What is bring your own device (BYOD)?
What is BYOD?

BYOD, or bring your own device, refers to corporate IT policy that determines when and how employees, contractors and other authorized end users can use their own laptops, smartphones and other personal devices on the company network to access corporate data and perform their job duties.

BYOD emerged with the debut of iOS and Android smartphones in the late 2000s, as more and more workers preferred these devices to the standard company-issued mobile phones of the era. The rise of remote work and hybrid work arrangements and the opening of corporate networks to vendors and contractors accelerated the need for BYOD policy to expand beyond smartphones. Most recently, the COVID-19 pandemic and the ensuing chip shortages and supply chain disruptions forced many organizations to embrace BYOD policy to enable new hires to work while waiting for a company-issued device.


BYOD policies

Typically crafted by the chief information officer (CIO) and other high-level IT decision-makers, BYOD policy defines the terms under which employee-owned devices can be used at work and the security policies that end users must observe while using them.

While the specifics of a BYOD policy will vary depending on the goals of an organization’s BYOD strategy, most device policies define some variation of the following:

Acceptable use: BYOD policies typically outline how and when employees can use personal devices for work-related tasks. For example, acceptable use guidelines may include information on securely connecting to corporate resources through a virtual private network (VPN) and a list of approved work-related apps.

Acceptable use policies often specify how sensitive company data must be handled, stored and transmitted using employee-owned devices. Where applicable, BYOD policies may also include data security and retention policies that comply with regulations like the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act and the General Data Protection Regulation (GDPR).

Permitted devices: A BYOD policy may outline the types of personal devices that employees can use for work purposes and relevant device specifications, such as minimum operating system version.

Security measures: BYOD policies typically set security standards for employees’ devices. These can include minimum password requirements and two-factor authentication policies, protocols for backing up sensitive information and procedures to be followed if a device is lost or stolen. Security measures may also specify security software that employees must install on their devices, such as mobile device management (MDM) or mobile application management (MAM) tools. These BYOD security solutions are discussed in further detail below.

Privacy and permissions: BYOD policies typically outline the steps that the IT department will take to respect employees’ privacy on their devices, including how the organization will maintain separation between employees’ personal data and corporate data. The policy may also detail the specific permissions that the IT department needs on the employee’s device, including certain software that it may need to install and apps that it may need to control.

Reimbursement: If the company reimburses employees for using their personal devices—such as by offering a stipend for device purchases or subsidizing internet or mobile data plans—a BYOD policy will outline how reimbursement is handled and the amounts that employees may receive.

IT support: The BYOD policy may specify the extent to which a company’s IT department will (or won’t) be available to help employees troubleshoot broken or improperly functioning personal devices.

Off-boarding: Finally, BYOD policies typically outline the steps to follow if an employee leaves the company or unenrolls their device from the BYOD program. These exit procedures often include plans for removing sensitive corporate data from the device, revoking the device’s access to network resources and decommissioning the user or device account. 

BYOD security solutions

BYOD programs raise device security concerns that IT departments don’t often encounter—or encounter to a lesser degree—with company-issued devices. Hardware or system vulnerabilities in employee devices could expand the company’s attack surface, granting hackers new ways to breach the company network and access sensitive data. Employees may engage in riskier browsing, email or messaging behavior on personal devices than they would dare to engage in with a company-issued device. Malware that infects an employee’s computer because of personal use could easily spread to the corporate network.

With company-issued devices, IT can avoid these and similar issues by directly monitoring and managing device settings, configurations, application software and permissions. But IT security teams are unlikely to have the same control over employees’ personal devices, and employees would likely bristle at that level of control. Over time, companies have turned to a variety of other technologies to mitigate BYOD security risks.

Virtual desktops

Virtual desktops, also known as virtual desktop infrastructure (VDI) or desktop as a service (DaaS), are fully provisioned desktop computing instances that run on virtual machines hosted on remote servers. Employees access these desktops and essentially run them remotely from their personal devices, typically over an encrypted connection or VPN.

