BYOD Full MDM Consent Form
Document Number: ISMS-FORM-BYOD-01
Version: 0.1.0
Parent Policy: BYOD Security Policy (ISMS-POL-BYOD-01) §3.2
Parent Procedure: Device Lifecycle Procedure (ISMS-PROC-BYOD-01) §2.4
Author: Lucas Shin — Security Director
Effective Date: February 20, 2026
Windows Desktop App Access — Opt-in Agreement
This form must be completed and signed by any employee requesting Office desktop app access on a personal Windows device under the BYOD Full MDM Exception Path (BYOD Security Policy §3.2).
Employee Information
| Name | |
| Position | |
| Date | |
| Device Make / Model | |
| Device Serial Number | |
| Windows Version | |
1. Entra Join + Full MDM Enrolment
By signing this form, I acknowledge and consent that my personal Windows device will be:
- Bound to the organisation's directory (Entra Join / Azure AD Join) — the device becomes a known entity in the company's identity system
- Enrolled in Microsoft Intune Full MDM — the device will be subject to company security policies, compliance checks, and Microsoft Defender protection
- Subject to device-level Conditional Access — access to M365 services (including Office desktop apps) will require the device to maintain a "Compliant" status at all times
2. BitLocker Full-Disk Encryption
I consent to the following:
- BitLocker encryption will be enabled on my device's storage drive
- The recovery key will be stored in Entra ID (escrowed to the company)
- The company retains "Final Say" authority over the encrypted storage, including the ability to lock or wipe the device using the escrowed recovery key
- I understand that this recovery key gives the company the technical capability to access or reset the device's storage
3. Full Wipe Acknowledgment
I understand and accept that:
- Upon offboarding (termination, role change, or my voluntary opt-out), a Selective Wipe (removal of corporate apps and data only) will be attempted first
- If Selective Wipe fails for any reason (device offline, local account recovery, tampering, etc.), a Full Wipe (factory reset) WILL be performed using the escrowed BitLocker recovery key
- A Full Wipe will erase ALL data on the device, including:
  - Personal files, photos, and videos
  - Personal applications and their data
  - Device settings and configurations
  - Any data not backed up to an external location
- The company is NOT responsible for any loss of personal data resulting from a Full Wipe
- I am solely responsible for maintaining backups of my personal data
4. Standard User Enforcement
I accept that:
- Local administrator rights will be revoked on my device via Intune policy
- I will operate as a Standard User at all times
- Personal application installation is permitted via Microsoft Store only
- I will not attempt to circumvent, bypass, or elevate privileges beyond Standard User
- Attempts to tamper with security policies may result in immediate access revocation and disciplinary action
5. OneDrive Known Folder Move (KFM)
I understand that:
- My Desktop, Documents, and Pictures folders will be redirected to the corporate OneDrive
- Work files stored in these locations will be synced to the company's cloud storage
- I should store personal files outside of these redirected folders to avoid them being synced to corporate storage
- Files synced to corporate OneDrive are subject to the company's data retention and deletion policies
6. Personal Use
I understand that:
- Personal use of the device is permitted — consistent with BYOD principles
- The company will not monitor my personal browsing or personal app usage
- However, the device is subject to company security policies (BitLocker, Compliance Policy, Standard User) at all times while enrolled
- If I wish to fully remove all company controls, I may opt out per Section 8 below
7. Privacy Boundary — Differences from Standard BYOD
I understand that the Full MDM exception path changes the company's visibility and control compared to standard BYOD:
| Area | Standard BYOD | Full MDM (this agreement) |
|---|---|---|
| Device management scope | Edge browser only (MAM) | Entire device (Full MDM) |
| Data wipe capability | Selective Wipe only (work data) | Selective Wipe first; Full Wipe if needed |
| Disk encryption | Not enforced | BitLocker enforced; key escrowed to company |
| Admin rights | User retains admin | Standard User enforced |
| Folder redirection | None | Desktop / Documents / Pictures → corporate OneDrive |
| Desktop app access | Blocked | Enabled (Teams, Outlook, Word, Excel, etc.) |
8. Opt-out Right
I may revoke this consent at any time by submitting a written request to the Security Director. Upon opt-out:
- The Full MDM offboarding procedure will be executed (Selective Wipe → Full Wipe if Selective Wipe fails)
- My device will revert to standard BYOD (Entra Registered + MAM) or be fully unenrolled, at my choice
- Desktop app access will be revoked immediately upon unenrollment
- I understand that opting out may trigger a Full Wipe as described in Section 3
Declaration and Signatures
Employee Declaration:
I have read and understood all sections of this consent form. I voluntarily agree to the terms described above. I understand that this consent is separate from and in addition to the standard BYOD User Consent Form.
| Employee Signature | |
| Date | |
Security Director Approval:
| Approved By | |
| Date | |
| Exception Register Reference | |
Document Retention: This signed form must be retained in SharePoint (HR folder) for the duration of the employee's employment plus 12 months, per Device Lifecycle Procedure §6.
[End of Consent Form]