How to Write Your Enterprise BYOD Policy

As you develop or refresh your mobility policy to include provisions for BYOD and other current issues, be sure to involve all key stakeholders (HR, Finance, IT) and take a methodical approach, focused around the 8 key elements outlined below.

An enterprise BYOD policy should include guidelines around: 

1. Eligibility: Defining which employees and devices are eligible for corporate programs.
2. Reimbursement: Defining who is eligible for reimbursement, the amount of reimbursement, the reimbursement process, and the employee’s responsibility within it.
3. Acceptable use: Defining the employer’s expectations for usage. E.g. restricted applications, international travel, use of cloud-based data storage, device sharing etc.
4. Security & UEM governance: Defining the responsibilities of the end user, including compliant use of your UEM solution, to safeguard corporate data and networks.
5. Legal issues: Considerations include data ownership, device confiscation, expectations of privacy, GPS tracking, and work performed in off hours.
6. Change and support: Will your company provide support for devices? If so how and when? How will change be dealt with?
7. Mobility Program administration: Ensuring your policy is concise, understandable, and easy to follow.
8. Expense management: Good expense management can ensure your BYOD policy doesn’t cost you.

"You will also need to consider what the repercussions will be for violations of policy."

1. Eligibility

Organizations must define the employees and devices eligible for corporate programs.

Today, most organizations operate a program of hybrid mobility whereby some devices are corporate-owned (corporate-liable) and some are employee-owned (BYOD). Your corporate policy should define employee eligibility for both corporate-liable mobility and BYOD programs. 

Device eligibility might also be defined specifically in your policy, or your policy may note that the employer retains the right to restrict network access or reimbursement based on device type.

Once you have defined eligibility, you will want to segment users.

Typically your policy will define segments of employees based on organizational role, travel patterns, and usage. Each eligible employee is assigned to a group that reflects their approved eligibilities for access and reimbursement.

Example

Related read: BYOD: Your Gateway to Remote Working

2. Reimbursement

Organizations typically establish various levels of reimbursement based on employee role.

Role-based policies commonly dictate whether an employee might be issued a corporate-liable device – whereby the employer owns the equipment and both devices and service costs are 100% employer-paid. Those using their own phone may be fully or partially reimbursed, usually via expense reports.

The level of reimbursement offered should be given careful consideration. It’s important to remember that reimbursements can act as the “carrot” to entice employees to accept the enterprise mobility policy.

The Expense Report Burden

The cost of processing expense reports is an easily-overlooked cost factor of your BYOD program. Best-practice BYOD programs offer direct-to-carrier payments of employee reimbursements, whereby the employee receives a monthly service bill from the carrier, already credited with the employer’s reimbursement amount. Such programs eliminate the cost of expense reporting.

Don’t forget that your policy will need to address international calls and roaming. Who pays?

Related read: The Complete Guide to Telecom Expense Reporting

3. Acceptable Use

This is your opportunity to decide what is and is not acceptable with BYOD device use. Consider carefully where you wish to draw the line between what is safe and acceptable for your business and allowing your employees a measure of freedom with their preferred devices.

Policies should reference the employer’s expectations for:

• International travel (such as using Wi-Fi, international devices)
• General use of SMS/texting
• Camera use
• Restricted software (e.g. applications, ring tones, social media sites)
• Cloud-based document storing (e.g. Box, Dropbox, etc.)
• Sharing device with others
• Usage while driving (e.g. texting, hands-free calling – and in accordance with local laws)

4. Security & UEM Governance

To safeguard proprietary data and networks, employees must adhere to security measures.

Technologies, including unified endpoint management (UEM), continue to evolve – but so do threats. To protect assets, organizations will continue to invest in solutions for encryption, patch management, anti-malware solutions, network access controls, and identity management initiatives. BYOD items are by no means exempt from the need for stringent security measures.

Your policy should enable you to manage security by employing technology – such as loading UEM software – on employee-owned devices. Adopting a UEM solution allows IT to centrally govern device security, data security, and app management regardless of who owns the device. This reduces organizational fragmentation and lowers operational costs.

UEM offers increased visibility into suspicious activity across all endpoints, making it easier for IT managers to analyze these activities and take corrective action. Plus, it helps your staff.

Users expect more from their organization’s IT.  They want access to any app, any content, from any device or location at any time of day. But is that too much to ask in a security-conscious world?

No, as it turns out.

