Device Lifecycle Procedure
Document Number: ISMS-PROC-BYOD-01
Version: 0.1.3
Parent Policy: BYOD Security Policy (ISMS-POL-BYOD-01)
Author: Lucas Shin — Security Director
Last Modified: February 25, 2026
Change Summary (v0.1.3): §6 — Windows MAM-only device review sources clarified (Entra ID Registered Devices + APP reports). Cross-references to Asset Management Policy §3.3/§4.3.2 and Standard Definition §6.5 updated.
1. Purpose
This procedure defines the end-to-end lifecycle of BYOD devices — from initial enrollment through device changes to offboarding — ensuring that corporate data is protected at every stage while respecting the user's personal device ownership.
2. Enrollment Procedure
2.1 Pre-requisites
- User holds a valid Microsoft 365 Business Premium license
- User has signed the BYOD User Consent Form (per parent policy Section 5.3)
- Security Director has confirmed the device meets minimum OS requirements
2.2 Enrollment by Platform
| Platform | Enrollment Method | Isolation Mechanism | What Happens |
|---|---|---|---|
| macOS | User Enrollment via Apple Business Manager (ABM) | Separate APFS volume for work data | Work domain created; personal data untouched |
| iOS / iPadOS | User Enrollment via ABM | Managed apps run in isolated container | Company can manage/delete work app data only |
| Android | Work Profile enrollment | Separate "work space" container | Complete isolation from personal area |
| Windows (Default) | Entra Registered + MAM | Edge browser-level isolation (MAM) | M365 web app access via Managed Edge only; no desktop apps |
| Windows (Full MDM) | Entra Join + Intune Full MDM | Device-level management (no OS volume isolation) | Desktop app access enabled; BitLocker + KFM + Standard User enforced. Requires §2.4 procedure. |
2.3 Enrollment Steps
| Step | Action | Owner |
|---|---|---|
| 1 | User requests BYOD enrollment via email/Teams to Security Director | End User |
| 2 | Security Director verifies license assignment and consent form completion | Lucas |
| 3 | Security Director sends enrollment instructions (platform-specific) | Lucas |
| 4 | User completes enrollment on device (Intune Company Portal / Settings) | End User |
| 5 | Intune automatically deploys mandatory managed apps via VPP | Automated |
| 6 | Security Director verifies device appears as "Compliant" in Intune dashboard | Lucas |
2.4 Windows Full MDM Enrollment Steps (§3.2 Exception Path)
This procedure applies only to Windows users approved for the BYOD Full MDM Exception Path per parent policy §3.2.
| Step | Action | Owner |
|---|---|---|
| 1 | User submits written request for desktop app access with business justification | End User |
| 2 | Security Director evaluates request and approves/denies; records decision in exception register | Lucas |
| 3 | User signs BYOD Full MDM Consent Form (separate from standard BYOD Consent Form) | End User |
| 4 | Security Director provides Entra Join enrollment instructions | Lucas |
| 5 | User performs Entra Join (Settings → Accounts → Access work or school → Connect → Join this device to Azure Active Directory) | End User |
| 6 | Intune Full MDM enrollment completes automatically upon Entra Join | Automated |
| 7 | Security Director verifies: (a) BitLocker enabled + recovery key escrowed to Entra ID, (b) OneDrive KFM active, (c) Standard User enforced, (d) Compliance Policy reporting “Compliant” | Lucas |
| 8 | Security Director updates CA policy to grant device compliance-based access (Require Compliant Device) | Lucas |
| 9 | User confirms Office desktop apps (Teams, Outlook, Word) are accessible | End User |
Evidence: Signed BYOD Full MDM Consent Form, Intune device record, BitLocker recovery key confirmation, exception register entry.
3. Managed App Deployment
3.1 Mandatory Apps (Auto-deployed via VPP)
| App | Purpose | Deployment |
|---|---|---|
| Microsoft Teams | Communication & collaboration | VPP — Required |
| Microsoft Outlook | Corporate email | VPP — Required |
| Microsoft Edge | Managed browser for SaaS access | VPP — Required |
| Intune Company Portal | Device management interface | VPP — Required |
3.2 Optional Apps
- Additional apps may be deployed via VPP as needed
- Apps not available in VPP require an exception request per parent policy Section 7
4. Device Change Procedure
When an employee replaces or adds a new personal device:
| Step | Action | Owner |
|---|---|---|
| 1 | User notifies Security Director of device change | End User |
| 2 | Security Director initiates selective wipe on old device (work data only) | Lucas |
| 3 | Old device removed from Intune inventory | Lucas |
| 4 | User enrolls new device per Section 2.3 enrollment steps | End User |
| 5 | Security Director verifies new device compliance | Lucas |
4.1 Full MDM Device Change (Windows §3.2 Exception Path)
When a Windows Full MDM user replaces their device:
| Step | Action | Owner |
|---|---|---|
| 1 | User notifies Security Director of device change | End User |
| 2 | Security Director initiates Selective Wipe on old device; if it fails, Full Wipe using the escrowed BitLocker recovery key | Lucas |
| 3 | Old device removed from Entra ID and Intune; BitLocker recovery key purged | Lucas |
| 4 | User enrolls new device per §2.4 Full MDM enrollment steps (existing Consent Form remains valid) | End User |
| 5 | Security Director verifies all controls on new device (BitLocker, KFM, Standard User, Compliance) | Lucas |
5. Offboarding Procedure (Termination / Departure)
| Step | Action | Owner | Timeline |
|---|---|---|---|
| 1 | HR/Manager notifies Security Director of employee departure | HR / Manager | As early as possible, minimum 1 business day before last day |
| 2 | Security Director initiates selective wipe (work data only) via Intune | Lucas | Employee's last working day |
| 3 | Disable user's Entra ID account (blocks all M365/SaaS access immediately) | Lucas | Employee's last working day |
| 4 | Remove device from Intune inventory | Lucas | Within 24 hours of last day |
| 5 | Revoke M365 license assignment | Lucas | Within 7 days |
| 6 | Confirm with departing employee that personal data is intact (optional courtesy) | Lucas | Last day |
Important (Standard BYOD): Only a selective wipe (work data only) is performed on standard BYOD devices. A full device wipe is never performed — the device belongs to the employee.
5.1 Full MDM Offboarding (Windows §3.2 Exception Path)
For Windows devices enrolled under the BYOD Full MDM Exception Path, the offboarding procedure includes escalation to Full Wipe as consented by the user.
| Step | Action | Owner | Timeline |
|---|---|---|---|
| 1 | HR/Manager notifies Security Director of employee departure | HR / Manager | Minimum 1 business day before last day |
| 2 | Security Director initiates Selective Wipe via Intune (remove corporate apps, accounts, policies) | Lucas | Employee’s last working day |
| 3 | If Selective Wipe succeeds: proceed to Step 5. If it fails (device offline, tampered, etc.): proceed to Step 4 | Lucas | Within 24 hours |
| 4 | Full Wipe (factory reset) using the escrowed BitLocker recovery key, as consented to in the Opt-in Agreement | Lucas | Within 48 hours of last day |
| 5 | Disable user’s Entra ID account | Lucas | Employee’s last working day |
| 6 | Remove device from Entra ID and Intune; purge BitLocker recovery key | Lucas | Within 24 hours |
| 7 | Revoke M365 license; update exception register with offboarding date and wipe method used | Lucas | Within 7 days |
Note: Full Wipe is a last resort and only executed when Selective Wipe has failed. The user’s prior Opt-in Consent (BYOD Full MDM Consent Form) provides the legal basis for this action. All wipe actions are logged in the Intune audit trail and recorded in the exception register.
6. Device Inventory Review
ISO 27001 Annex A.8.1 requires that endpoint devices accessing corporate data are identified and managed. For BYOD devices, the authoritative device inventory varies by platform enrollment type. This section defines the periodic review procedure to ensure the inventory remains accurate.
- macOS (ADUE) / iOS / Android: Intune Devices inventory (device is enrolled directly in Intune)
- Windows MAM-only (Default): device does not appear in Intune Devices → must be checked in both Entra ID → Devices → Registered Devices and Intune → App Protection Policy (APP) reports
- Windows Full MDM: Intune Devices inventory (registered as an Entra Joined device)
6.1 Review Schedule
| Frequency | Activity | Owner |
|---|---|---|
| Quarterly | Full Intune device inventory review (aligned with Risk Register quarterly review) | Security Director |
| On event | Review triggered by personnel change, security incident, or significant policy update | Security Director |
6.2 Review Steps
| Step | Action | Owner |
|---|---|---|
| 1a | Intune-enrolled devices: Export device list from Intune (Devices → All devices) — covers macOS ADUE, iOS, Android, Windows Full MDM | Security Director |
| 1b | Windows MAM-only devices: Export registered device list from Entra ID → Devices (filter: Registered). Cross-reference with Intune → Apps → App protection policies → [Policy] → User report to confirm active MAM usage | Security Director |
| 2 | Cross-check enrolled/registered devices against active employee list — identify devices belonging to departed users or unknown owners | Security Director |
| 3 | Identify non-compliant devices (Compliance Status ≠ Compliant) and devices inactive for 90+ days. For Windows MAM-only: check APP report for last sync date | Security Director |
| 4 | For stale or orphaned devices: initiate selective wipe and remove from Intune | Security Director |
| 5 | For non-compliant devices: contact user and set a 14-day remediation deadline. If unresolved, block access via CA and escalate per BYOD Policy §6 | Security Director |
| 6 | Record review outcome: date, total devices, actions taken, unresolved items | Security Director |
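The reconciliation in Steps 1 to 6 above can be carried out offline against the exported lists. The following Python script is an added illustration of that review logic, not part of this procedure or of any Microsoft tooling. The CSV column names, device names, UPNs, dates and the review date (2026-02-25) are constructed sample data; real Intune and Entra exports should be mapped onto the same fields before use. It merges the Intune device export (Step 1a) with the Entra registered-device list cross-referenced against the APP user report (Step 1b), flags orphaned owners (Step 2), stale and non-compliant devices (Step 3), and produces the review record with 14-day remediation dates (Steps 5 and 6).

```python
"""Constructed BYOD inventory reconciliation for the quarterly §6.2 review."""
import csv
import io
from datetime import date, timedelta

STALE_DAYS = 90            # Step 3: inactive for 90+ days
REMEDIATION_DAYS = 14      # Step 5: remediation deadline
TODAY = date(2026, 2, 25)  # constructed review date

# Step 1a: constructed sample of an Intune "All devices" export.
# Column names are assumed; map real export headers onto them.
INTUNE_EXPORT = """\
Device name,OS,Compliance,Last check-in,Primary user UPN
alice-mbp,macOS,Compliant,2026-02-24,alice@example.com
bob-iphone,iOS,Noncompliant,2026-02-20,bob@example.com
carol-pixel,Android,Compliant,2025-11-01,carol@example.com
dave-win11,Windows,Compliant,2026-02-23,dave@example.com
"""

# Step 1b: constructed Entra ID registered-device export (Windows MAM-only).
ENTRA_REGISTERED = """\
Display name,Join type,Owner UPN
erin-laptop,Microsoft Entra registered,erin@example.com
frank-laptop,Microsoft Entra registered,frank@example.com
grace-laptop,Microsoft Entra registered,grace@example.com
"""

# Step 1b: constructed APP user report; grace-laptop has never synced.
APP_USER_REPORT = """\
User,Device name,Last sync
erin@example.com,erin-laptop,2026-02-22
frank@example.com,frank-laptop,2025-10-15
"""

# Constructed active employee list from HR (dave has departed).
ACTIVE_EMPLOYEES = {"alice@example.com", "bob@example.com", "carol@example.com",
                    "erin@example.com", "frank@example.com", "grace@example.com"}


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def normalize_records(intune_csv, entra_csv, app_csv):
    """Merge the Intune and Entra/APP sources into one list with a common shape."""
    devices = []
    for row in parse_csv(intune_csv):
        devices.append({
            "name": row["Device name"],
            "owner": row["Primary user UPN"].lower(),
            "source": "intune",
            "compliant": row["Compliance"] == "Compliant",
            "last_seen": date.fromisoformat(row["Last check-in"]),
        })
    # APP report gives the only activity signal for MAM-only devices.
    app_sync = {(r["User"].lower(), r["Device name"]): date.fromisoformat(r["Last sync"])
                for r in parse_csv(app_csv)}
    for row in parse_csv(entra_csv):
        if row["Join type"] != "Microsoft Entra registered":
            continue  # Entra Joined devices are already in the Intune export
        owner = row["Owner UPN"].lower()
        devices.append({
            "name": row["Display name"],
            "owner": owner,
            "source": "entra-mam",
            "compliant": None,  # no Intune compliance state for MAM-only
            "last_seen": app_sync.get((owner, row["Display name"])),
        })
    return devices


def review_inventory(devices, active_users, today=TODAY, stale_days=STALE_DAYS):
    """Steps 2 and 3: orphaned, stale, non-compliant, and never-synced devices."""
    findings = {"orphaned": [], "stale": [], "noncompliant": [], "no_mam_activity": []}
    for d in devices:
        if d["owner"] not in active_users:
            findings["orphaned"].append(d["name"])
        if d["last_seen"] is None:
            findings["no_mam_activity"].append(d["name"])  # registered but no APP usage
        elif (today - d["last_seen"]).days >= stale_days:
            findings["stale"].append(d["name"])
        if d["compliant"] is False:
            findings["noncompliant"].append(d["name"])
    return findings


def remediation_deadline(today=TODAY):
    return today + timedelta(days=REMEDIATION_DAYS)


def review_record(findings, devices, today=TODAY):
    """Steps 4 to 6: actions per finding and the record kept for the review log."""
    return {
        "date": today.isoformat(),
        "total_devices": len(devices),
        "wipe_and_remove": sorted(set(findings["orphaned"] + findings["stale"])),
        "remediate_by": {n: remediation_deadline(today).isoformat()
                         for n in findings["noncompliant"]},
        "unresolved": list(findings["no_mam_activity"]),
    }


if __name__ == "__main__":
    devs = normalize_records(INTUNE_EXPORT, ENTRA_REGISTERED, APP_USER_REPORT)
    print(review_record(review_inventory(devs, ACTIVE_EMPLOYEES), devs))
```

Devices that are Entra registered but have no APP activity are reported as unresolved rather than wiped, since the absence of a sync record may mean the user never completed MAM setup; they should be confirmed with the user before removal.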
6.3 Audit Evidence
When an ISO 27001 auditor requests the BYOD device inventory:
- Device list — Live export from Intune (Devices → All devices → Export)
- Compliance status — Intune Compliance dashboard screenshot
- Review record — Quarterly review log (date, findings, actions)
Note: Individual BYOD devices are not registered in the Information Asset Register. BYOD device inventory is maintained for access control purposes (compliance enforcement, offboarding, audit, stale device cleanup). See Asset Management Policy (ISMS-POL-ASM-01) §3.3 and §4.3.2 for discovery methodology, and Information Asset Identification — Standard Definition (ISMS-STD-ASM-01) §6.5 for scope rationale.
7. Evidence and Records
| Record | Retention | Storage |
|---|---|---|
| Enrollment confirmation (Intune device record) | Duration of employment + 12 months | Intune / Exported to SharePoint |
| Signed BYOD User Consent Form | Duration of employment + 12 months | SharePoint (HR folder) |
| Selective wipe confirmation | 12 months | Intune audit log / SharePoint |
| Offboarding checklist completion | 12 months | SharePoint |
| Signed BYOD Full MDM Consent Form | Duration of employment + 12 months | SharePoint (HR folder) |
| BitLocker recovery key escrow confirmation | Until device offboarded + 90 days | Entra ID / Exported to SharePoint |
| Full Wipe confirmation (if executed) | 12 months | Intune audit log / SharePoint |
| Exception register entry (Full MDM approval) | Duration of employment + 12 months | SharePoint |
[End of Procedure]