Table of Contents

Policy – Personal Devices / Bring Your Own Device (BYOD)

Preamble

It is acknowledged that BYOD is a popular and effective way of augmenting the IT provision within the group, and that if properly managed can bring numerous benefits to the research output of the IPPP.  It is also a fact that poor management of personal devices can open up IPPP to numerous risks.  Poor management of personal devices can open up threats relating to security, excessive resource usage and virus threats.

IPPP grants its employees the privilege of purchasing and using smartphones and tablets of their choosing at work for their convenience. IPPP reserves the right to revoke this privilege if users do not abide by the policies and procedures outlined below.

This policy is intended to protect the security and integrity of IPPP’s data and technology infrastructure. Limited exceptions to the policy may occur due to variations in devices and platforms.

Members must agree to the terms and conditions set forth in this policy in order to be able to connect their devices to the IPPP network.

Definitons

The definition of a personal device is as follows:

  1. Any laptop, notebook or personal computer system where administrative access is not solely reserved for IPPP systems staff.
  2. Any smartphone or tablet computer which is able to connect to the IPPP research network via any method such as (but not limited to) wireless internet, wired ethernet, bluetooth, USB or firewire.
  3. Any virtual machine, whether provisioned by a user or adminstrator on a personal device or an IPPP system on which administrative access is delegated to a user (as opposed to an IPPP system administrator).
  4. Any device designated by an IPPP system administrator as a personal device.

The definition of an accessory is as follows:

Any item to be used with IT equipment which is either purchased by IPPP and personally issued or provided by an individual and used with any IT equipment within IPPP, whether personal or IPPP managed.  Examples include but are not limited to: Power adapters, storage devices, cases, bags, projectors, keyboards, mice and printers.

The definition of an IPPP system administrator (or ‘systems staff’) is as follows:

  1. Any person employed as a system administrator by the IPPP
  2. Any person having managerial responsibility for a person described in (1)
  3. Any person to whom system administration duties are delegated by any of the persons described in (1) or (2) above.

The definition of consumables include such items as (not limited to) blank (not rewritable) CD/DVD/BD media and printing consumables such as paper, toner and ink.

The definition of storage media includes (not limited to) tapes, hard disks both internal and external, USB ‘memory sticks’, solid state disks and storage servers.

For the purposes of this policy, equipment is defined as any personal device, accessory, consumable or item of storage media which falls under this policy.

For the purposes of this policy, a person will be deemed to have left IPPP if their contract of employment has ended or if they are a student when they are no longer under the supervision of a member of IPPP staff.

Ownership and Surrender of Equipment on Leaving Employment

Ownership of any equipment purchased with IPPP funds will always be assumed to stay with IPPP unless it is decided by a system administrator that a person can have ownership of it.  Where this is the case, ownership will pass only when written confirmation is provided from IPPP.

A personal device may still be a defined as such if it has been purchased with IPPP funds.  A personal device may be owned by IPPP and issued to an individual.  Where a device is owned by IPPP but issued to an individual, the individual must return it (with all accessories also owned by IPPP and issued to the individual) to the IT office at the request of a system administrator.

Leaving IPPP – IPPP-owned Equipment

When a person having been issued with IPPP-owned equipment leaves the group they must make available the device to system administrators who will decide whether the equipment will be kept by the IPPP or by the individual. 

Where it is decided that upon leaving, that the user will retain the equipment then ownership will pass to the individual and IPPP will have no responsibilities over the it.  Where it is decided that the equipment will be kept by IPPP, it will be surrendered by the individual in good condition (excluding fair wear and tear) and with all accessories originally supplied.

Consumables

Consumables are issued to an individual on request and anything used will not be required to be returned.  Any unused consumables will be made available for return to the IT office on leaving IPPP. 

Storage Media

Storage media used to store IPPP related data must be kept secure when not being used.  Loss or suspected theft must be reported to IPPP system administrators as soon as possible.  This applies to personally owned storage media as well as IPPP owned storage media.

