BYOD Security Policy
Document Number: ISMS-POL-BYOD-01
Classification: L1 — Policy (Domain)
Version: 0.3.1
Effective Date: March 1, 2026
Author: Lucas Shin — Security Director
Approved By: Richard — CISO
Next Review Date: February 2027
Parent Policy: Information Security Policy (ISMS-POL-ISP-01)
Base Solution: Microsoft 365 Business Premium
Security Control Baseline: Entra ID P1 + Conditional Access + Intune + Defender
1. Purpose
This policy defines the security requirements, principles, and governance structure for the use of personally-owned devices (BYOD) to access corporate data and services.
It serves as the upper-level policy document that governs four subordinate operational procedures:
- Device Lifecycle Procedure
- Patch Management Procedure
- Access Control & Data Protection Procedure
- Monitoring & Incident Response Procedure
2. Scope
2.1 Applicable Devices
- macOS (MacBook, Mac Mini) — personal devices used for work
- Windows — personal devices used for work (subject to platform-specific restrictions; see §3.2)
- iOS / iPadOS — personal mobile devices (see §3.4)
- Android — personal mobile devices (see §3.4)
2.2 Applicable Users
- All employees assigned Microsoft 365 Business Premium licenses
- Contractors and temporary staff only if enrolled through the Device Lifecycle Procedure (see also: Human Resource Security Policy, ISMS-POL-HR-01)
2.3 Out of Scope
- Corporate-owned devices (covered under separate policy)
- Users on non-Premium licenses (Basic, Standard, Exchange P1) — governed by Security Defaults only; see M365 Workspace & Access Policy (ISMS-PROC-M365-01) for tier-appropriate controls
- Guest/external accounts (see: Supplier & Third-Party Security Policy, ISMS-POL-STP-01)
2.4 Asset Management Cross-references
- BYOD device asset scope: BYOD devices are not registered in the Information Asset Register. They are tracked for access control purposes (compliance, offboarding, audit, stale device cleanup). See Information Asset Identification — Standard Definition (ISMS-STD-ASM-01) §3 (scope exclusion) and §6.5 (BYOD/personal software rationale)
- Endpoint device discovery: Platform-specific inventory sources (Intune Devices for ADUE; Entra ID Registered Devices + APP reports for Windows MAM-only) are defined in Asset Management Policy (ISMS-POL-ASM-01) §3.3 and §4.3.2
- Device inventory review procedure: Device Lifecycle Procedure (ISMS-PROC-BYOD-01) §6
3. Security Architecture Principle
This policy adheres to the Zero Trust principle: security is enforced by controlling the gateway (App/Browser) that accesses corporate data, rather than controlling the entire device.
Key Design Decisions
- Logical isolation between personal and work data (User Enrollment on Apple, Work Profile on Android)
- No full device control — company cannot see personal apps, photos, browsing history, or location
- Conditional Access as the primary enforcement point — non-compliant devices are blocked at the authentication layer
- Compensating controls (Updatest screenshots) for apps outside Intune management scope
3.1 macOS BYOD — ADUE Architecture
macOS BYOD users access M365 via native desktop apps deployed to an isolated Managed Volume. App-level DLP (copy/paste blocking, save-as restriction) is not available on this platform — data protection relies on OS-level storage isolation, Conditional Access, and server-side controls.
macOS BYOD uses ADUE (Account-Driven User Enrollment) with a dedicated APFS Managed Volume for OS-level data isolation, and native M365 apps deployed via VPP. APP (App Protection Policy) is not supported on macOS — clipboard residual risk is accepted with compensating controls (user education, NDA, M365 audit logging).
Detailed platform architecture: See ISMS-CONF-BYOD-01 §2.1
3.2 Windows BYOD — Platform-Specific Restrictions
Windows BYOD users are restricted to Managed Edge for M365 web app access by default. Office desktop apps are blocked unless the user opts into the BYOD Full MDM Exception Path (§3.3).
