This content is part of the Essential Guide: Put it on paper: A guide to mobile device policy creation


How to create a BYOD policy

Without a comprehensive BYOD policy, IT’s just asking for management and security nightmares. Clearly spell out what users can and can’t do, and you’ll keep the bogeyman at bay.

BYOD isn’t a synonym for “free for all.” Once an organization decides to let employees use their own mobile devices and PCs for work, it must put a BYOD policy in place to control this usage.

The details of any bring your own device (BYOD) policy will be specific to a given organization, but most policies cover the same basic questions: How should users protect their devices? What data and applications can and can’t be accessed? And what happens when a user loses a device or leaves the company?

BYOD can be confusing, because it involves different kinds of devices, use cases and users. To create a clear and simple BYOD policy, IT and other business decision-makers should consider these issues:

Acceptable use

First and foremost, it’s vital to specify which functions a given user can access, and what general behaviors are acceptable. It’s important to protect the organization from users who may have, for example, illicit materials on their devices, or information that may be proprietary to another firm.

Device selection

It’s probably not reasonable today, because of support costs and the sheer number of devices available, to allow any arbitrary smartphone or tablet on the enterprise network. A relatively broad range of platforms -- for example, Android, iPhone and BlackBerry -- is usually sufficient, enumerating devices and versions as appropriate.


Some BYOD shops will pay for users’ devices and monthly services, either partially or in full. A BYOD policy should explain exactly what charges the organization will and won’t reimburse. Third-party services and software can provide detailed accounting of phone (and sometimes data) usage, but it may be easier to simply reimburse a pre-specified percentage of users’ monthly bills. Your organization may need to modify its accounting systems to support this critical function.

Applications and security

Whitelisting and blacklisting apps is a popular technique that, while certainly not foolproof, helps to maintain the security and integrity of enterprise IT resources (to say nothing of the handset itself). If your organization takes this approach, the BYOD policy should explain that IT has the authority to prohibit the use of certain apps. The overall software configuration of the handset is a key variable in successful mobile IT operations, so the BYOD policy should also cover the use of antivirus apps, other security software and firewall settings.

I’m often quite surprised to find that organizations’ security policies are either lacking in the mobile area -- or, clearly much worse, don’t address mobile at all. A security policy in its essence specifies what information is sensitive (or at least defines classes of sensitive information), the circumstances under which approved users may access sensitive information, and what to do in the event of a security breach. Such rules are essential, so when creating a BYOD policy, it might be a good time to revisit your overall security policy as well.

Mobile device management

Mobile device management (MDM) software lets IT configure, secure, monitor and wipe smartphones and tablets. MDM is a rapidly evolving technology with little in the way of standards or even a widely accepted definition, but IT should become familiar with the wide range of tools and services now on the market. MDM is also one element of a larger set of functions, often called enterprise mobility management, that can enforce BYOD policy and other requirements.
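To show how the device-selection rules, the app whitelist/blacklist and the antivirus requirement above turn into something an MDM or EMM tool can actually enforce, here is a small policy-as-code check. It is an added example, not code from the article or from any MDM product; the platform names, version floors, app identifiers and sample devices are all constructed for illustration.

```python
"""Added example: evaluate a personally owned device against a BYOD policy.
Platform list, version floors and app identifiers are constructed, not real."""
from dataclasses import dataclass, field

# Constructed "Device selection" rule: approved platforms and minimum OS version.
APPROVED_PLATFORMS = {"android": "10", "ios": "14.0"}
# Constructed "Applications and security" rules: blacklisted and required apps.
DENIED_APPS = {"com.example.filesharer"}
REQUIRED_APPS = {"com.example.antivirus"}


@dataclass
class Device:
    platform: str                       # e.g. "android", "ios"
    os_version: str                     # e.g. "13.1"
    installed_apps: set = field(default_factory=set)


def parse_version(text, width=3):
    """Turn '13.1' into (13, 1, 0) so versions compare numerically, not as strings."""
    parts = [int(p) if p.isdigit() else 0 for p in text.split(".")]
    parts = parts[:width] + [0] * (width - len(parts))
    return tuple(parts)


def evaluate(device):
    """Return the list of policy violations; an empty list means the device is compliant."""
    problems = []
    floor = APPROVED_PLATFORMS.get(device.platform.lower())
    if floor is None:
        problems.append(f"platform {device.platform} not approved")
    elif parse_version(device.os_version) < parse_version(floor):
        problems.append(f"OS {device.os_version} below minimum {floor}")
    # Blacklisted apps present on the handset.
    for app in sorted(device.installed_apps & DENIED_APPS):
        problems.append(f"prohibited app installed: {app}")
    # Required security software (antivirus) missing from the handset.
    for app in sorted(REQUIRED_APPS - device.installed_apps):
        problems.append(f"required security app missing: {app}")
    return problems


if __name__ == "__main__":
    sample = Device("android", "9.0", {"com.example.filesharer"})  # constructed
    for problem in evaluate(sample) or ["compliant"]:
        print(problem)
```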


Once you implement a BYOD policy, it’s important to have a written agreement in place with every mobile device user. An agreement raises consciousness about the critical nature of mobile IT operations, and it protects organizations in the event of a BYOD policy violation. Like your BYOD policy itself, this agreement should be as clear as possible, to prevent misunderstandings that could generate a wide range of problems and IT headaches.

BYOD policy challenges

One challenge in developing a BYOD policy is in defining personal use vs. business use. Some technologies, such as mobile virtualization, attempt to separate the two on the same device, but fine points clearly remain. For example, the aforementioned device wipe: What if purely personal information is lost in the process?

Because of these potential problem areas, a solid legal review of your BYOD policy and agreements by appropriate counsel is vital. The law surrounding BYOD is far from settled at this point, and applicable law can vary from jurisdiction to jurisdiction at every level, including internationally. Regular reviews of policies and agreements (at least twice per year) are also essential.

Developing a BYOD policy can seem complex, especially in larger organizations, but BYOD’s inherent savings on capital and operating expenses can easily pay for the required policy development, legal review, training, education, tools and systems. The convenience of BYOD is undeniable for users, and with a little work, BYOD is poised to become a key to more cost-effective IT operations.

