BYOD Quick Reference — Platform User Guide
Audience: All staff (BYOD users)
Purpose: A quick reference for what you can and cannot do on your personal device
Document type: Operational reference (not an ISMS artefact)
Last updated: 2026-02-25
This document is a user-facing summary of the BYOD Security Policy (SEC-POL-BYOD-002). Refer to the source policy for full details.
What the Company Can and Cannot See
| What the company CAN see ✅ | What the company CANNOT see ❌ |
|---|---|
| Work app versions, compliance status | Personal app list |
| OS version | Personal photos, messages, files |
| Device compliance state (Compliant / Non-compliant) | Personal browsing history |
| Work data (inside Managed Volume / Managed Edge) | Location / GPS |
| | Phone calls / texts |
This boundary is enforced at the OS level by Apple User Enrollment and Android Work Profile. The company cannot technically cross this boundary.
macOS BYOD
Enrolment method: ADUE (Account-Driven User Enrollment) — Managed Volume created automatically
✅ What You Can Do
- Use Outlook, Teams, Edge, OneDrive, Word, Excel, PowerPoint — native apps auto-installed via VPP
- Use personal apps freely (personal and work areas are separated at the OS level)
- Use personal browsers (Safari, Chrome, etc.) for personal internet use
- Work over personal Wi-Fi or mobile data
❌ What You Cannot Do
- Copy/paste work data into personal apps (prohibited by policy — not technically blocked, but audit-logged)
- Access M365 work services via personal browsers (Safari, Chrome)
- Disable or bypass Intune enrolment or Compliance Policy
⚠️ Things to Know
- A Managed Volume (separate APFS volume) is created on your device — work app data is stored here
- On offboarding, Selective Wipe deletes the entire Managed Volume. Your personal area (photos, personal apps, etc.) is preserved, but all data stored inside the Managed Volume is deleted regardless of ownership (e.g. personal files downloaded through work apps)
- 💡 Recommendation: Use personal SaaS through a personal browser (Safari, Chrome) so that no data lands in the Managed Volume
- FileVault encryption and passcode policies are enforced
- You must keep OS and apps up to date — non-compliance may result in access being blocked
Windows BYOD — Default Path (Edge Only)
Enrolment method: Entra Registered (no MDM enrolment) — web app access via Managed Edge
✅ What You Can Do
- Use M365 web apps in Managed Edge:
  - Outlook Web (outlook.office.com)
  - Teams Web (teams.microsoft.com)
  - SharePoint, OneDrive Web
  - Word, Excel, PowerPoint Online
- Use personal apps and personal browsers freely
- Copy/paste work content within Edge (allowed — same policy as macOS)
❌ What You Cannot Do
- Use desktop apps: Teams Desktop, Outlook Desktop, Word/Excel/PowerPoint Desktop
  - If you need desktop apps → apply for the Full MDM Exception Path (see section below)
- Download files from Edge (local save blocked)
- Save as to unmanaged storage from Edge
- Print from Edge (alternative: forward as PDF via Outlook)
⚠️ Things to Know
- Edge is the only work browser — M365 sign-in is blocked on Chrome, Firefox, and other browsers
- No company control over the device itself (no MDM enrolment)
- OS updates are your responsibility, but non-compliance may result in access being blocked
Windows BYOD — Full MDM Exception Path
Enrolment method: Entra Join + Intune Full MDM — opt-in path for desktop app access
This path is not applied automatically. You must request it, receive Security Director approval, and sign the Consent Form before it takes effect.
✅ What You Can Do
- Use all desktop apps: Outlook, Teams, Word, Excel, PowerPoint, OneDrive
- Use personal apps (installable via Microsoft Store)
- Use the internet freely for personal purposes
- Effectively the same work experience as a company-issued device
❌ What You Cannot Do
- Use local administrator privileges (enforced as Standard User)
- Disable BitLocker encryption
- Disable OneDrive KFM (Desktop/Documents/Pictures folder cloud sync)
- Modify or bypass security policies (Intune, BitLocker, KFM)
⚠️ Things to Know
- Consent Form required — you must acknowledge:
  - Consent to Entra Join + Full MDM enrolment
  - Consent to BitLocker encryption + recovery key stored by the company
  - Awareness that if Selective Wipe fails on offboarding, a Full Wipe (factory reset) may be performed
  - Waiver of liability for personal data loss
- Desktop, Documents, and Pictures folders are automatically synced to the company OneDrive
- Personal apps can be installed via Microsoft Store (no admin rights required)
Mobile — iOS / Android
Enrolment method: iOS = ADUE (Managed Volume) / Android = Work Profile (container separation)
✅ What You Can Do
- Use Outlook, Teams, Edge, OneDrive, Word, Excel, PowerPoint mobile apps
- Use personal apps freely (work and personal areas are fully separated)
❌ What You Cannot Do
- Copy/paste from work apps to personal apps (technically blocked)
- Screenshot or screen record work app screens (technically blocked)
- Download work files to personal storage
- Back up work data to personal cloud services
⚠️ Things to Know
- Mobile has the strongest protection model — both app-level and OS-level DLP are enforced
- On offboarding, Selective Wipe removes only work apps and data; personal data is preserved
- Jailbroken or rooted devices are immediately blocked from access
Platform Comparison
| | macOS | Windows (Default) | Windows (Full MDM) | Mobile |
|---|---|---|---|---|
| M365 access | Native apps | Edge web apps only | Native apps | Native apps |
| Desktop apps | ✅ | ❌ | ✅ | — |
| Copy/paste blocked | Policy-prohibited | Allowed | — | ✅ Technically blocked |
| File download blocked | Volume isolation | ✅ Technically blocked | — | ✅ Technically blocked |
| Screenshot blocked | ❌ | ❌ | ❌ | ✅ Technically blocked |
| On offboarding | Managed Volume deleted | Edge org data removed | Selective → Full Wipe possible | Work apps/data removed |
| Admin rights | Retained | Retained | ❌ Standard User | Retained |
Need Help?
- Device enrolment / troubleshooting: Contact the Security Director (Lucas)
- Exception requests (e.g. access to a blocked app): Email or Teams message to the Security Director
- Security incident: Report to the Security Director within 24 hours