BYOD Policy Template for BC Small Businesses | Northstar IT

BYOD Policy Template for BC Small Businesses

Bring Your Own Device is standard practice at most small businesses, whether or not it's written down anywhere. Staff check email on personal phones, open files on home laptops, and join video calls from personal tablets. Without a written policy, you have no enforceable minimum security standards, and under BC PIPA, "no documented safeguards" is a problem if client personal information is accessible from unmanaged personal devices. Here is a template to adapt and adopt.

Version: 1.0 | Effective date: [Date] | Reviewed annually by: [Privacy Officer / Operations Lead]


Policy Section 1: Scope and Eligibility

1.1 Who this applies to: This policy applies to all employees, contractors, and third parties who access [Business Name] systems, data, or communications using a personally owned device.

1.2 Permitted device types: The following personal device types may be used for work purposes, subject to the conditions in this policy:

  • Smartphones (iOS and Android)
  • Tablets
  • Personal laptops (Windows, macOS)

1.3 Restrictions by data class: The following restrictions apply by data classification:

Device type | Public data | Internal data | Confidential data | Restricted data
Personal smartphone | ✓ (email/calendar only) | Not permitted | Not permitted |
Personal laptop | With MDM enrollment | Not permitted | |

1.4 Prohibited activities on personal devices:

  • Storing client contracts, financial records, or regulated personal information in personal cloud storage (iCloud, personal Google Drive, Dropbox personal)
  • Installing company applications on jailbroken or rooted devices
  • Sharing business email credentials with other household members

Policy Section 2: Minimum Security Requirements

Before accessing company systems from a personal device, the device must meet:

  ☐ Screen lock: PIN, password, or biometric lock enabled. Auto-lock set to 5 minutes or less.
  ☐ Encryption: Device storage encrypted. (iOS: enabled by default with passcode. Android: verify in Settings > Security. Windows laptops: BitLocker enabled.)
  ☐ Operating system: Current or previous major version only. (Example: iOS 17 or 18 accepted; iOS 15 not accepted.)
  ☐ Remote wipe consent: Employee must consent to remote wipe of company data (not personal data) as a condition of BYOD access. See Section 4.
  ☐ Antivirus / EDR: Required on personal laptops accessing Confidential data. Managed via MDM enrollment (see Section 5).


Policy Section 3: Acceptable Use

3.1 Work purposes: Personal devices may be used for company email, calendar, video calls, and productivity applications approved by [IT Contact].

3.2 Prohibited on any device (personal or company-owned):

  • Accessing company systems while under the influence of substances
  • Allowing non-employees to use a device that has access to company systems
  • Circumventing MDM or security controls

3.3 Company application installation: Company-managed applications (Microsoft Outlook, Teams, Authenticator, MDM agent) may be installed on personal devices with employee consent. These applications create a managed container; they do not affect personal data, apps, or photos.


Policy Section 4: Remote Wipe and Privacy

4.1 Company data wipe: If a personal device is reported lost or stolen, [IT Contact] will perform a selective remote wipe of company applications and data only. Personal data (photos, personal apps, personal accounts) will not be affected.

4.2 Full wipe (exceptional cases): A full device wipe may be required only if selective wipe is not technically available and the device holds Confidential data. This will be discussed with the employee before action is taken where circumstances permit.

4.3 Privacy of personal data: [Business Name] does not monitor or access personal applications, messages, or files on personal devices. MDM enrollment enables management of company applications only.

4.4 Device departure: When employment ends, company applications and data will be removed from the personal device within 48 hours of the employee's last day.


Policy Section 5: Implementation with MDM

Personal devices accessing Confidential data or enrolled in company systems should be managed via a Mobile Device Management (MDM) platform; Microsoft Intune is the standard for M365 environments. Enrollment takes approximately 10 minutes and does not grant the company access to personal content.

Employees who decline MDM enrollment may retain access to email and calendar only, via browser access to Outlook Web App, and may not access Confidential data from personal devices.
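The Section 2 checklist and the Section 5 enrollment rule can be turned into a repeatable device check. The following is an added example, not part of the policy template and not Northstar IT's or Intune's code; the Device record fields and the CURRENT_MAJOR version table are constructed assumptions, not an Intune or Graph API schema.

```python
"""Check a personal-device record against the Section 2 minimum requirements
and the Section 5 MDM rule. Added example, not from the policy or Northstar IT;
the Device fields are assumptions, not an Intune or Graph API schema."""
from dataclasses import dataclass

# Assumed current major version per platform (constructed; update as releases ship).
CURRENT_MAJOR = {"ios": 18, "android": 15, "windows": 11, "macos": 15}

@dataclass
class Device:
    kind: str                # "smartphone" or "laptop"
    os_name: str             # a key of CURRENT_MAJOR
    os_major: int
    screen_lock: bool
    auto_lock_seconds: int   # 0 means the device never auto-locks
    encrypted: bool
    rooted: bool = False
    mdm_enrolled: bool = False
    edr_installed: bool = False
    wipe_consent: bool = False

def section2_failures(d: Device) -> list:
    """Return the checklist items the device fails; an empty list means it passes."""
    failures = []
    if not d.screen_lock or not 0 < d.auto_lock_seconds <= 300:
        failures.append("screen lock with auto-lock of 5 minutes or less")
    if not d.encrypted:
        failures.append("device storage encrypted")
    current = CURRENT_MAJOR.get(d.os_name)
    if current is None or d.os_major < current - 1:   # current or previous major only
        failures.append("OS at current or previous major version")
    if not d.wipe_consent:
        failures.append("consent to selective remote wipe (Section 4)")
    if d.rooted:                                       # Section 1.4
        failures.append("device not jailbroken or rooted")
    return failures

def allowed_access(d: Device) -> str:
    """Highest data access the policy allows this device, as a label."""
    if section2_failures(d):
        return "none"
    if not d.mdm_enrolled:
        return "email_calendar_web"   # Section 5: Outlook Web App in a browser only
    if d.kind == "laptop":
        # Section 2: EDR required on laptops that access Confidential data.
        return "confidential" if d.edr_installed else "internal"
    return "email_calendar"           # Section 1.3: smartphones, email/calendar only
```

Feeding it an exported device inventory gives a per-device list of the checklist items to fix before access is granted, and the access label an administrator should configure.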

To talk to a Prince George-based IT team about implementing this policy and MDM enrollment, call 672-983-1174 or book a free assessment at northstarit.ca.

Ready to formalise your BYOD policy?

North Star can review your current BYOD situation, write a policy, and configure Intune to enforce it. Book a free assessment to get started.
