Bring Your Own Device Policy

Policy Approval Authority: President
Responsible Division: Division of Information Technology
Responsible Officer(s): Director of Information Security and Operations
Contact Person: Bob Barton
Primary Audience: Faculty, Staff, Administration
Status: Comments-Only
Last Review Date: 05-13-2025
Policy Category/Categories: Finance / Risk Management, Information Technology

Purpose

The purpose of this policy is to outline the acceptable use of personal devices by employees, students, and contractors at Northern Illinois University (NIU) using NIU resources. This policy ensures the protection of the University’s data and technology infrastructure, while enabling the use of personal devices for university-related activities.

Intended Audience

This policy applies to all University employees, student workers, and contractors (part-time or full-time).

Scope

This policy covers all the technology used for university purposes. Limited exceptions to the policy may be granted due to variations in devices and platforms. Exceptions need to be requested and documented. Please send a request to the IT Service Desk at 815-753-8100 or servicedesk@niu.edu.

The policy defines a personal device as a cell phone, smartphone, tablet, laptop, USB drive, or other portable computing device not managed by the University. Please see the NIU Asset Management Policy for more information on personally owned property.

The Division of Information Technology provides minimal (limited) support for personal devices.

Related Policies/Reference Documents

  • Visit NIU policies for more information.
  • View NIU’s data classification guidelines for specifics on data, its handling, and what constitutes private or restricted data. The guidelines define institutional data. Any reference to data within this document refers to institutional data.
  • No matter the device in use, all NIU students, faculty, guests, contractors, and staff must abide by NIU’s Acceptable Use Policy.
  • View the Asset Management Policy.

Acronyms/Definitions

Term/Acronym: Definition
DoIT: Division of Information Technology
BYOD: Bring Your Own Device
NIU: Northern Illinois University
OIS: Office of Information Security within the Division of Information Technology

Policy Details

Any violation of this policy will be referred to the appropriate manager, supervisor, or director. Violations of this policy may result in an appropriate level of corrective action consistent with university policy and/or collective bargaining agreements.

Security Measures

  • Password Protection: All personal devices must be password-protected in accordance with the University’s password policy. The device should auto-lock with a password or PIN if it is idle for ten minutes or more. Multi-factor authentication must be used whenever available.
  • Encryption: Devices accessing sensitive University data must support and enable encryption.
  • Anti-Malware: Devices must have up-to-date anti-malware software installed and actively running.
  • Software Updates: Users must ensure their devices run the latest (stable) versions of operating systems and installed applications.
  • Device Integrity: Devices that are jailbroken, rooted or have security protections disabled are prohibited from accessing University systems or data.
  • Personal Information: It is the employee’s responsibility to take additional precautions, such as backing up email, contacts, photos, or music, for all personal information. The University takes no responsibility for personal data.

Access and Usage

  • Data Access: University data must only be accessed through university-approved applications and services. University data may not be intentionally stored, backed up, or transferred to personal applications or storage locations that are not University managed or University approved. Use of approved University services on personal devices may result in limited local storage or caching as part of normal application functionality.
  • Network Access: Personal devices may only connect to the University network through secure, University-managed connections such as VPN.
  • Monitoring: When a personal device is used to access campus systems or the University network, the user understands and agrees that activity on those systems may be monitored to keep University data and services secure.
  • Devices or users that do not comply with this policy may have their access restricted or removed immediately to protect University systems and data.

Privacy

While the University does not access personal content on a user’s device, data accessed through university systems may be subject to monitoring and audit for security or legal purposes.

Loss or Theft

  • Reporting: Users must immediately report the loss or theft of any personal device used to access University systems to the Office of Information Technology and the NIU Police Department (depending on how and where it was lost or stolen). Data may have been accessed or stored in Outlook, locally, accessed via SharePoint or OneDrive, or various other applications. The loss may need to be reported for regulatory reasons.
  • Remote Wipe: The University reserves the right to remotely remove University managed applications, accounts, or data from lost or stolen devices or devices of non-NIU personnel, where technically feasible.

