How to create a BYOD policy

BYOD isn’t a synonym for “free for all.” Once an organization decides to let employees use their own mobile devices and PCs for work, it must put a BYOD policy in place to control this usage.

The details of any

Continue Reading This Article

Enjoy this article as well as all of our content, including E-Guides, news, tips and more.

By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

Safe Harbor

bring your own device (BYOD) policy will be specific to a given organization, but most policies cover the same basic questions: How should users protect their devices? What data and applications can and can’t be accessed? And what happens when a user loses a device or leaves the company?

BYOD can be confusing, because it involves different kinds of devices, use cases and users. To create a clear and simple BYOD policy, IT and other business decision-makers should consider these issues:

Acceptable use

First and foremost, it’s vital to specify which functions a given user can access, and what general behaviors are acceptable. It’s important to protect the organization from users who may have, for example, illicit materials on their devices, or information that may be proprietary to another firm.

Device selection

It’s probably not reasonable today, because of support costs and the sheer number of devices available, to allow any arbitrary smartphone or tablet on the enterprise network. A relatively broad range of platforms -- for example, Android, iPhone and BlackBerry -- is usually sufficient, enumerating devices and versions as appropriate.


Some BYOD shops will pay for users’ devices and monthly services, either partially or in full. A BYOD policy should explain exactly what charges the organization will and won’t reimburse. Third-party services and software can provide detailed accounting of phone (and sometimes data) usage, but it may be easier to simply reimburse a pre-specified percentage of users’ monthly bills. Your organization may need to modify its accounting systems to support this critical function.

Applications and security

Whitelisting and blacklisting apps is a popular technique that, while certainly not foolproof, helps to maintain the security and integrity of enterprise IT resources (to say nothing of the handset itself). If your organization takes this app control approach, the BYOD policy should explain that IT has the authority to prohibit the use of certain apps. The overall software configuration of the handset is a key variable in successful mobile IT operations, so the BYOD policy should also cover the use of antivirus apps, other security software and firewall settings.

I’m often quite surprised to find that organizations’ security policies are either lacking in the mobile area -- or, clearly much worse, don’t address mobile at all. A security policy in its essence specifies what information is sensitive (or at least defines classes of sensitive information), the circumstances under which approved users may access sensitive information, and what to do in the event of a security breach. Such rules are essential, so when creating a BYOD policy, it might be a good time to revisit your overall security policy as well.

Mobile device management

Mobile device management (MDM) software lets IT configure, secure, monitor and wipe smartphones and tablets. MDM is a rapidly evolving technology with little in the way of standards or even a widely-accepted definition, but IT should become familiar with the wide range of tools and services now on the market. MDM is also one element of a larger set of functions, often called enterprise mobility management, that can enforce BYOD policy and other requirements.


Once you implement a BYOD policy, it’s important to have a written agreement in place with every mobile device user. An agreement raises consciousness about the critical nature of mobile IT operations, and it protects organizations in the event of a BYOD policy violation. Like your BYOD policy itself, this agreement should be as clear as possible, to prevent misunderstandings that could generate a wide range of problems and IT headaches.

BYOD policy challenges

More on BYOD policy and related issues

How to make a BYOD program work

BYOD strains corporate wireless network bandwidth

CIOs scramble to adapt MDM for BYOD era

One challenge in developing a BYOD policy is in defining personal use vs. business use. Some technologies, such as mobile virtualization, attempt to separate the two on the same device, but fine points clearly remain. For example, the aforementioned device wipe: What if purely personal information is lost in the process?

Because of these potential problem areas, a solid legal review of your BYOD policy and agreements by appropriate counsel is vital. The law surrounding BYOD is far from settled at this point, and applicable law can vary from jurisdiction to jurisdiction at every level, including internationally. Regular reviews of policies and agreements (at least twice per year) are also essential.

Developing a BYOD policy can seem complex, especially in larger organizations, but BYOD’s inherent savings on capital and operating expenses can easily pay for the required policy development, legal review, training, education, tools and systems. The convenience of BYOD is undeniable for users, and with a little work, BYOD is poised to become a key to more cost-effective IT operations.

This was first published in March 2012

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.