BYOD, for “bring your own device,” refers to a corporate IT policy that determines when and how employees, contractors, and other authorized end users can use their own laptops, smartphones and other personal devices on the company network to access corporate data and perform their job duties.
BYOD emerged with the debut of iOS and Android smartphones in the late 2000s, as more and more workers preferred these devices to the standard company-issued mobile phones of the era. The rise of remote work and hybrid work arrangements, and the opening of corporate networks to vendors and contractors, accelerated the need for BYOD policy to expand beyond smartphones. Most recently, the COVID-19 pandemic—and the ensuing chip shortages and supply chain disruptions—forced many more organizations to embrace BYOD policy, to enable new hires to work while waiting for a company-issued device.
How to protect corporate data and privacy on personal devices used for work
Typically crafted by the CIO and other high-level IT decision-makers, BYOD policy defines the terms under which employee-owned devices can be used at work, and the security policies end users must observe while using them.
While the specifics of a BYOD policy will vary depending on the goals of an organization’s BYOD strategy, most device policies define some variation of the following:
Acceptable use: BYOD policies typically outline how and when employees can use personal devices for work-related tasks. For example, acceptable use guidelines may include information on securely connecting to corporate resources through a virtual private network (VPN) and a list of approved work-related apps.
Acceptable use policies often specify how sensitive company data must be handled, stored, and transmitted using employee-owned devices. Where applicable, BYOD policies may also include data security and retention policies that comply with regulations like the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act, and the General Data Protection Regulation (GDPR).
Permitted devices: A BYOD policy may outline the types of personal devices employees can use for work purposes, and relevant device specifications, such as minimum operating system version.
Security measures: BYOD policies typically set security standards for employees’ devices. These can include minimum password requirements and two-factor authentication policies, protocols for backing up sensitive information, and procedures to be followed if a device is lost or stolen. Security measures may also specify security software that employees must install on their devices, such as mobile device management (MDM) or mobile application management (MAM) tools. These BYOD security solutions are discussed in further detail below.
Privacy and permissions: BYOD policies typically outline the steps the IT department will take to respect employee privacy on their devices, including how the organization will maintain separation between employee personal data and corporate data. The policy may also detail the specific permissions the IT department needs on the employee’s device, including certain software it may need to install and apps it may need to control.
Reimbursement: If the company reimburses employees for using their personal devices—e.g., by offering a stipend for device purchases, or subsidizing internet or mobile data plans—a BYOD policy will outline how reimbursement is handled and the amounts employees may receive.
IT support: The BYOD policy may specify the extent to which a company’s IT department will (or won’t) be available to help employees troubleshoot broken or improperly functioning personal devices.
Off-boarding: Finally, BYOD policies typically outline steps to follow if an employee leaves the company or unenrolls their device from the BYOD program. These exit procedures often include plans for removing sensitive corporate data from the device, revoking the device’s access to network resources, and decommissioning the user or device account.
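As an added example that is not part of the original page, the following Python evaluates constructed device posture records against the policy elements described above (permitted devices with a minimum OS version, security measures such as passcode length and two-factor authentication, and off-boarding). The policy thresholds and the posture field names are assumptions made for illustration, not the terms of any real BYOD program.

```python
# Added example, not from the original page: checks enrolled-device posture
# records against a BYOD policy; thresholds and field names are assumptions.
POLICY = {
    "min_os": {"ios": "16.0", "android": "13"},  # permitted devices + minimum OS
    "min_passcode_len": 6,                       # security measures
    "require_mfa": True,
    "require_encryption": True,
}

def parse_version(s):
    # "16.4.1" -> (16, 4, 1). Tuples compare numerically, so Android "9"
    # is correctly below "13"; a plain string compare would say "9" > "13".
    return tuple(int(p) for p in s.split("."))

def evaluate(device, policy=POLICY):
    """Return a list of policy violations; an empty list means compliant."""
    issues = []
    platform = device.get("platform")
    min_os = policy["min_os"].get(platform)
    if min_os is None:
        issues.append(f"platform not permitted: {platform}")
    elif parse_version(device["os_version"]) < parse_version(min_os):
        issues.append(f"os {device['os_version']} below minimum {min_os}")
    if device.get("passcode_len", 0) < policy["min_passcode_len"]:
        issues.append("passcode shorter than policy minimum")
    if policy["require_mfa"] and not device.get("mfa_enrolled"):
        issues.append("two-factor authentication not enrolled")
    if policy["require_encryption"] and not device.get("encrypted"):
        issues.append("device storage not encrypted")
    if not device.get("user_active", True):
        # off-boarding: departed user -> revoke access, remove corporate data
        issues.append("user off-boarded: revoke access and wipe work data")
    return issues

# Constructed sample posture records (not real devices)
DEVICES = [
    {"id": "d1", "platform": "ios", "os_version": "17.2", "passcode_len": 6,
     "mfa_enrolled": True, "encrypted": True, "user_active": True},
    {"id": "d2", "platform": "android", "os_version": "9", "passcode_len": 4,
     "mfa_enrolled": False, "encrypted": True, "user_active": True},
    {"id": "d3", "platform": "ios", "os_version": "16.4", "passcode_len": 8,
     "mfa_enrolled": True, "encrypted": True, "user_active": False},
    {"id": "d4", "platform": "windows", "os_version": "10.0", "passcode_len": 8,
     "mfa_enrolled": True, "encrypted": True, "user_active": True},
]

def report(devices=DEVICES, policy=POLICY):
    # map device id -> list of violations for every enrolled device
    return {d["id"]: evaluate(d, policy) for d in devices}
```

In a real deployment the posture records would come from the MDM, MAM or UEM platform's device inventory rather than a hard-coded list.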
BYOD programs raise device security concerns that IT departments don’t often encounter—or encounter to a lesser degree—with company-issued devices. Hardware or system vulnerabilities in employee devices could expand the company’s attack surface, granting hackers new ways to breach the company network and access sensitive data. Employees may engage in riskier browsing, email or messaging behavior on personal devices than they would dare to engage in with a company-issued device. Malware that infects an employee’s computer because of personal use could easily spread to the corporate network.
With company-issued devices, IT can avoid these and similar issues by directly monitoring and managing device settings, configurations, application software and permissions. But IT security teams are unlikely to have the same control over employees’ personal devices, and employees would likely bristle at that level of control. Over time, companies have turned to a variety of other technologies to mitigate BYOD security risks.
Virtual desktops—also known as virtual desktop infrastructure (VDI) or desktop as a service (DaaS)—are fully provisioned desktop computing instances that run on virtual machines hosted on remote servers. Employees access these desktops and essentially run them remotely from their personal devices, typically over an encrypted connection or VPN.
With a virtual desktop everything happens on the other end of the connection—no applications are installed on the personal device, and no company data is processed or stored on the personal device—which effectively eliminates most security concerns related to personal devices. But virtual desktops can be expensive to deploy and manage, and because they depend on an internet connection, there is no way for employees to work offline.
Cloud-based software-as-a-service (SaaS) can provide a similar security benefit with less management overhead, but also slightly less control over end-user behavior.
Device management solutions
Before BYOD, organizations managed company-issued mobile devices using mobile device management (MDM) software. MDM tools give administrators total control over the devices—they can enforce log-on and data encryption policies, install enterprise apps, push app updates, track device location, and lock and/or wipe a device if it is lost, stolen or otherwise compromised.
MDM was an acceptable mobile management solution until employees began using their own smartphones at work, and quickly bristled at granting IT teams this level of control over their personal devices, apps and data. Since then, new device management solutions have emerged as the use of personal devices and employee working styles have changed:
Mobile application management (MAM): Rather than controlling the device itself, MAM focuses on app management, granting IT administrators control over corporate apps and data only. MAM often achieves this through containerization, the creation of secure enclaves for business data and applications on personal devices. Containerization gives IT complete control over applications, data, and device functionality within the container, but it cannot touch or even see the employee’s personal data or device activity beyond the container.
Enterprise mobility management (EMM): As BYOD participation grew and extended beyond smartphones to tablets—and beyond BlackBerry OS and Apple iOS to Android—MAM struggled to keep up with all the new employee-owned devices being introduced to corporate networks. Enterprise mobility management (EMM) tools soon arose to solve this problem. EMM tools combine the functionality of MDM, MAM, and identity and access management (IAM), providing IT departments with a single-platform, single-pane view of all personal and company-owned mobile devices across the network.
Unified endpoint management (UEM): The one drawback to EMM was that it couldn’t manage Microsoft Windows, Apple macOS and Google Chromebook computers—a problem as BYOD needed to expand to include employees and third parties working remotely using their own PCs. UEM platforms emerged to close this gap, bringing mobile, laptop, and desktop device management together in a single platform. With UEM, IT departments can manage IT security tools, policies, and workflows for all types of devices, running any operating system, regardless of where they’re connecting from.
The most frequently cited benefits of BYOD for the organization are:
These and other benefits of BYOD can be counterbalanced by challenges and tradeoffs, for employees and employers:
UEM enables IT and security teams to monitor, manage and secure all end-user devices on the network in a consistent manner, using one tool.
IAM allows IT administrators to assign a single digital identity to each entity, authenticate them when they log in, authorize them to access specified resources, and monitor and manage those identities throughout their lifecycle.
Mobile security protects mobile devices and communications hardware from data and asset loss.
With MaaS360, Credico was able to improve its compliance enforcement and reporting capabilities—as well as its self-service portal features—to achieve total policy compliance, quick identification and remediation of security risks, plus dramatic cost reductions.
With IBM Security MaaS360 you will merge efficiency and effectiveness by managing any existing endpoints, and protecting them with evolved native endpoint security capabilities such as threat management, identity and access management (IAM) and more. MaaS360 lets you scale your remote workforce and BYOD initiatives, helping you build a strong cybersecurity posture. And with Watson, you can take advantage of AI-driven insights extracted from vast volumes of endpoint data.