What is bring your own device (BYOD)?

BYOD emerged with the debut of iOS and Android smartphones in the late 2000s, as more workers preferred these devices over standard company-issued mobile phones. The rise of remote and hybrid work arrangements, along with the increasing integration of corporate networks with vendors and contractors, accelerated the need for BYOD policies to extend beyond smartphones.

More recently, the COVID-19 pandemic, along with chip shortages and supply chain disruptions, forced many organizations to embrace BYOD policies. This approach enabled new hires to continue working while waiting for a company-issued device.

Typically crafted by the chief information officer (CIO) and other high-level IT decision-makers, a BYOD policy defines the terms under which employee-owned devices can be used at work. It also establishes the security policies that end users must observe while using them.

While the specifics of a BYOD policy vary depending on the goals of an organization’s BYOD strategy, most device policies define some variation of these elements:

Acceptable use: BYOD policies typically outline how and when employees can use personal devices for work-related tasks. For example, acceptable use guidelines might include information on securely connecting to corporate resources through a virtual private network (VPN) and a list of approved work-related apps.

Acceptable use policies often specify how sensitive company data must be handled, stored and transmitted by using employee-owned devices. Where applicable, BYOD policies might also include data security and retention policies that comply with regulations like the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act and the General Data Protection Regulation (GDPR).

Permitted devices: A BYOD policy can outline the types of personal devices that employees can use for work purposes and relevant device specifications, such as minimum operating system version.

Security measures: BYOD policies typically set security standards for employees’ devices. These measures can include minimum password requirements and two-factor authentication policies, protocols for backing up sensitive information and procedures to be followed when a device is lost or stolen. Security measures can also specify security software that employees must install on their devices, such as mobile device management (MDM) or mobile application management (MAM) tools. These BYOD security solutions are discussed in further detail later.

Privacy and permissions: BYOD policies typically outline the steps that the IT department take to respect employee privacy on their devices, including how the organization maintains separation between employee's personal data and corporate data. The policy can also detail the specific permissions that the IT department needs on the employee’s device, including certain software that it might need to install and apps that it might need to control.

Reimbursement: If the company reimburses employees for using their personal devices—such as by offering a stipend for device purchases or subsidizing internet or mobile data plans—a BYOD policy outlines how reimbursement is handled. It also specifies the amounts that employees can receive.

IT support: The BYOD policy can specify the extent to which a company’s IT department will (or won’t) be available to help employees troubleshoot broken or improperly functioning personal devices.

Offboarding: Finally, BYOD policies typically outline the steps to follow when an employee leaves the company or unenrolls their device from the BYOD program. These exit procedures often include plans for removing sensitive corporate data from the device, revoking the device’s access to network resources and decommissioning the user or device account.

BYOD programs raise device security concerns that IT departments don’t often encounter—or encounter to a lesser degree—with company-issued devices. Hardware or system vulnerabilities in employee devices might expand the company’s attack surface, granting hackers new ways to breach the company network and access sensitive data. Employees can engage in riskier browsing, email or messaging behavior on personal devices than they would dare to engage in with a company-issued device. Malware that infects an employee’s computer because of personal use might be easily spread to the corporate network.

With company-issued devices, IT can avoid these and similar issues by directly monitoring and managing device settings, configurations, application software and permissions. But IT security teams are unlikely to have the same control over employees’ personal devices, and employees would likely bristle at that level of control. Over time, companies have turned to various other technologies to mitigate BYOD security risks.

Virtual desktops, also known as virtual desktop infrastructure (VDI) or desktop as a service (DaaS), are fully provisioned desktop computing instances that run on virtual machines hosted on remote servers. Employees access these desktops and essentially run them remotely from their personal devices, typically over an encrypted connection or VPN.

With a virtual desktop, everything happens on the other end of the connection—no applications are installed on the personal device and no company data is processed or stored on the personal device—which effectively eliminates most security concerns related to personal devices. But virtual desktops can be expensive to deploy and manage because they rely on internet connection there’s no way for employees to work offline.

Cloud-based software-as-a-service (SaaS) can provide a similar security benefit with less management overhead, but also slightly less control over end-user behavior.

Before BYOD, organizations managed company-issued mobile devices using mobile device management (MDM) software. MDM tools give administrators total control over the devices—they can enforce log-on and data encryption policies, install enterprise apps, push app updates, track device location and lock or wipe a device if it is lost, stolen or otherwise compromised.

MDM was an acceptable mobile management solution until employees began using their own smartphones at work and quickly bristled at granting IT teams this level of control over their personal devices, apps and data. Since then, new device management solutions have emerged as users of personal devices and employee working styles have changed:

Mobile application management (MAM): Rather than controlling the device itself, MAM focuses on app management, granting IT administrators control over corporate apps and data only. MAM often achieves this through containerization, the creation of secure enclaves for business data and applications on personal devices. Containerization gives IT complete control over applications, data and device functionality within the container, but it cannot touch or even see the employee’s personal data or device activity beyond the container.

Enterprise mobility management (EMM): As BYOD participation grew and extended beyond smartphones to tablets—and beyond Blackberry OS and Apple iOS to Android—MAM struggled to keep up with all the new employee-owned devices being introduced to corporate networks. Enterprise mobility management (EMM) tools soon arose to solve this problem. EMM tools combine the functionality of MDM, MAM and identity and access management (IAM), providing IT departments with a single-platform, single-pane view of all personal and company-owned mobile devices across the network.

Unified endpoint management (UEM): The one drawback to EMM was that it couldn’t manage Microsoft Windows, Apple MacOS and Google Chromebook computers, which is a problem as BYOD needed to expand to include employees and third parties working remotely using their own PCs. UEM platforms emerged to close this gap, bringing mobile, laptop and desktop device management together in a single platform. With UEM, IT departments can manage IT security tools, policies and workflows for all types of devices, running any operating system, regardless of where they’re connecting from.

The most frequently cited benefits of BYOD for the organization are:

• Cost savings and reduced IT administrative burden: The employer is no longer responsible for purchasing and provisioning devices for all employees. For companies that are able to implement and successfully manage BYOD for most or all employees, these savings can be considerable.
  
  
• Faster onboarding of new hires: Employees no longer need to wait for a company-issued device to begin working on job-related tasks. This approach has been especially relevant during recent chip shortages and other supply chain disruptions, which can prevent a company from providing computers to employees on time to start work.
  
  
• Improved employee satisfaction and productivity: Some employees prefer working with their own devices, which they find more familiar or capable than corporate-issued equipment.

These and other benefits of BYOD can be counterbalanced by challenges and tradeoffs for employees and employers:

• Employee privacy concerns: Employees might worry about the visibility of their personal data and activity. They might also be uncomfortable installing IT-mandated software on their personal devices.
  
  
• Limited candidate pools, inclusion concerns: If BYOD is mandatory, people who can’t afford or don’t own adequate personal devices might be eliminated from consideration. Some people might also prefer not to work for an organization that requires them to use their personal computer, whether the employer reimburses them or not.
  
  
• Remaining security risks: Even with BYOD security and device management solutions in place, employees might not always adhere to cybersecurity best practices, such as good password hygiene and physical device security on their personal devices, opening the door to hackers, malware and data breaches.
  
  
• Regulatory compliance issues: Employers in healthcare, finance, government and other high-regulated industries might not be able to implement BYOD for some or any employees due to stringent regulations and costly penalties surrounding the handling of sensitive information.