Which of the following would not typically be included in a BYOD IT policy?

Typically crafted by the CIO and other high-level IT decision-makers, BYOD policy defines the terms under which employee-owned devices can be used at work, and the security policies end users must observe while using them.

While the specifics of a BYOD policy will vary depending on the goals of an organization’s BYOD strategy, most device policies define some variation of the following:

Acceptable use: BYOD policies typically outline how and when employees can use personal devices for work-related tasks. For example, acceptable use guidelines may include information on securely connecting to corporate resources through a virtual private network (VPN) and a list of approved work-related apps.

Acceptable use policies often specify how sensitive company data must be handled, stored, and transmitted using employee-owned devices. Where applicable, BYOD policies may also include data security and retention policies that comply with regulations like the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act, and the General Data Protection Regulation (GDPR).

Permitted devices: A BYOD policy may outline the types of personal devices employees can use for work purposes, and relevant device specifications, such as minimum operating system version.

Security measures: BYOD policies typically set security standards for employees’ devices. These can include minimum password requirements and two-factor authentication policies, protocols for backing up sensitive information, and procedures to be followed if a device is lost or stolen. Security measures may also specify security software that employees must install on their devices, such as mobile device management (MDM) or mobile application management (MAM) tools. These BYOD security solutions are discussed in further detail below.

Privacy and permissions: BYOD policies typically outline the steps the IT department will take to respect employee privacy on their devices, including how the organization will maintain separation between employee personal data and corporate data. The policy may also detail the specific permissions the IT department needs on the employee’s device, including certain software it may need to install and apps it may need to control.

Reimbursement: If the company reimburses employees for using their personal devices—e.g., by offering a stipend for device purchases, or subsidizing internet or mobile data plans—a BYOD policy will outline how reimbursement is handled and the amounts employees may receive.

IT support: The BYOD policy may specify the extent to which a company’s IT department will (or won’t) be available to help employees troubleshoot broken or improperly functioning personal devices.

Off-boarding: Finally, BYOD policies typically outline steps to follow if an employee leaves the company or unenrolls their device from the BYOD program. These exit procedures often include plans for removing sensitive corporate data from the device, revoking the device’s access to network resources, and decommissioning the user or device account. 


BYOD security solutions

BYOD programs raise device security concerns that IT departments don’t often encounter—or encounter to a lesser degree—with company-issued devices. Hardware or system vulnerabilities in employee devices could expand the company’s attack surface, granting hackers new ways to breach the company network and access sensitive data. Employees may engage in riskier browsing, email or messaging behavior on personal devices than they would dare to engage in with a company-issued device. Malware that infects an employee’s computer because of personal use could easily spread to the corporate network.

With company-issued devices, IT can avoid these and similar issues by directly monitoring and managing device settings, configurations, application software and permissions. But IT security teams are unlikely to have the same control over employees’ personal devices, and employees would likely bristle at that level of control. Over time, companies have turned to a variety of other technologies to mitigate BYOD security risks.

Virtual desktops

Virtual desktops—also known as virtual desktop infrastructure (VDI) or desktop as a service (DaaS)—are fully provisioned desktop computing instances that run on virtual machines hosted on remote servers. Employees access these desktops and essentially run them remotely from their personal devices, typically over an encrypted connection or VPN.

With a virtual desktop everything happens on the other end of the connection—no applications are installed on the personal device, and no company data is processed or stored on the personal device—which effectively eliminates most security concerns related to personal devices. But virtual desktops can be expensive to deploy and manage; because they’re dependent on an internet connection, there’s no way for employees to work off-line.

Cloud-based software-as-a-service (SaaS) can provide a similar security benefit with less management overhead, but also slightly less control over end-user behavior.

Device management solutions

Before BYOD, organizations managed company-issued mobile devices using mobile device management (MDM) software. MDM tools give administrators total control over the devices—they can enforce log-on and data encryption policies, install enterprise apps, push app updates, track device location, and lock and/or wipe a device if it is lost, stolen or otherwise compromised.

MDM was an acceptable mobile management solution until employees began using their own smartphones at work, and quickly bristled at granting IT teams this level of control over their personal devices, apps and data. Since then, new device management solutions have emerged as use of personal devices and employee working styles have changed:

Mobile application management (MAM): Rather than controlling the device itself, MAM focuses on app management, granting IT administrators control over corporate apps and data only. MAM often achieves this through containerization, the creation of secure enclaves for business data and applications on personal devices. Containerization gives IT complete control over applications, data, and device functionality within the container, but IT cannot touch or even see the employee’s personal data or device activity beyond the container.

Enterprise mobility management (EMM): As BYOD participation grew and extended beyond smartphones to tablets—and beyond BlackBerry OS and Apple iOS to Android—MAM struggled to keep up with all the new employee-owned devices being introduced to corporate networks. Enterprise mobility management (EMM) tools soon arose to solve this problem. EMM tools combine the functionality of MDM, MAM, and identity and access management (IAM), providing IT departments with a single-platform, single-pane view of all personal and company-owned mobile devices across the network.

Unified endpoint management (UEM): The one drawback to EMM was that it couldn’t manage Microsoft Windows, Apple macOS and Google Chromebook computers—a problem as BYOD needed to expand to include employees and third parties working remotely using their own PCs. UEM platforms emerged to close this gap, bringing mobile, laptop, and desktop device management together in a single platform. With UEM, IT departments can manage IT security tools, policies, and workflows for all types of devices, running any operating system, regardless of where they’re connecting from.


BYOD benefits and challenges

The most frequently cited benefits of BYOD for the organization are:

  • Cost savings and reduced IT administrative burden: The employer is no longer responsible for purchasing and provisioning devices for all employees. For companies able to implement and successfully manage BYOD for most or all employees, these savings can be considerable.

  • Faster onboarding of new hires: Employees no longer need to wait for a company-issued device to begin working on job-related tasks. This has been especially relevant during recent chip shortages and other supply chain disruptions, which can prevent a company from providing computers to employees in time to start work.

  • Improved employee satisfaction and productivity: Some employees prefer working with their own devices, which they find more familiar or capable than corporate-issued equipment.

These and other benefits of BYOD can be counterbalanced by challenges and tradeoffs, for employees and employers:

What should be included in a BYOD policy?

7 Things to Include in your BYOD Policy.
1: Specify what devices are permitted. ...
2: Determine who owns information stored on the device. ...
3: Provide a list of permitted apps. ...
4: Decide on phone number ownership. ...
5: Agree on a payment structure. ...
6: Outline security requirements. ...
7: Be flexible.

What are the three disadvantages of Bring Your Own Device (BYOD) processes at a workplace?

Here are some of the major cons of the Bring Your Own Device system:
Lack of Uniformity in Devices. A significant drawback of the BYOD model is the diversity of devices used for office work. ...
Increased Distraction. ...
Higher Security Risk. ...
Difficult Data Retrieval. ...
Legal Issues.

What is not a benefit of BYOD?

Viruses and security issues. One of the concerns in converting from a company-issued to a BYOD environment is that it makes security and device management more challenging for IT.

What are the possible disadvantages of a Bring Your Own Device (BYOD) policy?

The cons of BYOD: When employees bring their own devices to work, they are more likely to store work-related documents and files on their personal devices. This creates the potential for data breaches and security issues if an employee's device is lost or stolen.