With a virtual desktop, everything happens on the other end of the connection—no applications are installed on the personal device and no company data is processed or stored on the personal device—which effectively eliminates most security concerns related to personal devices. But virtual desktops can be expensive to deploy and manage, and because they depend on an internet connection, there’s no way for employees to work offline.

Cloud-based software-as-a-service (SaaS) can provide a similar security benefit with less management overhead, but also slightly less control over end-user behavior.

Device management solutions

Before BYOD, organizations managed company-issued mobile devices using mobile device management (MDM) software. MDM tools give administrators total control over the devices—they can enforce log-on and data encryption policies, install enterprise apps, push app updates, track device location and lock or wipe a device if it is lost, stolen or otherwise compromised.

MDM was an acceptable mobile management solution until employees began using their own smartphones at work and quickly bristled at granting IT teams this level of control over their personal devices, apps and data. Since then, new device management solutions have emerged as users of personal devices and employee working styles have changed:

Mobile application management (MAM): Rather than controlling the device itself, MAM focuses on app management, granting IT administrators control over corporate apps and data only. MAM often achieves this through containerization, the creation of secure enclaves for business data and applications on personal devices. Containerization gives IT complete control over applications, data and device functionality within the container, but it cannot touch or even see the employee’s personal data or device activity beyond the container.

Enterprise mobility management (EMM): As BYOD participation grew and extended beyond smartphones to tablets—and beyond BlackBerry OS and Apple iOS to Android—MAM struggled to keep up with all the new employee-owned devices being introduced to corporate networks. Enterprise mobility management (EMM) tools soon arose to solve this problem. EMM tools combine the functionality of MDM, MAM and identity and access management (IAM), providing IT departments with a single-platform, single-pane view of all personal and company-owned mobile devices across the network.

Unified endpoint management (UEM): The one drawback to EMM was that it couldn’t manage Microsoft Windows, Apple macOS and Google Chromebook computers, which became a problem as BYOD needed to expand to include employees and third parties working remotely using their own PCs. UEM platforms emerged to close this gap, bringing mobile, laptop and desktop device management together in a single platform. With UEM, IT departments can manage IT security tools, policies and workflows for all types of devices, running any operating system, regardless of where they’re connecting from.

BYOD benefits and challenges

The most frequently cited benefits of BYOD for the organization are:

  • Cost savings and reduced IT administrative burden: The employer is no longer responsible for purchasing and provisioning devices for all employees. For companies that are able to implement and successfully manage BYOD for most or all employees, these savings can be considerable.

  • Faster onboarding of new hires: Employees no longer need to wait for a company-issued device to begin working on job-related tasks. This has been especially relevant during recent chip shortages and other supply chain disruptions, which can prevent a company from providing computers to employees on time to start work.

  • Improved employee satisfaction and productivity: Some employees prefer working with their own devices, which they find more familiar or capable than corporate-issued equipment.

These and other benefits of BYOD can be counterbalanced by challenges and tradeoffs for employees and employers:

  • Employee privacy concerns: Employees may worry about the visibility of their personal data and activity. They may also be uncomfortable installing IT-mandated software on their personal devices.

  • Limited candidate pools, inclusion concerns: If BYOD is mandatory, people who can’t afford or don’t own adequate personal devices may be eliminated from consideration. Additionally, some people may prefer not to work for an organization that requires them to use their personal computer, whether the employer reimburses them or not.

  • Remaining security risks: Even with BYOD security and device management solutions in place, employees may not always adhere to cybersecurity best practices, such as good password hygiene and physical device security on their personal devices, opening the door to hackers, malware and data breaches.

  • Regulatory compliance issues: Employers in healthcare, finance, government and other highly regulated industries may not be able to implement BYOD for some or any employees due to stringent regulations and costly penalties surrounding the handling of sensitive information.