How to implement a successful BYOD policy amid Covid-19

Noel Rivera

Apr 27, 2020

10 min read

The COVID-19 pandemic might have brought the physical world into a literal standstill but this has only enhanced the activity in the online space. The major chunk of these participants who are involved in this enhance online space activity includes remote employees working to maintain business continuity. Work from Home policies was enacted for these employees to help them remain active and productive during the quarantine period. But since the instructions for the lockdown were given a little too suddenly, most organizations where caught blindsided. This became especially apparent when it came to providing devices to the employees who are working from home. That’s where a particularly efficient BYOD policy would work, well.

Now, if you don’t already have a BYOD policy in place it’s high time you create one. Your BYOD policy should be specific to your organization, it should factor in criteria which matter to you. To start you off on the right path, here are a few questions you should ask yourself while forming your BYOD policy.

Which all employees should be allowed to use a BYOD device?

This is a straight forward question. Which level of employees should be allowed to use their personal device as a work device? Our recommendation would be to go for a tiered approach based on risk. Employees you would want to give access to highly risky documents or content should not be included in the BYOD policy. It’s better that you provide them with a corporate-issued device on which you have more control. Employees with access to less risky content can be included in the BYOD Policy.

What devices and platforms can be managed through the BYOD policy?

One of the key shortcomings of BYOD is managing devices from heterogeneous platforms. The problem arises when the employees plan to use old devices with un-patchable OSs and probably can’t be covered by most enterprise-level device management suites. It is paramount that you exclude such devices from your BYOD policy as it becomes an oblivious chink in the armor.

What is your Device and app management strategy?

Now comes the part where you have to decide which areas of the personal device that your IT department can manage and monitor. What all apps should be deemed as work apps and how would you push certain mandatory apps to the personal devices held by the employee.

What level of technical support can your IT department provide to employees who opt for BYOD?

It is entirely possible that your staff may not be technically proficient. They may have doubts and issues with how their personal device is running. These doubts and issues need to be addressed and solved. Along with that several device-specific issues may arise. Your IT department should be able to help out the employees during such an occurrence. A faulty device is a security issue as far as your BYOD policy is concerned. The IT department has to find a way to prioritize and fix these issues in a timely manner.

How Hexnode MDM can help

An UEM solution like Hexnode can help you provide employees with secure access to corporate network and resources right from their own devices. The best part is that Hexnode offers truly unified management–all across mobile, desktop, and IoT. So, it doesn’t matter what type of devices employees use or what platforms they run on. Android phones and tablets; Windows laptops or PCs; Macs, iPhones, iPad, or even Apple TVs–you can quickly turn them work-ready. You don’t have to separate devices based on platforms for consistency. A single policy assigned across a fragmented group of devices can still accurately deploy the relevant configurations and security restrictions thanks to Hexnode’s underlying multi-platform policy architecture. For personal devices, you don’t have to opt for the fully-managed device approach. Configurations and restrictions centered around BYOD allow you to isolate corporate data in secure containers and manage their access without touching users’ personal apps or content. With flexible user-ended enrollment options, IT no longer needs to have physical access to onboard devices. Nor do they have to go through an elaborate staging process.


Integrating an identity provider like Windows Server AD, Azure AD or G Suite allows organizations to easily enroll the end-user mobile devices by authenticating users against their existing identity credentials. This way, users don’t have to create new email addresses or verify enrollments through one-time passwords. The whole process is easier and more secure. Better yet, Hexnode fetches the user groups in those directories so you can assign policies straight to a group. No need to create manual groups based on the organization structure.

Android BYOD management

BYOD management is possible on Android devices with the help of the Android Enterprise program. Formerly known as Android for Work, Android Enterprise is a program for building a mobile work container and separating work data/apps from personal data/apps. Android Enterprise also offers a wide variety of features that help the business step up its security capabilities. The steps involved in setting up Android Enterprise program are

1) Enroll your organization in the program

2) Enroll devices

3) Push apps and apply restrictions.

You can deploy Android Enterprise in two separate ways with Hexnode MDM. Either you can directly control the devices, or you can establish a separate work container on the device. These are known as device owner mode and profile owner mode respectively.

For a situation like COVID-19 pandemic, where most non-essential employees are opting for WFH, choosing a profile owner would be the best option. Why? It gives flexibility to the employee to use the device as his personal device and work device with work profile implementation. The restrictions, apps, and content pushed to the device by your IT department will only be accessible through the work container created in the device. Even in the event of a remote wipe, only the data in the container would be removed.