Windows BYOD operates under Managed Edge only (M365 web apps). Office desktop apps are blocked — Business Basic at licence level, Business Premium at CA level. Edge APP enforcement: download/save-as/print blocked; copy/paste intentionally allowed (macOS parity, pending CISO approval). Device registers as Entra Registered (no MDM).
Detailed platform restrictions and blocking conditions: See ISMS-CONF-BYOD-01 §2.2. For the Full MDM Exception Path, see §3.3 below.
3.3 BYOD Full MDM Exception Path — Windows Desktop App Access
This exception path remains within the COM Profile (BYOD). Device ownership stays personal. This is NOT a transition to DEF Profile (Corporate-Owned). It elevates management jurisdiction while preserving BYOD ownership principles.
3.3.1 Eligibility and Approval
- Available to Business Premium licence holders only (desktop app licence required)
- User must submit a written request to the Security Director with business justification
- Security Director evaluates and approves based on operational necessity
- Approval is recorded in the exception register (see Section 8)
3.3.2 Opt-in Consent Agreement
Prior to enrolment, the user must sign a BYOD Full MDM Consent Form covering:
- Entra Join + Full MDM enrolment: acceptance that the device will be bound to the organisation's directory and enrolled in Intune Full MDM
- BitLocker encryption: consent to full-disk encryption with the recovery key escrowed to Entra ID (company retains Final Say over storage)
- Full Wipe acknowledgment: understanding that if Selective Wipe fails upon offboarding, a Full Wipe (factory reset) will be performed using the escrowed BitLocker recovery key
- Personal data disclaimer: the company is not responsible for loss of personal data resulting from Full Wipe
- Standard User enforcement: acceptance that local administrator rights will be revoked
This consent is separate from and in addition to the standard BYOD User Consent Form referenced in Section 5.3.
3.3.3 Mandatory Technical Controls
Upon enrolment, the following controls are applied via Intune: Entra Join, Full MDM, BitLocker + Key Escrow, OneDrive KFM, Standard User enforcement, and CA Compliant Device grant.
Detailed control specifications: See ISMS-CONF-BYOD-01 §2.3
3.3.4 Personal Use
- Personal use of the device is permitted, consistent with BYOD principles
- The device remains personally owned; the company gains elevated management jurisdiction, not ownership
- Users may install personal applications via Microsoft Store
- Personal browsing and personal app usage are not monitored or restricted
3.3.5 Offboarding Procedure
Upon termination, role change, or user-initiated opt-out:
- Selective Wipe — remove corporate apps, accounts, and policies from the device
- If Selective Wipe fails (e.g., device offline, local account recovery) → Full Wipe using the escrowed BitLocker recovery key, as consented in the Opt-in Agreement
- Entra ID cleanup — remove device registration and purge BitLocker recovery key
- Exception register update — record the offboarding date and method
Policy clarification: The availability of Full Wipe in this exception path is a departure from the standard BYOD privacy boundary (Section 6), which limits remote actions to Selective Wipe only. This departure is justified by the user's explicit Opt-in Consent and is documented in the exception register.
3.4 iOS/iPadOS & Android BYOD — Mobile Platform Architecture
Mobile BYOD is the most complete protection model. APP (App Protection Policy) is fully supported on both iOS/iPadOS and Android, providing app-level DLP (copy/paste blocking, save-as restriction, screenshot prevention). Combined with ADUE (iOS) or Work Profile (Android) for OS-level data isolation, there are no platform-level control gaps.
Mobile platforms provide both app-level (APP) and OS-level (ADUE/Work Profile) data protection — the only platform combination where full DLP is available. APP enforces copy/paste blocking, save-as restriction, download prevention, and screenshot blocking. No residual clipboard risk on this platform.
