
How to Create a BYOD Policy for Remote Teams

A practical guide to building a bring-your-own-device policy for remote teams. Security, privacy, and the policies that actually matter.

At some point, every remote company faces the BYOD question. Can employees use their own laptops for work? Should they? What are the rules?

BYOD (bring your own device) is common at startups and remote companies because it's cheaper and easier than buying everyone a laptop. But without clear policies, it creates security gaps that are hard to close later.

Here's how to build a BYOD policy that protects your company without making your employees feel surveilled.

When BYOD makes sense

BYOD works best when three conditions are true:

You're small. Under 25 people, the cost of purchasing, configuring, and shipping a laptop to every employee is significant. BYOD reduces that upfront investment.

Your work is cloud-based. If all your tools are SaaS apps accessed through a browser, the device matters less than the account security. Google Workspace, Slack, Notion, Figma: these work the same on a personal laptop as a company one.

Your data sensitivity is moderate. If you're handling medical records, financial data, or classified information, BYOD probably isn't appropriate. For most startups building software or providing services, the risk is manageable with the right policies.

When BYOD doesn't work

BYOD becomes problematic when:

  • You need to guarantee device encryption across your fleet
  • You need remote wipe capability for all devices
  • You're subject to compliance frameworks (SOC 2, HIPAA) where auditors expect evidence of endpoint controls (encryption, patch level, inventory) that you can't reliably produce for devices you don't manage
  • Employees are handling highly sensitive customer data

In these cases, company-owned devices with full MDM enrollment are the better path. You can still allow BYOD for specific roles (like part-time contractors) while requiring company devices for full-time employees.

The core policies

A good BYOD policy covers five areas: device requirements, security controls, privacy boundaries, support scope, and what happens when someone leaves.

1. Minimum device requirements

Set a floor for what devices are acceptable:

  • OS version. Require a supported OS version. For macOS, the current major version or one version back. For Windows, Windows 11 with current patches; Windows 10 support ended in October 2025, so it no longer meets the floor. Unsupported OS versions don't receive security updates.
  • Disk encryption. Require FileVault (Mac) or BitLocker (Windows) to be enabled. This protects company data if the device is lost or stolen. Windows Home editions expose this as "Device encryption" rather than the full BitLocker console; either is acceptable as long as the system drive is encrypted.
  • Passcode/password. Require a device login password or passcode. No device should be accessible without authentication.
  • Screen lock. Auto-lock after 5 minutes of inactivity, with the password required to unlock. A screen saver that doesn't ask for the password is not a lock.
  • Storage. Enough free storage to install required software and keep the OS updated. 20 GB free is a reasonable minimum.

These aren't aggressive requirements. Most modern devices meet them out of the box.
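To make the floor verifiable rather than aspirational, here is a small macOS check script written for this post (it is an added example, not a tool the post ships or any vendor's agent). Each check_* function takes the text a system command prints, so the logic can be read and tested without running the commands; run_checks executes the real commands only on macOS. The target macOS major (CURRENT_MAJOR) is an assumption you update each year, and the exact wording of `sysadminctl -screenLock status` output is assumed, so anything it doesn't recognise is treated as non-compliant.

```shell
#!/bin/sh
# byod_check.sh: verifies the BYOD device floor (OS version, FileVault,
# screen lock, free space) on macOS. Added example for this post.
# It inspects nothing else, which is the point for a personal device.

CURRENT_MAJOR="${CURRENT_MAJOR:-15}"   # assumption: latest macOS major at time of use
MAX_LOCK_SECONDS=300                   # policy: lock within 5 minutes
MIN_FREE_GB=20                         # policy: 20 GB free

# $1 = installed version (e.g. "14.7.2"), $2 = current major.
# Passes if installed major is the current one or one back.
check_os_version() {
  installed=${1%%.*}
  [ "$installed" -ge $(($2 - 1)) ] && [ "$installed" -le "$2" ]
}

# $1 = output of `fdesetup status` ("FileVault is On." / "FileVault is Off.").
check_filevault() {
  case "$1" in
    *"FileVault is On."*) return 0 ;;
    *) return 1 ;;
  esac
}

# $1 = screensaver idle seconds (defaults -currentHost read com.apple.screensaver idleTime)
# $2 = output of `sysadminctl -screenLock status`. Assumption: the text contains
#      "off", "immediate", or "<N> seconds"; anything else is non-compliant.
check_screen_lock() {
  idle=$1
  case "$2" in
    *off*) return 1 ;;
    *immediate*) delay=0 ;;
    *seconds*) delay=$(printf '%s' "$2" | tr -cd '0-9') ;;
    *) return 1 ;;
  esac
  [ "$idle" -gt 0 ] && [ $((idle + delay)) -le "$MAX_LOCK_SECONDS" ]
}

# $1 = output of `df -g /` (BSD df; column 4 of line 2 is free 1G-blocks).
check_free_space() {
  avail=$(printf '%s\n' "$1" | awk 'NR==2 {print $4}')
  [ -n "$avail" ] && [ "$avail" -ge "$MIN_FREE_GB" ]
}

# Runs the live commands on macOS only; prints PASS/FAIL per check and
# returns non-zero if any check fails, 2 if this is not a Mac.
run_checks() {
  [ "$(uname)" = "Darwin" ] || { echo "not macOS, nothing to check"; return 2; }
  rc=0
  report() { if "$@"; then echo "PASS $1"; else echo "FAIL $1"; rc=1; fi; }
  report check_os_version "$(sw_vers -productVersion)" "$CURRENT_MAJOR"
  report check_filevault "$(fdesetup status)"
  report check_screen_lock \
    "$(defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null || echo 0)" \
    "$(sysadminctl -screenLock status 2>&1)"
  report check_free_space "$(df -g /)"
  return $rc
}

# Run the live checks only when executed as byod_check.sh (not when sourced).
case "$0" in *byod_check.sh) run_checks ;; esac
```

Save it as byod_check.sh and have employees run `sh byod_check.sh` themselves; because the script is plain text, they can read exactly what it looks at, which does more for trust than any privacy paragraph. The Windows equivalent would check `Get-BitLockerVolume` and the screen saver policy keys in PowerShell, which this example does not cover.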

2. Security controls

MFA everywhere. Every company account must have multi-factor authentication enabled. On a BYOD device, MFA is your primary line of defense because you can't control the device the way you can with a company-owned machine. Prefer an authenticator app, a passkey, or a hardware key over SMS codes, which are the easiest factor to phish or redirect.

Password manager required. All work passwords must be stored in the company password manager (1Password, Bitwarden), not in the browser's built-in password save. When someone leaves, you can revoke password manager access. You can't remotely clear saved passwords from their personal Chrome profile.

Company data stays in company tools. Employees shouldn't be downloading customer databases to their personal desktop. Work data lives in Google Drive, Notion, or whatever your cloud tools are. Not on the local device.

Separate work browser profile (optional but recommended). If you use Google Workspace, have employees create a separate Chrome profile signed in with their work account. This keeps work bookmarks, extensions, and saved data separate from personal browsing, and it lets you push Chrome policies (for example, disabling the built-in password save) to the signed-in work profile from the Workspace admin console without touching the personal profile.

3. Privacy boundaries

This is where most BYOD policies fail. Employees are rightfully concerned about what their employer can see on their personal device. Be transparent.

What you can see:

  • Whether the device meets your minimum requirements (OS version, encryption status)
  • Which company apps are installed
  • Compliance status (is MFA enabled, is the password manager installed)

What you cannot see and will not monitor:

  • Personal files, photos, or messages
  • Browsing history
  • Personal app usage
  • Location data

Write this into the policy. Say it clearly. If you're using a lightweight compliance tool like Kolide, it checks device health without accessing personal data. Be specific about what the tool does and doesn't do.

4. Support scope

Define what IT will and won't help with on a personal device:

IT will help with:

  • Setting up company accounts and tools
  • Configuring MFA and the password manager
  • Troubleshooting access to company applications
  • Verifying device meets security requirements

IT will not help with:

  • Personal software issues
  • Hardware repairs or upgrades
  • Personal account problems
  • General device performance issues

This sounds cold, but it protects both parties. You're not responsible for fixing their personal laptop. They're not worrying that you'll poke around in their personal files while troubleshooting.

5. Offboarding

When someone with a BYOD device leaves the company:

  • Disable their SSO/identity provider account (cuts access to all connected tools)
  • Remove their password manager account (removes access to shared credentials)
  • If you're using a BYOD-style MDM enrollment (Apple User Enrollment or an Android work profile) rather than full device management, unenroll it remotely. This removes the managed apps, data, and configurations without touching personal data.
  • Ask them to remove their work browser profile and any company apps
  • Rotate any shared credentials they had access to

You cannot remote wipe a personal device the way you can a company-owned one. That's the tradeoff of BYOD. Proper SSO and credential management mitigates this by ensuring there's nothing useful left on the device once access is revoked.

The BYOD policy template

Here's a simple version you can adapt:

Scope. This policy applies to all employees and contractors who use personal devices to access company systems and data.

Device requirements.

  • Current or previous major OS version with all security patches applied
  • Disk encryption enabled (FileVault or BitLocker)
  • Device passcode or password required
  • Auto-lock enabled (5 minutes maximum)

Security requirements.

  • Multi-factor authentication on all company accounts
  • Company password manager installed and used for all work credentials
  • No company data stored locally outside of approved cloud tools
  • Report lost or stolen devices to IT immediately

Privacy.

  • The company does not monitor personal activity, files, messages, or browsing on personal devices
  • Device compliance checks are limited to: OS version, encryption status, and security software installation

Support.

  • IT supports company tool access and configuration on personal devices
  • IT does not support personal software, hardware, or non-work issues

Departure.

  • Company accounts and access will be revoked upon departure
  • Managed profiles will be removed remotely
  • Employees agree to remove company apps and work browser profiles

The hybrid approach

Many companies start with BYOD and transition to company-owned devices as they grow. Here's what I typically recommend:

Under 15 employees: BYOD with the policies above. The cost savings are real and the security gap is manageable.

15-50 employees: Start purchasing company devices for new hires while grandfathering existing BYOD employees. Offer to swap BYOD employees to company devices at their next hardware refresh.

50+ employees: Company-owned devices for everyone. At this scale, the security and management benefits outweigh the cost of purchasing hardware. Full MDM enrollment becomes practical and the compliance benefits are significant.

This isn't a hard rule. Some 100-person companies run BYOD successfully. But the trend is clear: as you grow, the risk-reward balance shifts toward company-owned devices.

Getting started

If you're running BYOD today without a policy, start with three things:

  1. Enforce MFA. This is the single most impactful security control for BYOD environments.
  2. Deploy a password manager. Get shared credentials out of Slack and into a proper vault.
  3. Write down the policy. Even a one-page version sets expectations and gives you something to point to.

If you want help building a BYOD policy, setting up the security controls, and managing the transition to company-owned devices as you grow, that's part of what I do. Book a call and we can talk through your current setup.
