Bring Your Own Device Security Controls | Local Administrator Guidance

This article provides an overview of the NHSmail Bring Your Own Device (BYOD) security controls solution and is intended as a guide for Local Administrators. If you are a user with questions about the BYO device security controls, please contact your Local Administrator.

The NHSmail BYOD solution provides security controls for BYO devices that access NHSmail Office 365 (O365) services.

What is ‘Bring Your Own Device’?

‘Bring Your Own Device’ (BYOD) is the practice of allowing employees to use personal / unmanaged devices for their work. For NHSmail, this means allowing users to access NHSmail O365 services from personal or unmanaged corporate devices.

What Counts as a ‘Bring Your Own’ Device?

The devices in scope for this solution are mobile devices (Android, iOS and iPadOS) and desktop / laptop devices (Windows, macOS and Linux) that access NHSmail O365 services and are:

  • Personally owned by users and unmanaged
  • Corporate owned by organisations but unmanaged, i.e. unknown to the NHSmail tenant and not enrolled in the NHSmail Intune service

Devices not in scope include:

  • Any managed devices
  • Any devices that do not consume NHSmail O365 services

Why is This Important for NHSmail Organisations?

Whilst BYOD presents many benefits, it also introduces key security and data protection risks. Adding security controls to BYO devices helps to mitigate these risks, whilst ensuring users are still able to work together online in a secure manner. Aligned with industry best practice, the controls help keep user and patient data in a more protected environment and provide increased protection against cyber-attacks.

The security controls are available to all NHSmail organisations, regardless of whether the organisation has onboarded to the NHSmail Intune service.

How do the BYO Device Security Controls Work? 

The BYO device security controls take the form of Conditional Access Policies (CAPs). Conditional Access (CA) is the Entra ID feature that brings signals together to make an access decision. CAPs are “if / then” statements. For example, “if” a user is trying to access an O365 service from a personal laptop, “then” prompt the user for Multi-Factor Authentication.

Organisations can select from a range of Conditional Access Policies (CAPs) to apply security controls and restrict access to NHSmail O365 services based on, for example, device type, device location and operating system. Local Administrators can opt users in their organisation in to, or out of, each control.

How Can Users Be Added To BYO Security Controls?

The security controls apply to users, not to devices, so no device enrolment is required for this solution. The primary component that allows organisations to scope users for the security controls is Entra ID Security Groups: each CAP is mapped to a Security Group. Once a user is added to a Security Group, the relevant access controls apply; once the user is removed from the Security Group, all of its controls cease to apply.

However, the BYO device solution CAPs do not apply to users in all circumstances; there are certain exceptions:

  • The security controls will not apply to users’ devices that are enrolled in Intune and are compliant.
  • Most of the security controls will not apply if the user is accessing NHSmail O365 services from a BYO desktop or laptop device from a ‘Trusted Location’.

A Trusted Location is a defined range of IP addresses. When a user connects to the internet from within that IP range, the security controls are not applied to that user. When a user accesses NHSmail O365 services from an ‘Untrusted Location’, such as their home Wi-Fi or through a VPN that routes internet traffic via the local connection, the relevant security controls apply.

For the NHSmail BYO device security controls, the Health & Social Care Network (HSCN) is currently included in the BYO Trusted Location solution. This means that when a user is accessing NHSmail O365 services via the HSCN, the security controls will not apply.

If an organisation is not using the HSCN, Local Administrators can enquire about including additional IP addresses in the BYO Trusted Location solution range. This can be done by raising a query via the ServiceNow (SNOW) Raise a Request form. Please note that such requests will require a security review and will be assessed on a case-by-case basis.
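The Trusted Location rule above is a plain IP-range check on the address Entra ID sees for the sign-in. The following Python is an added example, not NHSmail's configuration: it shows how that check combines with the two exceptions described above (Intune-compliant devices, and desktop/laptop sign-ins from a Trusted Location). The CIDR ranges are constructed placeholders, because the real HSCN and organisation ranges are not published here, and the `SignInSignals` fields and function names are this example's own.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholder ranges. The real HSCN and organisation ranges used by
# the BYO Trusted Location solution are not published on this page.
TRUSTED_LOCATION_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),   # placeholder standing in for an HSCN range
    ipaddress.ip_network("198.51.100.0/25"),  # placeholder for a range added via a SNOW request
]


def is_trusted_location(client_ip: str) -> bool:
    """True if the sign-in's public (egress) IP falls inside a Trusted Location range.

    Entra ID only sees the egress address, so a home Wi-Fi address, or a VPN that
    sends internet traffic out of the local connection, counts as Untrusted even
    if the user feels 'on the corporate network'. An address that cannot be
    parsed is treated as untrusted (fail closed).
    """
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    # 'in' is False when the address family differs (IPv6 address, IPv4 range).
    return any(ip in net for net in TRUSTED_LOCATION_RANGES)


@dataclass
class SignInSignals:
    client_ip: str
    platform: str            # "desktop" (Windows/macOS/Linux) or "mobile" (Android/iOS/iPadOS)
    intune_compliant: bool   # enrolled in the NHSmail Intune service and compliant
    in_byod_group: bool      # member of the Entra ID Security Group mapped to the controls


def byod_controls_apply(s: SignInSignals) -> bool:
    """Apply the scoping and exception rules from the page, in order:
    controls target users via Security Group membership, never devices;
    compliant Intune devices are exempt; and desktop/laptop sign-ins from a
    Trusted Location skip most controls. Mobile sign-ins are not given the
    Trusted Location exemption because the page only states it for desktop/laptop.
    """
    if not s.in_byod_group:
        return False
    if s.intune_compliant:
        return False
    if s.platform == "desktop" and is_trusted_location(s.client_ip):
        return False
    return True


if __name__ == "__main__":
    home = SignInSignals("192.0.2.10", "desktop", intune_compliant=False, in_byod_group=True)
    hscn = SignInSignals("203.0.113.42", "desktop", intune_compliant=False, in_byod_group=True)
    print("home Wi-Fi:", byod_controls_apply(home))   # controls apply
    print("HSCN:", byod_controls_apply(hscn))         # exempt
```

Because the decision is taken per sign-in, the same user moves between "controls apply" and "exempt" as they move between networks, which is the behaviour users will report as inconsistent if they have not been told about it in advance.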

Please Note:

Organisations must carefully consider which users are opted-in to the BYO device security controls and how this may impact users’ access to NHSmail services, in order to minimise disruption.

What are the Licence Requirements?

For enhanced organisations with the national licence, all licence requirements for Conditional Access are included by default.

What Security Controls can be Applied to BYO Device Users?

Local Administrators can scope the users in their organisation and opt them in to different security controls. Different security controls can be applied depending on the device type (e.g. desktop / laptop or mobile) and the licences users have been assigned. This section provides an overview of the available security controls, depending on the users’ licence type.

Please Note:

It is recommended that Local Administrators apply all applicable security controls to users being onboarded onto the solution, in line with industry best practice.

Device-All-CompliantOrHybrid-Browser-Restricted

What this policy is for

This policy allows users to access NHSmail services from a personal desktop or laptop device using a web browser, while applying controls that prevent local data loss.

It is designed to let users read and work with emails and documents without allowing files to be downloaded, printed, or saved locally when the device is not trusted.

This ensures NHS data remains protected when accessed from unmanaged devices.

When this policy applies

This policy is triggered when all of the following conditions are met:

  • The user is accessing NHSmail services from:
    • A personal (BYOD) desktop or laptop
    • Using a web browser (e.g. Edge, Chrome)
  • The device is not:
    • Intune compliant
    • Hybrid Azure AD joined
  • The user is not connecting from a Named Trusted Location (HSCN)
  • The user is included in the relevant BYOD security group (E3R)

When these conditions are met, access is granted with restrictions.

What services are covered

This policy applies to browser access for:

  • Outlook on the web
  • SharePoint Online
  • OneDrive for Business
  • Exchange Online
  • Office 365 web applications

Desktop Office applications are not controlled by this policy.

What users will experience

When accessing NHSmail services under this policy, users can expect the following behaviour:

Allowed

  • Sign in using MFA
  • Read and send emails in Outlook on the web
  • View documents in SharePoint and OneDrive
  • Edit documents in Office web apps (where supported)
  • View content directly in the browser

Restricted

  • Downloading files is not available
  • “Save As” options for files and attachments are disabled
  • Printing from Outlook on the web is blocked
    • If printing is attempted, the page may print with no content rendered
  • Printing attachments from Outlook is blocked
  • Local saving of documents is not supported

These restrictions are enforced automatically and cannot be overridden by the user.

Printing behaviour explained

Users may notice different printing behaviour depending on how content is accessed:

  • Printing emails or attachments from Outlook on the web
    → Print job starts, but the output is blank
  • Printing the visible browser page
    → Page may print, but document content is restricted

This is expected behaviour under this policy.

OneDrive sync – important note

While downloads are restricted in the browser:

  • The OneDrive setup prompt may still appear
  • Users may be able to configure local sync

This policy does not block OneDrive client sync.

If full sync restriction is required, this must be enforced using:

Device-All-CloudApps-Browser-SessionRestricted

What users should do

Users accessing NHSmail from personal devices should:

  • Use the browser experience only
  • Expect reduced functionality compared to NHS‑managed devices
  • Avoid attempting to download or print sensitive content
  • Use an NHS‑managed or compliant device if full Office functionality is required

Additional notes

  • This policy is commonly deployed alongside session‑control and E5 policies to provide layered protection.
  • The experience is consistent across supported browsers.
  • Restrictions are applied dynamically and may change if the user’s device or location changes.
  • Depending on the BYO device Operating System (OS), there may be minor differences in the error messages between the expected user behaviour described in this guidance and the actual user behaviour.

Device-All-Session-Reauthentication Browser

What this policy is for

This policy controls how long users stay signed in when accessing NHSmail services from a personal desktop or laptop using a web browser.

It does not block access, but instead enforces regular re‑authentication to reduce the risk of unattended or long‑running browser sessions on unmanaged devices.

When this policy applies

This policy is triggered when:

  • A user accesses any NHSmail cloud service
  • From a desktop or laptop browser
  • On a device that is not:
    • Intune compliant
    • Hybrid Azure AD joined
  • The user is not connecting from a Named Trusted Location (HSCN)

This policy is typically applied alongside other BYOD browser policies.

What services are covered

  • Outlook on the web
  • OneDrive for Business (web)
  • SharePoint Online
  • All Microsoft 365 cloud services accessed via browser

Desktop Office applications are not the primary target of this policy.

What users will experience

Allowed

  • Normal browser access to NHSmail services
  • Silent usage while the session is active
  • Access continues while the browser remains open and active

Re‑authentication behaviour

  • Users are prompted to sign in again after 12 hours
  • MFA may be required again depending on risk signals
  • Closing the browser forces re‑authentication
  • Silent token refresh is not provided for this session

This behaviour is intentional and expected.

What users should expect

Users may feel they are being “logged out more often” than usual.

This is expected on personal devices and helps protect NHS data.

To reduce interruptions:

  • Keep browser sessions open
  • Use NHS‑managed or compliant devices where possible

Additional notes

  • This policy does not restrict downloads or printing on its own
  • It works in combination with:
    • Browser-enforced restriction policies
    • Device-All-CloudApps-Browser-SessionRestricted

Device-All-CloudApps-Browser-SessionRestricted

What this policy is for

This policy provides the highest level of browser‑based protection for BYOD users by enforcing Conditional Access App Control via Microsoft Defender for Cloud Apps.

It allows access while fully preventing data exfiltration actions such as download, print, and copy/paste.

When this policy applies

This policy is triggered when:

  • A user accesses NHSmail services via a browser
  • From a desktop or laptop
  • The device is not trusted or compliant
  • The user holds an E5 or equivalent licence
  • The session is outside a Trusted Location (HSCN)

What users will experience

Allowed

  • Read and edit documents in the browser
  • Send and receive emails
  • Collaborate within NHSmail tenant

Fully blocked

  • Downloading files
  • Printing documents or emails
  • Copying and pasting content
  • OneDrive local sync

Users will see Defender for Cloud Apps banners explaining the restriction.

What users should expect

  • Experience is more restricted than E3 browser access
  • Actions may appear clickable but are blocked after selection
  • This is expected and enforced centrally

Additional notes

  • Ideal for high‑risk or sensitive data access
  • Defender for Cloud Apps (formerly MCAS) logs should be used for troubleshooting and audit purposes

Device-All-Trusted-Desktop Applications

What this policy is for

This policy blocks access to full Office desktop applications on personal devices unless the user is on a trusted or managed environment.

It ensures rich Office clients (Outlook, Word, Excel, Teams desktop) are only used when the device or location meets NHS security requirements.

When this policy applies

This policy is triggered when:

  • A user attempts to access NHSmail using desktop Office applications
  • From a personal desktop or laptop
  • The device is not:
    • Intune compliant
    • Hybrid Azure AD joined
  • The user is not connected from a Named Trusted Location (HSCN)

What services are covered

  • Outlook desktop
  • Word, Excel, PowerPoint (desktop)
  • Teams desktop
  • OneDrive sync client

Browser access is not blocked by this policy.

What users will experience

Blocked

  • Desktop Office apps fail to sign in
  • Users see:
    “You can’t get there from here.”
  • OneDrive client does not sync
  • Teams desktop sign‑in is blocked

Allowed

  • Browser‑based access (OWA, Office web apps)
  • Access from NHS‑managed or compliant devices
  • Access from Trusted Locations (HSCN)

What users should do

  • Use Outlook on the web and Office web apps on personal devices
  • Use an NHS‑managed device for full desktop functionality
  • Connect via a Trusted Location if desktop access is required

Additional notes

  • This policy is often misunderstood as an “outage” — behaviour is expected
  • Works in tandem with browser‑based BYOD policies

Device-All-AppProtection-Mobile-Enforced

What this policy is for

This policy ensures NHSmail data on mobile devices is only accessed through approved and protected applications, using Intune App Protection Policies (MAM).

It prevents NHS data from being accessed through personal or unmanaged mobile apps.

When this policy applies

This policy is triggered when:

  • A user accesses NHSmail from a mobile device
  • Using Outlook, OneDrive, Teams or Edge
  • The device is not fully enrolled in Intune
  • The user is licensed for EMS + E3/E5

What users will experience

Allowed

  • Access via Outlook, OneDrive, Teams, Edge
  • In‑app viewing and editing
  • Secure data handling enforced automatically

Blocked

  • Access via Gmail, Chrome, or other personal apps
  • Saving files locally outside protected storage
  • Access before Company Portal is installed

Users may be prompted to:

  • Install Company Portal
  • Restart apps to receive policies

What users should do

  • Use Microsoft apps only
  • Install Company Portal when prompted
  • Avoid copying NHS data into personal apps

Additional notes

  • Replaces legacy Approved Apps CA policies
  • App Protection Policies remain active even if the device is not enrolled
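The five “When this policy applies” lists above are the “if” halves of the if/then statements introduced at the start of this article, and the “What users will experience” sections are the “then” halves. The Python below is an added example that models them together so a Local Administrator can reason about which policies will fire for a given user before opting them in; it is not NHSmail's tenant configuration or Microsoft's evaluation engine. Policy names are taken from this page; the `SignIn` fields, `evaluate`, `effective_decision` and `reauth_due` are this example's own, and it assumes one Security Group per policy (the page only names the E3R group explicitly) and that EMS entitlement accompanies the E3/E5 licence.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Policy names as given on the page.
BROWSER_RESTRICTED = "Device-All-CompliantOrHybrid-Browser-Restricted"
SESSION_REAUTH = "Device-All-Session-Reauthentication Browser"
SESSION_RESTRICTED = "Device-All-CloudApps-Browser-SessionRestricted"
DESKTOP_APPS = "Device-All-Trusted-Desktop Applications"
MOBILE_MAM = "Device-All-AppProtection-Mobile-Enforced"

# Mobile apps that can honour an Intune App Protection Policy (from the page).
MAM_APPS = {"outlook", "onedrive", "teams", "edge"}

# Sign-in frequency enforced by the reauthentication policy (from the page).
SIGN_IN_FREQUENCY = timedelta(hours=12)


@dataclass
class SignIn:
    platform: str                      # "desktop" (Windows/macOS/Linux) or "mobile" (Android/iOS/iPadOS)
    client: str                        # "browser", "desktop_app" or "mobile_app"
    app: str = ""                      # mobile app name, e.g. "outlook" or "gmail"
    intune_compliant: bool = False     # enrolled in the NHSmail Intune service and compliant
    hybrid_joined: bool = False        # Hybrid Azure AD joined
    trusted_location: bool = False     # egress IP inside a Named Trusted Location (HSCN)
    licence: str = "E3"                # "E3" or "E5" (assumption: EMS entitlement accompanies both)
    opted_in: frozenset = frozenset()  # policies whose Security Group contains the user
                                       # (assumption: one Security Group per policy)


def unmanaged_desktop(s: SignIn) -> bool:
    """Desktop/laptop that is neither Intune compliant nor Hybrid Azure AD joined."""
    return s.platform == "desktop" and not s.intune_compliant and not s.hybrid_joined


def evaluate(s: SignIn) -> dict[str, str]:
    """Return the BYOD policies that fire for this sign-in and the control each applies.

    Each block mirrors one 'When this policy applies' list on the page. A policy
    only fires when the user sits in its Security Group (opted_in); a compliant or
    hybrid-joined device, or a Trusted Location, leaves the desktop policies idle.
    """
    fired: dict[str, str] = {}
    if unmanaged_desktop(s) and not s.trusted_location and s.client == "browser":
        if BROWSER_RESTRICTED in s.opted_in:
            fired[BROWSER_RESTRICTED] = "grant: app-enforced restrictions (no download, print or save)"
        if SESSION_REAUTH in s.opted_in:
            fired[SESSION_REAUTH] = "grant: sign-in frequency 12h, no persistent browser session"
        if SESSION_RESTRICTED in s.opted_in and s.licence == "E5":
            fired[SESSION_RESTRICTED] = "grant: Defender for Cloud Apps session control (block download, print, copy/paste, sync)"
    if unmanaged_desktop(s) and not s.trusted_location and s.client == "desktop_app":
        if DESKTOP_APPS in s.opted_in:
            fired[DESKTOP_APPS] = "block"
    if s.platform == "mobile" and s.client == "mobile_app" and not s.intune_compliant:
        if MOBILE_MAM in s.opted_in and s.licence in {"E3", "E5"}:
            if s.app in MAM_APPS:
                fired[MOBILE_MAM] = "grant: require app protection policy"
            else:
                fired[MOBILE_MAM] = "block: app cannot apply an app protection policy"
    return fired


def effective_decision(fired: dict[str, str]) -> str:
    """Combine fired policies the way Conditional Access does: any block wins,
    otherwise access is granted with every fired policy's controls applied."""
    if any(control.startswith("block") for control in fired.values()):
        return "block"
    return "grant" if fired else "grant (no BYOD controls)"


def reauth_due(last_interactive_auth: datetime, now: datetime, browser_closed: bool) -> bool:
    """Model the reauthentication policy: an interactive sign-in is required every
    12 hours, and because the browser session is not persistent, closing the
    browser always forces a new sign-in."""
    return browser_closed or (now - last_interactive_auth) >= SIGN_IN_FREQUENCY


if __name__ == "__main__":
    everything = frozenset([BROWSER_RESTRICTED, SESSION_REAUTH, SESSION_RESTRICTED, DESKTOP_APPS, MOBILE_MAM])
    home_browser = SignIn(platform="desktop", client="browser", opted_in=everything)
    for name, control in evaluate(home_browser).items():
        print(f"{name}: {control}")
    print("decision:", effective_decision(evaluate(home_browser)))
    signed_in_at = datetime(2026, 5, 7, 9, 0, tzinfo=timezone.utc)
    print("reauth after 13h:", reauth_due(signed_in_at, signed_in_at + timedelta(hours=13), False))
```

Running the model for a clinical user who needs the desktop Office apps, with `client="desktop_app"` and the user opted in to every policy, returns `block`, which is exactly the impact the “What Should Organisations Consider” section below asks Local Administrators to check for before opting in such users.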

What Should Organisations Consider Before Adopting the BYO Device Solution?

Before organisations adopt any of the BYO device security controls, Local Administrators (LAs) must consider the following.

  • LAs must review all relevant guidance to ensure a full understanding of the security controls that will be applied to users and the impact on their work.
  • LAs must carefully consider which users they will be opting-in to the BYO device security controls. The impact on users’ work and access to NHSmail services should be considered. For example, some clinical staff may require access to the O365 desktop apps (rich clients) for their work on clinical systems.
  • LAs must ensure all relevant stakeholders have been informed ahead of the BYO device solution implementation, including seeking the relevant approvals.
  • LAs must ensure users receive communications and advance warning ahead of this change.

How can Organisations Implement the BYO Device Solution?

The following steps can be followed to implement the BYO device solution:

  1. Raise a request to onboard your organisation for the BYO device security controls via the ServiceNow (SNOW) Raise a Request form. Please include the policies you would like to have applied.
  2. Once the form has been submitted, a member of the EMS Live Service Team will reach out to help onboard your users to the BYO security controls.
  3. Once the Security Group you have created via the NHSmail Portal has been added to the BYO device Global Security Groups by the EMS Live Service Team, you can manage the membership of your Security Group via the NHSmail Portal.

For information about how to update the membership and manage Security Groups via the NHSmail Portal, please review the Security Group Management guidance on the Support Site.

What if Organisations have a Question About or an Issue with the BYO Device Security Controls?

Local Administrators can raise a query about the security controls via the ServiceNow (SNOW) Raise a Request form.

Local Administrators can raise an incident related to the security controls via the ServiceNow (SNOW) Raise an Incident form.

Last Reviewed Date 07/05/2026
Updated on 07/05/2026