Mobile device policy guide: How BYOD policies help IT manage devices

How mobile device policies make IT's job easier

Mobile device policy writing is an important task these days, even if it isn't exactly the most exciting facet of an IT administrator's job. Those policies, once written and implemented well, can head off lots of potential problems.

There are plenty of different policies that can help you get a handle on users' mobile devices, such as consumerization and BYOD policies. And in some cases -- as with acceptable use policies -- employees can learn what they can do to protect and secure their own devices, which can make your job easier.

The important thing is to understand the functions of each end user and mobile device policy so you and your users can get the most out of them. Brush up on the different kinds of policies and how you can use them to your advantage.

Table of contents:

Need to know: User and mobile device policy definitions

BYOD policy
BYOD policies outline the level of support an IT department offers for employees' personal devices. Every organization's BYOD policy is different. Some companies give employees a stipend to purchase and maintain devices of their own, but companies usually just agree to support personal devices as well as corporate devices. BYOD policies usually include more than just mobile devices and may be referred to as a bring your own technology (BYOT) policy.

Consumerization policy
Consumerization policies outline how IT will manage consumer devices in a company and define rules for acceptable use. They usually list which devices employees can use, how much control admins will have over those devices, how much (if any) of the bill the organization will cover and how IT will support devices.

End user policy
Any list of directives that applies to end users is an end user policy. That includes BYOD policies, consumerization policies, acceptable use policies, corporate mobile device policies, mobile security policies and/or social networking policies. Usually, employees must agree to the terms of the policy, and the violation of those terms can result in consequences, such as termination.

Corporate mobility policy
Corporate mobility policies set out to protect data from prying eyes and make sure that the company is compliant with regulatory guidelines. The policies define how data will be secured, both at rest and in transit. Much of the time, a company also lists how it will enforce the terms of its mobility policy, including use of encryption and secure connectivity to prevent unauthorized devices from accessing the network.

Acceptable use policy (AUP)
Users must agree to acceptable use policies if they want access to a network or to the Internet. Usually employees must agree not to use the Internet to break the law, spam people or break the security of other computers or users. Organizations may personalize their acceptable use policies.

Writing and implementing a mobile device policy

Creating BYOD policies
There isn't one cookie-cutter program that works for every company, so every BYOD policy will be different. But there are certain things every business should consider when writing BYOD policies, such as how users should protect their devices, which apps they can and can't use on their personal devices, and what users and IT should do when an employee loses a device or leaves the company. Decide which devices you'll support, draw up policies, then get users to agree to the terms.

Enforcing BYOD policies
Users need to know the consequences of violating their company's BYOD policies, and IT needs the tools to enforce those consequences. For example, if your BYOD policy states that users' passwords must meet certain requirements, then your mobile device management (MDM) system should be able to push those requirements to devices. And if you tell employees that their devices will be wiped if they're lost or stolen, you should be able to wipe their devices.

Following BYOD and mobile security policy best practices
There are some basic strategies and best practices you can follow to strengthen your BYOD and mobile security policies: Encrypt business data on users' devices, update hardware and apps (or make sure users are doing it), register devices before you let users connect them to the network and use Secure Sockets Layer certificates to authenticate devices.

Using acceptable use policies to improve app management
You can tailor acceptable use policies to help you gain more control over applications. Informing users what they can and can't do with their devices and having them agree to those terms means you can un-enroll or auto-quarantine noncompliant devices. For example, if you want employees to only download apps from your enterprise app store, let them know their devices will be blocked from the network if they download apps from another source. But you also have to explain why you're instating such a rule and make sure the punishment fits the crime.

Protecting mobile data with remote wipe
Think about writing a remote wipe policy to help protect mobile data. There are a few different ways to handle remote wipe, and each is appropriate in different situations. For example, you can use factory reset to return a device to its fresh-off-the-assembly-line condition, but use full device wipe to eliminate everything written to a device's file system.

Enhancing smartphone security with BYOD security policies
MDM helps with mobile device security, but it's only as good as your organization's BYOD security policies. MDM is what helps IT manage devices, but a good mobile security policy lets users know how they can help IT admins protect personal devices, especially when employees understand the risks associated with bringing their devices to work.