Loss, Damage and Theft – IPPP owned equipment

Loss of IPPP-owned equipment will be reported to IPPP system administrators as soon as possible who will arrange a replacement where appropriate.

Damage to IPPP-owned equipment will be reported to IPPP system administrators as soon as possible who will arrange a repair or replacement where appropriate.

Suspected theft of equipment will be reported to local police as soon as possible and to IPPP system administrators as soon as possible who will arrange a replacement where appropriate.

Where loss or theft has occurred on Durham University premises, this should be reported to University Security promptly.

Responsibility of IPPP System Administrators for IPPP-owned Personal Devices

Where a personal device is provided by IPPP and owned by IPPP, then IPPP system administrators will take responsibility for its maintenance and proper function.  Users should return the item to the IT office for physical repairs and not attempt them themselves.  Systems staff will make sure the device can connect to the network (where appropriate) before issuing the device.

Users should consult with IPPP system administrators for support and advice on changing operating systems.  The IPPP system administrators will publish and maintain a list of supported operating systems.  Users should not install an operating system on their issued personal device which is not on this list without the express approval of IPPP systems staff.

Responsibility of IPPP System Administrators for non IPPP-owned Personal Devices

IPPP systems staff will provide limited support to personal devices.  Attempts will be made to connect these items to the network subject to this not taking up a disproportionate amount of time and subject to there being sufficient free IP address space available.

What amount of time is proportionate is decided by systems staff.

Support for these devices is provided on a best-effort basis.

Removal from Network

Any device may be removed from the network if it is deemed to be prejudicing the effective, safe and legal functioning of the IPPP network.

Unlicensed Software

It is expressly forbidden to install any software on any personal device, however owned, which is not legally licensed for use in the IPPP environment.  Unlicensed software may be removed without warning by IPPP systems staff.

Copyrighted Media

It is strictly forbidden to hold media illegally on IPPP-owned devices.  Users take full responsibility for what they hold on their own devices.  It is strictly forbidden to use IPPP systems or network infrastructure to transmit copyrighted material without the express consent of the copyright owner.

Security Updates

It is a requirement for the continuing connection of equipment to the network that OS and software is kept reasonable secure through the application of OS patches and updates.  This is the responsibility of the user.  Advice should be sought from the systems staff if support on this matter is required.

Equipment Belonging to Other Institutions

This shall be treated as a non-IPPP owned personal device and the responsibility for it shall lie with the person bringing it to IPPP.  It must comply with all provisions of this policy.

Miscellaneous Provisions

Regardless of ownership, devices may not be used at any time to:

  • Store or transmit illicit materials
  • Store or transmit confidential information unless the person has a genuine reason for holding it.
  • Harass others
  • Prejudice the effective operation of the IPPP or wider university network
  • Attack other computer systems
  • Behave in a manner which may be harmful to the image of the IPPP
  • Behave in a manner which may be harmful to the effective functioning of the IPPP

The following programs/apps are not allowed: Penetration testers, vulnerability exploits, portscanners or viruses/trojans/worms.  They must be removed before the device is connected to the network.

IPPP does not allow texting or emailing while driving and only hands-free talking while driving is permitted.

Unless expressly agreed in writing prior to costs being incurred, IPPP will not reimburse the member for the following charges: roaming, plan overages, app purchases, text messages, data usage or SMS/MMS messages.

Rooted (Android) or jailbroken (iOS) devices are strictly forbidden from accessing the network.

The employee is expected to use his or her devices in an ethical manner at all times and adhere to the IPPP acceptable use policy as published by the IT staff.  Users are also required to adhere to the CIS policy on the acceptable use of IT as agreed with council.

The employee is personally liable for all costs associated with his or her personally owned device.

The employee assumes full liability for risks including, but not limited to, the partial or complete loss of IPPP and personal data due to an operating system crash, errors, bugs, viruses, malware, and/or other software or hardware failures, or programming errors that render the device unusable.