---
name: byod-policy-drafter
description: Draft a Bring-Your-Own-Device policy for an SMB — device eligibility, MDM enrolment rules, data-separation model, acceptable use, stipend approach, leaver data-recovery, and a staff FAQ.
version: 1.0.0
author: VantagePoint Networks
author_url: https://www.vpnetworks.co.uk
audience: IT Managers, DPOs, HR Managers, Compliance Leads, MSPs advising SMBs on mobile management
output_format: Formatted Markdown policy document with scope, eligibility, enrolment procedure, data-handling rules, acceptable use, stipend model, offboarding, staff FAQ, and sign-off page.
license: MIT
last-reviewed: 2026-04
---

# BYOD Policy Drafter

A Claude Code skill for drafting a Bring-Your-Own-Device policy that actually answers the questions staff and auditors ask — beyond the one-page "install Intune, we'll wipe your phone if you leave" note most SMBs started with.

## How to use this skill

1. Download this `SKILL.md` file.
2. Place it in `~/.claude/commands/` (macOS/Linux) or `%USERPROFILE%\.claude\commands\` (Windows).
3. In Claude Code, run `/byod-policy-drafter`. Describe your organisation. Answer the clarifying questions. Receive a policy ready for legal and HR review.

## When to use this

- You're rolling out MDM (Intune, Jamf, Workspace ONE) and need the policy before enrolment.
- Cyber Essentials / ISO 27001 / an insurer has flagged BYOD as a gap.
- Staff have started using personal phones for Teams / Outlook and you realised there's no policy.
- You're a legal / accountancy firm in a regulated sector where client-data protection needs explicit BYOD rules.
- You want a policy that staff will accept — not one so strict it drives shadow-IT.

## What you'll get

A single Markdown document containing:

- **Scope** (who it applies to, which devices, which data)
- **Eligibility criteria** (roles, role-by-role data-access levels)
- **Device requirements** (OS versions, patching, encryption, biometric lock, remote-wipe support)
- **Enrolment procedure** (MDM steps, what the user sees, what happens if they decline)
- **Data-separation model** (work profile / container / app protection / selective wipe)
- **Acceptable use** (including how AI features on personal devices are handled)
- **Personal data on work accounts** rules (what the employer will and won't see)
- **Stipend model** (how any financial contribution works)
- **Leaver procedure** (selective wipe, personal data recovery, MFA reset)
- **Incident handling** (lost/stolen device, compromise, resignation under stress)
- **Staff FAQ**
- **Sign-off page** with acknowledgement

## Clarifying questions I will ask you

1. **Organisation size and sector?**
2. **What's the driver for BYOD?** (cost, remote working, staff preference, contract flexibility)
3. **Which device types in scope?** (phones, tablets, laptops — often different policies per type)
4. **Which data will BYOD access?** (email only / email + Teams / full SaaS / access to client files)
5. **MDM platform in place?** (Intune, Jamf, Workspace ONE, Google MDM, none)
6. **Do you provide a stipend?** (yes — how much; no; mixed)
7. **Any regulator or client constraint?** (SRA, FCA, ICAEW, client contracts requiring device compliance)
8. **Staff preference so far?** (enthusiastic / reluctant / divided)
9. **Known edge-cases?** (field staff, bereaved employees' devices, stolen devices, employee in dispute)
10. **Tone target?** (permissive / balanced / cautious)
11. **Policy owner?** (IT Manager, DPO, HR)
12. **Target publication?**

## Output template

```markdown
# Bring-Your-Own-Device (BYOD) Policy — <organisation>

**Version:** 1.0 · **Effective date:** <date> · **Review date:** <date + 12 months>
**Owner:** <role> · **Approved by:** <role>

## 1. Purpose
This policy sets out how personal devices may be used to access <org> systems and data, how the two are kept separate, and the rules both the employee and the employer agree to.

## 2. Scope
Applies to all personal devices (phones, tablets, personal laptops) used to access <org> email, calendar, Teams, SharePoint, or any business application. Does NOT apply to devices fully owned by <org> (those are covered by the Company-Owned Device policy).

## 3. Eligibility
| Role | BYOD allowed? | Data access level | Notes |
|---|---|---|---|
| Partners / Directors | Yes | Full | MDM enrolment required |
| Fee earners / Professionals | Yes | Full | MDM enrolment required |
| Admin / Support staff | Yes | Email + Teams + limited SharePoint | MDM enrolment required |
| Contractors | Case-by-case | Per contract scope | MDM enrolment required; separate agreement |
| New joiners | After 30 days / induction complete | Per role above | — |
| Roles handling restricted data (HR, finance, privileged client files) | Yes, but with additional controls | Per role | Compliant device only, hardware-backed keys |

## 4. Device Requirements
Before enrolment, the device must meet:

| Requirement | iOS | Android | Windows | macOS |
|---|---|---|---|---|
| Minimum OS version | iOS <N> or later | Android <N> or later | Windows 11 22H2 or later | macOS <N> or later |
| Storage encryption enabled | Default on | Verified on enrolment | BitLocker | FileVault |
| Screen lock / biometric | Required | Required | Required | Required |
| Auto-lock timeout | ≤ 5 min | ≤ 5 min | ≤ 10 min | ≤ 10 min |
| OS updates applied | Within 14 days of release | Within 14 days | Within 14 days | Within 14 days |
| Remote-wipe support (selective) | Via MDM | Via work profile | Via Intune | Via Jamf/Intune |
| Rooted / jailbroken devices | Prohibited | Prohibited | — | — |
| Personal VPN / MDM bypass | Prohibited while accessing work data | Same | Same | Same |

## 5. Enrolment Procedure
1. Employee reviews this policy and signs the acknowledgement (§12).
2. Employee installs <MDM tool> from the official app store / installer.
3. Employee enrols following the guide at <link>. No admin rights handed over to employee.
4. MDM applies:
   - **Work profile / container / app-protection policy** separating <org> apps and data from personal
   - Conditional Access requirements (compliant device)
   - Automatic compliance checks on OS version, encryption, lock
5. First-use test — employee signs in to Teams / Outlook and verifies it works.
6. Enrolment recorded in MDM, device added to IT register.

**If enrolment fails / device ineligible:**
- Alternative: employee uses company-owned device or web-only access from a managed session.
- No employee is required to buy a new personal device for work.

## 6. Data-Separation Model
We use <work-profile / app-protection / selective-wipe> — not full-device MDM. In plain English:
- <Org> data lives in <org> apps only (Teams, Outlook, Word, SharePoint via the iOS/Android app, etc.).
- <Org> cannot see personal apps, personal photos, personal messages, personal email, personal browsing.
- <Org> CAN see: which <org> apps are installed, device compliance status (OS version, encryption, lock), MDM-scoped settings.
- <Org> CAN do: remotely remove <org> data and apps (selective wipe) without touching personal data.
- <Org> CANNOT do: remotely wipe personal data; track location; read personal messages.

## 7. Acceptable Use on Personal Device
When accessing <org> data on a personal device, the employee agrees:
- No copy-paste of <org> data out of <org> apps into personal apps (managed by app-protection where supported).
- No screenshots of confidential / restricted material except where needed for legitimate work use.
- No storing <org> files on personal cloud (iCloud, Google Drive, Dropbox).
- No letting family or friends use the device while <org> data is accessible.
- AI features on the device (Apple Intelligence, Gemini, Copilot+ PC features) may only be used with <org> data as permitted by our AI Use Policy.
- Personal messaging channels (WhatsApp, SMS) are not approved for <org> confidential data.

## 8. What the Employer Sees, What It Doesn't
Full transparency — what the MDM console shows IT:
- ✅ Device model, OS version, app inventory for <org> apps only
- ✅ Compliance status (encrypted? locked? OS current?)
- ✅ Last check-in time
- ❌ Personal apps' contents
- ❌ Personal photos, messages, call history
- ❌ Location (except, rarely, during a specific incident response and only with the employee's consent)
- ❌ Browser history on personal browser

## 9. Stipend (if applicable)
- Stipend: £<N>/month, paid <with salary / quarterly>.
- Covers: proportion of mobile data, basic device wear.
- Does not cover: device purchase, accessories, repair of personal device damage.
- Opt-out available for staff who prefer company-owned; no stipend for company-device users.
- Reviewed annually.

## 10. Leaver / Role-Change Procedure
When employment ends or role changes such that BYOD access is no longer needed:
1. IT initiates a **selective wipe** via MDM — removes <org> data and apps only.
2. Personal data, apps, and media are untouched.
3. Employee retains personal device, personal content, personal settings.
4. MFA tokens tied to <org> accounts are revoked.
5. Employee confirms in writing that <org> data has been removed. Any <org> data discovered later must be reported within 7 days.
6. Employee removes any saved passwords for <org> systems from personal browsers / password managers.

Special cases:
- **Involuntary termination:** selective wipe performed immediately by IT; employee informed within the same business day.
- **Dispute:** legal review before any action on the device beyond selective wipe; HR leads the process.
- **Bereavement:** family contacted to arrange selective wipe; no attempt to access personal content.

## 11. Incident Handling
- **Lost / stolen device:** employee reports to IT within 1 hour where possible. IT executes selective wipe. If personal data was held in <org> apps on the device, the DPO assesses whether the UK GDPR Art. 33 breach-notification duty is triggered.
- **Compromise / malware suspected:** IT disables <org> account access immediately; device quarantined; forensic review scope proportionate.
- **Family / friend accessed <org> data:** report to IT and DPO. Assess as per incident response.

## 12. Signature & Acknowledgement
I confirm that I have read and understood this BYOD policy. I agree to the device requirements, data-handling rules, and the MDM enrolment process. I understand what <org> can and cannot see on my device, and I understand the selective-wipe process at the end of my employment.

Name: ____________________________  Date: __________
Role: ____________________________  Device(s): __________
Signature: ________________________

## 13. Related Policies
- Information Security Policy
- Acceptable Use Policy
- AI Use Policy
- Data Protection Policy
- Company-Owned Device Policy

## 14. Staff FAQ
**Q: Will you wipe my personal photos if I leave?** — No. Selective wipe removes only <org> apps and data. Personal photos, messages, apps are untouched.

**Q: Can you see my personal WhatsApp / Instagram?** — No. We don't have visibility into personal apps.

**Q: Can I opt out of BYOD and have a company phone instead?** — Yes. Request via <process>.

**Q: What if I don't want to install MDM?** — Then your personal device can't access <org> systems. Web-only access from managed sessions may be available for limited roles.

**Q: My spouse uses my iPad for games — is that OK?** — Yes, as long as <org> data isn't accessible (biometric lock, separate app containers, auto-lock). Don't hand them the unlocked device with Teams open.

**Q: If I get a new phone, what do I do?** — Enrol the new device first, then IT can remove the old. Don't let the gap leave <org> data on an unmanaged device.

**Q: What about Apple Intelligence / Gemini / AI features on my device?** — You can use them, provided it's consistent with our AI Use Policy. Don't send <org> data to third-party AI services from personal-account AI features.

**Q: What if my device fails the compliance check?** — You'll get a prompt explaining what's wrong (usually OS update needed). Fix it and you're back in. If it persists, contact IT.

**Q: Does this apply to my personal Mac for weekend work?** — Yes — any personal device accessing <org> data falls under this policy.

**Q: Can I claim the stipend if I use a company phone too?** — Not typically; stipend is for personal devices in use for work.

**Q: What data does <org> see about my device?** — See §8 above. Full transparency.
```
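The §4 Device Requirements table is easiest to keep honest if it can be checked mechanically against what the MDM reports. The following is an added example, not part of the skill or the template above, showing how the table's rules translate into a compliance check over constructed device records. The iOS 17 minimum comes from the example invocation below; the Android, macOS and Windows build thresholds and the `DeviceRecord` field names are assumed placeholders standing in for the template's `<N>` values and for whatever your MDM export actually calls these fields.

```python
"""Evaluate device records against the BYOD policy's §4 Device Requirements.

Added example: the thresholds mirror the template table, with placeholder
values where the template leaves <N> to be filled in.
"""
from dataclasses import dataclass
from typing import Optional

# Minimum OS version per platform. iOS 17 is taken from the example invocation;
# the Android, macOS and Windows build figures are assumed placeholders.
MIN_OS_VERSION = {
    "ios": (17, 0),
    "android": (14, 0),
    "windows": (22621,),   # Windows 11 22H2 build number
    "macos": (14, 0),
}
# Auto-lock ceiling in minutes, per the table (≤ 5 mobile, ≤ 10 desktop).
MAX_AUTO_LOCK_MINUTES = {"ios": 5, "android": 5, "windows": 10, "macos": 10}
# OS updates must be applied within 14 days of release.
PATCH_WINDOW_DAYS = 14
# The rooted/jailbroken prohibition applies to mobile platforms only.
ROOT_CHECK_PLATFORMS = {"ios", "android"}


@dataclass
class DeviceRecord:
    """One device as an MDM inventory export might describe it (assumed field names)."""
    owner: str
    platform: str                 # "ios" | "android" | "windows" | "macos"
    os_version: tuple             # e.g. (17, 4); Windows uses the build number
    encrypted: bool               # storage encryption reported on
    screen_lock: bool             # PIN / biometric lock configured
    auto_lock_minutes: int
    pending_update_age_days: Optional[int]  # days since an unapplied OS update shipped; None if current
    rooted: bool = False


def evaluate(d: DeviceRecord) -> list[str]:
    """Return the list of §4 requirements the device fails (empty means compliant)."""
    if d.platform not in MIN_OS_VERSION:
        return [f"unknown platform '{d.platform}'"]
    failures = []
    if d.os_version < MIN_OS_VERSION[d.platform]:
        failures.append("os_version below minimum")
    if not d.encrypted:
        failures.append("storage encryption off")
    if not d.screen_lock:
        failures.append("no screen lock")
    if d.auto_lock_minutes > MAX_AUTO_LOCK_MINUTES[d.platform]:
        failures.append("auto-lock timeout too long")
    if d.pending_update_age_days is not None and d.pending_update_age_days > PATCH_WINDOW_DAYS:
        failures.append("OS update overdue")
    if d.platform in ROOT_CHECK_PLATFORMS and d.rooted:
        failures.append("rooted/jailbroken")
    return failures


def compliance_report(records: list[DeviceRecord]) -> dict[str, list[str]]:
    """Map each owner to their device's failures, so IT can see who needs a prompt."""
    return {r.owner: evaluate(r) for r in records}


# Constructed sample records (not real devices).
SAMPLE_DEVICES = [
    DeviceRecord("asha", "ios", (17, 4), True, True, 5, None),
    DeviceRecord("ben", "android", (14, 0), True, True, 15, 20),
    DeviceRecord("chen", "ios", (17, 2), True, True, 2, None, rooted=True),
    DeviceRecord("dana", "windows", (22621,), False, True, 10, None),
]

if __name__ == "__main__":
    for owner, failures in compliance_report(SAMPLE_DEVICES).items():
        status = "compliant" if not failures else "; ".join(failures)
        print(f"{owner:6s} {status}")
```

In practice the records would come from the MDM's inventory export rather than constructed in the file; the value of the check is that a device which drifts (a 15-minute auto-lock, an update ignored for three weeks) shows up as a named, actionable failure that matches the wording staff signed in §4, which is what the FAQ's "you'll get a prompt explaining what's wrong" promises.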

## Example invocation

**User:** "35-person London law firm. Rolling out Intune next month. Previously staff used personal iPhones for Outlook with no management. SRA-regulated. Partners nervous about privacy."

**What the skill will do:**
1. Ask 12 questions, drilling on: which data classes the iPhones access (privileged client material — yes), SRA guidance on remote working and client confidentiality, whether any staff travel abroad regularly.
2. Produce the policy with:
   - Work-profile / app-protection data-separation (because partners are privacy-sensitive, selective-wipe-only is critical)
   - Device requirements tightened: iOS 17+ (current support), ≤ 5 min auto-lock
   - Partner FAQ emphasising what <org> can't see (directly addressing the stated concern)
   - SRA-aligned reference to client confidentiality and the selective-wipe approach
   - A stipend of £<N>/month (optional; accounted for by using the "proportion of data + wear" phrasing)
3. Flag that a 1-hour Partners' Q&A session the week before enrolment will resolve 80% of the privacy concerns.

## Notes for the requester

- **Selective wipe, not full-device wipe.** The first thing staff ask about. Using work-profile / app-protection preserves their personal data and drops resistance dramatically.
- **Show, don't tell, what the employer can see.** §8's transparency block is often the clause that turns sceptics into participants.
- **Stipend is optional — but set the expectation either way.** Uncommunicated costs generate resentment; clear "yes, £X / no, but company alternative" is fine.
- **Leaver procedures must be specific about bereavement and disputes.** These are the edge cases that go wrong under stress.
- **Update when the MDM tool's capability changes.** Intune has changed selective-wipe behaviour multiple times; the policy must track reality.
- **Good looks like:** 90% of eligible staff enrol voluntarily, leavers lose access cleanly, no privacy complaints, insurance / regulator questions answered by one policy PDF.

---
*VantagePoint Networks · <https://www.vpnetworks.co.uk> · Authored by Hak · Free under the MIT licence*
