📱 Device Management

Why Every Small Business Needs a Device Management Policy in 2026

What happens when a staff member leaves with your client data on their personal phone? Here's how a device policy protects you.


A staff member at a childcare center in Ventura left her job last year. She had been using her personal iPhone for work for two years — texting parents, accessing the management software, sending photos to families. When she left, nobody thought to remove her access or delete the business data from her device. Three months later, a parent called asking why they were still receiving messages from someone who no longer worked there. The director had no way to remotely remove those contacts, photos, or app access. She had no written policy that gave her that right.

This is not an unusual story. Most small businesses have no written device policy, and most don't realize they need one until a situation like this makes the gap obvious.

What a device management policy actually is

A device management policy is a written document that covers two things: what rules apply to devices used for work, and what rights the business has when it comes to work data on those devices.

It applies to company-owned devices (laptops, tablets, phones the business bought) and to personal devices used for work purposes. That second category — often called BYOD or "bring your own device" — is where most small businesses have the biggest gaps.

When someone uses their personal phone to check work email, access a management app, or store work contacts, business data lives on a device the business doesn't own and cannot control. A policy makes the rules clear from day one and gives the business a legal foundation to act if something goes wrong.

The simple version: Without a written device policy, you have no clear right to remove work data from a former employee's personal phone. With one, you do.

What a device policy needs to cover

A solid device management policy for a small business covers these areas:

1. Which devices are in scope

Be specific. The policy should clearly state that it applies to all company-owned devices and any personal device used to access business email, apps, files, or communication tools. If someone uses their iPhone to text parents or check the management software, that device is in scope.

2. Security requirements

At minimum: a PIN or biometric lock, automatic lock after 5 minutes of inactivity, and up-to-date operating system software. For company-owned devices, you can also require device encryption and enrollment in your MDM system. The policy should state clearly what happens if a device doesn't meet these requirements — the standard response is that it loses access to business systems until the issue is resolved.

3. Acceptable use

Define what's permitted and what isn't. Company devices should generally not be used for personal social media, gaming, or downloading unknown apps. Personal devices used for work should not store business data locally if it can be avoided. Be specific rather than vague — "no inappropriate use" is too vague to enforce.

4. What happens when a device is lost or stolen

The policy should require that lost or stolen devices are reported to management within a specified timeframe (usually 24 hours). It should also state that the business has the right to remotely wipe the device to protect business data. For personal devices, this is a conversation worth having with employees upfront — MDM software can often wipe only the work container rather than the entire phone, which addresses most concerns about personal data.

5. Offboarding: what happens when someone leaves

This is the piece most businesses miss. The policy should state that on an employee's last day, all business apps are removed, all business accounts are deactivated, and all business data on personal devices is deleted. Company-owned devices are returned. If your business uses an employee lifecycle management system, this process can be run as a checklist to make sure nothing gets missed.

Why 2026 specifically matters for this

California's privacy laws have been tightening every year, and 2026 has brought stricter requirements around data subject rights — including the right to know where personal data is stored and the right to have it deleted. For businesses that handle children's data (childcare centers, tutoring companies, after-school programs), the standards are higher still.

If parent or child information is sitting on a former employee's personal phone and that parent requests deletion, you're responsible for making sure it actually gets removed. Without a device policy and the technical tools to enforce it, you can't guarantee that.

Beyond compliance, cyber insurance underwriters are increasingly asking about device policies when businesses apply for or renew coverage. A business with no device policy, no MDM, and no offboarding process is seen as a higher risk and may pay more or find it harder to get coverage.

How MDM software makes the policy enforceable

A written policy on its own is better than nothing. But pairing it with MDM (Mobile Device Management) software turns the policy into something you can actually enforce rather than just promise.

With MDM in place, you can:

  • See all enrolled devices in one dashboard and confirm they meet security requirements
  • Push software updates automatically rather than waiting for employees to do it themselves
  • Remotely lock or wipe a lost or stolen device within minutes
  • Remove all work apps and data from a personal device when someone leaves, without touching their personal photos or contacts
  • Block a terminated employee's device from accessing business systems the moment they leave

For most small businesses with 5-20 employees, MDM through Microsoft Intune (included in Microsoft 365 Business Premium) or a purpose-built tool like Jamf covers all of these bases. EDCON sets this up as part of our managed IT services for clients in Los Angeles, Oxnard, and the surrounding area.

How to get started without overcomplicating it

You don't need a 20-page legal document to start. A one-page written policy that covers the five areas above, shared with all staff and signed on hire, is a meaningful step forward. Keep it in plain language — a policy nobody reads because they can't understand it doesn't help anyone.

From there, the technical side involves enrolling your devices in MDM, setting minimum security requirements, and building a simple offboarding checklist that your manager runs through every time someone leaves.

It takes a few hours to set up properly. It takes much longer to deal with the consequences of not having it when something goes wrong.
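
The minimum security requirements and the offboarding rule described above can be checked mechanically against a device inventory. The following is an added example, not code from this article or from any MDM product: the inventory rows, field names, departed-staff record, and minimum OS versions are all constructed assumptions.

```python
from datetime import date

# Minimums from the policy's security requirements; MIN_OS values are assumed.
MAX_AUTOLOCK_S = 5 * 60
MIN_OS = {"ios": (17, 0), "android": (14, 0), "windows": (10, 0)}

# Constructed inventory, shaped like a device export (field names are hypothetical).
FIELDS = ("id", "user", "owner", "platform", "os",
          "passcode", "autolock_s", "encrypted", "mdm", "access")
ROWS = [
    ("D1", "ana", "company", "windows", "10.0", True, 300, True, True, True),
    ("D2", "ben", "personal", "ios", "16.7.2", True, 600, False, False, True),
    ("D3", "cruz", "personal", "ios", "17.2", True, 120, False, True, True),
    ("D4", "dee", "company", "android", "14.0", False, 60, False, True, True),
]
DEVICES = [dict(zip(FIELDS, row)) for row in ROWS]
# Constructed HR record: user -> last working day.
DEPARTED = {"cruz": date(2026, 1, 16)}


def audit_device(dev, today):
    """Return the policy findings for one device (empty list = compliant)."""
    findings = []
    if not dev["passcode"]:
        findings.append("no PIN or biometric lock")
    if dev["autolock_s"] > MAX_AUTOLOCK_S:
        findings.append("auto-lock longer than 5 minutes")
    version = tuple(int(part) for part in dev["os"].split("."))
    if version < MIN_OS[dev["platform"]]:
        findings.append("operating system out of date")
    if dev["owner"] == "company":  # extra requirements for company-owned devices
        if not dev["encrypted"]:
            findings.append("company device not encrypted")
        if not dev["mdm"]:
            findings.append("company device not enrolled in MDM")
    last_day = DEPARTED.get(dev["user"])
    if last_day and today > last_day and dev["access"]:
        findings.append("departed user still has access")
    return findings


def audit(devices, today):
    """Map device id -> findings for every device that should lose access."""
    results = {d["id"]: audit_device(d, today) for d in devices}
    return {dev_id: found for dev_id, found in results.items() if found}


if __name__ == "__main__":
    for dev_id, found in audit(DEVICES, date(2026, 2, 1)).items():
        print(f"{dev_id}: block access until resolved -> {'; '.join(found)}")
```

Personal devices are held only to the baseline lock, auto-lock, and OS checks, while encryption and MDM enrollment are enforced on company-owned devices, matching the split in the security requirements section.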

Common questions about device policies

What is a device management policy for a small business?

A device management policy is a written document that defines how company-owned and personal devices can be used for work, what security requirements apply, and what happens to work data when an employee leaves. It covers computers, phones, tablets, and any device that connects to your business systems or handles business data.

Do small businesses need a BYOD (bring your own device) policy?

Yes, if any employee uses a personal device for work purposes. Without a BYOD policy, you have no legal clarity about who owns work data stored on personal phones, whether you can wipe a device if it's lost, or what security standards apply. A policy protects both the business and the employee.

What is the difference between a device management policy and MDM software?

A device management policy is the written rule set — it defines what is and isn't allowed. MDM software is the technology that enforces those rules automatically. The policy tells you what should happen; the software makes it happen. Most small businesses need both.

Need help building a device policy for your business?

EDCON creates device management policies and sets up MDM for small businesses and childcare centers across Southern California. We'll build the policy, enroll your devices, and make sure your offboarding process is airtight. Book a free consultation to get started.
