Here are several actual BYOD policies that you can use as the framework for your own policy
Just say the words “bring your own device” and IT staffers start to rub their foreheads. Allowing users to attach their consumer devices, including smartphones and tablets, to the network might seem like a bad idea, but with a clear user policy that is re-signed annually, you can reduce a lot of organizational risk.
Make sure to include language about which platforms you support, whether or not you reimburse for various charges, what state the device must be in (i.e. not rooted or jailbroken) and what applications can and can’t be used while on the network.
Here are a few samples of BYOD policies to help guide you. For a longer discussion of BYOD policies, check out this white paper from the SANS Institute.
Good to go
Mobile device management vendor Good Technology has a sample policy that customers can customize to fit their own particular situation. The sample policy provides a solid framework for developing your own BYOD policy:
BYOD: There’s no stopping employees’ devices on your network
The use of a Smartphone in connection with (Company Name) business is a privilege granted to employees through approval of their management. (Company Name) reserves the right to revoke these privileges in the event that users do not abide by the policies and procedures set forth below.
The following policies are aimed to protect the integrity of (Company Name) data and ensure it remains safe and secure under (Company Name) control. Please note that there may be limited exceptions to these policies owing to device limitations between vendors.
(Define corporate policies here. Note: These are only examples and will vary per enterprise.)
*Your device will lock your account after 10 failed login attempts.
*Your device or Good application will lock every 30 minutes requiring reentry of your password.
*Your device will include password rotation every 90 days.
*The password must be a minimum of six characters.
*The password must contain at least one letter or number (except on devices that cannot accept alphanumeric passwords).
*The password must not be one of your previous four passwords.
*Your device will be remote wiped if: (i) you lose the device; (ii) you terminate employment with (Company Name); (iii) IT detects a data or policy breach or virus; or (iv) if you incorrectly type your password 10 consecutive times.
*Your iPhone, iPad or Android with Good device may allow for only the remote wipe of (Company Name) data. This means your personal data is still vulnerable, and thus it is recommended you also set a device password and take additional security precautions.
In addition to the above security settings, all users are expected to use their device in an ethical manner. Using your device in ways not designed or intended by the manufacturer is not allowed. This includes, but is not limited to, “jailbreaking” your iPhone.
Personal smartphone: A personal smartphone can be connected to the (Company Name) infrastructure (Good service), but the user is personally liable for the device and carrier service costs. Users of personal Smartphones are not eligible for expense reimbursement for hardware or carrier services. Users of personal smartphones must agree to all terms and conditions in this policy to be allowed access to those (Company Name) services.
Employees that purchase a device on their own that is not in line with our standard approved device lists may not be allowed to have their devices added to the servers. It is highly recommended that the employee refer to the Smartphone support website to review the devices that are being supported by IT. Users of personal Smartphones are not permitted to connect to (Company Name) infrastructure without documented consent from (Company Name) IT. Furthermore, (Company Name) and (Company Name) IT reserve the right to disable or disconnect some or all services without prior notification.
Release of Liability and Disclaimer to Users of Personal Smartphones Users (Company Name) hereby acknowledges that the use of a personal Smartphone in connection with (Company Name) business carries specific risks for which you, as the user, assume full liability. These risks include, but are not limited to, the partial or complete loss of data as a result of a crash of the OS, errors, bugs, viruses, and/or other software or hardware failures, or programming errors which could render a device inoperable.
(Company Name) hereby disclaims liability for the loss of any such data and/or for service interruptions. (Company Name) expressly reserves the right to wipe the Good application (or similar applications) at any time as deemed necessary for purposes of protecting or maintaining the (Company Name) service.
Furthermore, depending on the applicable data plan, the software may increase applicable rates. You are responsible for confirming any impact on rates as a result of the use of: (Company Name) – supplied applications as you will not be reimbursed by (Company Name). Finally, (Company Name) reserves the right, at its own discretion, to remove any (Company Name) – supplied applications from your smartphone as a result of an actual or deemed violation of the (Company Name) Smartphone Policy.
2. Sample School District Policy
Here is a school district’s BYOD policy. This is tailored to the education world, but it can also serve as food-for-thought when it comes to developing your own BYOD policy no matter what industry you’re in. This is in the form of a request to attach a non-district device to the district’s wired network:
District policy and regulations allow employees to attach personal devices to the WIRED network provided approval is granted from the Chief Technology Officer and the campus/department supervisor. This policy does not extend to devices attached to district’s owned equipment if the device requires the installation of supporting software. This form should be used by employees who wish to request a personal device be attached to the district’s WIRED network. All policy and regulations are to be adhered to strictly.
Terms of Agreement
I understand that the District assumes no obligation for the support, either onsite or by telephone, of the personal equipment neither will it accept any liability for modifications made to the equipment as a result of establishing a connection. The network continues to be configured in the best interests of the District-owned machines that are using it.