Detailed mobile architecture: See ISMS-CONF-BYOD-01 §2.4
🏗️ System Architecture Overview
System architecture diagram: See Annex A below. Detailed platform-specific descriptions: ISMS-CONF-BYOD-01 §2.1–§2.4
4. Roles and Responsibilities
| Role | Person | Responsibilities |
|---|---|---|
| CISO | Richard | Policy approval, escalation decisions, annual management review, risk acceptance sign-off |
| Security Director / IT Security Lead | Lucas | Policy maintenance, Intune/CA configuration, compliance monitoring, incident coordination, escalation to CISO |
| End User (Employee) | All BYOD users | Enroll device per procedure, maintain OS/app updates, submit weekly Updatest evidence, report security incidents within 24 hours, comply with Acceptable Use terms |
5. Acceptable Use
5.1 Permitted
- Access corporate email, Teams, SharePoint, and approved SaaS tools via managed apps or Managed Edge
- Use personal apps and data on the same device (logically isolated from work domain)
- Perform work on personal Wi-Fi or mobile data networks
5.2 Prohibited
- Access corporate data via unmanaged browsers (Safari, Chrome, Firefox, etc.)
- Copy/paste corporate data into personal apps (enforced by APP on iOS/Android managed apps only; macOS: APP not supported — policy-enforced only, see §3.1; Windows BYOD: technically enforceable via Edge APP but intentionally allowed — same risk rationale as macOS, pending CISO approval, see §3.2)
- Screenshot or screen record corporate app content on mobile (enforced by MAM policy; see also: Communications & Media Security Policy, ISMS-POL-COM-01)
- Share corporate credentials with any third party
- Jailbreak or root a device enrolled in BYOD management
- Disable or circumvent Intune enrollment or Compliance Policy
5.3 User Acknowledgment
- All users must sign the BYOD User Consent Form prior to enrollment
- The consent form covers: scope of management, data visibility boundaries, remote wipe conditions, and acceptable use terms
- Consent must be renewed annually or upon significant policy change
For the full onboarding and consent management process, see Human Resource Security Policy (ISMS-POL-HR-01).
6. Privacy Boundary Definition
BYOD requires a clear boundary between what the company can and cannot see or control on a personal device.
6.1 What the Company CAN See / Control
| Area | Visibility | Control |
|---|---|---|
| Work apps (Teams, Outlook, Edge) | ✅ App version, compliance status | ✅ Deploy, update, remove |
| OS version | ✅ Version number | ⚠️ Cannot force update; can block access if non-compliant |
| Device compliance status | ✅ Compliant / Non-compliant | ✅ Block access via CA |
| Work domain data | ✅ Full visibility | ✅ Selective wipe (work data only) |
6.2 What the Company CANNOT See / Control
| Area | Visibility | Control |
|---|---|---|
| Personal apps | ❌ | ❌ |
| Personal photos, messages, files | ❌ | ❌ |
| Browsing history (personal browser) | ❌ | ❌ |
| Location / GPS | ❌ | ❌ |
| Phone calls / SMS | ❌ | ❌ |
Note: This boundary is enforced by Apple User Enrollment and Android Work Profile at the OS level. The company technically cannot bypass this isolation.
6.3 Data Ownership vs Management Jurisdiction
Data ownership is determined by the account context used to create or access the data — not by the storage location (Managed Volume). The ADUE Managed Volume and MAM policies define management jurisdiction (technical control scope), not ownership rights.
Detailed ownership framework and determination rules: See ISMS-CONF-BYOD-01 §3.1
6.4 MAM Control Scope
MAM prevents corporate data from leaving the managed boundary but does not prevent personal data from entering it. MAM cannot control which accounts a user signs into, block personal SaaS access within Managed Edge, or distinguish between corporate and personal accounts on the same SaaS.
Detailed MAM capability matrix: See ISMS-CONF-BYOD-01 §3.2
6.5 Selective Wipe and Personal Data Notice
Upon Selective Wipe, all data within the Managed Volume is deleted regardless of ownership. Users accessing personal SaaS through Managed Edge may lose cached personal data. This notice must be included in the BYOD User Consent Form (§5.3).
Detailed wipe behavior: See ISMS-CONF-BYOD-01 §3.3
7. Non-Managed Application Security (Non-M365 App Security Controls)
Scope: This section controls the access paths and methods for non-M365 apps that fall outside the direct control scope of APP (App Protection Policy) on BYOD devices. The core objective is to extend the gateway control principle of §3 (corporate information asset access through managed apps/browsers) to non-M365 apps. Per-app account operation policies, data context isolation, AI data sovereignty, and other app/data governance rules are defined in Application & Data Governance Policy (ISMS-POL-ADG-01).
