Skip to main content

BYOD Compliance

What It Means

In our case, “Off Cloud Devices” are the laptops and workstations our employees use that are not hosted in the cloud — for example, personal laptops (BYOD: Bring Your Own Device).

SOC 2 does allow BYOD, but only if we can show that strong security controls are in place to protect company and customer data.


What SOC 2 Expects for BYOD

Auditors don’t just check policies — they check evidence that these rules are actually enforced.
For BYOD devices, SOC 2 generally requires:

  1. Device Security Policy
    • Written BYOD policy that employees sign.
  2. Full-Disk Encryption
    • Example: FileVault (Mac), BitLocker (Windows).
  3. Strong Authentication (MFA)
    • Required for accessing company systems.
  4. Up-to-Date Operating System & Security Patches
    • Ensures vulnerabilities are minimized.
  5. Endpoint Protection
    • Anti-malware or EDR (Endpoint Detection & Response) installed.
  6. Remote Wipe Capability
    • Ability to remotely erase lost or stolen devices.
  7. Access Restrictions
    • No storing sensitive data locally unless encrypted.


How We Prove This to an Auditor

Auditors want both documentation (our policy) and technical evidence (proof these controls are active).

SOC 2 Control

Example Evidence

Full-Disk Encryption

Dashboard showing encryption status for all devices OR OS screenshots with device name + date.

MFA Enabled

Screenshot of MFA enforcement in SSO provider (e.g., Google Workspace, AWS IAM Identity Center).

OS Up-to-Date

Compliance report from MDM showing patch status.

Endpoint Protection

Dashboard from security tool (e.g., CrowdStrike, SentinelOne) listing protected devices.

Remote Wipe Capability

Screenshot from MDM showing wipe option per device.

Policy Acceptance

Signed BYOD policy acknowledgment in HR system.


Two Ways to Handle BYOD Compliance

1. Using MDM (Recommended)

  • What it is: Mobile Device Management tools like Kandji, Jamf, Intune, or JumpCloud.
  • Advantages:
    • Automates evidence collection (encryption, patching, antivirus)
    • Provides remote wipe capability
    • Auditor-friendly compliance dashboards
    • Reduces audit prep from weeks to hours
  • Estimated Cost:
    • $3–$6 per device/month (JumpCloud, Intune, etc.) for basic security and inventory
    • $6–$12 per device/month (Kandji, Jamf) for full compliance & endpoint security features
    • For 30 employees → ~$90–$360/month depending on vendor & features

2. Manual Evidence Gathering (If no MDM yet)

  • What it is: Employees manually provide screenshots and status reports during audit prep.
  • Advantages:
    • No monthly software subscription
  • Drawbacks:
    • Auditor may sample random employees, requiring screenshots for encryption, antivirus, and OS updates
    • Time-consuming (2–4 hours per device per audit cycle)
    • Higher risk of missing or inconsistent evidence, can lead to audit failure/delay
    • More employee disruption during audits


Back to top