’t have to account for a learning curve. 

Cons of a BYOD approach 

BYOD policies often present privacy, administrative, and cybersecurity issues. While these potential drawbacks may give some business leaders pause, you can overcome them with a carefully crafted approach. 

Privacy issues 

Both company and employee privacy are valid concerns with any BYOD policy. You may worry about the privacy of your company data, while your employees think about the privacy of their personal data. Increased monitoring can put your mind at ease, but it could simultaneously heighten employee concerns. The good news is that Managed Apple IDs can live alongside personal IDs on the same device, separating personal and corporate data. You have the control you need, while employees still enjoy their independence. 

Administrative burden 

Embracing BYOD can lead to a diverse fleet of operating systems and device types, complicating device administration. Since you’re likely to have both Apple and Windows devices in your environment, you’ll probably need an Apple MDM (like SimpleMDM) along with a Windows device management solution (such as PDQ Deploy, Inventory, and Connect). Spelling out permitted operating systems and device types in your BYOD policy can at least help rein things in a bit. After all, you never know which user will show up with an iPhone 4 and expect you to install the latest productivity tools.

Cybersecurity risks 

Make no mistake: Security is a top concern regardless of whether you rely on corporate- or employee-owned devices. However, a comprehensive BYOD policy and appropriate MDM solution can mitigate risks: 

  • Weaker security: Personal devices usually don’t have security measures as robust as those on corporate devices. 

  • Risky user behavior: Users may visit sites or download apps they’d never dream of putting on a company-owned device, increasing the risk of malware. 

  • Unsecured Wi-Fi: As is the case with any mobile device, an employee may connect to unsecured Wi-Fi. Even if you require a VPN while using public Wi-Fi, the employee may feel it isn’t important if they only access personal resources. However, this puts the whole device at risk. 

  • Insider threat: Employees looking to exploit resources have ample opportunity to copy data from their personal devices. This risk increases if an employee is let go from the company and becomes disgruntled. While your policy might allow you to erase data or even wipe the device when an employee leaves the company, any lag time gives them a window of opportunity to misuse data or access. 

  • Household device sharing: You let your cat use your tablet to watch bird videos. You hand your phone to your child to play games. You lend your tablet to your grandparents to stream the latest trashy reality show (grandma loves drama). The more hands on a device, the greater the risk that someone could mess up, jeopardizing the security of your data and putting your environment at risk when that device reconnects to your network. 

  • Compliance issues: While the company doesn’t own BYOD devices, those devices may still be subject to relevant compliance requirements, like HIPAA, HITECH, PCI, and GDPR, if employees use them for work purposes. 

Let’s be real: Even if you haven’t rolled out a BYOD policy yet, some of your employees probably already use personal devices for work. Implementing comprehensive guidelines gives you more oversight, thereby reducing risks. 

The right MDM solution provides much-needed support as a BYOD solution. SimpleMDM streamlines monitoring, updating, securing, and licensing your Apple fleet. Start a free 30-day trial to see how easy it can be to enforce your BYOD policy. 

Meredith Kreisa

Meredith gets her kicks diving into the depths of IT lore and checking her internet speed incessantly. When she's not spending quality time behind a computer screen, she's probably curled up under a blanket, silently contemplating the efficacy of napping.
