TL;DR

A bring-your-own-device (BYOD) program without minimum endpoint controls is an open door to your business data. This checklist covers the six non-negotiable controls every 10–50 headcount Australian SMB needs — no full MDM budget required — plus a sample policy section you can adapt today.


Why BYOD Hygiene Is No Longer Optional

Most Australian SMBs now run on a mix of personally owned laptops, phones and tablets. That is operationally convenient, but it creates an endpoint hygiene gap that attackers exploit relentlessly. In 2026 the attack surface has shifted: adversaries increasingly target identities and sessions rather than infrastructure. OAuth token theft, consent phishing and adversary-in-the-middle (AiTM) phishing capture the already-authenticated session, so multi-factor authentication on its own does not stop them, and the cached tokens on an unmanaged personal device are the easiest place to steal that session from. A personal phone used for work becomes the weakest link, and attackers know it.

The good news: you do not need a six-figure MDM deployment. Six minimum controls, consistently enforced, close the gap for SMBs.


The 6-Point BYOD Endpoint Hygiene Checklist

1. Device Compliance Policy — The Four Non-Negotiables

Every device accessing company data must meet a written compliance baseline:

  • OS version minimum: iOS 16+ / Android 13+ / Windows 11 23H2+ / macOS 14+. Unsupported OS versions receive no security patches.
  • Disk encryption enabled: FileVault (macOS), BitLocker (Windows), or device encryption (iOS/Android) must be active.
  • Screen lock enforced: Auto-lock at 5 minutes maximum, minimum 6-digit PIN or biometric.
  • No jailbreak or root: The device must pass platform integrity checks. Jailbroken or rooted devices are blocked outright.

Document these four requirements in your acceptable use policy and verify compliance at onboarding. No exceptions.

2. MDM-Lite: Baseline Enforcement Without the Price Tag

Full MDM (Workspace ONE, full Intune suite) is overkill at 10–50 seats. Use the lightweight tier that ships with your existing stack:

  • Microsoft 365 Business Premium: Includes Intune Plan 1 (device compliance policies and app protection policies) and Entra ID P1 (Conditional Access), which together cover everything in this checklist.
  • Google Workspace Business Plus: Includes endpoint management for Android and iOS with work profile enforcement.
  • Apple-only fleet: Kandji or Jamf Now for zero-touch deployment starting around AU$5–8/device/month.

Configure one conditional access rule immediately: require a compliant device before granting access to Microsoft 365 or Google Workspace. That single rule means a phished password or a replayed session token is useless from any device you do not manage. Exclude one emergency-access (break-glass) account from the rule and run it in report-only mode for a week before enforcing it, so a mis-scoped policy cannot lock you out of your own tenant.
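Here is what that rule looks like as the Microsoft Graph request body, together with a drift check you can reuse in the monthly audit. This is an added example, not code from the article or from Microsoft: the body follows the Graph v1.0 conditionalAccessPolicy schema (posted to /identity/conditionalAccess/policies with the Policy.ReadWrite.ConditionalAccess permission), the break-glass group id is a placeholder, and the Google Workspace equivalent is not covered.

```python
"""Conditional Access: require a compliant device for all users and all cloud apps,
plus a drift check for the monthly audit.

Added example, not Microsoft's code. The request body follows the Microsoft Graph
v1.0 conditionalAccessPolicy schema: POST /identity/conditionalAccess/policies,
which needs the Policy.ReadWrite.ConditionalAccess permission. The break-glass
group id below is a placeholder for your own emergency-access group's object id.
"""

BREAK_GLASS_GROUP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder


def build_compliant_device_policy(break_glass_group_id: str = BREAK_GLASS_GROUP_ID) -> dict:
    """Graph request body for 'require compliant device' across all users and apps.

    One emergency-access group is excluded so a broken policy cannot lock the tenant
    out. To trial it first, set state to 'enabledForReportingButNotEnforced'."""
    return {
        "displayName": "BYOD: require compliant device for all cloud apps",
        "state": "enabled",
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeUsers": [],
                "excludeGroups": [break_glass_group_id],
            },
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": ["compliantDevice"],
        },
    }


def check_policy_drift(policy: dict, allowed_exclusions: set) -> list:
    """Return the reasons this policy no longer blocks unmanaged devices (empty = OK).

    Catches the usual silent breakages: state flipped to disabled or report-only,
    exclusions added 'temporarily', scope narrowed, and an OR-grant with a second
    control so that MFA alone satisfies the rule and a phished session on an
    unmanaged device still gets in."""
    problems = []
    if policy.get("state") != "enabled":
        problems.append(f"state is {policy.get('state')!r}, not 'enabled'")
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    if "All" not in users.get("includeUsers", []):
        problems.append("not scoped to all users")
    excluded = set(users.get("excludeUsers", [])) | set(users.get("excludeGroups", []))
    extra = excluded - allowed_exclusions
    if extra:
        problems.append(f"unexpected exclusions: {sorted(extra)}")
    if "All" not in cond.get("applications", {}).get("includeApplications", []):
        problems.append("not scoped to all cloud apps")
    if cond.get("clientAppTypes") != ["all"]:
        problems.append("does not cover all client app types")
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    if "compliantDevice" not in controls:
        problems.append("grant control 'compliantDevice' missing")
    elif grant.get("operator") == "OR" and len(controls) > 1:
        problems.append("operator OR with extra controls: the rule can be satisfied without a compliant device")
    return problems


if __name__ == "__main__":
    import json

    policy = build_compliant_device_policy()
    print(json.dumps(policy, indent=2))
    print("fresh policy problems:", check_policy_drift(policy, {BREAK_GLASS_GROUP_ID}))
    # Constructed 'drifted' copy of the kind the monthly audit should catch.
    drifted = build_compliant_device_policy()
    drifted["state"] = "enabledForReportingButNotEnforced"
    drifted["conditions"]["users"]["excludeUsers"].append("contractor-user-id")
    drifted["grantControls"]["builtInControls"].append("mfa")
    print("drifted policy problems:", check_policy_drift(drifted, {BREAK_GLASS_GROUP_ID}))
```

The drift check is the part worth wiring into the monthly audit. A policy that someone flipped to report-only during troubleshooting, or to which "mfa" was added alongside "compliantDevice" with the OR operator, passes a casual glance in the portal but no longer requires a managed device at all.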

3. Separate Work Data: The Container Approach

Personal apps and work data must never share the same sandbox. The two paths:

  • Android: Work Profile creates an isolated container with its own apps, encryption keys and lifecycle. Work data is wiped independently of personal data.
  • iOS / macOS: User Enrolment with a Managed Apple ID keeps work data on a separate, cryptographically isolated volume. The personal Apple ID and its data remain untouched.

Do not allow users to access company email, Teams or SharePoint through personal app instances. Push the Outlook and Teams apps into the managed container and block copy-paste between work and personal profiles (an app protection policy in Intune, a work profile restriction in Google endpoint management).

4. Remote Wipe Capability — Without Touching Personal Data

Every BYOD device must be enrolled such that you can selectively wipe only company data when someone leaves, or when a device is lost. On Android, wiping the Work Profile removes the container and every corporate app in it as soon as the device checks in. On iOS, retiring a User Enrolment removes the managed volume and the apps and accounts it holds without touching the personal photo library, messages or apps. This is the single requirement that makes employees willing to enrol: they keep their privacy, you keep your data.

Test the wipe process on a volunteer device during onboarding. If you discover at termination that it does not work, it is already too late. Remember that a wipe only executes when the device next connects, so for a lost or stolen device also revoke the user's sessions and refresh tokens at the identity provider the same day rather than waiting for the wipe to report back.

5. No BYOD for Privileged or Admin Accounts

This rule is absolute: privileged accounts — domain admin, global admin, finance system superuser, root — must never authenticate from a personally owned device. Those accounts live on company-issued, fully managed hardware only.

Why it matters: a compromised personal laptop with cached admin tokens gives attackers the keys to the kingdom without a single exploit. As Mandiant documented in early 2026, attackers use stolen sessions from unmanaged endpoints to move laterally across SaaS platforms silently. One personal device housing admin credentials undoes every other control on this list.

6. Monthly Mini-Audit Checklist (15 Minutes)

Print this or drop it into a recurring calendar invite. Run it the first Monday of every month:

  • Review device compliance report in Intune / Google Admin — any non-compliant devices?
  • Check for new enrolments. Any device that joined without authorisation?
  • Verify the conditional access policy is still enabled and still scoped to all users and all apps (policies get switched to report-only or disabled during troubleshooting and tenant changes and never switched back).
  • Confirm remote wipe test passed against at least one test device.
  • Review the privileged account list — any BYOD device still showing admin sign-ins?
  • Check OS version compliance: any devices running an unsupported version? Block them.

Fifteen minutes. Miss it twice and you have a breach condition, not a checklist.
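Here is the device side of that audit as a script: it applies the four compliance non-negotiables from point 1 to an exported inventory and flags privileged sign-ins from personally owned or unenrolled devices. It is an added example, not anything from the article or the vendors. The field names (id, os, os_version, encrypted, autolock_minutes, pin_length, biometric, jailbroken_or_rooted, ownership; user and device_id on sign-ins) are this example's own, not Intune's or Google's schema, the Windows floor is expressed as the 23H2 build number 22631, and the sample devices and sign-ins are constructed.

```python
"""Monthly BYOD mini-audit over a device inventory export and a sign-in export.

Added example. The field names are assumed for a CSV/JSON export you shape
yourself from Intune or Google endpoint management; they are not either vendor's
schema. Sample data at the bottom is constructed.
"""
import re

# Minimum supported OS versions from the checklist. Windows 11 23H2 reports as
# build 10.0.22631, so the Windows floor is expressed as a build number.
MIN_OS_VERSION = {
    "iOS": (16,),
    "Android": (13,),
    "Windows": (10, 0, 22631),
    "macOS": (14,),
}
MAX_AUTOLOCK_MINUTES = 5
MIN_PIN_LENGTH = 6


def parse_version(version: str) -> tuple:
    """'17.4.1' -> (17, 4, 1); '10.0.22631.3155' -> (10, 0, 22631, 3155)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def evaluate_device(dev: dict) -> list:
    """Return the list of baseline failures for one device (empty = compliant)."""
    failures = []
    minimum = MIN_OS_VERSION.get(dev["os"])
    if minimum is None:
        failures.append(f"unknown OS {dev['os']!r}")
    elif parse_version(dev["os_version"]) < minimum:
        failures.append(f"{dev['os']} {dev['os_version']} is below the supported minimum")
    if not dev.get("encrypted", False):
        failures.append("disk encryption not active")
    if dev.get("autolock_minutes", 999) > MAX_AUTOLOCK_MINUTES:
        failures.append("auto-lock exceeds 5 minutes")
    if not (dev.get("biometric") or dev.get("pin_length", 0) >= MIN_PIN_LENGTH):
        failures.append("screen lock weaker than 6-digit PIN or biometric")
    if dev.get("jailbroken_or_rooted"):
        failures.append("failed platform integrity check (jailbreak/root)")
    return failures


def run_audit(devices: list, sign_ins: list, privileged_users: set) -> dict:
    """Monthly report: non-compliant devices with reasons, unsupported-OS devices
    to block now, and privileged sign-ins from personal or unknown devices."""
    by_id = {d["id"]: d for d in devices}
    report = {"noncompliant": {}, "block_unsupported_os": [], "privileged_byod_signins": []}
    for d in devices:
        failures = evaluate_device(d)
        if failures:
            report["noncompliant"][d["id"]] = failures
            if any("supported minimum" in f or "unknown OS" in f for f in failures):
                report["block_unsupported_os"].append(d["id"])
    for s in sign_ins:
        if s["user"] not in privileged_users:
            continue
        dev = by_id.get(s["device_id"])
        # Privileged accounts belong on corporate-managed hardware only. An unknown
        # device id means an unenrolled device, which is worse, not better.
        if dev is None or dev["ownership"] != "corporate":
            report["privileged_byod_signins"].append((s["user"], s["device_id"]))
    return report


# Constructed sample data for a stand-alone run.
DEVICES = [
    {"id": "d1", "user": "amy", "os": "iOS", "os_version": "17.4.1", "encrypted": True,
     "autolock_minutes": 2, "pin_length": 6, "biometric": True,
     "jailbroken_or_rooted": False, "ownership": "personal"},
    {"id": "d2", "user": "ben", "os": "Android", "os_version": "12.0", "encrypted": True,
     "autolock_minutes": 5, "pin_length": 4, "biometric": False,
     "jailbroken_or_rooted": False, "ownership": "personal"},
    {"id": "d3", "user": "cat", "os": "Windows", "os_version": "10.0.22631.3155",
     "encrypted": False, "autolock_minutes": 10, "pin_length": 8, "biometric": False,
     "jailbroken_or_rooted": False, "ownership": "personal"},
    {"id": "d4", "user": "dan", "os": "macOS", "os_version": "14.3", "encrypted": True,
     "autolock_minutes": 5, "pin_length": 8, "biometric": True,
     "jailbroken_or_rooted": False, "ownership": "corporate"},
]
SIGN_INS = [
    {"user": "dan", "device_id": "d4"},   # global admin on the corporate laptop: fine
    {"user": "dan", "device_id": "d1"},   # same admin from Amy's personal phone: flag
    {"user": "dan", "device_id": "d9"},   # admin from a device that is not enrolled: flag
    {"user": "amy", "device_id": "d1"},
]
PRIVILEGED = {"dan"}

if __name__ == "__main__":
    rep = run_audit(DEVICES, SIGN_INS, PRIVILEGED)
    for dev_id, fails in rep["noncompliant"].items():
        print(dev_id, "->", "; ".join(fails))
    print("block for unsupported OS:", rep["block_unsupported_os"])
    print("privileged sign-ins from BYOD/unknown devices:", rep["privileged_byod_signins"])
```

Point the three constants at whatever export your admin console produces and the report gives you items 1, 5 and 6 of the checklist in one run. The unsupported-OS list is the one to act on the same day: those devices should lose access until they are updated, not wait for the next audit.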


Sample BYOD Policy Section (Adapt for Your Handbook)

Bring Your Own Device (BYOD) Policy — Extract

  1. Eligibility: BYOD is permitted for standard-access roles only. Privileged account holders (IT admin, finance system admin, executive with unrestricted access) must use a company-issued device.
  2. Enrolment: Before accessing any company system, the device must be enrolled in [Microsoft Intune / Google endpoint management] and pass the compliance baseline: an OS version at or above the published minimum, disk encryption active, auto-lock of 5 minutes or less with a 6+ digit PIN or biometric, and platform integrity check passed.
  3. Work Data Separation: All company data must reside within the managed Work Profile (Android) or Managed Apple ID volume (iOS/macOS). Storing company data in personal apps, local downloads, or unmanaged cloud storage is prohibited.
  4. Remote Wipe Consent: The company reserves the right to remotely wipe only company data and the managed container upon termination of employment, reported device loss, or confirmed security incident. Personal data, apps, and media will not be affected.
  5. Audit: Devices are subject to monthly compliance review. Repeated non-compliance (two consecutive months) results in revocation of BYOD access.
  6. Incident Reporting: Lost or stolen devices used for work must be reported to IT within 4 hours.

FAQ

Q: Does the Essential Eight require MDM for BYOD? The ACSC's Essential Eight does not mention MDM by name at any maturity level, but it requires multi-factor authentication, patched operating systems and application control, and those requirements have to be verified on every device that touches your data. That verification is impossible on a personal device you do not manage. Higher maturity levels tighten patch timeframes and expect configuration to be applied consistently across the fleet, which in practice means central management. MDM-lite is what makes the evidence collectable.

Q: Can we just use a written policy without enforcing it technically? No. A written policy without conditional access enforcement — blocking non-compliant devices at the identity provider — is a piece of paper. Attackers do not read your policy.

Q: What if an employee refuses to enrol their personal device? They do not access company data from that device. Issue a company-owned handset or restrict them to webmail on a managed browser only (session-only, no offline data). The business decides the risk appetite; the employee does not get a veto.

Q: Is Intune included in Business Premium or do we pay extra? Microsoft 365 Business Premium (~AU$33/user/month) includes Intune Plan 1 with device compliance policies, conditional access, and app protection. No additional licence required for the controls in this checklist.


Conclusion

BYOD endpoint hygiene is a process, not a purchase. Start with the four compliance non-negotiables, enrol every device into your existing MDM-lite tool, separate work data, lock down privileged accounts, and run the 15-minute monthly audit. Those six controls give a 10–50 headcount SMB 80% of enterprise endpoint security at a fraction of the cost.

Need help designing controls that fit your business — not a vendor's brochure? Visit consult.lil.business for a free 30-minute cybersecurity assessment tailored to Australian SMBs.


References

  1. ACSC — Bring Your Own Device (BYOD) Guidance
  2. Microsoft — Intune Device Compliance Policies for SMB
  3. NIST SP 1800-22 — Mobile Device Security: Bring Your Own Device (BYOD)
  4. Mandiant / The Hacker News — Vishing Attacks Stealing MFA to Breach SaaS Platforms (Jan 2026)
  5. Digital Biz Talk — OAuth Redirect Abuse Bypasses MFA (Mar 2026)
