Clement May Blogs

How to Create A BYOD Policy From Scratch

While the notion of a Bring Your Own Device policy is sound enough in theory, creating a clear and effective set of rules for your organisation can be easier said than done. The specifics of a BYOD strategy will necessarily vary from company to company, but there are a few basic questions they all need to answer. What happens if a device is lost or someone leaves the organisation? What strategies should be put in place to protect devices from external eyes? Which applications and data can be accessed, and by whom? With this in mind, we’ve put together the most important points for CTOs to bear in mind when writing a BYOD policy:

Acceptable use

Your first port of call is to identify precisely which functions can be accessed by which users. It’s also a good idea to specify what behaviours are considered acceptable – the company needs to ensure it’s protected from employees who may have illegal downloads or other illicit material on their machines, for example.


A decent BYOD policy contains clear rules as to which apps are prohibited and which are permitted. Whitelisting and blacklisting are the most popular ways to keep both the device and your organisation’s IT resources secure. Make sure your policy clearly states that the company has the right to prohibit particular apps, and that it also covers firewall and other security settings, as well as any antivirus apps. The creation of a BYOD policy might necessitate a revision of a company’s whole security approach. It’s essential to be clear about what information is sensitive, which approved employees are permitted to access which information in which circumstances, and what to do in the event of a breach. Now is also the time to familiarise yourself with the expanding range of mobile device management (MDM) tools, which allow for configuration, security and monitoring of tablets and smartphones.


While some companies are prepared to pay for monthly services and device costs, partially or in their entirety, others are more guarded with their purse strings. A decent BYOD policy needs to lay out what the company is and isn’t prepared to pay for. It’s possible to obtain a detailed breakdown of monthly phone and data usage from third-party services, but it’s often more straightforward to just reimburse employees for a certain percentage of monthly charges.

Written agreement

This sounds obvious, but it’s vital to put a policy in writing for each device user. Not only does this protect companies in the event of a violation, it also makes employees more conscientious about their professional mobile usage. As with the entire policy, this agreement needs to be as clear as you can make it in order to avoid potential misunderstandings later down the road.