A free UK-aligned template covering 4 essential clauses. Edit the highlighted fields, sign, and adopt.
Document owner
[Insert role — typically IT Director or Head of Information Security]
Approved by
[Insert name and date of board / management approval]
Version
1.0
Date of issue
[DD Month YYYY]
Review cycle
Annually, or upon material change to the IT estate
Classification
Internal — All Employees
Applies to
All employees, contractors, agency workers and third parties accessing [Company] data on personal devices
This free template provides four foundational clauses: Purpose & Scope, Definitions, Acceptable Use, and Security Baseline. A complete audit-ready BYOD policy also requires clauses covering MDM/containerisation configuration, incident response and lost-device procedure, the ACAS-compliant leaver wipe workflow, and an employee acceptable-use acknowledgement form. The full 7-clause version with ISO 27001 Annex A mapping is available at the link at the end of this document.
1. Purpose and Scope
This policy sets out the conditions under which [Company] permits employees and authorised third parties to use personal devices to access company information, systems and communications. The objective is to enable flexible working while maintaining proportionate protection over personal data and confidential business information under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and applicable contractual obligations.
This policy applies to any personally owned smartphone, tablet, laptop, desktop or wearable device used to:
Send, receive or store company email or messaging traffic;
Access company-managed cloud services, intranet, file shares or line-of-business applications;
Process, view or transmit personal data for which [Company] is controller or processor;
Store any document, image, recording or extract derived from company sources.
Participation in the BYOD scheme is voluntary. Where access to company systems is a reasonable requirement of the role, [Company] will offer a company-issued device as an alternative. Use of a personal device for company purposes outside this policy is not authorised.
2. Definitions
Personal device means any computing device the employee or third party owns or controls and which is not asset-tagged or managed by [Company] IT.
BYOD scheme means the framework established by this policy under which a personal device may be enrolled for access to company systems.
Mobile Device Management (MDM) means the technical platform — for example Microsoft Intune, Jamf, or Google Workspace Endpoint Management — used by [Company] to apply configuration profiles, security baselines and selective-wipe controls to enrolled devices.
Work profile / managed app means a logically separated container on the device within which company data is stored and processed and from which data cannot be moved to unmanaged apps except as permitted by the MDM data-loss-prevention configuration. Examples include the Android Enterprise Work Profile, iOS managed apps subject to managed open-in restrictions, and the encrypted containers created by third-party enterprise mobility products.
Selective wipe means the removal of the work profile, managed apps, and company data from a device without affecting the user's personal data, applications, photographs or contacts.
Personal data has the meaning assigned in Article 4(1) UK GDPR.
3. Acceptable Use
Users approved to participate in the BYOD scheme shall:
Enrol the device with the [Company] MDM platform prior to first access to company systems;
Access company resources exclusively through the approved work profile, managed application set, or browser-based session, and never store company data in personal cloud storage (iCloud Drive, personal Google Drive, Dropbox personal, etc.);
Use only operating system versions still in receipt of vendor security updates. [Company] will publish the supported version list and update it quarterly;
Promptly install operating system and managed-application security updates pushed via MDM;
Report a lost, stolen or compromised device to [Company] IT within four working hours of discovery, by the means set out in the incident response procedure;
Cooperate with reasonable evidence preservation and lawful disclosure requirements affecting work-profile data, including legal hold, data subject access requests under Article 15 UK GDPR, and erasure requests under Article 17 UK GDPR.
Users shall not:
Jailbreak, root, or otherwise circumvent the security model of the device;
Disable any control applied by MDM, including passcode enforcement, encryption-at-rest, or biometric requirements;
Transfer company data from the managed container to personal apps, including by screenshot or copy-and-paste, except where such transfer is expressly permitted by the application's data-loss-prevention configuration;
Permit other persons — including family members — to access company resources from the device;
Continue to use the device for company purposes after employment ends or after the device is sold, gifted, lost or replaced.
4. Security Baseline
Each enrolled device must satisfy the following minimum technical controls. These controls are applied automatically by the MDM configuration profile and audited at enrolment and on a continuous basis thereafter.
4.1 Identity and access
Device-level passcode of at least six digits, or biometric unlock with a passcode fallback that itself meets the six-digit minimum. Pattern unlocks are not permitted.
Auto-lock after a maximum of two minutes of inactivity.
Lockout after ten consecutive failed passcode attempts, with progressive backoff between attempts per the platform default.
Multi-factor authentication enforced on every company account used from the device.
4.2 Encryption
Storage encryption enabled at rest — FileVault on macOS, BitLocker on Windows, and the default platform file-based encryption on iOS (which depends on a device passcode being set) and on Android 10 and above.
All traffic to and from company resources transported over TLS 1.2 or higher.
4.3 Operating-system support
iOS — current major version and one prior, while still in vendor support.
Android — version 12 and above, devices receiving monthly security patches.
macOS — current major version and one prior.
Windows — versions and feature updates still receiving security updates under Microsoft's Modern Lifecycle Policy.
4.4 Network
Access to company internal services from outside the office permitted only via [Company]-approved VPN, identity-aware proxy, or zero-trust network access broker.
Connection to untrusted public Wi-Fi without the approved VPN or zero-trust client active is not permitted for work-profile use.
4.5 Anti-malware and integrity
The platform's device-integrity attestation (Apple Managed Device Attestation, Google Play Integrity, which replaces the deprecated SafetyNet Attestation API, and Windows Device Health Attestation) must report a healthy state to the MDM; a device reporting jailbreak, root, or an unverified boot state is treated as non-compliant.
Endpoint protection software, where applicable to the platform, must be enabled with definitions current.
Get the full BYOD policy — 7 clauses, ISO 27001-aligned
This free version covers the four foundational clauses. The full £39.99 single-policy version adds: MDM/containerisation configuration baseline, incident response and lost-device procedure, the ACAS-compliant leaver wipe workflow, and an employee acceptable-use acknowledgement form. Editable Word + PDF, instant download, lifetime access, no subscription.