Jamf Blog
Person using BYOD iPhone enrolled in Jamf Pro
May 25, 2023 by Hannah Hamilton

5 things you need to know about BYOD security

Considering a BYOD program? In this blog, we’ll discuss a few ways BYOD affects your organization's security posture.

Bring your own device (BYOD) programs are becoming more popular, with 83% of companies with a BYOD policy of some kind. It makes sense, after all, since 67% of employees are using their own devices for work purposes anyway.

But there are very real concerns about device and data security surrounding these programs—for instance, how can organizations be sure that employees are safely using their devices for work purposes? What if the device gets lost or stolen? What about user privacy? In this blog, we’ll touch on a few factors to keep in mind when considering a BYOD program.

BYOD devices require different security policies than company-owned devices.

BYOD devices aren’t restricted to business hours—or business purposes. This makes securing these devices more difficult, as organizations have to anticipate how a variety of users will use these devices that have access to corporate data. In order to protect company and personal data, it’s critical to:

  • Strictly enforce user authentication when accessing company resources
  • Allow users to self-enroll into a BYOD program
  • Clearly and regularly communicate expectations to employees
  • Provide secure connections to business applications
  • Enforce data and network security protections
  • Respect user privacy

The strategy here is to give the user seamless access to the tools they need to work while providing device security and user privacy. Implementing this can be a challenge; we won’t fully dive into that in this blog.

Related reading: Jamf BYOD: Alleviate Security and Privacy Concerns

You don’t have to sacrifice user privacy.

Apple devices have a clear distinction between personal and company data—Apple’s User Enrollment workflow creates separate personal and business partitions and keeps each partition isolated from the other. This results in user information being kept private from their company while company data is controlled in its partition.

IT has more control over user devices once they enroll, but that doesn’t mean they’re omnipotent. Here are some of the actions organizations can’t take on employees’ devices:

  • See personal information, usage data or logs
  • Access inventory of personal apps
  • Remove any personal data
  • Access device location
  • Remotely wipe the entire device
  • Take over management of a personal app

Related reading: Mobile BYOD with Jamf and Apple

ZTNA provides secure access to corporate apps.

Since BYOD mobile devices are…well, mobile, they have to securely connect to your company network regardless of their location or local network. In the past, this was largely done with VPN, but VPN gives a device holistic access to your network after the user authenticates once within the allotted session duration. Zero Trust Network Access (ZTNA) instead creates encrypted micro-tunnels to specific apps separately, requiring the user to verify their identity each time. ZTNA combined with a Self Service portal gives employees quick access to apps pre-approved by IT, reducing the prevalence of shadow IT. Not only does this ensure that only trusted users can access company apps, it also provides a seamless experience for users as they do their work.

Related reading: Zero Trust Network Access for Beginners

BYOD policies formalize what employees are already doing.

With more than two-thirds of employees already using their personal devices for work—regardless of their company’s BYOD policies—implementing a formal BYOD program can prevent security issues. By requiring employees to enroll into your MDM, you prevent unauthorized and uncontrolled access to corporate apps and data. If a device gets lost or stolen, it’s much simpler for IT to disallow that device to connect to company resources since it’s a known, enrolled device.

As mentioned above, BYOD Apple devices enrolled via User Enrollment into your MDM separate apps and data into personal and business partitions. This keeps personal information personal and business data contained in its own partition subject to the security policies set by your MDM. IT admins can also set corporate configurations like Wi-Fi, per-app VPN, mail and passcode requirements; and add or remove restrictions that protect corporate data. Additionally, data loss prevention policies prevent company data from ending up in non-managed apps.

In other words, implementing a BYOD policy lets employees keep doing what they’re already doing while giving IT transparency into the devices that access company resources.

Related reading: Account-driven User Enrollment + Service Discovery

User devices enrolled in your MDM are more secure.

Maybe you’re worried about having devices that aren’t fully owned and managed by IT on your network. Following from the previous section, let’s take a closer look into why BYOD devices are more secure once they’re enrolled into your MDM.

  • Endpoint protection detects vulnerable or dangerous apps
  • Regular security checks monitor for out-of-date or vulnerable OS versions
  • Corporate configurations prevent user misconfigurations when connecting to resources
  • Connections to corporate apps are encrypted via ZTNA

The powerful combination of more secure devices, encrypted connections to the company network, user convenience and IT transparency ultimately helps with overall security posture; users have seamless access to the tools they need, reducing shadow IT, while devices and their connections are kept at their most secure with minimal user intervention.

Related reading: Discover a better way to BYOD.

Ready to start your BYOD journey?

Photo of Hannah Hamilton
Hannah Hamilton
Jamf
Hannah Hamilton, Copywriter.
Subscribe to the Jamf Blog

Have market trends, Apple updates and Jamf news delivered directly to your inbox.

To learn more about how we collect, use, disclose, transfer, and store your information, please visit our Privacy Policy.