Hello,

Admin is looking at possibly allowing company email on personal cell phones. I was wondering if anyone has any advice? Do you get waivers from the employee indicating their personal cell phone could potentially get wiped? I am sure this is a sticky topic with many views. I would love to hear from anyone who has policies and forms to address this.

36 Spice ups

Not sure what state you’re in (or country), but you need to run this past your legal dept or legal advisor. In California, you can’t sign an agreement that waives your rights - or you can, but it doesn’t mean you can’t sue. That’s why you have to buy ski lift tickets in Nevada, for Tahoe ski slopes - or pay a hefty premium.

We’ve eliminated the vast majority of our BYOD because of this, from a tiny number of grandfathered-in users to a miniscule number. We had a fired user (extremely unusual to be fired here) get extremely aggressive (explanation inbound) about his company phone being wiped. That’s a cut and dried “tough $#it” situation, and confirmed our anti-BYOD stance from a non-security perspective.

6 Spice ups

We had an AUP (Acceptable Use Policy) that was for using any device when you were hired. It did cover this particular issue. There was some lawyer speak in there and it was established long before I started and it covered email access and other types of access.

3 Spice ups

If possible, use mobile application management instead of device management. Can’t wipe a device you don’t manage.

9 Spice ups

Not done it myself but some MDM systems keep company data in a separate ‘compartment’ on BYOD so this can be wiped without affecting the user data.

9 Spice ups

I worked for a place for a while that would only let you put your email on your phone if you agreed to also install their MDM software. My attitude is that it’s my phone - I bought it with my own money and pay the monthly service myself, so they have no right to administrate it at all. Since it wasn’t mandatory to get my email on my phone, they weren’t willing to provide a phone.

Bottom line: I’d say BYOD is too big a can of worms to allow without MDM. If a user is willing to let the company restrict what they can do on their own device, fine. They must be willing to lose their data in the event the MDM software wipes it - many do. Otherwise, boo-hoo, they can cry about it all they want, but I wouldn’t allow them to access their email (or any other company data) with their own devices. Period.

7 Spice ups

Philosophically, permitting an org to have control over a personally owned device is contradictory to the concept of BYOD. A company having control over such a device means that it’s no longer the employee’s own device. In that case, the employee should be compensated in kind for essentially turning over ownership of that device to the organization, on principle of the organization’s demand to have control over it.

That’s like unpaid on-call.

If you want full control and management over a device, you provide the device. If you don’t want to provide the device, you can’t demand command-n-control over it. And then don’t expect staff to respond to messages off-hours or do other work via their own devices, whether it’s a phone or computer.

I bought a $1,200 laptop recently for my own personal use. I also happen to do some organizational work on it. If my org demanded to install their deployment and management app on my personal computer just because I happen to do work-related tasks on it, that’s four middle fingers rising into the air (mine plus my wife’s). In reality, however, I have another laptop that my organization did provide for me which does have all of the management & security components on it.

That’s expected and accepted. But I do work on both machines because my organization trusts me to do the right thing within the bounds of ethics, morals, and the law. I in turn trust that my organization won’t get paranoid on me by questioning and second-guessing my professionalism and allow me to do the work responsibly and maturely.

5 Spice ups

Really I don’t care how professional you think you are, if you want your personal device to connect to the work environment then there are requirements. I can’t even start to count the number of organisations where someone who thought they were professional when using their personal device in a work environment compromised the environment because they, or their family, had unknowingly installed something on their personal device.

We had a policy: you want to use your personal device, that’s great, you need to accept the policy which included software on the laptop, or remote wipe ability of a mobile device. If you don’t like that, then you will be carrying your business equipment as well as whatever personal equipment you want when on call or travelling for work, and no, I didn’t care if it wasn’t the latest and greatest phone, or if it “embarrassed” you by having an older device.

10 Spice ups

We allow users to install email on their own device but it must be via the MDM software so we can remote wipe that segment of the phone should we need to. We are just about to roll out conditional access and MFA to our Office 365 environment. So they will either have to use the authentication app or be on our network to access email. So far I’ve only had one user object to using his personal mobile phone for the authentication and he refuses to install and configure the VPN client on his phone. It’s my phone, he states, so why do I need all these work applications on it. As he said it’s his phone, so I deleted his Office 365 from the phone and removed the Office suite from it. Which he moaned about also, saying he couldn’t check his email.

I’ve left it in the hands of his manager and HR to resolve, he can’t have it both ways.

12 Spice ups

At the last place I was at they allowed BYOD but you had to install MAM software on the phone. The MAM, or mobile application management, allowed them to control the apps that connected to company data, i.e. Outlook, Excel, Word, OneNote and OneDrive. I could access all of that from my personal phone, but I could only copy data within those apps; if I tried to copy something from Outlook into a text chat I could not. Then if the person did not have any security features enabled on their device the MAM would force a PIN to access apps with company data.

But now there are also other things to consider, if the employee is using a BYOD device is the company going to compensate a portion of their cell phone bill?

Then say the person is a higher up or in sales and a large number of customers contact that person via their personal cell number. Now that person is fired but still has ways to contact the company’s customers. At my last place if you had a large interaction with our customers or vendors you by default had to use a company cell. This way we retain that communication channel.

4 Spice ups
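The app-level controls the post above describes (only approved apps may touch company data, no copy-out into unmanaged apps such as a text chat, and a forced PIN when the device itself has no lock) correspond to an Intune app protection (MAM) policy rather than full device management. The following is an added example, not code from the original thread or from Microsoft; it uses the Microsoft Graph PowerShell SDK and the property names of the Graph iosManagedAppProtection resource as recalled from the Graph reference, so the property names, the policy display name, the Apple bundle IDs and the permission scope are assumptions to verify against current documentation before use.

```powershell
# Added example (not from the original thread): create an Intune app protection
# policy for iOS that implements the MAM controls described in the post.
# Property names follow the Graph managedAppProtection schema as recalled;
# treat them as assumptions and verify against the current Graph reference.

# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"   # scope name assumed

$policy = @{
    displayName = "BYOD - iOS app protection (example)"   # assumed name
    description = "Keep company data inside managed apps on personally owned devices"

    # Data may only flow between managed apps: blocks copying mail into a personal chat app.
    allowedOutboundDataTransferDestinations = "managedApps"
    allowedInboundDataTransferSources       = "managedApps"
    allowedOutboundClipboardSharingLevel    = "managedAppsWithPasteIn"
    saveAsBlocked     = $true   # no "Save As" into personal storage
    dataBackupBlocked = $true   # keep work data out of the personal cloud backup
    printBlocked      = $true

    # Require an app PIN; Intune may skip it when the device already has a passcode,
    # which is the "force a PIN only if the device has no security" behaviour described.
    pinRequired                   = $true
    minimumPinLength              = 6
    simplePinBlocked              = $true
    maximumPinRetries             = 5
    disableAppPinIfDevicePinIsSet = $true

    # Periodic check-in with the service; selective wipe of work data after a long offline period.
    periodOnlineBeforeAccessCheck     = "PT30M"
    periodOfflineBeforeAccessCheck    = "PT12H"
    periodOfflineBeforeWipeIsEnforced = "P90D"
}

$created = New-MgDeviceAppManagementIosManagedAppProtection -BodyParameter $policy
"Created app protection policy $($created.Id)"

# Target the policy at the apps the post lists (Outlook, Word, Excel, OneNote, OneDrive).
# Bundle IDs are assumed from Apple's published identifiers; verify before use.
$apps = @(
    "com.microsoft.Office.Outlook",
    "com.microsoft.Office.Word",
    "com.microsoft.Office.Excel",
    "com.microsoft.onenote",
    "com.microsoft.skydrive"
) | ForEach-Object {
    @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"; bundleId = $_ } }
}

Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections/$($created.Id)/targetApps" `
    -Body @{ apps = $apps }
```

Because the policy is scoped to the apps rather than the device, a later "wipe" removes only the data those managed apps hold; the employee's personal photos, messages and other apps are untouched, which is the distinction between MAM and the full-device MDM wipe that several posts in this thread object to.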

Good question.

We are actually in the process of reviewing our usage policies with HR and legal for both company and personal devices.

IMO, you don’t need a waiver unless you already have a policy in place that says that BYOD isn’t allowed.

Otherwise, you build a new policy that allows BYOD with the caveat that the device will be managed by MDM/Intune/etc., and will be remotely wiped if lost or stolen. Don’t implement this policy until you have all the mechanisms in place, and take the time to have management/HR/lawyers hash out the policy particulars.

Note: The above is for the situation where the staffer WANTS to use their personal phone for email. If your organization starts REQUIRING it, then there are many other things to consider.

3 Spice ups

BYOD is for the employee’s convenience. The tradeoff is BYOD relieves the employee from carrying 2 or more devices for work and personal. The data from work residing on the device is the property of the employer. Any compromise, theft, termination, etc. means the employer has the right and responsibility to cleanse its property from the BYOD device. Device management software may include the ability to track the location of the device which is handy for loss, theft or termination. We had a V.P. who intentionally compromised corporate data on a company phone, we caught him and started the termination process on a Friday afternoon. He was uncooperative saying he was on a fishing trip when we were able to track his location to his home. I wiggled the pointer on his phone to prove the point, with his GPS showing his current location as home. That escalated a simple termination to threat of immediate legal action requiring shipment of all corporate property by close of business or the Sheriff would stop by to assist. Had the phone been BYOD we were still within our right to wipe the device because he signed an agreement to do so, and that agreement was drafted by our legal department.

If going through Intune Company Portal, it will tell you what the company does and does not have access to. I always mention this to folks and that their phone could get wiped. Some back out and do not want to proceed. Imo, the company should provide a phone. I am not putting any of that on a personal device. But as long as the users are aware of what’s going on.

1 Spice up

Wiping is the least of the potential worries. If company data is on a personal device, the personal device becomes ‘discoverable’ should there be a legal incident involving the company, if the employee or data on their device is in any way potentially related to the case, even years after the incident that spawns the case. That means that not just the work-related apps, but potentially your entire personal device contents could become part of the record for the case. I don’t have anything I’m worried about on my device, yet the idea of all of my personal data being available for an opposing legal team to dissect is not one I want to see happen.

We also require MDM software be installed on BYOD devices. The employee must sign a consent form stating they agree to having MDM software installed on their personal device and that they understand the company has the right to enforce encryption/passwords/pins, restrict applications, and remotely destroy all data stored on the mobile device if it is lost or stolen.

After explaining all that most employees opt not to use their own device for 2FA and we issue them a hardware token instead.

With the new(ish) granularity in Outlook Mobile, it is no longer necessary for the entire device to be wiped to remove company email from a device.

We utilize IBM MaaS360 where we manage devices, and anyone that has a BYOD policy we can do a selective wipe to remove all corporate related material. So we don’t need to fully wipe an employee’s BYOD.

Yes, have a BYOD Administrative Policy that needs to be signed. Although ensure you use a system that has MDM and MAM technical policies, like Microsoft Intune.

BYOD = Bring your own Disaster. What a myriad of rabbit holes. I would check into any regulations governing your industry too.

1 Spice up