UEM provides such a “self-service” experience. It offers flexibility, access, and on-demand efficiency that today’s users expect.

A cloud-based unified endpoint management solution allows your enterprise to provide business teams and users:

• Push-based and instant delivery of policies, apps and updates
• Self-service access to any app in its unified catalog across any device – from the latest mobile-cloud apps to legacy enterprise apps
• Fully automated enrollment, pre-configuration, and retirement for any device

Because both security threats and technological solutions continually evolve, your policy should be expressed in flexible language and not restricted to today’s specific technologies.

5. Legal Issues

It’s important that BYOD policies consider all potential legal ramifications and adhere to all applicable local and, where necessary, global laws.

Legal considerations include:

Data Ownership

Corporate data and employee-owned data may be co-mingled on mobile devices. To avoid this complication, enterprises should use a UEM tool, supported by strong policies, to keep data separate. UEM tools create a safe space for corporate data, allowing you to remain compliant without disrupting your employees' user experience.

Device Confiscation & Access

Could a situation occur in which an employer may want to confiscate an employee-owned device? If so, you will need to consider what the processes for this situation will look like?

Expectations of Privacy

What expectations of privacy does an employee have regarding the use of a corporate-owned device or employee-owned device?

Other Considerations

Your policy might also address concerns that involve personal data or the use of global positioning satellite (GPS) tracking, after-hours work performed by hourly employees using mobile devices, and eligibility for overtime pay.

Your corporate mobility policies for managing company business should never be deemed to conflict with or override government laws in any way.

6. Change & Support

Your BYOD policy must anticipate challenges and establish procedures for its management. You will also need to consider how your employees will access support, and, if this is something the enterprise will be providing, how it will work.

Your policy and procedures should address the following:

• What happens when someone leaves the organization?
• What happens if a device is stolen or permanently lost?
• What happens if a lost device is recovered?
• Who helps an employee learn how to use the device and/or manage mobility – from passwords to software?
• What are help-desk hours of operation? Modes of operation?
• What happens if staff damage, destroy, or steal an employee-owned device?
• What happens when an employee moves from one eligibility group to another?
• What is your equipment-refresh policy for corporate-owned devices?
• What controls exist to ensure coordination and communication with terminated employees?
• Are systems integrated so that a single notification can update HRIS, payroll, and Communications Lifecycle / Mobility Management?

7. Mobility Program Administration

Policies are only as strong as an organization’s ability to execute and enforce them. All policies should be as concise as possible, easily understandable, and fully enforceable.

Automate as Much as Possible

The more you can automate, the greater burden you remove from the shoulders of your teams. Cass has found that over 60% of respondents agreed or strongly agreed that they could use better automation to enforce BYOD policy compliance.

In addition to improving efficiency, automated systems and processes – such as self-enrollment via employee portals, online help tools, online procurement (catalogues and shopping carts), and online policy acceptance and training – will promote a healthy program of policy adherence and enforcement.

Automation also ensures visibility to device inventory – both of service plans and corporate devices to employee-owned devices.

Accounting

Costs for corporate-liable devices and BYOD reimbursement payments must be allocated to appropriate cost centers. Use of direct-to-carrier payments for BYOD reimbursements eliminates the cost and hassle of expense reporting.

Providers of Communication Lifecycle Management and Managed Mobility Service (MMS) solutions (including Cass Information Systems) can help your organization develop its own custom mobile policy and manage both corporate and employee-owned devices. Cass provides systematic controls involving HRIS integration and automated GL cost accounting.

Related read: How to Choose the Right BYOD Management Provider

8. Expense Management

BYOD offers the potential for employers to increase mobile usage and productivity. To ensure these benefits are not outweighed by budget strain, organizations must proactively establish the necessary controls to manage the costs of increased mobility.

The cost of BYOD depends largely on the employer’s policies and strategic purposes in offering BYOD, as well as current cost structures and current level of mobility. With this in mind, BYOD can increase or decrease mobility costs or be cost neutral.

Potential Cost Reductions:

• Less IT/help-desk support
• Fewer equipment purchase and upgrade costs
• Potential to move employees from corporate-liable mobility to zero or partial reimbursement or to a lower-dollar, fixed reimbursement

Potential Cost Increases:

• Increased costs for network security and protection against intellectual property loss. (This may include software and services for private networks, encryption, and device, application, and content management)
• Increased use of employee reimbursements where no previous reimbursement existed

Work with your Communications Lifecycle Management provider to manage the costs of increased mobility.