Acceptable Use Policy for workplace technology
Organizations use Acceptable Use Policies (AUP) to set forth guidelines for employees and company practices. This aligns expectations for the use of computers and mobile devices with industry best practices, laws and regulatory compliance.
What is an Acceptable Use Policy (AUP)?
Anyone who has ever owned (or worked in) a company of just about any size has come across an Acceptable Use Policy, whether they were tasked with creating one or, more likely, asked to read and sign it as an acknowledgment that they understand the behavior and actions their employer expects of them.
Aside from the employment aspect, AUPs are everywhere. From software licensing agreements to accessing information from websites, acceptable use policies are commonplace and practiced by many organizations, even if they sometimes go unnoticed as "the fine print" that tends to be glossed over.
Nonetheless, whether given a cursory glance or a thorough deep-dive, AUPs are binding agreements between the providers of a product or service and the users of the product or service.
But before we get into the weeds of why AUPs are important or what's included in one, let's take a beat to define the term first.
Since there is no direct definition (in the dictionary, at least) for AUP, let’s break it down to its two basic terms: "acceptable use" and "policy."
The former is straightforward: pleasing to the receiver; satisfactory; agreeable; welcome.
The latter, policy: a definite course or method of action selected from among alternatives and in light of given conditions to guide and determine present and future decisions.
Put them together and you arrive at the basic understanding that an Acceptable Use Policy is a set of rules that restricts the ways in which a product or service may be used while setting guidelines as to how it should be used.
What is covered by an AUP?
AUPs often also include language identifying specific behaviors and actions that restrict how the product may be used.
As it pertains to the use of technology policies in the workplace, AUPs are written for businesses, schools and service providers like ISPs, cloud-based applications and websites, often to:
- Reduce liability from legal action
- Maintain quality of service (QoS)
- Set expectations for usage
- Comply with regulatory oversight
- Enforce business practices and continuity
AUP example: data and streaming
An organization that recently migrated to a remote work environment relies on its employees to remain productive in order to continue business operations. To do so, the company has provided employees with organizationally-owned MacBook Pro laptops and Apple iPhones under a COPE (corporate-owned, personally enabled) ownership model, which allows end users to use the devices for personal purposes as well.
One common expectation associated with corporate cellular plans is that data pools will be shared among all employees. If one employee uses fifty percent of the allotted data for the month by streaming videos all day long, this could represent two issues:
- The employee may not be completing their assigned workload due to watching video streams instead of being productive during work hours;
- The excessive bandwidth use could be draining data pools sooner than expected, leaving little to no bandwidth available for other users trying to stay productive.
In this example, requiring all users to read and acknowledge the rules by signing an AUP helps curb these behaviors by:
- Setting restrictions on accessing streaming platforms during work hours;
- Detailing how data pools work, and providing each employee with their theoretical limit.
What do you include in an AUP?
Everything! Ok, maybe not everything, but certainly everything that will serve to make your acceptable use policy for employees effective. There is no "one size fits all" solution that applies to AUPs. AUP templates can help you get started, but AUPs will inevitably differ from organization to organization, just as organizations' needs differ.
That being said, here are some guidelines for drafting concise, effective AUPs:
- Provide examples and/or permitted alternatives
- Cover both intentional and inadvertent violation types
- Explain how you monitor and enforce policy compliance
- Detail remediation actions and consequences for violations
- Include all user types — no exceptions
- Outline social media use do's and don'ts
- Make it unique to your organization
- Be crystal clear in wording — leave nothing to interpretation
Does AUP coverage differ between desktop computers and mobile devices?
Generally speaking, no. Where coverage or allowances for keeping company data secure are concerned, AUPs are written to define clearly the expectations the company has for the use and care of its data and the systems its users access. This extends to users working on personally-owned devices. Even though an employee may have the right to use a BYO device to work with company data, they are still bound to follow the stipulations outlined in the AUP so that company data (which they do not own) is safeguarded.
