BYOD Policy Essentials

Over the past several years, many companies, educational facilities, healthcare organizations and others have opened their doors to a wide-range of personal devices.

BYOD or Bring Your Own Device represents a shift in IT perception that asks “How can we support personal devices?” rather than, “How can we block all all personal devices?” This shift is happening rapidly on untested ground for many organizations. Before opening your doors to any and all wireless devices, it is important to establish a working BYOD policy that can be updated as technologies change, but can also provide a guide for implementing BYOD, supporting BYOD, and policing BYOD.

After reading a variety of BYOD policies, I made a list of essentials. This list of topics, can help your mobile device committee or decision makers develop a BYOD policy. Here are the types of issues you need to consider and put into your BYOD policy. As you develop a policy, it might be helpful to set up a BYOD policy wiki that can be updated and clarified over time.[1]

Supported devices. You should decide and state what operating systems that you’re willing to support such as OS, Android, or others. Also, you must indicate if jail-breaking the phone puts it outside of supported policies.[2]

Define Users. Who is allowed to access you network servers and/or wifi? You may designate different types of users such as management, employees, guests, and contractors. Some levels may have more restrictions or required applications. You might also designate users by groups such as departments or project teams. These specific groups may receive different levels of network access and/or different types of required applications.

Process of Sign Up. When someone wants to add their device to the network, you need a standard procedure for signing up. This may involve entering a help ticket in the IT system, going through a policy & procedures training, and more.

Where is the Data? You need to decide if company data will actually reside on the device or will users access online. This decision will help you further decide about protecting/encrypting data.

Required and Banned Applications. You or your team must decide what applications are not allowed on devices with access to network servers, and also what applications may be required.

Password Policies. You must decide password requirements such as password length and character types, login/logout periods (such as will the device lock every time you close it? Or will it lock out every 30 minutes?) Plus, you should establish how often users must update their passwords with a new one.

Lost Devices. What is the procedure for reporting and responding to lost devices? Will the company automatically wipe lost devices? How should an employee report a lost, stolen or corrupted device?

Terminated Employees. How will you deal with data on employee-owned devices after termination of employment?

Personal Data on Device. Are there restrictions on types of personal content allowed on devices?

Signed Agreement. Users should be required to sign a connection agreement that outlines company policies, procedures and restrictions as well as liability issues related to device, applications, content and more. An update agreement should be kept on file and resigned once a year.

Policy Wiki. It might be a good idea to set up a policy wiki or sharepoint site that includes the latest updates to device policies.

Device Registration. All devices that access the network must be registered with the company.

[1] Thanks to Michael Lee for the idea on a wiki. ” Ingredients for a BYOD Policy: Gartner.” ZDNET, July 19, 2012 <>
[2] Jailbreaking is a method of opening your device’s file system in a way that allows you to make modifications that go beyond the manufacturers, operating system, and/or carrier.