Skip to content
Archived content. You are viewing v1 of SME Digital Advisor — the original multi-section site (risks, scenarios, policies, OWASP, flashcards). Go to current site →

Policy

BYOD & Mobile Device Policy

What it takes for a phone, tablet, or laptop to be allowed to handle company data.

Most SME data leaves the office every day on phones and laptops. This policy sets out the minimum a device must meet before it can hold or access company data.

How to use this: The bracketed items like [Company Name] are placeholders — replace them with your own details. Edit the wording to suit your business. This is a starter, not legal advice.

Scope

Applies to any device used to access [Company Name] data: email, files, customer systems, finance systems. Includes laptops, desktops, tablets, smartphones — company-issued and personally owned.

Minimum requirements for any device

  • Enrolled in [MDM, e.g. Microsoft Intune / Google Endpoint] before it accesses company data.
  • Full-disk encryption enabled.
  • A passcode and biometric set.
  • The operating system must be a currently-supported version with security updates applied automatically.
  • Modern endpoint protection / EDR installed where the OS supports it.
  • Remote wipe must be possible from [MDM].

BYOD — personal devices used for work

  • BYOD is allowed for [phones] but not for [laptops].
  • BYOD phones must enrol in app protection for work apps.
  • Work data may be remote-wiped from a BYOD device — without affecting personal data.
  • If you don't want company controls on your personal device, you can decline BYOD and use a company-issued device.

Lost or stolen devices

Report immediately to [Named Manager] — including out of hours.

Leavers

Company devices are returned and reset before being reissued. BYOD devices have the work container wiped on the leaver's last day.

Public Wi-Fi and travel

Public Wi-Fi is permitted with our VPN active. When travelling abroad, check the latest NCSC travel advice with [Named Manager].

Review

Reviewed annually. Last reviewed: [date].

Tips for adoption

  • Decide up front whether you allow BYOD on phones, laptops, or neither.
  • Test the remote-wipe flow once a year.
  • Pair with the mobile and remote work risk page.