How to write a BYOD policy

The federal government issues bring-your-own-device guidelines for the handling of mobile devices in agency work; lots for commercial enterprises to consider as well.

Should mobile devices and smartphones coming into the workplace be regulated or embraced?

The US federal government, good at both regulating and embracing things, urges that a balance be struck between the two. Don't fight the trend, advises the government's Digital Services Advisory Group, formed and directed by federal CIO Steven VanRoekel.  Rather, go with the flow, and recognize that BYOD can be an asset to organizations, if properly managed.

That's the gist of the advisory group's latest government-wide bring-your-own-device (BYOD) guidlines. The directives, considered voluntary, are based on lessons learned from successful BYOD programs launched at forward-leaning agencies.

While the report is targeted at helping federal agencies set up BYOD policies, the guidelines are instructive for commercial enterprises as well. Interestingly, there is a case study of one agency in which BYOD was smoothly integrated into a virtual desktop strategy.

Along with case studies, the federal report provides a working outline of what should go into a BYOD policy:

Technical approach

  • Virtualization
  • Walled garden
  • Limited separation

Roles and responsibilities

  • Agency
  • User
  • Help/service desk(s)
  • Carrier technical support

Incentives for government and individuals

  • Survey employees on benefits and challenges
  • Consider voluntary vs. mandatory participation in BYOD program and impact on terms of service

Education, use, and operation

  • Establish orientation, trainings, and user agreements
  • Establish associated policies collaboratively with union  representative
  • Ensure compliance with Fair Labor Standards Act (FLSA)  requirements (e.g., institute policies to ensure non-exempt employees do not conduct work after-hours unless directly uthorized/instructed)
  • Consider impact of connectivity and data plan needs for of  chosen technical approach (e.g., virtualization) on employee  reimbursement
  • Implement telework agreements consistent with the Telework
  • Enhancement Act and OMB implementation requirements


  • Assess and document risks in:
  1. Information security (operating system compromise due to malware, device misuse, and information spillover risks)
  2. Operations security (personal devices may divulge information about a user when conducting specific activities in certain environments)
  3. Transmission security (protections to mitigate transmission interception)
  • Ensure consistency with government-wide standards for processing and storing Federal information
  • Assess data security with BYOD versus the devices being replaced
  • Securely architect systems for interoperability (government data vs. personal data)


  • Identify the right balance between personal privacy and organizational security
  • Document process for employee to safeguard personal data if /when government wipes the device

Ethics/legal questions

  • Define “acceptable use” from both government and individual  perspective
  • Address legal discovery (including confiscation rights) and liability issues (e.g., through pre-defined opt-in requirements in terms of service)
  • Consider implications for equal rights employment (e.g.,  disparity in quality of personal devices)

Service provider(s)

  • Identify companies that could offer discounts to government  employees
  • Assess opportunities to leverage the Federal Strategic Sourcing Initiative
  • Assess tax implications for reimbursement

Devices and applications (apps)

  • Identify permitted and supported devices to prevent introduction of malicious hardware and firmware
  •  Define content applications that are required, allowed, or banned and consider use of mobile device management (MDM) and  mobile application management (MAM) enterprise systems to   enforce policies
  • Adopt existing app development best practices to support  device-agnosticism and data portability across platforms
  • Address app compatibility issues (e.g., accidental sharing of  sensitive information due to differences in information display between platforms)
  • Recommend approach to content storage (cloud vs. device)
  • Clarify ownership of the apps and data

  Asset management

  • Disposal of device if replaced, lost, stolen, or sold, or  employment is terminated (must remove government information  before disposal)
  • Reporting and tracking lost / stolen personal devices
  • Replacement of personal lost devices if employee chooses not to  replace with personal funds
  • Funding for service and maintenance