My campus/department supervisor must sign this waiver allowing the use of my personally owned computer onsite.
I must have current antivirus software installed on my computer and must continue to have up to date virus definitions installed and configured (subject to technical services approval).
I assume all liability when installing or uninstalling any software and do so at my own risk. I am responsible for adhering to copyright and licensing laws and guidelines for all software on my personal equipment.
I am able to properly configure my personally owned equipment for use on the District network using DHCP to obtain an IP address and assume all liability for improperly configuring my equipment.
I cannot have any network services (telnet, DNS, DHCP, web services, file-sharing programs [KaZaa, LimeWire, etc.]); or network utilities running on my system.
I understand that no personal network routers, access points, switches, hubs, network printers, or any other device besides that listed on this form, may be plugged into the District network at any time.
I understand that at no time can District-owned equipment be attached to my personal equipment.
I understand that my actions while using my personal equipment on the District network are governed by the District policy and regulations.
I will not store any confidential District data on my personal equipment.
I will not hold the District liable for theft, damage or loss of personal equipment.
I understand this approval is granted for the current school year and must be reapplied for annually.
A copy of this approval form will remain attached to the equipment at all times while on District property.
To be completed by Desktop Services Staff:
Device Manufacturer:
Model: Serial #:
MAC Address of all network cards:
Anti Virus Software Product Name:
Definitions Current? (circle one) Yes No Initial by DS Staff
I have read and accept the District policies and procedures regarding non-District hardware and/or connectivity to the District WIRED network and I agree to abide by them. I understand that should I commit any violation of the Acceptable Use Policy or regulations, my access privileges may be revoked and/or appropriate legal action may be taken.
User Signature: _____________________________________Date:___________________
Site Administrator Signature: __________________________Date:___________________
Chief Technology Officer – Denial / Approval: _____________________ Date: _________________
Note: This approval is valid for the current school year in which it was approved. Re-approval must take place on an annual basis.
3. Bioscience company’s BYOD policy
Here’s an actual BYOD policy statement from a global bioscience company that instituted an employee-owned smartphone program. As you can imagine, in an industry like bioscience, the policy is highly detailed and refers back to the employee handbook.
1. OVERVIEW
1.1 The company would like to provide greater mobile device choice to its knowledge workers and simultaneously reduce end-user mobile device complexity. Providing secured company email/calendar/contact data on employee personal smartphones allows these employees to use their device of choice, and it eliminates the need to carry multiple devices.
2. PURPOSE
2.1 The purpose of this document is to: (1) define employee eligibility for company-liable mobile devices; (2) establish an employee-owned smartphone alternative; (3) define the responsibilities, guidelines, and terms of use for employee-owned smartphones configured for company data use; and (4) define the enrollment procedure.
3. SCOPE
3.1 This document applies to employees who wish to receive company email/calendar/contact data on a personal mobile device.
3.2 Personal smartphones referenced in this document are limited specifically to smartphones running Apple iOS (iPhone) 4 or higher and Android version 2.2 or higher.
3.3 Employees currently using Blackberry devices and who wish to continue using them may do so. New, eligible employees wishing to use a company-owned Blackberry device may also do so.
4. REFERENCES
4.1 POL-3148 General Information Technology Security Policy
4.2 Employee Handbook use of Internet and Electronic Communications Systems
5. RESPONSIBILITIES
5.1 Information Technology Responsibilities
5.1.1 Information Technology (IT) is responsible for configuring and supporting the Employee-Owned Smartphone Program user’s smartphone to receive and access company email, calendar, and contact data.
5.1.2 IT is responsible for smartphone system removal and for performing a “remote wipe” of company email/calendar, contact data from an Employee-Owned Smartphone Program user’s lost or stolen smartphone. IT may perform a full device wipe at the user’s request.
5.1.3 IT is responsible for smartphone system removal and performing a “remote wipe” of company email/calendar/contact data from an Employee-Owned Smartphone Program user’s smartphone upon termination of employment with the company.
5.1.4 IT is responsible for maintaining a list of stipend-eligible employees and for providing Accounting/Payroll access to that list.
5.2 Accounting/Payroll
5.2.1 Accounting/Payroll is responsible for distributing the stipend to eligible employees.
5.3 Employee-Owned Smartphone Program User
5.3.1 The Employee-Owned Smartphone Program user is responsible for using company email on his or her personal smartphone within the same constraints as on a company-owned device, i.e., adhering to Use of Internet and Electronic Communications Systems in the Company Employee Handbook and POL-3148 General Information Technology Security Policy.
5.3.2 The Employee-Owned Smartphone Program user is responsible for maintaining and paying the monthly/annual fee to the telephone mobile carrier. All mobile telephone charges that he or she incurs are his or her responsibility, regardless whether such charges are work related or for personal use. This includes, but is not limited to, charges resulting from texts, data plan surcharges, calls, navigation, or application uses or from early termination fees.
