Most SME data leaves the office every day on phones and laptops. This policy sets out the minimum a device must meet before it can hold or access company data — whether it's company-issued or personally owned.
Scope
Applies to any device used to access [Company Name] data: email, files, customer systems, finance systems. Includes laptops, desktops, tablets, smartphones — company-issued and personally owned.
Minimum requirements for any device
- The device must be enrolled in [MDM, e.g. Microsoft Intune / Google Endpoint] before it accesses company data.
- Full-disk encryption must be enabled (default on iPhone, modern Android, modern Mac/Windows — verify it is on).
- A passcode and biometric (Face ID / Touch ID / Windows Hello) must be set.
- The operating system must be a currently-supported version, with security updates applied automatically.
- Modern endpoint protection / EDR must be installed and active where the OS supports it.
- Remote wipe must be possible from [MDM].
BYOD — personal devices used for work
- BYOD is allowed for [phones] but not for [laptops].
- BYOD phones must enrol in app protection for work apps. We do not manage the personal part of the device.
- Work data may be remote-wiped from a BYOD device — without affecting personal data — if the device is lost, the user leaves, or a serious risk arises.
- If you don't want company controls on your personal device, you can decline BYOD and use a company-issued device instead.
Lost or stolen devices
Report immediately to [Named Manager] — including out of hours. Don't wait until Monday.
Leavers
Company devices are returned and reset before being reissued. BYOD devices have the work container wiped on the leaver's last day.
Public Wi-Fi and travel
Public Wi-Fi is permitted with our VPN active. Avoid working on highly sensitive material in places where screens are visible to others. When travelling abroad, check the latest NCSC travel advice with [Named Manager].
Review
Reviewed annually. Last reviewed: [date].
Tips for adoption
- Decide up front whether you allow BYOD on phones, laptops, or neither — and be consistent.
- Test the remote-wipe flow once a year so it works when needed.
- Pair with the mobile and remote work risk page.