7.1 Scope of Application
Defines security controls for non-M365 apps that hold or process corporate information assets but are not directly protected by Intune App Protection Policy (APP). (On macOS, APP itself is not supported on the platform; therefore all non-M365 apps — including VPP-deployed apps — are in scope.)
Examples:
- Knowledge management tools (Notion, etc.) — holds corporate documents, policies, project data
- Development asset management (GitHub, etc.) — holds source code, technical documentation
- Design tools (Figma, Adobe, etc.) — holds client deliverables, design assets
- Generative AI (Claude, Gemini, etc.) — data leakage risk when corporate data is entered
Exclusion: M365 apps (Teams, Outlook, Edge, etc.) are directly controlled by the platform-specific architecture in §3 (APP, CA, Managed Volume, etc.) and are therefore out of scope for this section.
7.2 Control Principles
- Enterprise App Registration and SSO — Prioritise SSO-capable products; register as Entra Enterprise App with Admin Consent
- Managed Edge Routing Principle — Corporate-account web access via Managed Edge; platform-specific DLP scope varies
- Native App Access Restrictions — SSO availability depends on authentication implementation (WAM broker vs embedded webview)
- Account Separation Principle — Separate Corporate and Personal accounts; detailed rules in ISMS-POL-ADG-01
- Information Asset Classification Linkage — Apply SaaS assessment criteria per ISMS-POL-STP-01 §3
Detailed control implementation and platform-specific DLP scope: See ISMS-CONF-BYOD-01 §4.1
7.3 Compensating Controls
Compensating controls include: quarterly account separation compliance verification, annual app security configuration checks, policy-enforced data leakage prevention, and mandatory Enterprise/Team plans for AI service corporate data input.
Detailed compensating control matrix: See ISMS-CONF-BYOD-01 §4.2
Cross-reference: For detailed per-app account operation policies, data context isolation, and AI data sovereignty, refer to Application & Data Governance Policy (ISMS-POL-ADG-01).
8. Exception Handling
8.1 When Exceptions Apply
- A user requires an app not available via VPP/managed deployment (see also: Supplier & Third-Party Security Policy, ISMS-POL-STP-01 for SaaS tool assessment)
- A device cannot meet compliance requirements due to hardware/OS limitations
- A temporary operational need requires deviation from this policy (see also: Business Continuity Policy, ISMS-POL-BCP-01)
8.2 Exception Process
| Step | Action | Owner |
|---|---|---|
| 1 | User submits exception request via email/Teams to Security Director | End User |
| 2 | Security Director evaluates risk and documents compensating controls | Lucas |
| 3 | CISO approves or rejects (required for any exception exceeding 30 days) | Richard |
| 4 | Approved exception recorded with expiry date and review schedule | Lucas |
8.3 Exception Constraints
- Maximum duration: 90 days (renewable with CISO re-approval)
- All exceptions must have documented compensating controls
- Exception register reviewed quarterly as part of management review
9. Compliance Mapping
| ISO 27001 Control | Requirement | Covered By |
|---|---|---|
| A.5.34 | Privacy and protection of PII | Section 6 (Privacy Boundary Definition, incl. 6.3 Ownership and 6.5 Wipe Notice) |
| A.6.2 | Terms and conditions of employment | Section 5.3 (User Acknowledgment) + Human Resource Security Policy (ISMS-POL-HR-01) |
| A.6.5 | Responsibilities after termination | Device Lifecycle Procedure (offboarding) + Human Resource Security Policy (ISMS-POL-HR-01) |
