Personally Owned Devices (phone, tablet, laptop, etc.)

Key: Permission Levels

  • Permitted
  • Permitted with Information Assurance (IA) Consultation
  • Not Permitted

For IA consultation, please contact the ITS Service Center

You are responsible for ensuring that your use of this service complies with laws, regulations, and policies where applicable. See Compliance below for details.

Permitted

Permitted with IA Consultation

Not Permitted

Service Description 

Any mobile phone, tablet, laptop, or other computing device that is personally owned, including devices subsidized by the university.

Compliance 

U-M recognizes that those who do work on its behalf may need to access or maintain sensitive university data on their own devices. Security of Personally Owned Devices that Access or Maintain Sensitive Institutional Data (SPG 601.33) guides this use. Departments and units have discretion to prohibit this use or impose additional requirements beyond those outlined in the policy. Michigan Medicine, for example, requires those who wish to use their personally owned devices to access Michigan Medicine resources and networks to enroll those devices in the AirWatch mobile device management system. See AirWatch - Enrollment Instructions (Michigan Medicine KnowledgeBase) for details.

  • If you have not been informed about implementation of SPG 601.33 within your department, do not use your own devices to work with university data without first checking with your department. 
  • If your department or unit has informed you that you may work with university data using your own devices, it is your responsibility and obligation to properly manage and secure your personal device(s) to reduce the risk of unauthorized access to, or disclosure, of university data.
  • Institutional PCI data is not allowed on personally owned devices because it must only be processed on U-M PCI compliant networks and systems.
  • Export control data is not allowed on personally owned devices due to the risks associated with it being transported abroad, or accessed by unauthorized persons. This determination was made by the Delegated Data Steward.

 

Additional Resources