There is no single policy template for every mobile device scenario, and different organizations' needs can vary greatly, even within the same vertical.
There are some bare minimum mobile policies, however, that provide the foundations for BYOD ownership scenario, a common approach to enabling mobile users. The following factors cover some essential areas for a BYOD mobile policy, but organizations will likely need additional specific policies for their unique practices and needs.
Before organizations implement any BYOD mobile policy, they should be aware of any regulations that apply. It is IT's responsibility to ensure that the mobile policies of an organization adhere to any such regulations. Organizations that are subject to data retention regulations such as the Sarbanes-Oxley Act or HIPAA's regulation of medical records, for example, must ensure business information does not reside locally on mobile devices that might be lost or wiped. Every sector of business is subject to numerous regulations, so IT pros should be familiar with laws that will determine the success of an organization's policies.
Security for BYOD mobile policy
At the very least, organizations must enforce encryption on BYOD mobile devices -- although almost every mobile device comes with encryption. If all devices are company-owned, then the ability to remotely lock and wipe them is great for security, but this isn't always possible or prudent for a BYOD mobile policy. With user-owned devices, it's important to prevent mobile administrators from inadvertently wiping these devices. Instead, IT should ensure that business data and personal information are segregated.
IT should also consider the additional attack surfaces that mobile devices present. Mobile admins should investigate the practicality of controlling network traffic, disabling third-party app stores and restricting access to undesirable sites. IT should also factor data egress points such as SD cards into the BYOD mobile policy.
Mobile user privacy
User privacy is an area of constant discussion for enterprise IT, and rightfully so. IT's approach should vary depending on company culture and the nature of information users can access and store on their mobile devices. Many organizations use data containers so they can audit business information while maintaining user privacy. This BYOD mobile policy ensures that organizations cannot see apps that might relate to health, personal communications or other aspects of the users' private lives.
BYOD application management
Finally, mobile admins must establish a BYOD mobile policy regarding the organization's ability to remove business applications and associated data, even if they do not retain the right to run a remote wipe on the device. IT could also deploy business instances of work applications to devices if the user also wants a personal copy of the same mobile app.
On Apple iOS devices, IT should check if it is possible to convert unmanaged applications into managed apps if the user has already deployed them. Mobile application management tool features such as "managed open-in" can prevent data from inadvertently opening in personal apps.
Communicate the BYOD mobile policy
Whatever mobile policies IT pros establish, they must communicate it to the employees ahead of rollout. Most issues arise when users don't fully understand the power IT departments have over their devices. If users know in advance that IT might wipe their phone, they might be less likely to seek compensation for any destroyed personal information or may choose not to store it locally. If everybody understands their roles and responsibilities in advance, it's less likely that friction could occur. User feedback in early stages can help admins ensure that a BYOD mobile policy doesn't sacrifice productivity in the workforce.