The NHSmail Bring Your Own Device solution provides security controls for an organisation’s Bring Your Own (BYO) devices that access NHSmail Office 365 (O365) services.
The target audience for this guidance is Local Administrators. If you are a user with questions about the BYO device security controls, please contact your Local Administrator.
This article is intended to give an overview of the security controls solution. For more information, please refer to the Bring Your Own Device Security Controls guidance article for Local Administrators.
What is ‘Bring Your Own Device’?
‘Bring Your Own Device’ (BYOD) is the practice of allowing employees to use personal and unmanaged devices for their work. For NHSmail, this means allowing users to access NHSmail O365 services from personal or unmanaged corporate devices. Whilst Bring Your Own Device presents many benefits, it also presents key security and data protection risks, because an unmanaged device has no enforced baseline (patch level, encryption, screen lock, malware protection) that the organisation can rely on. To mitigate these risks, we are introducing security controls for BYO devices accessing NHSmail O365 services. The BYO device security controls are available to all NHSmail organisations, regardless of whether the organisation has onboarded to the NHSmail Intune service.
What counts as a ‘Bring Your Own’ device?
The devices in scope for the BYO device security controls are mobile devices (Android, iOS and iPadOS) and desktop / laptop devices (Windows 10/11, macOS and Linux) that access NHSmail O365 services and are:
- Personally owned by users and unmanaged
- Corporate owned by organisations but unmanaged, i.e. unknown to the NHSmail tenant and not enrolled in the NHSmail Intune service
Devices not in scope include:
- Any devices managed by the NHSmail Intune service
- Any devices that do not consume NHSmail O365 services
Why is this important for NHSmail organisations?
Adding security controls to BYO devices will help manage the risks associated with unmanaged devices and will ensure users continue to be able to connect, work and meet together online in a secure manner. These security controls will help keep user and patient data in a more protected environment and are aligned with industry best practice. The security controls will also provide increased protection against cyber attacks and will ultimately help protect the reputation of the NHS.
What are the benefits?
- Reducing security risks on your organisation’s BYO devices that access NHSmail O365 services
- Giving Local Administrators the responsibility to secure their organisation’s BYO devices
- Providing better data protection for the NHSmail users using personal or unmanaged devices
How will this work?
The BYO device security controls come in the form of Conditional Access Policies (CAPs). Organisations will be able to select from a range of CAPs to apply security controls and restrict access to NHSmail O365 services based on, for example, device type, device location and operating system. Local Administrators will be able to opt users in their organisation in to, or out of, the different controls.
Please note that the security controls apply to users, not to devices. A CAP is evaluated at sign-in against the user’s identity and the conditions of the request (platform, location, client application), so a user who is in scope is covered on every device they sign in from. Therefore, no device enrolment is required for this solution.
The primary mechanism for scoping users for the security controls is Azure AD Security Groups. Each CAP is mapped to a Security Group. Once a user is added to a Security Group, the relevant access controls will be applied. Once a user is removed from the Security Group, all controls will cease to apply. Note that group membership changes take effect at the user’s next policy evaluation (sign-in or token refresh) rather than instantly, and directory changes can take a few minutes to propagate.
Users become eligible for different security controls depending on their licences. The minimum licence requirement is the Azure Active Directory Premium P2 (AADP2) licence. For more information about the licence implications, please see the Local Administrator Guidance here.
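To illustrate the group-scoped model described above, the following Microsoft Graph PowerShell script is an added example and is not NHSmail tooling or the administration route NHSmail provides to Local Administrators. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account may read Conditional Access policies and manage group membership in the tenant. The group name and user principal name are hypothetical placeholders. It lists which CAPs reference the chosen Security Group, checks that the user holds an AADP2 service plan before scoping them, and then adds the user to the group and confirms membership.

```powershell
# Added example (not NHSmail's own tooling): scope a user for the BYO device
# security controls by adding them to the Azure AD Security Group that the
# Conditional Access Policies are mapped to, after checking the licence.
# Assumes the Microsoft Graph PowerShell SDK and an account with rights to read
# CA policies and manage group membership. Group name and UPN are hypothetical.

Connect-MgGraph -Scopes "Policy.Read.All", "Group.ReadWrite.All", "User.Read.All"

$groupName = "BYOD-Controls-ExampleOrg"          # hypothetical security group
$userUpn   = "first.last@example.nhs.net"         # hypothetical user

$group = Get-MgGroup -Filter "displayName eq '$groupName'" -Property Id,DisplayName,SecurityEnabled
if (-not $group -or -not $group.SecurityEnabled) {
    throw "Security group '$groupName' not found or not security-enabled"
}

# 1. Show which Conditional Access Policies include this group, so you know
#    exactly which controls membership switches on (and in what state they are).
$policies = @(Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.Conditions.Users.IncludeGroups -contains $group.Id })
if ($policies.Count -eq 0) {
    Write-Warning "No CAP includes group $($group.DisplayName); membership would apply no controls."
}
$policies | ForEach-Object {
    [pscustomobject]@{
        Policy    = $_.DisplayName
        State     = $_.State          # enabled / disabled / enabledForReportingButNotEnforced
        Platforms = ($_.Conditions.Platforms.IncludePlatforms -join ',')
        Grant     = ($_.GrantControls.BuiltInControls -join ',')
    }
} | Format-Table -AutoSize

# 2. Confirm the user holds the minimum licence before scoping them. The AADP2
#    service plan may come from a standalone SKU or a bundle, so check the
#    provisioned service plans rather than the SKU name.
$user  = Get-MgUser -UserId $userUpn -Property Id,UserPrincipalName
$plans = (Get-MgUserLicenseDetail -UserId $user.Id).ServicePlans |
    Where-Object { $_.ProvisioningStatus -eq 'Success' }
if ($plans.ServicePlanName -notcontains 'AAD_PREMIUM_P2') {
    throw "$userUpn has no provisioned Azure AD Premium P2 plan; the controls would not apply."
}

# 3. Add the user to the group (idempotent) and verify membership.
$members = Get-MgGroupMember -GroupId $group.Id -All
if ($members.Id -notcontains $user.Id) {
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
}
$nowMember = (Get-MgGroupMember -GroupId $group.Id -All).Id -contains $user.Id
"$userUpn in $($group.DisplayName): $nowMember (scoped by $($policies.Count) policy/policies)"

# To opt the user out again, remove them from the group; the controls stop
# applying at the user's next policy evaluation, not for sessions already issued:
# Remove-MgGroupMemberByRef -GroupId $group.Id -DirectoryObjectId $user.Id
```

Step 1 is the check worth keeping: a Security Group that no enabled CAP references gives a false sense of coverage, and a policy in the report-only state logs what it would have done without enforcing anything.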
Where can I find out more about the BYO device security controls?
For more information about the BYO device solution and how it works, including details regarding the security controls, please see the Local Administrator Guidance here.
Last Reviewed Date: 28/02/2023