Because mobile devices are inherently designed as single-user devices, their personal nature often carries additional user-privacy concerns. Even on a company-sanctioned mobile device, the user's privacy comes into play when the device is used for personal reasons, such as connecting to a wireless network outside the office or making a non-business-related phone call.
To avoid the see-saw effect of trading privacy for security (or the reverse), separating data into distinct volumes gives both organizations and users peace of mind: one encrypted volume stores only company data, while the other stores personal data, preventing the two from co-mingling. This is a worthwhile addition to your acceptable use policy for mobile devices, ensuring that company data remains managed and secured while privacy is upheld, regardless of who owns the hardware.
Additional points to consider addressing in your AUP
CYOD/COPE
Does your organization provide hardware to employees for work use? Is personal use permitted? If so, to what degree?
BYOD
Are employee-owned devices expected to enroll with the company’s MDM? What kinds of commands will admins be able to perform on personally-owned devices?
Privacy
How is end-user privacy treated? What data does the organization have access to? Where does it store that and for how long?
Work environments
If your organization is fully remote, hybrid or planning to be, be sure to include how the policies apply when users are working from different physical locations and other countries. It's important to acknowledge that some regions have stricter laws than others, and this will directly impact the accuracy and effectiveness of your AUP.
International considerations
If your organization works with data from Europe, for example, you may be subject to GDPR laws. If an employee uses a piece of software that is not GDPR-certified, this could result in compliance violations, regardless of where your company headquarters are located.
Compliance
Your organization, and the employees that support it, may be subject to local, state, federal and/or region-specific laws. This includes various regulations that may be region-, country- and/or industry-specific. Knowing the ins and outs of each is critical to steering clear of costly compliance violations that may carry expensive civil and/or criminal penalties.
Why are AUPs important for employees?
As mentioned above, the organization that manages a product or service writes the AUP, primarily to protect its own interests. However, a properly written AUP not only uses clear, concise language to explain the expectations surrounding the use of a product or service, but also provides a level of protection for the user (in this case, the employees).
AUPs are an integral part of a solid Information Security framework. Automating the display of an AUP that clearly identifies what users can and cannot do, and should and should not do, helps users steer clear of actions that could negatively affect them (and the company). Requiring users to acknowledge these terms helps them avoid situations that may be deemed unfair and may even result in administrative and/or legal action.
How can my organization enforce AUPs?
Revisiting the scenario above, the employee signed a document detailing acceptable use. The guidelines are clear and easy to understand. But what now? Does an AUP really prevent the employee from streaming during work hours and using up the shared data pool?
In a word, no. However, as with most IT-related matters, there are multiple ways to piece controls together to enforce management policies. AUPs are no different, except that they provide the written guidelines explaining how end users are expected to conduct themselves, and what to do and what not to do.
By pairing the AUP with software that provides content filtering and enforces data caps, like Jamf Data Policy, IT admins implement security controls that restrict which websites can be reached, turning the acceptable use guidelines into enforced controls. Additionally, when an employee reaches a configured threshold (knowingly or unknowingly), admins receive an alert, and the solution can then automatically block access to Internet-based resources or simply throttle the cellular connection to a much lower speed.
Enforcing AUPs in the enterprise using Jamf Pro
What can software that enforces AUPs do for my company?
- Avoid “bill shock” due to bandwidth overuse
- Set data caps for users to mitigate excessive usage
- Provide granular logging of usage
- Limit access to illicit/non-compliant websites
- Allow employees to remain productive
- Offer real-time alert notifications for users and admins
- Permit IT to modify configurations, as necessary
Ultimately, what you include in your AUP and how you choose to enforce compliance with Jamf Pro policies will depend solely on your organizational needs, the products and services you provide and how your employees are expected to conduct themselves. Give additional consideration to all of your operating locations and to where your end users, customers or clients are based. Spend time considering any other details that are critical to the operation of your products and services or unique to your organization.
AUPs + Jamf = Happy, productive users!
Develop a strong Acceptable Use Policy that keeps productivity optimal while ensuring data security and user privacy across your enterprise.