As for management, the BYOD management module of Hexnode provides several salient features like Managed Playstore, a customized app store where only pre-approved apps are available. Any inhouse which are developed within your organization for internal purposes can also be pushed. Apps can be silently installed on the device without user intervention and apps can be whitelisted/ blacklisted according to your requirement. The IT admin can also set custom app configurations and permissions for each app. Network configurations and VPNs can also be set up on devices.

Combined with these, Android Enterprise also provides some salient restrictions which can be implemented on target devices. These include basic device functionality restrictions, network settings restrictions, display restrictions, and many more.

As mentioned earlier, you can conduct a remote wipe when the need for the device is over and all the work data would be erased and with Hexnode MDM you can also de-containerize the device.

In-app configurations– Hexnode’s application configuration helps in pushing configurations to applications. This is a seamless way of managing BYOD remotely. The ability to configure applications to suit enterprise needs and the added bonus of leveraging OEMConfig capabilities should not be overlooked.

android for work

iOS BYOD Management

Hexnode MDM manages the data flow between personal and corporate space on iOS devices through unique advanced restrictions known as Business Container. It prevents unmanaged devices from opening attachments or documents from managed source, and vice versa.

Along with the business container, there are several advanced restrictions that can be added to your BYOD policy via Hexnode MDM’s console, which are especially relevant in a Work from Home scenario.

VPN: The Virtual Private Network (VPN) allows users to transfer data over a private network. It provides a secure and encrypted link over the Internet to another network. VPN increases security by redirecting network traffic into a virtual network. It can only route traffic to the authorized corporate apps. Hexnode helps the admin to set up iOS VPN configurations via the MDM console.

App Management: Under the app management section in Hexnode’s policy builder, you can address the various app management issues that you might encounter with an iOS device. The first being selecting the Mandatory Apps. These are apps that are required by an employee by default, you can select these apps and even choose to silently install them to avoid user intervention. Then similar to its Android counterparts there is the option to blacklist or whitelist apps, an app catalog that can be used to push inhouse enterprise apps and also an option to select permissions and configurations for each app.

Managed Domain: Hexnode enables you to configure Managed Domain for iOS devices. You may list those domains by e-mail. If you send an email to a domain that is not specified here, it will be highlighted as an out-of-domain in the mail app. In the same way, the MDM server can also identify documents downloaded from an unmanaged domain. This combined with the Business container ensures that unmanaged content is never opened in a managed device.

How to secure and manage mobile devices in healthcare

Windows OS BYOD management.

When asked to present their BYOD ready device, most employees would likely show up with a Windows PC. This something to be expected so, its better to be prepared for this through your BYOD plan. Fortunately, Hexnode MDM’s console has various Windows device Management options to help you through this. Some of the key features that are available in Hexnode and should be included in your BYOD policy is as follows.

Email Configurations: You can set Email configurations in Hexnode’s MDM console and then push these configurations to target devices. By doing this you can ensure that the employee doesn’t configure his personal email on the device, at least for work purposes.

App Deployment: With Hexnode MDM you can push apps directly from the Windows store to the devices. There is also a mandatory app criterion which makes sure that all the vital apps are installed in the device, else it is marked as non-compliant.

BitLocker Encryption: Hexnode comes with the BitLocker policy which is Microsoft’s inbuilt volume encryption tool used for data protection. In case the device gets stolen or falls into the wrong hands, BitLocker can prevent data from being stolen or lost.

MacOS BYOD Management

Being the second most widely used OS after Windows OS, you are bound to encounter at least few of your employees who would be using an Apple device with macOS. Not to worry though, Hexnode is highly capable of mac management. These are some of the features you should make sure is included in your BYOD policy regarding macOS.

VPN: Similar to iOS devices VPN configuration is also available in macOS but options like VPN On Demand, which provide VPN to only certain domains are not available for macOS devices.

Email Configuration: Email configuration can be set remotely through the Hexnode MDM console and these can be pushed over the air on to target devices. This adds to the security factor and ensures that email ids from unmanaged domains don’t get access to managed devices.

App Management: Policies for mandatory apps can be set so that critical apps are always present in the devices used by the employees. App configurations and other policies can also be set remotely and pushed to targeted devices.

mac management with hexnode mdm

Audit and Report supervision

You can collect high level device reports to app-based report from the Reports tab in the Hexnode MDM console. These include device reports, compliance reports, user reports, app reports and many more. They can be downloaded in either pdf or csv format. This helps you keep track of all the devices that were enrolled as BYOD ready devices. You can check whether they are compliant or if there is any anomaly you can track it down using these reports.

Noel Rivera

Existential and Curious.

Share your thoughts