Most SME data leaves the office every day on phones and laptops. This policy sets out the minimum a device must meet before it can hold or access company data.
Scope
Applies to any device used to access [Company Name] data: email, files, customer systems, finance systems. Includes laptops, desktops, tablets, smartphones — company-issued and personally owned.
Minimum requirements for any device
- Enrolled in [MDM, e.g. Microsoft Intune / Google Endpoint] before it accesses company data.
- Full-disk encryption enabled.
- A passcode and biometric set.
- The operating system must be a currently-supported version with security updates applied automatically.
- Modern endpoint protection / EDR installed where the OS supports it.
- Remote wipe must be possible from [MDM].
BYOD — personal devices used for work
- BYOD is allowed for [phones] but not for [laptops].
- BYOD phones must enrol in app protection for work apps.
- Work data may be remote-wiped from a BYOD device — without affecting personal data.
- If you don't want company controls on your personal device, you can decline BYOD and use a company-issued device.
Lost or stolen devices
Report immediately to [Named Manager] — including out of hours.
Leavers
Company devices are returned and reset before being reissued. BYOD devices have the work container wiped on the leaver's last day.
Public Wi-Fi and travel
Public Wi-Fi is permitted with our VPN active. When travelling abroad, check the latest NCSC travel advice with [Named Manager].
Review
Reviewed annually. Last reviewed: [date].
Tips for adoption
- Decide up front whether you allow BYOD on phones, laptops, or neither.
- Test the remote-wipe flow once a year.
- Pair with the mobile and remote work risk page.