5 Things Every BYOD Policy Needs

Bring Your Own Device (BYOD) policies are rapidly gaining traction in the modern workplace owing to the flexibility and convenience they provide to both employees and their employers.

However, just like any other major change in the workplace, BYOD comes with its fair share of challenges.

That’s why, rather than simply allowing your employees to use their own smartphones and other technology for work, you need a carefully thought-out BYOD policy that protects your corporate apps and, more importantly, your data while upholding the rights of your employees.

#1. Clear Explanation of Data Ownership

One of the biggest challenges facing BYOD is balancing data protection and employee privacy. Few people will be willing to enrol in your BYOD programme if they feel they’re going to lose control and ownership over their own devices. That’s precisely one of the main reasons why a fifth of BYOD policies are doomed to fail.

Naturally, employees expect a reasonable degree of privacy, as well as complete control over their own data. That’s why any BYOD policy should also include a formal documentation of data ownership that considers company-owned data of different categories, such as unrestricted, sensitive and mission-critical data.

Once you’ve defined who owns which data, you’ll then need a way to enforce the policy that doesn’t encroach on the rights of your employees. One way to do this is to use mobile device management (MDM) software to partition the device. This way, you should be able to keep work-related apps and data completely separate from employee-owned content.

#2. Criteria for Allowed Apps and Devices

Bring your own device doesn’t mean bring anything into the workplace.

In fact, one of the most important elements of any BYOD policy is a detailed list of allowed apps and devices as well as the rules of acceptable use. One of the first and most basic goals of your BYOD policy is to set some standards, and that starts with a whitelist of manufacturers, model numbers and operating systems that are eligible to enrol.

Deciding which apps and devices to allow can be a laborious task, since there is so much variety. However, you shouldn’t base your policy on a single manufacturer or mobile operating system. After all, change is constant in the world of smartphones and tablets and, while you’ll still need to update your BYOD policy on occasion, it’s always better to keep it as flexible as possible.

When it comes to blacklisting apps, it’s important to take a refined approach and avoid the temptation to ban anything that might get in the way of employee productivity.

If you do, there’s a good chance that employees will attempt to circumvent the ban by rooting or jailbreaking their devices, and that can put your corporate data at serious risk.

#3. Remote Wiping Clause

Mobile devices do get lost or stolen. Fact! Furthermore, when an employee leaves your company, they might neglect to dis-enrol from your BYOD policy, thereby taking any corporate data stored on the device with them. As such, if any company data is stored on employee-owned devices, then you will absolutely need to include a remote wiping clause.

You’ll also need to make clear any liabilities, disclaimers or risks to protect your business from legal action if you accidentally delete personal, employee-owned data in the process.

An even better approach to data security is to avoid having any company data stored on the device in the first place. That way, there’ll be no need to have a remote wiping clause, which can only ever be effective if an employee promptly warns you of a lost or stolen device anyway.

If instead your apps and data are hosted in the cloud, employees should only need to use their own devices to access them and not for actually hosting them.

#4. Exit Strategy

One of the most important provisions of any BYOD policy is an exit strategy that governs what happens when an employee decides they no longer want to be a part of the programme. However, there are other occasions when you might need to enforce a mandatory exit strategy from your end, such as when an employee leaves the company or violates the rules of your policy.

Some companies include remote wiping as part of their mandatory BYOD exit strategies but, if they do, they will also need to provide a clear methodology for protecting the user’s personal files. If an employee won’t cooperate, as may be the case if he or she left the company on bad terms, then your BYOD policy should reserve the right to wipe the device without having to take full responsibility over the protection of the former employee’s own data.

#5. Multifactor Authentication

There’s no doubt that BYOD introduces some important concerns and challenges when it comes to authentication. However, these risks can be alleviated by enforcing a multifactor authentication policy that doesn’t rely on passwords alone.

With MFA, users will need to verify their identities when accessing corporate apps and data by using a secondary authentication method, such as an SMS confirmation, push code or a fingerprint. To make matters easier, you can use MDM software to enforce a policy that requires users to verify their identities based on criteria such as device, network and geographical location.

MFA is undoubtedly the most effective way to make BYOD safer, since it helps protect your business data from insecure wireless networks, man-in-the-middle attacks, weak passwords, phishing scams and a multitude of other threats. That’s not a bad deal for a single security solution!


There’s no denying that BYOD introduces some significant challenges. However, if managed properly, a BYOD policy can reduce costs and boost productivity without having to compromise on security. If you would like more information and advice on Mobile Device Management for your business, Grant McGregor can help with GM MDM.

Or you can contact us on 0131 603 7910 or 0808 164 4142.



see all