What is an Acceptable Use Policy (AUP)?
Anyone who has ever owned (or worked in) a company of just about any size has come across an Acceptable Use Policy, whether they were tasked with creating one or, more likely, asked to read and sign it as an acknowledgment that they understand the behavior and actions their employer expects of them.
Aside from the employment aspect, AUPs are everywhere. From software licensing agreements to accessing information from websites, an acceptable use policy is commonplace and practiced by many organizations, even if it may sometimes go unnoticed, as "the fine print" has a tendency to be glossed over.
Nonetheless, whether given a cursory glance or a thorough deep-dive, AUPs are binding agreements between the providers of a product or service and the users of the product or service.
But before we get into the weeds of why AUPs are important or what’s included in one, let’s take a beat to define it, first.
Since there is no direct definition (in the dictionary, at least) for AUP, let’s break it down to its two basic terms: "acceptable use" and "policy."
The former is straightforward: pleasing to the receiver; satisfactory; agreeable; welcome.
The latter, policy: a definite course or method of action selected from among alternatives and in light of given conditions to guide and determine present and future decisions.
Put them both together and you arrive at the basic understanding of what Acceptable Use Policy means: a set of rules that restrict the ways in which a product or service may be used while setting guidelines as to how it should be used.
Often, AUPs may also include verbiage identifying specific behaviors and actions that restrict how their product should be used.
As it pertains to the use of technology policies in the workplace, AUPs are written for businesses, schools and service providers like ISPs, cloud-based applications and websites, often to:
- Reduce liability from legal action
- Maintain quality of service (QoS)
- Set expectations for usage
- Comply with regulatory oversight
- Enforce business practices and continuity
AUP example: data and streaming
An organization that recently migrated to a remote work environment relies on its employees to remain productive in order to continue business operations. To do so, the company has provided employees with organizationally-owned MacBook Pro laptops and Apple iPhones as part of a COPE ownership model allowing end-users to use the devices for personal use, as well.
One common expectation associated with corporate cellular plans is that data pools will be shared among all employees. If one employee uses fifty percent of the allotted data for the month by streaming videos all day long, this could represent two issues:
- The employee may not be completing their assigned workload due to watching video streams instead of being productive during work hours;
- The excessive bandwidth use could be draining data pools sooner than expected, leaving little to no bandwidth available for other users trying to stay productive.
In this example, requiring all users to read and acknowledge understanding of the rules by signing an AUP helps to curb these actions from occurring by:
- Setting restrictions on accessing streaming platforms during work hours;
- Detailing how data pools work, and providing each employee with their theoretical limit.
What do you include in an AUP?
Everything! Ok, maybe not everything, but certainly everything that will serve to make your acceptable use policy for employees effective. There is no "one size fits all" solution that applies to AUPs. There are AUP templates that can help you get started, but AUPs will inevitably differ from organization to organization just as their needs differ.
That being said, here are some guidelines for drafting concise, effective AUPs:
- Provide examples and/or permitted alternatives
- Cover both intentional and inadvertent violation types
- Explain how you monitor and enforce policy compliance
- Detail remediation actions and consequences for violations
- Include all user types – no exceptions
- Outline social media use do's and don'ts
- Make it unique to your organization
- Be crystal clear in wording – leave nothing to interpretation
Additional points to consider addressing in your AUP
Does your organization provide hardware to employees for work use? Is personal use permitted? If so, to what degree?
Are employee-owned devices expected to enroll with the company’s MDM? What kinds of commands will admins be able to perform on personally-owned devices?
How is end-user privacy treated? What data does the organization have access to? Where does it store that and for how long?
If your organization is fully remote, hybrid or planning to be, be sure to include how the policies apply if users are working from different physical locations and other countries. It’s important to acknowledge that some regions have stricter laws than others and this will directly impact the accuracy and effectiveness of your AUP.
If your organization works with data from Europe, for example, you may be subject to GDPR laws. If an employee uses a piece of software that is not GDPR-certified, this could result in compliance violations, regardless of where your company headquarters are located.
Your organization – and the employees that support it – may be subject to local, state, federal, and/or region-specific laws. This includes various regulations that may be region, country and/or industry-specific. Knowing the ins and outs of each is critical to stay clear of costly compliance violations that may include expensive civil and/or criminal punishments.
Why are AUPs important for employees?
As mentioned above, AUPs are written by the organization that manages a product or service. This is done primarily to protect its interests. However, a properly written AUP not only consists of clear, concise language that explains the expectations surrounding the use of a product or service, but also provides a level of protection for the user (in this case, the employees).
AUPs are an integral part of a solid Information Security framework. Identifying what users can and cannot do and should and should not do helps users to keep away from actions that could potentially affect them (and the company) negatively. This helps them to avoid situations that may be deemed unfair and may even result in administrative and/or legal action.
How can my organization enforce AUPs?
Revisiting the scenario above, the employee signed a document detailing acceptable use. The guidelines are clear and easy to understand. But what now? Does an AUP really prevent the employee from streaming during work hours and using up the shared data pool?
In a word, no. However, as with most IT-related matters, there are multiple ways to piece controls together to enforce management policies. AUPs are no different, except that they provide the written guidelines explaining how end-users are expected to conduct themselves, and what to do and not do.
By pairing this with software that provides content filtering and enforces data caps, like Jamf Data Policy, IT admins implement security controls that restrict which websites can be reached, enforcing the acceptable use guidelines. Additionally, when the employee reaches a configured threshold – knowingly or unknowingly – admins will receive an alert. Then, the solution will automatically block access to Internet-based resources or perhaps simply throttle their cellular connection to a much lower speed.
What can software that enforces AUPs do for my company?
- Avoid “bill shock” due to bandwidth overuse
- Set data caps for users to mitigate excessive usage
- Provide granular logging of usage
- Limit access to illicit/non-compliant websites
- Allow employees to remain productive
- Offer real-time alert notifications for users and admins
- Permit IT to modify configurations, as necessary
Ultimately, what you include in your AUP and how you choose to enforce compliance will depend solely on your organizational needs, the products and services you provide and how your employees are expected to conduct themselves. Give additional consideration to where all of your operating locations are and where your end-users and customers or clients are based. Spend time considering any other details that are critical to the operation of your products and services or unique to your organization.
AUPs + Jamf = Happy, productive users!
With Jamf Pro, IT can keep performance optimal throughout a device lifecycle by enforcing organizational policies.