5.3.2.1 Exception: Charges incurred during international business travel may be expensed at his or her manager’s discretion.
5.3.3 The Employee-Owned Smartphone Program user is responsible for all smartphone support requirements, including the cost of repairs or replacement. The company is responsible, however, for configuring and supporting the smartphone to receive and access company email, calendar, and contact data.
5.3.4 The Employee-Owned Smartphone Program user receiving a monthly stipend is responsible for notifying the company immediately if he or she discontinues phone service so that the stipend can be discontinued.
5.3.5 The Employee-Owned Smartphone Program user is responsible for contacting the IT Help Desk immediately in the event that his or her smartphone is lost or stolen.
6. PROCEDURE
6.1 Program Signup
6.1.1 Employees wishing to participate in the program must initiate an IT Help Desk ticket online… To complete and submit the request, employees must agree, by checking the appropriate box on the form that they have read and understood this document, Employee-Owned Smartphone Program, posted on the company’s Intranet home page under Policies.
6.1.2 Participating employees who will receive a stipend must agree to the Smartphone Stipend Terms and Conditions by signing and attaching the form to the IT Help Desk ticket. Smartphone Stipend Terms and Conditions can be found on the company’s Intranet home page under Policies.
6.2 Employee-Owned Smartphone Program with Stipend
6.2.1 Employees currently using a company-liable Blackberry smartphone, or future employees who are eligible for a company-liable smartphone, who prefer instead to use a personal iPhone or Android smartphone for both business and personal use, are eligible for a $50-per-month stipend to help defray their mobile costs.
6.3 Employee-Owned Smartphone Program without Stipend
6.3.1 Employees who are ineligible for a company-liable Blackberry smartphone but request company email/calendar/contacts use on a personal smartphone are also ineligible for a stipend. However the company will license and configure their personal iPhone or Android smartphone for business use if requested.
6.4 Stipend Eligibility
6.4.1 Stipend eligibility mirrors company-liable smartphone eligibility, which is determined based on a job function’s mobile device profile. Mobile device profiles eligible for a company-liable smartphone and therefore a stipend for personal smartphone use, are as follows:
6.4.1.1.1 *Executive – Employees who are director and above.
6.4.1.1.2 *Mobile Professional – Employees who are on business travel >10%.
6.4.1.1.3 *Support Professional – Employees who are (1) on call and required to respond to business emergencies or system outages, or (2) primary contact for a company partner or client, or a first responder to critical business events.
6.4.2 Exceptions to these criteria require approval from a member of the company’s Operating Committee.
6.5 Stipend Details
6.5.1 The $50/month stipend for eligible program participants will be non-taxed, and the annualized sum of $600 will be distributed across a given year’s 26 paychecks; each paycheck, therefore, will reflect a non-taxed $23.08 stipend value ($600/26).
6.5.2 Upon termination of employment with the company, a user receiving a smartphone stipend must have worked at least one week during the current pay period in order to receive a stipend for that pay period.
6.6 International Business Travel
6.6.1 The IT Help Desk maintains international Blackberry devices for temporary use during international business travel. Employee-Owned Smartphone Program users are encouraged to use these devices for international business travel to avoid high international roaming charges on personal mobile bills.
6.6.2 Charges incurred on an Employee-Owned Smartphone Program user’s personal device during international business travel may be expensed at his or her manager’s discretion. Employee-Owned Smartphone Program users are encouraged to check with their managers before international business travel to determine whether it will be acceptable to expense international charges.
6.7 License Limitation
6.7.1 The company will license one (1) personal device for company email/calendar/contacts per participating Employee-Owned Smartphone Program user.
6.7.2 Additional licenses will be based on business need and will require CIO approval.
6.8 Mobile Number Porting/Transferring
6.8.1 Upon request, the company will port an existing company mobile number to an Employee-Owned Smartphone Program user whose smartphone is registered to another mobile carrier; alternatively the company will transfer liability for the number from the company to an Employee-Owned Smartphone Program user using the same carrier. In both cases, the mobile number liability will transfer from the company to the Employee-Owned Smartphone Program use, and in both cases the company will absorb the port/transfer fee.
6.9 The Company Email/Calendar/Contacts App
6.9.1 To enable corporate email/calendar/contacts on an Employee-Owned Smartphone Program user’s personal device, the company will use a secure communications app.
6.9.2 Once a participating employee installs the secure communications app on his or her iPhone or Android device and the app is configured, all corporate email/calendar/contacts will reside within the secure communications app.
6.9.3 The company will manage the configuration of the secure communications app, but the company has no access to any data residing on a participating employee’s personal device.
6.10 Rooted or Jailbroken Devices
6.10.1 Rooted Android devices and jailbroken Apple iOS devices pose a risk to company data contained within the secure communications app. Therefore, the company will disable or remove the app and remove company data on devices determined to be rooted or jailbroken.




