BYOD (bring your own device) policy
A bring-your-own-device policy covering enrollment, security baseline, what the company can and can't see, and what happens at termination.
BYOD Policy
Effective
1. Scope
This policy applies to any personal device — phone, tablet, laptop — used to access systems or store Company data. Use of a personal device for work is voluntary and is offered as an alternative to a Company-issued device.
2. Enrollment
Before a personal device is used for work, it must be enrolled in the Company's device-management system: . Enrollment installs a work profile (containerized where the platform supports it) that separates Company data from your personal data. Personal photos, messages, and apps are not visible to the Company.
3. Security baseline
Devices used for work must: (a) require a passcode, biometric, or equivalent unlock; (b) have automatic OS updates enabled; (c) have full-disk encryption enabled; (d) have remote-lock and remote-wipe capability; (e) not be jailbroken or rooted; (f) install Company-mandated security apps (e.g. anti-malware where applicable).
4. What the Company can — and can't — see
Through the work profile / MDM, the Company can see device compliance status, whether the device is encrypted, OS version, the list of Company-managed apps and Company data within them, and physical device identifiers. The Company cannot see personal apps, browsing history, photos, messages, location data outside business hours, or content in personal apps. The Company will not access personal data and will not use MDM telemetry for performance management.
Page 1 of 3
5. Stipend / reimbursement
Some US states (notably California, Illinois) require employers to reimburse necessary work-related personal-device costs — the stipend is intended to satisfy that obligation in those states.
6. Lost or stolen device
Report a lost or stolen device to IT immediately. The Company will remote-wipe the work profile (Company data and managed apps only) — your personal data is preserved. Use the Company's remote-find tools to locate the device if appropriate.
7. Termination of employment
When your employment ends, the Company will remove the work profile from your device. This selectively wipes Company data and managed apps; personal data is untouched. You can then use the device entirely as a personal device.
8. Withdrawing from BYOD
You can withdraw from BYOD at any time and request a Company-issued device instead. The Company will remove the work profile and provision a corporate device within a reasonable timeframe.
Acknowledgement
I have read this policy, agree to enroll my personal device in the Company's MDM, and understand the limited visibility the Company has into the device. I confirm that BYOD is voluntary and that I may opt out at any time.
Page 2 of 3
Made with WalnutsHR Paper · Reviewed for Ontario · April 2026
Page 3 of 3
No compliance hints for this jurisdiction yet — your document looks good for the basics. Have a lawyer review before sending anything consequential.
About this template
BYOD policies are a privacy negotiation as much as a security one. Get the boundaries right and employees gladly use their own devices; get them wrong and you'll face complaints about over-monitoring or, worse, an employee with non-compliant access to Company data.
When to use it
- Employees regularly access Company email or systems on personal phones.
- You're rolling out MDM (Jamf, Intune, Workspace ONE, Kandji) for the first time.
- You operate in a privacy-sensitive industry (healthcare, financial services, legal).
What to include
- Voluntary, with a Company-device alternative.
- MDM enrollment requirement.
- Specific security baseline (passcode, encryption, updates).
- Explicit visibility section — what the Company can / can't see.
- Stipend or reimbursement clause (especially for California, Illinois).
- Lost / stolen device process — selective wipe.
- End-of-employment process — selective wipe, not full wipe.
- Withdrawal mechanism for employees who change their mind.
Frequently asked questions
Can we full-wipe a personal device at termination?
You can if the policy says so and the employee consented — but it's a privacy minefield and can constitute conversion if it deletes personal data. Best practice is selective wipe (work profile only). Most modern MDMs default to this.
Do we have to pay for the employee's phone bill?
In California (Cochran v. Schwan's Home Service) and Illinois, yes — at least the work-related portion, often satisfied by a flat stipend. Other US states and most Canadian provinces don't require it. Even where not required, a small stipend reduces friction and disputes.
What about jurisdictions where personal-device monitoring is restricted?
Quebec's Law 25 and some EU rules require explicit consent and minimization. The visibility section above is intended to satisfy that requirement, but if you operate in multiple jurisdictions verify with privacy counsel.
Legal disclaimer. BYOD intersects privacy law (Canada PIPEDA, Quebec Law 25, US state privacy laws), labour standards (reimbursement of necessary expenses in CA, IL, etc.), and discovery in litigation. Get the data-residency and privacy-protection details reviewed by privacy counsel — particularly in Quebec where Law 25 imposes specific obligations.
Related templates
Remote work policy & agreement
A combined policy and individual agreement for remote and hybrid work — hours, equipment, expenses, data security, and jurisdiction of employment.
OpenConfidentiality (NDA) agreement
A mutual or one-way non-disclosure agreement with IP carveouts and a jurisdiction-aware governing-law clause.
OpenSave it. Brand it. Sign it.
Sign up free to save your templates, brand them with your logo, and send for e-signature — all from your WalnutsHR dashboard.
Your primary HR database is hosted in a Canadian region. Subprocessors and cross-border processing are disclosed in our privacy policy.
30-day free trial · No credit card required