Acceptance

There should be one approval round every three years while the document is active. An email or committee approval should be noted on the lines above, with the original email or meeting notes being maintained for future reference by OIS (do not add to policy). If the policy is in the University Policy Library, that will be used as the approval of the policy.

Comments

Under "Loss or Theft" and subtitle "Remote Wipe," perhaps the statement ". . . or devices of non-NIU personnel, where technically feasible" may not be appropriate if the non-personnel is departing NIU or a retiree in this area and therefore it is not a "Loss or Theft" of their equipment. For example, a departing/retiring employee's device should be subject to "remote wipe" but treated differently, such as being notified their personal device may be wiped of specific software and access to ensure it does not compromise their device.

- Monique Bernoudy

"Bring Your Own Device" sounds like a simple convenience policy. Upon reading the proposed policy, I found myself less concerned by what is stated than by what is left undefined.

Given the authority granted within the policy, I would expect the following items to be explicitly addressed:

  • Personal devices will not be subject to full-device monitoring.
  • Personal devices will not be subject to full-device remote wipe.
  • Employees will not be required to provide personal device passcodes, PINs, biometric access, or other device credentials.
  • Any remote removal will be limited to university-managed accounts, applications, and institutional data.
  • Mobile Device Management (MDM) enrollment, such as Microsoft Intune or similar software, will not be required without separate written notice and consent.
  • Employees will be notified before and/or after any removal of university-managed applications, accounts, or data from a personal device.
  • The policy should identify who is authorized to approve or initiate such removals.
  • The policy should describe any appeal, review, or dispute resolution process available to employees.
  • The policy should define how the University determines what qualifies as "University managed" applications, accounts, or data.
  • The policy should explain what steps will be taken if removing university-managed applications, accounts, or data affects an employee's ability to perform assigned job duties.

I would also recommend adding language such as:

"Except in cases involving security incidents, lost or stolen devices, or legal requirements, users will be notified before university-managed applications, accounts, or data are removed from a personal device."

In addition, I recommend including:

"The University will provide notice describing what was removed and the reason for the removal."

The term "monitoring" also requires clarification. Monitoring may refer to logging successful login attempts, failed login attempts, file downloads, email activity within university systems, or device compliance information. It may also be interpreted much more broadly.

As written, employees are informed that monitoring may occur, but the policy does not define what information may be collected, how it is collected, who has access to it, how long it is retained, or whether monitoring extends beyond university-managed applications and services.

Clarifying the scope and limits of monitoring would improve transparency, reduce confusion, and help employees understand both their responsibilities and their privacy expectations when using personal devices to access university resources.

As written, the policy grants the University discretion to act, but it creates no explicit obligation to inform affected employees, define the limits of monitoring, or describe the safeguards protecting personal devices and personal information. Additional clarity in these areas would strengthen the policy and increase employee confidence in its implementation.

Policies should define authority, limits, notice requirements, and employee rights. As currently written, this draft defines authority but leaves the limits largely unstated.

- Rave Meyer

It would be helpful to have more details on what monitoring is conducted of personal devices, either in this policy or in another location. How is activity monitored, what activity is monitored, and for how long is activity monitored (i.e., does the university utilize any technology that will monitor activity when the device is not connected to the university network or when it is not used for university purposes)? Who has access to that data, and under what circumstances? How is that data protected to provide reasonable privacy to faculty, staff, and students? If that is detailed somewhere else, such as the acceptable use policy or a terms of use for the NIU network, that location should be listed here for transparency.

This policy should also address circumstances in which the university has not issued a device to someone who is an employee of the university but needs a device to conduct university business. For example, an instructor who is hired to teach a single course often has to do so from a personal device because the university does not provide one. Is it fair or equitable to subject their personal devices to monitoring when there was no other viable choice for them?

- Stephanie Richter

We should add that support of any personal device does not fall into NIU to work on personal devices. I believe we need to hit that because it does happen. DoIT is not responsible for personal items. Something like that.

- Tim Schwartz

Contact Us

Policy Library
815-753-5560
policy-library@niu.edu 