| A.7.9 | Security of assets off-premises | Section 3 (Zero Trust architecture) + MAM controls |
| A.8.1 | User endpoint devices | Device Lifecycle Procedure + this policy |
| A.8.7 | Protection against malware | Monitoring & Incident Response Procedure |
| A.8.8 | Management of technical vulnerabilities | Patch Management Procedure |
| A.8.12 | Data leakage prevention | Access Control & Data Protection Procedure |
| A.8.15 | Logging | Monitoring & Incident Response Procedure |
| A.8.16 | Monitoring activities | Monitoring & Incident Response Procedure |
10. Document Control
| Version | Date | Author | Changes |
|---|---|---|---|
| 0.1.0 | 2026-02-18 | Lucas Shin | Initial release — ISMS Level 2 format. Restructured from reference document into formal policy with cross-references to related policies. |
| 0.1.1 | 2026-02-19 | Lucas Shin | Added Section 6.3–6.5: Data Ownership vs Management Jurisdiction, MAM control scope clarification, Selective Wipe personal data notice. Updated A.5.34 compliance mapping. |
| 0.1.2 | 2026-02-20 | Lucas Shin | Added Section 7: Non-Managed Application Security (controls for apps outside MAM scope). Defines controls for apps outside MAM scope that hold corporate information assets (Notion, GitHub, Figma, AI tools). Cross-references to Application & Data Governance Policy and Supplier & Third-Party Security Policy. Renumbered Sections 7–10. |
| 0.1.3 | 2026-02-20 | Lucas Shin | L2 policy reordering (renumbered). Updated all cross-reference document numbers to reflect new P-numbering scheme. |
| 0.1.4 | 2026-02-20 | Lucas Shin | Added Windows to §2.1 Applicable Devices. Added §3.1 Windows BYOD — Platform-Specific Restrictions: Edge-only M365 access, desktop app blocking (licence-level for Basic, CA-level for Premium), Entra Join path for desktop app access (= Corporate-Owned transition). Cross-reference to M365 Policy §6.1. |
| 0.1.5 | 2026-02-20 | Lucas Shin | Added §3.2 BYOD Full MDM Exception Path — Windows Desktop App Access. Redefined Entra Join path as COM Profile exception (not Corporate-Owned/DEF Profile transition). Added: Opt-in Consent Agreement (§3.2.2), mandatory technical controls — BitLocker Key Escrow, OneDrive KFM, Standard User (§3.2.3), personal use policy (§3.2.4), and offboarding procedure with Full Wipe escalation (§3.2.5). Updated §3.1 callout to reference §3.2. |
| 0.1.6 | 2026-02-23 | Lucas Shin | §7 terminology correction: replaced generic "MAM" with precise "APP (App Protection Policy)" throughout §7. Added macOS platform caveat to §7.2.1 (Edge copy/paste blocking is Windows-only). Updated §7.2 item 2 to include macOS VPP apps in DLP-excluded scope. Aligned with Domain Context §1.7 findings (macOS APP not supported). |
| 0.1.7 | 2026-02-24 | Lucas Shin | Added §3.1 macOS BYOD — ADUE Architecture: OS-level data protection model (Managed Volume, VPP native app deployment, APP unsupported, residual clipboard risk accepted). Renumbered §3.1→§3.2, §3.2→§3.3. Updated all internal cross-references. |
| 0.1.8 | 2026-02-24 | Lucas Shin | Removed undefined "Tier C — Controlled" label from Base Solution header. Added iOS/iPadOS & Android BYOD — Mobile Platform Architecture (APP + ADUE/Work Profile, full DLP, no platform gaps). Reordered §3 subsections: §3.1 macOS → §3.2 Windows → §3.3 Full MDM Exception → §3.4 Mobile (computer-first, then mobile). Updated Mermaid diagram and all internal cross-references. |
