BYOD Security and Policy Guide for UK Businesses
It is 9am on a Tuesday and you are three weeks away from your Cyber Essentials audit.
Your IT infrastructure is in good shape. Your Macs are enrolled in Jamf, your security policies are configured, your firewall is solid. You have done the work. You are ready.
Then your auditor sends over the pre-assessment questionnaire.
One question stops you cold.
“How many personal devices currently have access to your company email, Slack, or business applications?”
You stare at it. A new tab opens. Closes again. The honest answer is: you have no idea.
You think about your sales team. Three of them check Slack on their personal iPhones on the weekend. Your Head of Engineering accesses the company GitHub on his personal MacBook when he is travelling. Your CEO has had company email on her personal phone since the day she joined. Nobody ever set this up formally. It just happened, one device at a time, over years of rapid growth.
And now, three weeks before your Cyber Essentials audit, you are realising that your carefully managed Apple fleet is only part of the picture. The other part, the unmanaged, unseen, uncontrolled part, is sitting in people’s pockets right now.
This is the BYOD problem. And if you are reading this, there is a very good chance it is your problem too.
You Are Not Alone
A 2024 survey by Cisco found that over 70% of employees use personal devices to access company data at least occasionally. In fast-growing UK scale-ups, that number is almost certainly higher. When companies grow quickly, formal IT policies struggle to keep pace with the reality of how people actually work.
Personal devices creep into the workflow gradually. Someone checks their work email on their personal iPhone during a bank holiday. A developer pushes a hotfix from their home MacBook. A new starter connects to company Slack before their work laptop arrives. Each of these moments feels harmless. Collectively, they create a sprawling, invisible attack surface that your IT team has no visibility over and no control of.
The problem is not your people. The problem is the absence of a framework that allows personal device use to happen securely, with the right boundaries in place.
That framework is called BYOD. And getting it right is one of the most important things a growing UK business can do.
What BYOD Actually Is
BYOD stands for Bring Your Own Device. It describes any situation where employees use personally owned devices (iPhones, Android phones, personal MacBooks, iPads) to access company systems, data, or applications.
BYOD is not inherently risky. In fact, when managed correctly, it can reduce hardware costs, improve employee satisfaction, and give your team the flexibility to work the way they want to work. The problem is not BYOD itself. The problem is unmanaged BYOD: personal devices accessing company data with no security policy, no visibility, and no controls in place.
Managed BYOD means:
Your IT team knows which personal devices have access to company systems.
Security policies are applied to those devices without invasive monitoring of personal content.
Employees can use their personal devices freely for personal use, with company data kept separate and protected.
If a device is lost or stolen, company data can be remotely wiped without touching personal photos, messages or apps.
If an employee leaves, company access is revoked instantly, without affecting anything personal on the device.
This is the goal. A clear separation between work and personal, enforced by technology, understood by everyone.
Why BYOD Matters More Than Ever
Three forces have converged to make BYOD one of the most pressing IT challenges for UK scale-ups right now.
The first is hybrid working. Since 2020, the boundary between work devices and personal devices has blurred significantly. People work from home, from coffee shops, from airports. They switch between devices constantly. The idea that company data only lives on company-owned hardware is no longer realistic for most organisations.
The second is Cyber Essentials. The UK government’s Cyber Essentials certification scheme, which is increasingly required by enterprise clients, investors, and regulated industries, now explicitly includes personal devices in scope if those devices access company data. This is the question that stopped you cold in your audit questionnaire. If personal devices are accessing your systems and they are not enrolled in your MDM, you cannot certify. It is that simple.
The third is the talent market. Top candidates, particularly in tech and fintech, expect flexibility. A rigid “company devices only” policy is increasingly seen as a red flag. A well-designed BYOD programme lets you offer flexibility without compromising security.
When It Goes Wrong: The Story of a Leak That Changed Everything
In 2020, one of the most significant social media security breaches in history was traced back partly to compromised contractor devices. The attackers used social engineering to gain access to internal tools, eventually taking over high-profile accounts. The investigation revealed that the attack surface included personal and contractor devices that were not under centralised security control.
But you do not need to look at headline breaches to understand the risk. The more common story is quieter and closer to home.
Picture this. A sales manager at a London fintech resigns after three years. She has been a high performer, well-liked, no bad blood. Her company laptop is wiped and collected on her last day. Standard offboarding, done properly.
What nobody checks is her personal iPhone. For two years, she has had the company CRM accessible through a mobile app on her personal phone. She has company email in her native mail app. She has the shared Slack workspace. None of it was formally enrolled or managed because it was her personal device and nobody thought to include personal devices in the offboarding checklist.
Three months later, a competitor wins a pitch using detailed knowledge of your pricing structure, your client relationships, and your sales methodology. The information was accurate. It was recent.
You will never be able to prove what happened. But you know.
This is not a hypothetical. Variations of this story happen across UK businesses every week. The device that walks out the door on an employee’s last day is rarely their work laptop. It is the personal phone in their pocket that nobody ever enrolled, monitored, or offboarded.
The Privacy Question: What Can Your Company Actually See?
This is the question every employee asks when BYOD is mentioned. And it is a completely reasonable one.
The short answer is: when BYOD is set up correctly using MDM, your company cannot see your personal data. Full stop.
Here is what that means in practice when nDuo sets up BYOD MDM enrolment for personal devices using tools like Jamf, Intune, Kandji, FleetDM:
What your company CAN see and manage on a personal device enrolled in BYOD MDM: whether the device has a passcode set, whether the operating system is up to date, whether the device is encrypted, which work apps are installed, and the status of work-related security policies.
What your company CANNOT see: your personal photos, messages, emails, browsing history, personal apps, location outside of work hours, or any personal data on the device.
The MDM profile creates a managed container for work data. Everything outside that container is invisible to your IT team. Your personal life remains entirely private.
This separation is not just a policy choice; it is a technical reality built into how modern MDM platforms work on iOS and macOS. Apple’s architecture specifically prevents MDM from accessing personal data. It is enforced at the operating system level, not just through company promises.
When we roll out BYOD MDM to employees, we always walk through exactly what is and is not visible. Transparency builds trust. Employees who understand the privacy boundaries are far more likely to enrol their devices willingly and maintain compliance going forward.
BYOD and Cyber Essentials: What You Need to Know
If your business is working toward Cyber Essentials or Cyber Essentials Plus certification, BYOD is not optional; it is in scope.
The Cyber Essentials framework requires that all devices accessing company data meet a minimum security standard. This includes personal devices. If an employee’s personal iPhone has your company email configured on it, that device falls within the scope of your Cyber Essentials assessment.
The practical implications are significant. Your personal devices must have a passcode or biometric lock enabled. The operating system must be up to date. The device must not be jailbroken or rooted. Access to company applications must be revocable by your IT team.
Without MDM enrolment, you cannot evidence any of this to your auditor. You are relying on self-reporting from employees, which is not sufficient for certification.
This is one of the most common reasons UK scale-ups fail their first Cyber Essentials assessment. Not because their core infrastructure is insecure, but because personal devices were not in scope and nobody had visibility of them.
nDuo has helped companies including Revolut, Kroo and BOXPARK navigate this exact challenge. Getting personal devices into scope, enrolled, and compliant before an audit is one of the highest-value things we do.
GDPR and Personal Devices: The Legal Dimension
If your employees access personal data (customer records, employee information, financial data) on personal devices, you have a GDPR obligation to ensure that data is protected.
Under GDPR, your organisation is responsible for the security of personal data regardless of what device it sits on. If an employee’s unmanaged personal phone is lost or stolen and it contains customer data, you may have a reportable data breach on your hands. The ICO does not accept “it was on their personal phone” as a defence.
A proper BYOD policy with MDM enrolment gives you the ability to demonstrate to the ICO that appropriate technical measures were in place. Remote wipe capability, encryption requirements, and access controls are all things you can evidence with the right setup.
Without a BYOD policy and MDM enrolment, you cannot demonstrate any of this. And in the event of a breach, that absence will be noticed.
nDuo’s BYOD Discovery and Setup Process
When a new client comes to us with a BYOD challenge, here is exactly how we approach it.
Step 1: Discovery
We start by understanding the full picture. Which company systems can be accessed from personal devices? Which applications have mobile access? What does your current onboarding and offboarding process look like for personal devices? Are there any existing MDM policies in place? This discovery phase typically takes one to two days and involves conversations with IT, HR, and senior leadership.
Step 2: Risk Assessment
Once we know the landscape, we assess the risk. We identify which personal device access points represent the highest risk to your business, typically company email, messaging platforms like Slack, and any CRM or financial applications. We look at your Cyber Essentials and ISO 27001 requirements and map them against your current personal device posture.
Step 3: Policy Design
Before any technical implementation begins, we design your BYOD policy. This is a written document that sets out what personal device use is permitted, what security requirements apply, what employees consent to when they enrol, and what happens when they leave. Clear policy documentation is essential for Cyber Essentials certification and for employee trust.
Step 4: MDM Configuration
We configure your chosen MDM platform (Jamf, Intune, Kandji, FleetDM or another) to support BYOD enrolment. This involves creating a separate enrolment profile specifically for personal devices, configuring the managed container for work applications, setting security policies including passcode requirements and OS update enforcement, and testing the enrolment flow on both iOS and macOS.
Step 5: Employee Communication and Enrolment
This is the step most companies underestimate. How you communicate the BYOD rollout to employees determines how smoothly enrolment goes. We prepare clear communications that explain what enrolment involves, what privacy protections are in place, and why it matters. We run a short walkthrough session for employees and handle any questions about privacy directly. Typically we achieve enrolment rates of 90% or higher when communication is handled well.
Step 6: Offboarding Integration
We update your offboarding checklist to include personal device unenrolment as a standard step. This is the gap that causes the data leak scenarios described earlier. With MDM in place, unenrolling a personal device on an employee’s last day takes 30 seconds and ensures company data is removed completely.
Step 7: Ongoing Monitoring
Once BYOD MDM is live, your IT team has a dashboard showing all enrolled personal devices, their compliance status, and any security issues. You can see at a glance which devices are up to date, which have outstanding issues, and which have been unenrolled. The invisible attack surface becomes visible.
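As an added example (not nDuo’s tooling or any MDM vendor’s API), the script below runs a constructed device inventory through the four checks this guide lists for personal devices under Cyber Essentials, and then cross-checks enrolled devices against a constructed HR leavers list to surface the Step 6 offboarding gap. The OS baseline versions, device records and usernames are all assumptions.

```python
# Added example: evaluates a constructed MDM inventory against the four
# personal-device checks named in the guide (passcode, OS currency, not
# jailbroken/rooted, encrypted) and flags leavers whose devices are still enrolled.
from dataclasses import dataclass

# Assumed OS baselines set by the IT team; constructed values, not from the guide.
MIN_OS = {"iOS": (17, 0), "macOS": (14, 0)}


@dataclass
class Device:
    device_id: str
    owner: str          # company username of the person who enrolled it
    platform: str       # "iOS" or "macOS"
    os_version: str
    passcode_set: bool
    encrypted: bool
    jailbroken: bool
    enrolled: bool      # False once the device has been unenrolled


def _version(v: str) -> tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def compliance_issues(d: Device) -> list[str]:
    """Return the checks a device fails; an empty list means compliant."""
    issues = []
    if not d.passcode_set:
        issues.append("no passcode or biometric lock")
    if _version(d.os_version) < MIN_OS[d.platform]:
        issues.append("operating system below baseline")
    if d.jailbroken:
        issues.append("jailbroken or rooted")
    if not d.encrypted:
        issues.append("device not encrypted")
    return issues


def offboarding_gaps(devices: list[Device], leavers: set[str]) -> list[str]:
    """Devices still enrolled for people who have left: the gap Step 6 closes."""
    return sorted(d.device_id for d in devices if d.enrolled and d.owner in leavers)


# Constructed sample inventory: three personal devices, one belonging to a leaver.
DEVICES = [
    Device("iphone-01", "sales.manager", "iOS", "17.4", True, True, False, True),
    Device("mbp-02", "head.eng", "macOS", "13.6", True, True, False, True),
    Device("iphone-03", "ceo", "iOS", "17.2", False, True, False, True),
]
LEAVERS = {"sales.manager"}  # constructed HR leavers list

if __name__ == "__main__":
    for d in DEVICES:
        print(d.device_id, compliance_issues(d) or "compliant")
    print("still enrolled for leavers:", offboarding_gaps(DEVICES, LEAVERS))
```

In practice the inventory would be pulled from the MDM’s device list and the leavers set from HR, and any non-empty result from offboarding_gaps is the device to unenrol on the last day.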
What Good BYOD Looks Like in Practice
A well-run BYOD programme is one that employees barely notice day to day. They enrol their device once, they use their work apps as normal, and they have complete confidence that their personal data is untouched.
For your IT team, it means the question “how many personal devices have access to our systems?” has an immediate, accurate answer at any point in time. Your Cyber Essentials audit goes smoothly because personal devices are in scope, enrolled, and compliant. GDPR posture is defensible. Offboarding is complete.
And when the next talented employee joins and wants to check Slack on their personal iPhone, the answer is not “we do not allow that”; it is “here is how to enrol in two minutes.”
Ready to Get Your BYOD Under Control?
If reading this has raised questions about your own personal device posture, you are not alone, and the good news is that getting control of BYOD is straightforward when you have the right partner.
nDuo offers a free BYOD readiness review for UK businesses. We will assess your current personal device posture, identify your key risk areas, and give you a clear picture of what a managed BYOD programme would look like for your organisation.
No obligation. No jargon. Just a clear, honest conversation about where you stand.
Book your free BYOD readiness review today.