Developing effective mobile usage policies for BYOD and CYOD programs is a complex task, requiring clear organizational alignment, thoughtful planning and attention to detail. Different organizations have different expectations around mobile usage, the level of mobile device management control maintained by the organization, and who pays for devices and carrier connectivity, so there’s no one-sized-fits-all policy.

It’s important to find solid advice on how to write a BYOD policy. But it might also help to know what not to do. Here are four pitfalls to avoid when starting out.

Going It Alone and Delivering a ‘Done Deal’

There’s no easier way to alienate your coworkers and corporate stakeholders than by developing a policy in secret, without asking for input, and then announcing that everything is done and ready to go — at which point it’s too late for feedback or to rethink strategy.

Building a proper BYOD (or CYOD) policy means getting input from people up and down the line: the administrative side of the business, line-of-business managers and IT all need to be in the game from the beginning.

When it comes to smartphones, tablets and the enterprise, you’re talking about something that may represent the future of how IT is delivered to end users. A positive relationship — not a rigid declaration — will be the foundation of mobility in your company going forward.

True, the corporate device policy isn’t the last word on mobility, but it sets the stage for innovation, diffusion and integration. Get it wrong early on, and you could set yourself back by years.

Being Vague and Not Explaining the Details

A policy, no matter what the subject, is supposed to tell people what to do. If people know what is expected of them and why, they’ll usually do their best to match up to those expectations.

BYOD and CYOD policies need to be clear on specific on exactly what they cover: which devices, which applications and which users. They need to be direct in issues such as payment, device choice and device management. And they need to lay out precise lines of responsibility for the end user, and for the organization.

If you find yourself putting in some vague statements because of a particular user community or use case, stop immediately. You’re making a mistake in your policy definition. Instead, you have two possible choices: either explicitly put in the exception to the policy, so that it too is codified, or decide that the exception is a bad idea, and get rid of it.

Good policies need to be straightforward, clear and comprehensive, without excess verbiage. Review every paragraph. If it’s not policy, prune it. If it’s not clear, clarify it.

Treating Your Policy as Brand New

It’s true that a BYOD policy should cover new territory. But it’s wrong to treat BYOD as if no one has ever thought about these issues before. In fact, companies are full of existing policies that overlap with BYOD: acceptable use policies, data protection policies, policies on which devices can and can’t be connected to the corporate network, and more. The BYOD policy has to fit into the existing policy ecosystem in the organization.

Build a BYOD Plan for Your Business

White Paper

Get our comprehensive guide and template for developing a BYOD policy tailored to your organization. Download Now

Ignoring existing policy or, worse, contradicting existing policy on important issues is a sure way to create confusion and noncompliance. If you’re looking at policies with new eyes through the lenses of mobile devices and you’re finding things you don’t like, the right answer is never to ignore existing policy. Instead, you should be fixing what’s broken, or figuring out whether things have truly changed.

BYOD and mobility are natural evolutions of computing and a way to deliver IT services to the workforce. They have to fit in the context of what’s gone before, and policies have to make sense and be consistent — not just in BYOD but across other IT areas as well.

BYOD as a Kitchen Sink

A good BYOD policy should be short and concise, and it should be understandable to those who are directly affected by it: the user community. BYOD policies that turn into long operational documents detailing Mobile Device Management (MDM) security settings are aimed at the wrong audience and will cause more confusion then benefit. If end users have trouble reading through the policy without glazing over, something is wrong.

Yes, you definitely need to have a document somewhere covering how to configure patching and what the password complexity requirements are and how VPNs are going to be configured — but these don’t matter to end users. Keep them in a separate document.

It’s not just IT admins who make this error. The complex set of interlocking actions that happen with BYOD and CYOD, such as device ordering, stipends for carrier services, and upgrade policies all create a temptation to mix operational and policy elements in the same document.

A well-written policy should be between five and ten pages in length. Any shorter, and you’ve probably left out something important or ended up too vague or abstract. Any longer, and you’ve probably added too much detail or are mixing in non-policy elements.

Get the right team together to keep policies tight and to the point, clear and direct, and you’re on your way to mobility success.

Ready to get started? Download our free guide and template for a deeper dive into BYOD policy development.

Posts By

Joel Snyder

Joel Snyder, Ph.D., is a senior IT consultant with 30 years of practice. An internationally recognized expert in the areas of security, messaging and networks, Snyder is a popular speaker and author and is known for his unbiased and comprehensive tests of security and networking products. His clients include major organizations on six continents.

View more posts by Joel Snyder