Endpoint & Mobile Device Security¶
Your laptop and phone are where Holmes information lives day to day, and they're the things most likely to be lost or stolen. This policy keeps them locked, encrypted, patched, and managed, and sets out what happens to Holmes data on a device you own if you leave or lose it: we remove Holmes data, not your personal stuff. Most of it is handled automatically by device management. Your part is to lock it, report loss fast, and not disable the protections.
1. Managed devices¶
| Ref | Requirement |
|---|---|
| END.1 | Holmes laptops and desktops MUST be enrolled in device management and MUST NOT access CONFIDENTIAL or RESTRICTED information unless compliant: encrypted, patched, protected. |
| END.2 | Full-disk encryption (BitLocker or FileVault) MUST be enabled on all Holmes computers and portable devices. |
| END.3 | Devices MUST lock automatically after a short idle period and require a PIN, password, or biometric to unlock. |
| END.4 | Endpoint detection and response (Defender for Endpoint or equivalent) and application allowlisting (Airlock) MUST be active on Holmes computers, and users MUST NOT disable them. |
| END.5 | Local administrator rights MUST be minimised and elevated on request only (03 IAM.22). |
| END.6 | Rooted (Android) or jailbroken (iOS) devices MUST NOT access Holmes systems. |
2. Personal devices (BYOD)¶
Holmes permits limited use of personal devices for work, under app-based protection.
| Ref | Requirement |
|---|---|
| END.7 | Personal devices MAY access Holmes information only through managed or approved apps under app-protection (MAM) policies, not through native mail profiles or by storing Holmes files locally. |
| END.8 | Personal-device access MUST be subject to app-protection controls: require device lock, encrypt app data, block copy-out to unmanaged apps. |
| END.9 | Personal-device enrolment MUST be controlled by default, not left open-ended. |
3. Loss, theft, and departure¶
| Ref | Requirement |
|---|---|
| END.10 | Lost or stolen devices MUST be reported immediately (01 AUP.7, 12). |
| END.11 | Holmes MAY fully wipe a Holmes-owned device. For a personal device, Holmes will do a selective wipe that removes only Holmes information. |
| END.12 | On departure, Holmes data MUST be removed from personal devices. Managed devices are wiped or reset by IT. |
Selective wipe (END.11) removes Holmes information from a personal device without touching the owner's own data, which is both what the tooling does and what the law expects.
4. Removable media¶
| Ref | Requirement |
|---|---|
| END.13 | Using removable media (USB drives, portable disks) for CONFIDENTIAL or RESTRICTED information SHOULD be avoided. Where unavoidable, the media MUST be encrypted. |
| END.14 | Removable-media access SHOULD be controlled centrally, moving toward block-by-default with exceptions. |
5. Guidance for staff¶
Your Holmes laptop is meant to travel with you (see the off-site device note). Keep it locked and with you.
Using your own phone for Teams and Outlook is fine through the Holmes apps, which is the managed path. Don't set up Holmes mail as a native account on a personal phone.
If a device goes missing, tell IT before you do anything else. A fast report lets us protect the data. A slow one is how a lost laptop becomes a breach.
6. Legal & jurisdictional notes¶
Selective wipe (END.11) balances Holmes' need to protect information against employees' property and privacy interests across all four jurisdictions. The BYOD terms should be reflected in employment or BYOD agreements, so confirm with P+C and counsel.
Device encryption (END.2) is a primary mitigation and can decide whether a lost device is even a notifiable breach under NZ, AU, GDPR, or US-state law (12).
Related policies¶
00 Framework, 01 Acceptable Use, 02 Information Classification, 03 Identity & Access, 12 Incident Response.