Policy Template for Mobile Device Management
1.0 Purpose
This policy defines procedures and restrictions for all end users with a legitimate business need to connect mobile devices to {{organization.name}}'s corporate network, digital resources, and data. The mobile device policy applies to, but is not limited to, all devices and accompanying media that fit the following classifications:
Smartphones
Tablets
Portable media devices
Laptop/notebook/ultrabook computers
Wearable computing devices
Any other mobile device capable of storing corporate data and connecting to a network
The primary goal of this policy is to protect the integrity and confidentiality of the client and business data that resides within {{organization.name}}'s technology infrastructure, including internal and external cloud services. This policy is intended to prevent such data from being deliberately or inadvertently stored insecurely on a mobile device, or carried over an insecure network, where it could be accessed by unauthorized parties. A breach of this type may result in loss of information, damage to critical applications, loss of revenue, damage to {{organization.name}}'s public image, a breach of our data privacy requirements, and a violation of data privacy laws. Therefore, all employees, contractors, and other personnel using a mobile device that connects to {{organization.name}}'s corporate network, or that is capable of backing up, storing, or otherwise accessing corporate data of any type, must adhere to this policy. Failure to do so will result in immediate suspension of that user's account, disciplinary action, and possibly termination of employment.
2.0 Scope
All mobile devices that have access to corporate networks, data, and systems, whether owned by {{organization.name}} or owned by employees, are governed by this mobile device management policy.
Exemptions: Where there is a business need to be exempted from this policy (for example, because compliance would be too costly, too complex, or would adversely impact other business requirements), a risk authorization must be obtained from {{organization.name}}'s Senior Management.
Applications used by employees on their own personal devices that store or access corporate data, such as cloud storage applications, are also subject to this policy.
3.0 Policy
3.1 Technology and Security Requirements
Devices must be updated on a regular basis and must run the latest operating system version available for the device.
If the user stores passwords on the device, an encrypted password store must be used.
Devices must be configured with a secure password that complies with {{organization.name}}'s password policy. This password must not be the same as any other credential used within the organization. Employees agree never to disclose their passwords to anyone.
Devices must lock themselves with a password or PIN after being idle for five (5) minutes.
Only devices managed by IT or authorized by IT will be allowed to connect directly to the internal corporate network.
These devices will be subject to compliance rules on security features such as encryption, passwords, screen lock, and similar controls. These rules will be enforced by the IT department using Mobile Device Management (MDM) software whenever possible.
Any attempt to contravene or bypass the MDM implementation will result in disciplinary action in accordance with {{organization.name}}'s overarching employment and security policies.
Management may request that personal mobile devices attempting to connect to the corporate network over the Internet be inspected by {{organization.name}}'s IT department. Devices that are not supported by IT, are not in compliance with IT's security policies, or represent any threat to the corporate network or data will not be allowed to connect.
Devices may only access the corporate network and data over the Internet through a TLS-based (commonly called SSL) Virtual Private Network (VPN) connection.
3.2 User Requirements
Users may only load corporate data that is essential to their role onto their mobile device(s).
Users must report all lost or stolen devices to {{organization.name}} IT immediately.
If a user suspects that unauthorized access to company data has taken place via a mobile device, they must report the incident in alignment with {{organization.name}}’s incident handling process.
Devices must not be “jailbroken” or “rooted”* or have any software/firmware installed which is designed to gain access to functionality not intended to be exposed to the user.
Users must not load pirated software or illegal content onto their devices.
Applications must only be installed from official, platform-owner-approved sources. Installation of applications from untrusted sources is forbidden. If a user is unsure whether an application is from an approved source, they must contact IT.
Devices must be kept up to date with manufacturer- or network-provided patches. At a minimum, patches must be checked for weekly and applied at least once a month.
Devices must not be connected to a PC that lacks up-to-date, enabled anti-malware protection, or that does not otherwise comply with corporate policy.
Devices must be encrypted in line with {{organization.name}}'s compliance standards.
Users must be cautious about mixing personal and work email accounts on their devices. They must take particular care to ensure that company data is only sent through the corporate email system. If a user suspects that company data has been sent from a personal email account, either in the body text or as an attachment, they must notify {{organization.name}}'s IT immediately.
The above requirements will be checked regularly. If a device is found to be non-compliant, this may result in loss of access to email, a device lock, or, in particularly severe cases, a device wipe.
The user is responsible for backing up their own personal data, and the company accepts no responsibility for the loss of files when a non-compliant device is wiped for security reasons.
*To jailbreak or root a mobile device is to remove the limitations imposed by the manufacturer. This gives privileged access to the operating system, unlocking all of its features and enabling the installation of unauthorized software.
3.3 Remote Wipe
By connecting to {{organization.name}} technology resources, mobile devices become subject to remote wipe by the {{organization.name}} IT department.
When a remote wipe is initiated by the user or the IT department, the user's mobile device will be wiped of all data and settings. Wiping data, documents, files, settings, and applications when a device is lost, stolen, or compromised in any way is critical to protecting our company and its confidential data.
If a user requests a remote wipe, all data stored on that device will be deleted. Users are advised to back up their personal data frequently to minimize loss if a remote wipe becomes necessary.
A remote wipe will only be initiated if IT deems it appropriate. Situations that may require a remote wipe include, but are not limited to:
Device is lost, stolen or believed to be compromised
Device contains an app known to contain a security vulnerability
Device is found to be non-compliant with company policy
Device inspection is refused when requested in accordance with company policy
Device belongs to a user who no longer has a working relationship with {{organization.name}}
The user decides they no longer wish to participate under this Mobile Device Management Policy
Termination of employment where the user has not already removed all {{organization.name}} data by another method approved by IT