| 0.1.9 | 2026-02-24 | Lucas Shin | §7.2 Control Principles rewritten: Added Enterprise App registration/SSO principle (item 1). Managed Edge routing principle updated with platform-specific DLP scope and policy-only enforcement for non-SSO apps (item 2). Added native app authentication broker (WAM vs Embedded Webview) restrictions and Category B compatibility notes (item 3). Existing account separation and information asset classification items retained (items 4-5). |
| 0.2.0 | 2026-02-25 | Lucas Shin | Windows BYOD APP final settings: copy/paste intentionally allowed (macOS parity — risk accepted, pending CISO approval). Download, save-as, print blocked. Updated §3.2, §5.2, §6.4, §7.2 to reflect platform-aligned DLP posture. Cross-ref: ISMS-PROC-BYOD-03 §3.1/§3.3, Decision Document Q5. |
| 0.2.1 | 2026-02-25 | Lucas Shin | Added §2.4 Asset Management Cross-references — BYOD device asset scope rationale (Standard Definition §3/§6.5), endpoint discovery sources (Asset Management Policy §3.3/§4.3.2), device inventory review procedure (Device Lifecycle §6). |
| 0.2.2 | 2026-03-01 | Lucas Shin | CA policy cross-reference 정합성: §3.1/§3.2/§3.3.3/§3.4 — generic CA references → 3-policy names (CA-Require-AllApps-CompliantOrAPP, CA-Restrict-SPO-Unmanaged, CA-Permit-Guest-MFA). §6.1 → §6.1–§6.3 references. Phase 2-5 ISMS 문서 매핑. |
| 0.3.0 | 2026-03-03 | Lucas Shin | Phase 4 슬림화: §3.1–§3.4 platform architecture details, §6.3–§6.5 data protection mechanisms, §7.2–§7.3 non-M365 app technical controls extracted to ISMS-CONF-BYOD-01. Policy retains summaries with cross-references. |
| 0.3.1 | 2026-03-03 | Lucas Shin | Annex A 추가: System Architecture Overview 다이어그램을 정책서 Annex로 복원 (스펙 참조만 남겼던 것을 다이어그램 + 참조 병행으로 변경). |
Review Schedule
- Quarterly: Exception register review, procedure effectiveness check
- Annually: Full policy review as part of ISO 27001 ISMS management review cycle
- Ad-hoc: Upon significant changes (new platform, licensing change, security incident)
Annex A — System Architecture Overview
The following diagram illustrates the end-to-end BYOD security architecture across all supported platforms. For detailed platform-specific technical descriptions, see ISMS-CONF-BYOD-01 §2.
graph TD
User["Employee Personal Device"]
subgraph "macOS BYOD — ADUE (§3.1)"
UE_mac["ADUE User Enrollment"] -->|"Managed Volume"| Apps_mac["Native M365 Apps (VPP)"]
Comp_mac["Compliance Policy"] -->|"Monitoring"| OS_mac["OS/App Version Check"]
end
subgraph "Windows BYOD — Default Path (§3.2)"
ER["Entra Registered + MAM"] -->|"Edge Only"| EdgeOnly["Managed Edge — M365 Web Apps"]
end
subgraph "Windows BYOD — Full MDM Exception (§3.3)"
EJ["Entra Join + Full MDM"] -->|"Opt-in + Approval"| FullCtrl["Desktop Apps Permitted"]
FullCtrl --> Controls["BitLocker + KFM + Standard User"]
end
subgraph "iOS/Android BYOD — APP + ADUE/Work Profile (§3.4)"
UE_mobile["ADUE / Work Profile"] -->|"Logical Isolation"| Apps_mobile["Managed M365 Apps"]
APP_mobile["App Protection Policy"] -->|"Full DLP"| Apps_mobile
Comp_mobile["Compliance Policy"] -->|"Monitoring"| OS_mobile["OS/App Version Check"]
end
subgraph "Access Control — Entra ID"
CA["Conditional Access"] -->|"Compliance Check"| Decision{"Compliant?"}
Decision -->|"Yes"| Access["M365 and SaaS Access Granted"]
Decision -->|"No"| Block["Access Blocked and Patch Prompted"]
end
subgraph "Self-Hygiene"
Updatest["Updatest App"] -->|"User Action"| Manual["Personal App Update"]
Log["Evidence Records"] -->|"Weekly Submission"| Admin["Security Audit Evidence"]
end
User --> UE_mac
User --> ER
User --> EJ
User --> UE_mobile
Apps_mac --> OS_mac
OS_mac --> CA
EdgeOnly --> CA
Controls --> CA
Apps_mobile --> OS_mobile
OS_mobile --> CA[End of Policy Document]