BYOD (Bring Your Own Device)
A company policy that allows employees to use their own smartphones, tablets, and laptops for work purposes. BYOD reduces hardware costs but significantly increases security risks—personal devices are harder to control than company-owned ones.
BYOD (Bring Your Own Device) refers to the practice of employees using their personal devices (smartphones, tablets, laptops) for work as well as for private purposes. Since the COVID era, BYOD has become standard practice at many companies, and the security challenges that come with it are significant.
The BYOD Security Problem
Company Device (Full Control):
✓ MDM agent installed
✓ Disk encryption enforced
✓ Only approved apps allowed
✓ Remote wipe possible
✓ Centralized patch management
✓ Work data kept separate from personal data
BYOD Device (Limited Control):
✗ Unknown apps installed (games, shopping, etc.)
✗ May be jailbroken/rooted
✗ Personal data and corporate data mixed
✗ Patch status unknown
✗ Family members may also use the device
✗ Remote wipe also deletes private data → conflicts
Comparison of BYOD Models
| Model | Description | Security Level | Employee Acceptance |
|---|---|---|---|
| BYOD | Personal device for work | Low | High |
| COPE | Company device, available for personal use | High | Medium |
| CYOD | Employee selects from company devices | High | Medium-High |
| Corporate Only | Company devices only | Very high | Low |
Technical BYOD Solutions
MDM (Mobile Device Management)
Full device management – problematic with BYOD:
- IT department has access to the entire device
- Remote wipe deletes private photos, contacts, apps
- Employees often resist → high opt-out rate
- Recommendation: Only for company-owned devices (COPE, CYOD)
MAM (Mobile Application Management) - BYOD recommendation
Only apps are managed, not the device:
Corporate app container:
[Outlook] [Teams] [SharePoint] ← MAM-controlled, encrypted container
────────────────────────────────────────────────────
[Instagram] [WhatsApp] [Games] ← Personal, no IT control
MAM Features:
- Corporate app data encrypted separately, with its own app PIN independent of the device unlock
- Copy-paste, "Save as" and share/open-in from business apps to personal apps blocked
- App-specific (selective) remote wipe: business app data only, not photos or contacts
- IT sees only the managed apps; personal data on the device is not visible to IT
Technology: Microsoft Intune App Protection Policies, VMware Workspace ONE, Jamf
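Added example, not code from this page or from Microsoft: an Intune App Protection Policy for iOS as it often leaves a quick-start wizard (a container exists, but data can still leave it), the same policy with the settings that actually enforce the MAM features listed above, and an audit function that flags the weak settings. Property names follow the Microsoft Graph `iosManagedAppProtection` resource as I recall it; verify them against the Graph reference before posting to `deviceAppManagement/iosManagedAppProtections`. The audit thresholds are my own assumptions.

```python
"""Weak vs. hardened Intune App Protection Policy (MAM) for iOS, plus an audit.
Added example; property names are assumed to match the Graph
iosManagedAppProtection resource and should be checked against the docs.
"""
import copy

GRAPH_ENDPOINT = "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections"

# Policy as it often comes out of a quick-start wizard: the container exists, but
# clipboard, share sheet, backup and "Save as" all let data leave it.
WEAK_POLICY = {
    "@odata.type": "#microsoft.graph.iosManagedAppProtection",
    "displayName": "BYOD iOS - draft",
    "pinRequired": False,
    "allowedOutboundClipboardSharingLevel": "allApps",
    "allowedOutboundDataTransferDestinations": "allApps",
    "allowedInboundDataTransferSources": "allApps",
    "dataBackupBlocked": False,
    "saveAsBlocked": False,
    "deviceComplianceRequired": False,   # no jailbreak/root check
    "organizationalCredentialsRequired": False,
    "appDataEncryptionType": "useDeviceSettings",
    "minimumRequiredOsVersion": "",
}

# Overrides that turn the same policy into the container the page describes.
HARDENED_OVERRIDES = {
    "displayName": "BYOD iOS - hardened",
    "pinRequired": True,
    "minimumPinLength": 6,
    "simplePinBlocked": True,
    "maximumPinRetries": 5,
    "allowedOutboundClipboardSharingLevel": "managedApps",     # copy-paste only between managed apps
    "allowedOutboundDataTransferDestinations": "managedApps",  # share/open-in only to managed apps
    "allowedInboundDataTransferSources": "managedApps",
    "dataBackupBlocked": True,                                  # keep corporate data out of iCloud backup
    "saveAsBlocked": True,
    "deviceComplianceRequired": True,                           # block jailbroken devices
    "organizationalCredentialsRequired": True,
    "appDataEncryptionType": "whenDeviceLocked",                # app-level encryption, not just device FDE
    "minimumRequiredOsVersion": "16.0",
    "periodOfflineBeforeWipeIsEnforced": "P30D",                # selective wipe after 30 days without check-in
}

# (property, predicate that must hold, what a failing value allows)
CHECKS = [
    ("pinRequired", lambda v: v is True,
     "no app PIN: anyone holding the unlocked phone reads mail"),
    ("allowedOutboundClipboardSharingLevel", lambda v: v in ("managedApps", "blocked"),
     "clipboard leaks to personal apps"),
    ("allowedOutboundDataTransferDestinations", lambda v: v in ("managedApps", "none"),
     "share sheet / open-in leaks to personal apps"),
    ("dataBackupBlocked", lambda v: v is True,
     "corporate data lands in the personal iCloud backup"),
    ("saveAsBlocked", lambda v: v is True,
     "'Save as' copies files outside the container"),
    ("deviceComplianceRequired", lambda v: v is True,
     "jailbroken devices are not blocked"),
    ("appDataEncryptionType", lambda v: v in ("whenDeviceLocked", "whenDeviceLockedExceptOpenFiles"),
     "app data relies on device-level encryption only"),
    ("minimumRequiredOsVersion", lambda v: bool(v),
     "no minimum OS: unpatched devices are admitted"),
]


def audit_policy(policy):
    """Return 'property: consequence' findings for every setting that weakens the container.
    A missing property is treated as weak (fail closed)."""
    return [f"{key}: {reason}" for key, ok, reason in CHECKS if not ok(policy.get(key))]


def harden(policy):
    """Apply the hardened overrides to a copy of the policy; the original is left untouched."""
    hardened = copy.deepcopy(policy)
    hardened.update(HARDENED_OVERRIDES)
    return hardened


if __name__ == "__main__":
    print("weak:", *audit_policy(WEAK_POLICY), sep="\n  ")
    print("hardened:", audit_policy(harden(WEAK_POLICY)))
```

Running the audit over policies exported from Graph (or from a tenant backup) is a cheap way to catch the "wizard defaults" that leave a MAM container with the clipboard and share sheet wide open. The `@odata.type` and endpoint are for iOS; the Android resource (`androidManagedAppProtection`) has the same transfer and PIN properties plus `screenCaptureBlocked`, which covers risk 4 below.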
App-based (per-app) VPN
Instead of a device-wide VPN that would also route personal traffic through the company, only the business apps are tunnelled into the corporate network:
Browser (private) → Internet directly
Teams (business) → Corporate VPN → Microsoft 365
OneDrive Business → Corporate VPN → SharePoint
BYOD Policy: What Needs to Be Regulated?
Minimum Requirements for BYOD Approval
□ Device: at least iOS 16 / Android 12 (a version that is still supported and receives security patches)
□ Screen lock: PIN/biometrics enabled
□ Disk encryption: enabled (on current iOS/Android it is on by default once a screen lock is set)
□ MAM app installed: Intune Company Portal or similar
□ Device not jailbroken/rooted (checked automatically by the MAM app; detection is best-effort and can be evaded, so treat it as a signal rather than a guarantee)
□ No apps from unknown sources (Android: sideloading / "Install unknown apps" disabled)
□ Employee consent for business data processing on personal devices
Labor Law Aspects (Germany)
Important: Monitoring of personal devices is strictly limited in Germany:
- § 87 (1) no. 6 BetrVG: the works council has a right of co-determination over BYOD policies, because the MAM/MDM tooling is technically capable of monitoring employees
- GDPR: the company remains the controller for work-related data stored on personal devices and must ensure appropriate technical measures (encryption, selective wipe, access control) there as well
- Cost issue: the employer must reimburse a proportionate share of the costs of professional use (data plan, etc.)
BYOD Security Risks
Main risks:
1. Lost/stolen device → unencrypted business data
2. Malware on personal device → attacks business apps
3. Employee leaves company → data remains on personal device
4. Screenshot/photo of screen → uncontrolled data leakage
5. Family members use device → accidental data access
6. Jailbreak/root → MDM/MAM protections can be bypassed, including jailbreak detection itself
Recommended BYOD Strategy for SMBs
Step 1: MAM instead of MDM
→ Microsoft Intune App Protection Policies for M365 (included in Microsoft 365 Business Premium, which bundles Intune; other Business plans need an Intune add-on)
→ Outlook, Teams, SharePoint on personal devices with container protection
Step 2: Conditional Access
→ Grant control "Require app protection policy": the client app must be covered by an active App Protection Policy (for BYOD this replaces the device-compliance check, which would require MDM enrollment)
→ Login from BYOD without MAM policy → blocked
Step 3: MFA everywhere
→ Every login to business apps requires MFA
→ Even if the password is compromised, access without the second factor is not possible
Step 4: DLP Rules
→ No copy-paste from business apps to personal apps
→ No forwarding of business emails to personal email addresses (Exchange transport rule or DLP policy)
Step 5: BYOD Policy + Consent
→ Written BYOD policy
→ Employee consent form (GDPR-compliant)
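Added example, not code from this page or from Microsoft, covering two passages above: the "Minimum Requirements for BYOD Approval" checklist, which the page says is checked automatically, and Step 2 (Conditional Access). It evaluates per-device posture records against the checklist and produces the allow/block decision, failing closed whenever a signal is missing, because a rooted device can simply omit the attribute it does not want to report. The record layout, field names and sample sign-ins are constructed assumptions; in a real tenant the attributes come from the Company Portal / MAM SDK reporting into Intune, and the gate is the "Require app protection policy" grant control.

```python
"""BYOD minimum-requirements check and Conditional Access style decision.
Added example with an assumed posture-record format; sample data is constructed.
"""

MIN_OS = {"iOS": (16, 0), "Android": (12, 0)}   # page's minimum versions


def parse_version(text):
    """'16.4.1' -> (16, 4). Garbage raises, so a malformed report cannot pass as 'new enough'."""
    parts = str(text).strip().split(".")
    try:
        major = int(parts[0])
        minor = int(parts[1]) if len(parts) > 1 else 0
    except ValueError:
        raise ValueError(f"unparseable OS version: {text!r}")
    return (major, minor)


def check_requirements(device):
    """Return the list of failed minimum requirements for one posture record.
    Missing or unknown signals count as failures (fail closed)."""
    failures = []
    platform = device.get("platform")
    if platform not in MIN_OS:
        return [f"unsupported or unknown platform: {platform!r}"]
    try:
        if parse_version(device.get("os_version", "")) < MIN_OS[platform]:
            failures.append(f"OS below minimum {platform} {MIN_OS[platform][0]}")
    except ValueError as e:
        failures.append(str(e))
    if device.get("screen_lock") is not True:
        failures.append("no screen lock (device encryption depends on it)")
    if device.get("mam_app_installed") is not True:
        failures.append("MAM app (Company Portal or similar) not installed")
    if device.get("jailbroken_or_rooted") is not False:        # None/missing also fails
        failures.append("jailbroken/rooted or integrity status unknown")
    if platform == "Android" and device.get("unknown_sources_enabled") is not False:
        failures.append("installation from unknown sources enabled or unknown")
    if device.get("byod_consent_signed") is not True:
        failures.append("no signed BYOD consent on file")
    return failures


def access_decision(signin):
    """Steps 2 and 3 of the strategy: MFA for everyone; corporate devices must be
    MDM-compliant; BYOD sign-ins need an active app protection policy on a device
    that passes the minimum checks. Returns ('allow'|'block', reasons)."""
    if signin.get("mfa_satisfied") is not True:
        return ("block", ["MFA not satisfied"])
    if signin.get("ownership") == "corporate":
        if signin.get("mdm_compliant") is True:
            return ("allow", [])
        return ("block", ["corporate device not compliant"])
    failures = check_requirements(signin.get("device", {}))
    if signin.get("app_protection_policy_active") is not True:
        failures.append("app protection policy not applied to the client app")
    return ("allow", []) if not failures else ("block", failures)


# Constructed sample sign-ins (not real telemetry).
SAMPLE_SIGNINS = [
    {"user": "anna", "ownership": "byod", "mfa_satisfied": True, "app_protection_policy_active": True,
     "device": {"platform": "iOS", "os_version": "17.2", "screen_lock": True, "mam_app_installed": True,
                "jailbroken_or_rooted": False, "byod_consent_signed": True}},
    {"user": "ben", "ownership": "byod", "mfa_satisfied": True, "app_protection_policy_active": False,
     "device": {"platform": "Android", "os_version": "11.0", "screen_lock": True, "mam_app_installed": False,
                "jailbroken_or_rooted": False, "unknown_sources_enabled": True, "byod_consent_signed": True}},
    {"user": "cara", "ownership": "byod", "mfa_satisfied": True, "app_protection_policy_active": True,
     "device": {"platform": "Android", "os_version": "14", "screen_lock": True, "mam_app_installed": True,
                "unknown_sources_enabled": False, "byod_consent_signed": True}},  # root status not reported
]

if __name__ == "__main__":
    for s in SAMPLE_SIGNINS:
        verdict, reasons = access_decision(s)
        print(f"{s['user']}: {verdict} {reasons}")
```

The third record is the case worth noticing: every explicit check passes, but the integrity attribute is absent, and the decision still blocks. A policy engine that treats "not reported" as "not rooted" is the one a rooted device with a patched MAM SDK will walk through.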