Remote Work and Mobile Device Management (MDM) Policy

Policy Status: Active

This policy is currently active.

Purpose

To secure remote access to Acme Corp's systems and data, ensuring consistent security standards across all work environments and mobile devices.

Scope

This policy applies to all employees, contractors, and authorized third parties who access Acme Corp's systems remotely or use mobile devices (smartphones, tablets, laptops) for work purposes.

Policy Statement

Secure Remote Access

Primary Access Method - Google Workspace SSO:

  • All approved company applications accessed via Google Workspace Single Sign-On (SSO)
  • Two-factor authentication (2FA) required for Google Workspace accounts
  • Context-aware access policies enforce device compliance and security requirements
  • Session management and activity monitoring through Google Workspace admin console
  • Applications must integrate with Google SSO where technically feasible

Network Security:

  • Cloud-based applications accessed securely via HTTPS
  • Public Wi-Fi use permitted when accessing SSO-protected applications
  • Home networks should use WPA3 or WPA2 encryption (recommended)
  • Firewall must be enabled on all devices
  • Suspicious network activity should be reported immediately

Device Security

Company-Owned Devices:

  • Must have IT-approved antivirus/anti-malware software (updated automatically)
  • Full disk encryption required (BitLocker, FileVault, or equivalent)
  • Screen lock enabled with maximum 5-minute timeout
  • Automatic security updates enabled
  • MDM software installed and active
  • Lost or stolen devices reported immediately

Personal Devices (BYOD):

  • BYOD permitted only with prior IT approval
  • Must meet minimum security requirements:
      • Current operating system (no unsupported versions)
      • Approved antivirus software
      • Screen lock with PIN/biometric (6-digit minimum)
      • Encryption enabled
      • Work data in containerized apps where possible
  • MDM enrollment required for email and company app access
  • IT reserves the right to remotely wipe company data

Mobile Device Management

MDM Platform:

  • All mobile devices accessing company email/data must enroll in MDM
  • MDM policies automatically enforce security settings
  • Device compliance checked before allowing access
  • Non-compliant devices blocked from company resources

Remote Wipe Capabilities:

  • IT can remotely wipe devices if:
      • Device is lost or stolen
      • Employee separation
      • Device compromised or infected
      • Employee non-compliance with security policies
  • Employees must acknowledge remote wipe capability before enrollment
  • Personal devices: Only company data wiped (selective wipe)
  • Company devices: Full device wipe performed

Prohibited Devices:

  • Jailbroken or rooted devices
  • Devices with known malware infections
  • Devices running unsupported operating systems
  • Devices that cannot meet minimum security requirements

Data Handling on Mobile Devices

Permitted Activities:

  • Access company email through approved apps
  • Use approved collaboration tools
  • Access approved cloud applications
  • View and edit documents in secure containers

Prohibited Activities:

  • Storing sensitive data in personal cloud storage
  • Taking screenshots of sensitive information (blocked where possible)
  • Sharing company data through unapproved apps
  • Installing unapproved applications on company devices
  • Using personal email for work communications

Roles and Responsibilities

Role               Responsibility
IT Team            Configure and monitor remote access solutions, manage MDM platform, enforce security policies
IT Security Team   Define security requirements, monitor for threats, respond to device compromises
Employees          Adhere to security protocols, report lost or compromised devices immediately, maintain device security
Managers           Ensure team compliance, approve BYOD requests, enforce policy requirements
Help Desk          Provision remote access, assist with MDM enrollment, support device issues

Procedures

1. Remote Access Setup

  1. Submit access request through IT portal
  2. Complete security awareness training
  3. Google Workspace account provisioned with SSO access
  4. Enroll in 2FA for Google Workspace
  5. Acknowledge policy compliance

2. MDM Enrollment

  1. Download approved MDM app
  2. Follow enrollment instructions
  3. Accept MDM policies (including remote wipe)
  4. Verify device compliance
  5. Access granted upon successful enrollment

3. BYOD Approval Process

  1. Submit BYOD request with device details
  2. IT reviews device compatibility
  3. Device must pass security check
  4. Employee signs BYOD agreement
  5. Enrollment in MDM required before access

4. Lost or Stolen Device Reporting

  1. Report to IT immediately (24/7 contact available)
  2. IT disables device access remotely
  3. IT initiates remote wipe if necessary
  4. File police report for stolen devices
  5. Replacement device provisioned

5. Device Offboarding

  1. Return company devices to IT
  2. Personal devices un-enrolled from MDM
  3. All access credentials revoked
  4. Company data removed from personal devices
  5. Confirm data removal before separation

Exceptions

  • Executives may request exceptions for specific device types
  • Temporary visitors may use guest Wi-Fi (no access to internal systems)
  • Short-term contractors may use company-provided locked-down devices
  • All exceptions require CISO approval and documented compensating controls
  • Exceptions reviewed quarterly

Compliance and Enforcement

  • Device Compliance Monitoring: Automated daily compliance checks
  • Non-Compliant Devices: Blocked from access until remediated
  • Lost Device Response: Remote wipe within 4 hours of report
  • Policy Violations: May result in access revocation and disciplinary action
  • Audit: Quarterly review of remote access logs and device compliance
  • HIPAA Compliance: Remote access controls meet HIPAA Security Rule requirements

References

  • NIST SP 800-46 Rev. 2: Guide to Enterprise Telework, Remote Access, and BYOD Security
  • NIST SP 800-124 Rev. 2: Guidelines for Managing the Security of Mobile Devices
  • HIPAA Security Rule - Access Control (§164.312(a))
  • SOC 2 Trust Service Criteria - Logical and Physical Access Controls
  • CIS Controls v8 - Controls 4, 6, and 12

Revision History

Version   Date         Author             Changes
1.0       2025-11-08   IT Security Team   Initial version migrated from Notion

Document Control

  • Classification: Internal
  • Distribution: All remote workers and mobile device users
  • Storage: GitHub repository - policy-repository