Quick answer: Cyber Essentials BYOD & mobile device requirements UK 2026: MDM enrolment vs blocking, Intune compliance settings, BYOD policy template & common pitfalls.
Last updated: April 2026 | Reviewed by: Connection Technologies team

Cyber Essentials BYOD & Mobile Device Requirements UK 2026
BYOD (Bring Your Own Device) and personal mobile phones are the single most common reason businesses fail Cyber Essentials in 2026. The default IASME position is clear: any device that can access organisational data — including a personal iPhone receiving work email — is in scope and must meet the same five technical controls as a corporate laptop. There are two routes to compliance: enrol BYOD into MDM, or technically prevent BYOD from accessing org data at all.
This guide explains the BYOD and mobile device requirements in detail, the two compliant approaches, what the assessor will ask you to evidence, and the most common mistakes. For wider context see our requirements guide and the M365 / Azure config guide.
What counts as a “mobile device” under Cyber Essentials?
Any device that:
- Can access organisational data — email, OneDrive, SharePoint, Teams, your CRM, your file shares
- Has its own internet connection (mobile data, Wi-Fi)
- Is portable (smartphones, tablets, laptops used outside the office)
This includes corporate-owned phones, BYOD phones with work apps, and tablets used for any work purpose. Smart watches that pair with phones generally don’t fall in scope on their own (they consume from the phone, which is in scope). Laptops are always in scope, BYOD or otherwise.
The two compliant approaches to BYOD
| Approach | What you do | Best for |
|---|---|---|
| 1. Bring BYOD into scope | Enrol every personal device that touches org data into MDM (Intune, Jamf, Workspace ONE) and apply CE-equivalent controls | Most SMEs — easiest to evidence, gives you control |
| 2. Block BYOD access to org data | Use Conditional Access + app protection to make personal devices unable to download or cache org data — web-only access | Privacy-conscious cultures, regulated sectors |
Approach 1 — Enrol BYOD in MDM
Most UK SMEs choose this route. With Microsoft Intune (included with M365 Business Premium and most enterprise SKUs):
- Stand up an Intune compliance policy for iOS and Android (see settings below)
- Stand up a Conditional Access policy requiring “device marked as compliant” for org data access
- Roll out enrolment to staff via the Intune Company Portal app — guided process, takes the user 5-10 minutes
- Apply work profile separation on Android (work apps and data sit in a managed container)
- Deploy app protection policies (MAM) — these enforce data leak prevention even if the OS-level controls fail
The legal nuance: enrolling a personal device gives the employer some control (remote wipe of work data, enforcement of passcode, blocking of jailbreak). It doesn’t give the employer access to personal photos, messages or app data. Make this clear in the BYOD policy you ask staff to sign — IASME wants to see it documented.
Intune iOS compliance policy that satisfies CE
- Minimum OS version: latest N-1 (e.g. iOS 17.0+ in early 2026)
- Maximum OS version: not configured
- Jailbreak detection: block
- Passcode required: yes, min length 6, max grace period 5 minutes, max failed attempts 10
- Encryption: enforced (default on iOS)
- Bluetooth pairing: not blocked, but new pairings require approval
Intune Android compliance policy that satisfies CE
- Minimum OS version: latest N-1 (e.g. Android 13+)
- Block rooted devices
- Google Play Protect: required, and the device must report it as active
- Passcode required: yes, min length 6, complexity high
- Encryption: enforced
- Threat scan on apps: required
- Use work profile (BYOD specifically): yes
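The two settings lists above map onto a simple pass/fail check per device, which is also how you spot the compliance drift that causes most Plus failures. The script below is an added example, not Microsoft or Connection Technologies code: it evaluates constructed inventory records against the CE-equivalent settings (OS within N-1, six-character passcode, jailbreak/root block, encryption, Android work profile for BYOD); the "latest" OS majors and the sample devices are assumed values.

```python
"""Evaluate mobile device records against the CE-equivalent Intune settings
described above. Added example; device records and 'latest' OS versions are
constructed, not exported from a real tenant."""
from dataclasses import dataclass

# Assumed current major OS versions at assessment time (constructed values).
LATEST_MAJOR = {"ios": 18, "android": 14}
MIN_PASSCODE_LEN = 6

@dataclass
class Device:
    name: str
    platform: str          # "ios" or "android"
    os_version: str        # dotted version string, e.g. "17.4.1"
    passcode_len: int      # 0 if no passcode is set
    compromised: bool      # jailbroken (iOS) or rooted (Android)
    encrypted: bool
    byod: bool = False
    work_profile: bool = False   # Android only: work apps in a managed container

def major(version: str) -> int:
    """Return the major component of a dotted version string."""
    return int(version.split(".")[0])

def check_device(d: Device) -> list[str]:
    """Return the CE control failures for one device; an empty list means compliant."""
    failures = []
    # Minimum OS is latest N-1, i.e. major version >= latest - 1.
    if major(d.os_version) < LATEST_MAJOR[d.platform] - 1:
        failures.append(f"os_version {d.os_version} older than N-1")
    if d.passcode_len < MIN_PASSCODE_LEN:
        failures.append(f"passcode length {d.passcode_len} < {MIN_PASSCODE_LEN}")
    if d.compromised:
        failures.append("jailbroken/rooted device must be blocked")
    if not d.encrypted:
        failures.append("storage encryption not enforced")
    if d.platform == "android" and d.byod and not d.work_profile:
        failures.append("BYOD Android without work profile separation")
    return failures

def drift_report(devices: list[Device]) -> dict[str, list[str]]:
    """Map device name -> failures for every device that has drifted off-compliance."""
    return {d.name: f for d in devices if (f := check_device(d))}

# Constructed sample inventory, shaped like an MDM export.
SAMPLE = [
    Device("ceo-iphone", "ios", "18.3", 6, False, True, byod=True),
    Device("sales-android", "android", "12.0", 4, False, True, byod=True),
    Device("ops-ipad", "ios", "17.6", 6, True, True),
]

if __name__ == "__main__":
    for name, f in drift_report(SAMPLE).items():
        print(name, "->", "; ".join(f))
```

Run against a real MDM export, the same report doubles as the remediation list to clear before the assessor samples devices.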
Approach 2 — Block BYOD from org data
If you’d rather keep personal devices entirely out of scope:
- Conditional Access policy requiring “compliant device” for all org data — only corporate-managed devices can access
- Conditional Access “session control” forcing browser-only access on unmanaged devices, with no download permitted
- Disable native Outlook / Mail app access — only Outlook Web Access via browser (no offline cache)
- Block syncing of OneDrive / SharePoint to unmanaged devices
- Document this in the BYOD policy: “personal devices may not download or cache organisational data”
This works for many businesses but is restrictive. Staff used to phone email find it inconvenient. Plus the assessor will probe — “if a user opens Outlook Web on their personal phone, can they actually save attachments?” — and you need to demonstrate the controls hold.
What about laptops used at home?
Corporate-supplied laptops used at home are in scope. They need:
- Host firewall (Windows Firewall or macOS Firewall) — replaces the boundary firewall function
- EDR / anti-malware
- Patching within 14 days of vendor release
- Disk encryption (BitLocker / FileVault)
- MFA on every cloud service accessed
The home router itself is generally not in scope, provided the laptop has a host firewall. Don’t list home routers in your asset register.
BYOD policy — what IASME wants to see documented
You don’t need an ISO-grade policy. A 1-2 page document covering:
- Which apps and data are permitted on personal devices
- What’s required of the device (MDM enrolment, OS version, passcode, encryption)
- What the employer can and cannot do (selective wipe of work data only)
- What happens when an employee leaves (remote work-data wipe, no personal data touched)
- What happens when a device is lost or stolen (immediate report to IT, remote wipe within 24 hours)
- Acceptable use restrictions (no jailbreak, no sideloaded apps that access org data)
Get the staff member to sign acceptance — paper or digital is fine. Keep the signed copies as evidence.
Common BYOD mistakes that fail Cyber Essentials
- “We let staff have email on personal phones, but we haven’t enrolled them in MDM.” Hard fail. Either enrol or block.
- “We block downloads but allow OneDrive sync.” OneDrive sync writes org data to the device — fails the same test as a download.
- “We have an MDM but only for the directors.” All staff with org-data access must be in scope.
- “We don’t enforce a passcode because the user can already unlock with Face ID.” Face ID is a biometric — that’s accepted, but it must be configured (not just available). The compliance policy must enforce a passcode requirement so that when biometric fails, the fallback is strong.
- “We allow jailbroken phones — we trust our staff.” Hard fail. Jailbreak / root detection must block.
Mobile device sample testing in Cyber Essentials Plus
For the Plus audit, the assessor samples your devices including a representative mix of mobile devices. They’ll:
- Check the OS version is current (within N-1)
- Verify the passcode policy is enforced — try to set a 4-digit PIN and see if it’s accepted (it shouldn’t be)
- Check the device shows as compliant in the MDM
- Try to install a sideloaded app and confirm it’s blocked
- Verify org data can’t be exfiltrated to personal apps (copy/paste from Outlook to personal Notes, for example)
If your mobile fleet is configured as above, you’ll pass cleanly. Most failures come from devices that drifted off-compliance and weren’t remediated.
Connection Technologies’ agent for mobile device compliance
Our managed Cyber Essentials service includes a lightweight agent that automates the mobile device controls — enrolment in Intune, ongoing compliance monitoring, automatic remediation of drift, and clean evidence packs for the assessor. Particularly useful for businesses that don’t have a dedicated IT lead to manage Intune day-to-day.
Get Cyber Essentials & Cyber Essentials Plus — fully managed
Connection Technologies runs Cyber Essentials and Cyber Essentials Plus for UK businesses end-to-end. Our compliance agent automates the five technical controls across every Windows, macOS, iOS and Android device — we submit, audit and renew so you stay certified without the paperwork. RRP from £103/month with free £25,000 cyber-liability insurance for eligible UK businesses.
Skip the Cyber Essentials paperwork
We handle the five controls, the questionnaire, the audit and the renewal — RRP from £103/month.
Frequently asked questions
Yes, if they can access organisational data (work email, M365, Teams, file shares). The default IASME position is “in scope unless you can technically demonstrate the device cannot access organisational data”. Most SMEs enrol them in MDM rather than try to block access entirely.
You need a way to enforce passcode, encryption, OS update SLA and remote wipe on every mobile device that holds org data. MDM (Intune, Jamf, Workspace ONE, Google Workspace endpoint management) is the standard way to do this — but it’s not strictly mandatory if you can demonstrate equivalent control through other means.
Yes — that’s the second compliant approach. Use Conditional Access + app protection policies to require a compliant (corporate-managed) device for org data access, with browser-only / no-download restrictions on unmanaged devices.
Yes, provided BYOD devices are enrolled in MDM with CE-equivalent controls (passcode, encryption, OS updates, jailbreak detection, remote wipe). You also need a written BYOD policy that staff have signed.
Generally no, provided the laptop being used at home has a host firewall (Windows Firewall, macOS Firewall) which replaces the boundary firewall function. Don’t list home routers in your asset register.
Apps/data permitted on personal devices, device requirements (MDM enrolment, OS version, passcode, encryption), what the employer can and cannot do, lost/stolen device process, leaver process and acceptable use. 1-2 pages is enough.
