That iPhone in your employee's pocket, the one they use to check Teams, open email attachments, and pull up SharePoint files, is almost certainly not enrolled in anything. No MDM, no passcode policy, no remote wipe authorization. It's your most exposed endpoint, and you have zero visibility into it. Here's how to fix that with a BYOD policy that actually holds up.
Before you write a policy, you need to decide what device ownership model you're actually enforcing. These three models are meaningfully different, and conflating them produces a policy that doesn't fit your environment.
The employee owns the device entirely. They choose the hardware, the carrier, the apps. The company provides access to corporate resources on that device and must work within the constraints of employee ownership, including limits on what can be remotely wiped without consent. Best for: small businesses with limited IT budget where company-issued devices aren't feasible, or for roles where personal phone use for work is incidental (checking email, occasional Teams messages).
The company purchases and owns the device, but allows the employee to use it for personal activities within defined limits. The employer has full administrative rights (any configuration, any wipe, at any time) because ownership is unambiguous. Best for: organizations handling sensitive or regulated data (CUI, PHI, PCI) where full device management is required, or where employees travel internationally and device security posture needs to be tightly controlled.
The company provides a curated list of approved devices; employees select their preferred model from the list. The company purchases and manages the device. It's COPE with better employee satisfaction. Best for: mid-size organizations that want consistent MDM enrollment and security posture without mandating a single hardware model. Harder to execute at the 1–10 employee level where the overhead isn't justified.
Most small businesses end up in a de facto BYOD situation without having made a conscious decision: employees just start using personal devices because it's convenient. That's the scenario this post addresses.
The shift to cloud-first work has made personal devices more dangerous than they've ever been. In 2019, a personal phone could access work email. In 2026, that same phone can access SharePoint libraries, OneDrive folders, Teams channels, Salesforce records, your accounting software, and your cloud storage, all through browser-based portals that require nothing more than a password to enter.
Meanwhile, company-managed endpoints have gotten more secure. EDR tools, Intune policies, Conditional Access, Defender for Endpoint: all of it is meaningless if an employee can bypass every control by opening Safari on their iPhone and logging into Microsoft 365 with their work credentials.
Cyber insurance underwriters have noticed this. An increasingly common question on renewal applications is: "What percentage of devices that access corporate data are enrolled in MDM?" If the answer is 40% because the other 60% are personal phones, that's a gap that shows up in your premium, or your exclusions.
The hard truth: If you've deployed Microsoft 365 and haven't configured Conditional Access to block unmanaged devices, any personal phone with your employees' credentials can access company data. No MDM required. No policy enforced. This is the default configuration for most SMB tenants out of the box.
Define exactly which devices the policy applies to: smartphones, tablets, laptops, or all three. Specify minimum OS requirements, for example, iOS 17 or later, Android 13 or later, Windows 11 with current security patches. Devices running unsupported operating systems should be explicitly excluded from company resource access. Include a registration or approval requirement: employees should submit their device make, model, and OS version before using it for work, and IT should maintain an active BYOD device inventory.
State plainly that any personal device used to access company resources must be enrolled in the company's mobile device management platform. Name the platform (Microsoft Intune, Jamf, or whatever you're using). Describe the enrollment process and who initiates it. Crucially, explain what the MDM profile can and cannot access: most employees assume MDM means the company can read all their texts and see their photos, which isn't true for work profile enrollment. Transparency here drives compliance. Non-enrolled devices must be blocked from accessing company resources via Conditional Access or equivalent enforcement.
Define what company applications employees are permitted to use on personal devices. Approved apps (Teams, Outlook mobile, company-managed Authenticator) should be listed. Prohibited activities should be explicit: no forwarding company emails to personal email accounts, no screenshots of confidential information, no storing company files in personal cloud storage (personal iCloud, Google Drive, Dropbox). Also address monitoring scope: company MDM profiles do not monitor personal usage, browsing history, or location, but the company can see device compliance status, enrollment status, and company app activity.
If your organization handles Controlled Unclassified Information (CUI), which includes any data subject to DFARS 252.204-7012 or CMMC requirements, this section is mandatory. The rule should be unambiguous: CUI must never be stored, processed, or transmitted on personally owned devices. CUI access is restricted to company-managed endpoints only. If a personal device is used for general work (Teams messages, non-CUI email), that's permissible with MDM enrollment. But any system, file, or application that touches CUI requires a managed, company-controlled device. Document this restriction clearly; your C3PAO assessor will look for it.
Specify the minimum security configuration required on any enrolled personal device: passcode or PIN (minimum 6 digits; biometric authentication acceptable as supplemental), full device encryption enabled (default on modern iOS and Android, but must be verified), auto-lock set to 5 minutes or less, operating system and security patches applied within 30 days of release, and no known malware or jailbreaking/rooting. MDM enrollment enforces most of these automatically, which is one of the key arguments for requiring enrollment rather than asking employees to self-certify compliance.
Employees must provide written consent to remote wipe before their personal device is enrolled. The policy should specify the two types of wipe and when each applies: selective wipe (removes company app data, email profiles, and MDM configuration; does not touch personal photos, contacts, or apps) triggers on separation from employment; full wipe (factory reset) may be authorized only in confirmed data breach or loss scenarios with documented management approval. Selective wipe is the appropriate default for BYOD; full wipe is reserved for extraordinary circumstances and requires legal review.
Certain application categories create security risk on any device that accesses company data. Prohibited app categories should include: consumer-grade file sync apps used for work data (personal Dropbox, Google Drive), TikTok and other apps with known data harvesting behavior prohibited on government-facing contracts, unapproved remote access tools (TeamViewer installed without IT authorization), and any application flagged by your MDM's threat intelligence feed. Some MDM platforms allow you to detect and block specific app installations on the work profile; use this capability.
A personal device that accesses company resources is a reportable asset when lost or stolen, not a personal matter. The policy must require employees to report loss or theft of any enrolled device within a defined window (typically 2 hours during business hours, first thing the next business day if discovered after hours). Reporting triggers the remote wipe authorization process and activates your incident response plan. Employees must understand that delayed reporting of a lost device may result in uncontrolled exposure of company data that could have been prevented, and that this has insurance implications.
If you're pursuing CMMC Level 2, BYOD is not just an internal policy matter; it's an assessment finding waiting to happen.
AC.L2-3.1.18 requires organizations to "control the connection of mobile devices" to organizational systems. The NIST SP 800-171A assessment objective is explicit: you must have documented policies governing mobile device connectivity, and you must be able to demonstrate that unauthorized mobile devices cannot access CUI systems. An unmanaged BYOD environment with no MDM and no Conditional Access policy fails this practice outright.
MP.L2-3.8.1 covers media protection, protecting system media containing CUI, both paper and digital. Mobile devices are media. A personal iPhone with a cached copy of a CUI email is unprotected media. The practice requires that CUI be sanitized or destroyed before disposal or reuse, which is impossible on a personal device you don't manage.
NIST SP 800-124 (Guidelines for Managing the Security of Mobile Devices in the Enterprise) provides the technical framework for your BYOD controls. Your SSP should reference it. C3PAO assessors are familiar with it and will expect your controls to align with its guidance on MDM deployment, network access controls, and device security baselines.
Underwriters are getting more specific about BYOD every renewal cycle. Questions have evolved from "do you have a mobile device policy?" to "what is your MDM enrollment rate?" and "does your policy prohibit storing company data on personal devices?"
The exposure is real: a breach that originates from an unmanaged personal device (employee's phone compromised via a malicious app, credentials harvested, then used to access Microsoft 365) is harder to remediate and harder to document for a claim. You can't pull logs from a personal device. You can't demonstrate what data was on it. You can't show your response timeline from the device's perspective.
Insurers price that uncertainty. A BYOD policy with MDM enrollment, Conditional Access enforcement, and documented remote wipe authorization is a measurable control that reduces that exposure. It won't eliminate your premium, but it demonstrates a managed risk posture rather than an unacknowledged one.
Microsoft Intune is the default choice for Microsoft 365 environments: it's included in Business Premium and above, integrates natively with Conditional Access, and supports both corporate and personal device enrollment modes. For BYOD, configure the Intune work profile (Android) or device enrollment with user affinity (iOS). Key policies to enforce: minimum OS version compliance, PIN requirement, encryption verification, and jailbreak/root detection. Pair Intune with Conditional Access policies that require compliant devices for access to Exchange Online, SharePoint, and Teams.
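One way to implement the two pieces above (the device security baseline as an Intune compliance policy, and the Conditional Access rule that gates Exchange Online, SharePoint and Teams on it), as an added example that is not from the original post or from Microsoft's documentation: it uses the Microsoft Graph PowerShell SDK and assumes the Microsoft.Graph.DeviceManagement and Microsoft.Graph.Identity.SignIns modules are installed. The break-glass group id is a placeholder, and the `ruleName` value and the requirement for at least one scheduled action are my assumptions about how Graph accepts compliance policies.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph PowerShell SDK.
Import-Module Microsoft.Graph.DeviceManagement
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess"

# 1. iOS compliance policy that encodes the device security baseline from the policy:
#    6-digit PIN, 5-minute auto-lock, iOS 17 minimum, no jailbroken devices.
$compliance = @{
    "@odata.type"                         = "#microsoft.graph.iosCompliancePolicy"
    displayName                           = "BYOD iOS baseline"
    passcodeRequired                      = $true
    passcodeRequiredType                  = "numeric"
    passcodeMinimumLength                 = 6
    passcodeBlockSimple                   = $true      # rejects 123456, 111111 and similar
    passcodeMinutesOfInactivityBeforeLock = 5
    osMinimumVersion                      = "17.0"
    securityBlockJailbrokenDevices        = $true
    # Assumed: Graph needs at least one scheduled action. gracePeriodHours = 0 marks the
    # device non-compliant as soon as a check fails, so Conditional Access blocks it.
    scheduledActionsForRule = @(@{
        ruleName                      = "PasswordRequired"   # assumed rule name
        scheduledActionConfigurations = @(@{ actionType = "block"; gracePeriodHours = 0 })
    })
}
New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $compliance
# The policy still has to be assigned to the BYOD user group before it evaluates any
# device, and Android work profiles need their own compliance policy (not shown).

# 2. Conditional Access: Exchange Online, SharePoint and Teams (the "Office365" app
#    group) are reachable from iOS/Android only when Intune reports the device compliant.
$ca = @{
    displayName   = "BYOD - require compliant device for Office 365"
    state         = "enabledForReportingButNotEnforced"   # report-only first, then "enabled"
    conditions    = @{
        applications   = @{ includeApplications = @("Office365") }
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @("<break-glass-group-object-id>")   # placeholder, not a real id
        }
        platforms      = @{ includePlatforms = @("iOS", "android") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $ca
```

Run the Conditional Access policy in report-only mode long enough to see which users and devices it would have blocked before switching its state to enabled.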
Jamf is the standard for Apple-heavy environments, particularly those with a mix of Macs, iPhones, and iPads. Jamf Now is the SMB tier; Jamf Pro handles more complex enterprise requirements. Jamf's strength is depth of Apple management, granular configuration profiles, app installation management, and integration with Apple Business Manager for streamlined enrollment. If your workforce is predominantly Mac/iOS, Jamf gives you more precise control than Intune's Apple management capabilities.
| Requirement | 1–10 Employees | 11–50 Employees | 51–250 Employees |
|---|---|---|---|
| Written BYOD Policy | Required | Required | Required |
| MDM Enrollment | Strongly recommended; required if CUI involved | Required for any device accessing company data | Required; automated enrollment via ABM/Intune |
| Conditional Access | Recommended if using M365 | Required | Required; device compliance policies enforced |
| Device Inventory | Manual spreadsheet acceptable | MDM-generated inventory required | MDM inventory + quarterly audit required |
| Employee Acknowledgment | Written acknowledgment at hire | Signed consent form + annual re-acknowledgment | Signed consent + annual training + attestation |
| CUI Restriction | Documented; enforced by policy | Documented + technical enforcement | Documented + Conditional Access blocking personal devices from CUI systems |
| Incident Reporting SLA | 2-hour window, business hours | 2-hour window, any time | Immediate; 24/7 reporting channel required |
The remote wipe section is where BYOD policies most often create legal exposure, not because of what the policy says, but because of what it doesn't say.
What employers can do: With proper written consent obtained at enrollment, employers can execute a selective wipe of company data, email profiles, and MDM configuration from a personal device. This is legally defensible when the consent language is clear about what will be removed and when. Selective wipe leaves personal photos, contacts, messages, and apps untouched.
What employers cannot do: Execute a full factory reset of a personal device without explicit consent for that specific action, or without a documented emergency justification (confirmed active breach, theft with evidence of unauthorized access). Even with consent language in a BYOD agreement, a full wipe of a personal device that destroys personal data can create legal liability, particularly if the employee disputes whether the circumstances warranted it. Get legal review of your remote wipe consent language before deploying.
Separation of employment: When an employee leaves, voluntarily or not, the selective wipe of company data from their enrolled personal device should be immediate and documented. The MDM platform should log the wipe command, execution time, and success or failure status. This log is evidence that you removed company data from the device, which matters if the former employee later claims they were unable to access personal data as a result of company action.
Professionally written, fully editable policy documents covering all 8 sections above, ready to customize for your organization, align with CMMC requirements, and present to your cyber insurance underwriter.
Yes, in fact, small businesses are where BYOD is most common and least managed. If even one employee checks work email on a personal phone, you have a BYOD exposure. A written policy and MDM enrollment are the minimum baseline regardless of company size. At 1–20 employees, the setup overhead is low (Intune is included in Microsoft 365 Business Premium) and the protection is immediate.
Yes, as a condition of using personal devices for work. MDM enrollment must be disclosed and consented to in writing; employees need to understand what the company can see and do on their device. Most MDM platforms support a 'work profile' container that keeps company and personal data separate, which limits the scope of corporate visibility. Refusing MDM enrollment is the employee's right; the consequence is that they cannot use their personal device for company resources.
BYOD (Bring Your Own Device) means the employee owns the device and uses it for work. COPE (Corporate Owned, Personally Enabled) means the company owns the device but allows personal use on it. COPE gives employers significantly more control because ownership is unambiguous, the company can fully manage the device, enforce any configuration, and perform a full wipe without legal ambiguity. The trade-off is upfront hardware cost and the administrative overhead of asset management.
Only if the employee has explicitly consented to remote wipe as part of MDM enrollment. Most MDM platforms offer two options: selective wipe (removes company data and apps only, leaving personal data intact) and full wipe (factory reset). A BYOD policy should clearly define which type of wipe is authorized and under what circumstances; typically loss, theft, or employment termination triggers a selective wipe, while a full wipe requires documented justification and management sign-off.
Yes, significantly. CMMC Level 2 practice AC.L2-3.1.18 requires organizations to control the connection of mobile devices to organizational systems. If personal devices access systems that process CUI, those devices must meet the same security requirements as company-owned endpoints, or CUI access must be restricted to managed devices only. Most C3PAO assessors will flag unmanaged personal devices accessing CUI systems as a NOT MET finding that must be remediated, not deferred.
Underwriters are asking about MDM explicitly on renewal applications. They want to know what percentage of devices accessing corporate data are enrolled in MDM, and whether you have a documented BYOD policy. Low MDM enrollment rates or a complete absence of a BYOD policy are increasingly cited as reasons for coverage exclusions or premium increases. A documented policy with technical enforcement (Conditional Access blocking unmanaged devices) is a measurable control that underwriters can price against.