Most businesses hand out company phones long before they write down any rules about them - and then wonder why someone's racked up a roaming bill, why a leaver still has the company WhatsApp, or who exactly is liable when a phone is lost with client data on it. A company mobile phone policy is the unglamorous document that prevents all of that. It sets out what the phones are for, how they should be used and secured, and what happens when things go wrong. This guide explains what a good policy covers, the decisions you need to make, and - because the fastest way to write one is to start from a draft - a complete template you can copy and adapt. If you'd also like the phones, SIMs and management set up properly behind the policy, get a business mobile quote.

Why you need one (even for a small team)

It's easy to think a written policy is overkill when you hand out three phones. But the moment a company phone exists, so do the questions it answers:

  • Can staff use it for personal calls, social media and their own apps?
  • Who pays if someone goes over their data or runs up a roaming bill abroad?
  • What security is required - and what happens if a phone is lost with company email on it?
  • When someone leaves, how do you get the device, the number and the data back?
  • Are staff allowed to touch the phone while driving for work, and who's liable if they do?

Without a policy, every one of these gets decided ad hoc, inconsistently, usually after something has already gone wrong. A clear, signed policy means everyone knows the rules in advance - which protects the business and is fairer to staff. It also makes your security posture defensible: if you handle client data, being able to show a documented, enforced mobile policy matters for things like Cyber Essentials and GDPR accountability.

Company phones vs BYOD: which policy do you need?

This is the first decision, and it changes which document you're writing:

  • Company-provided phones - the business owns the connection and usually the handset, and issues phones to staff. That's what this guide and template cover.
  • Bring Your Own Device (BYOD) - staff use their personal phones for work. That needs a different policy with extra care around privacy, separation of data and what you can and can't wipe. We cover that fully in our BYOD policy guide, which is the canonical reference for that model.

Many businesses run both - company phones for some roles, BYOD for others - in which case you need both policies, and they should reference each other. If you're still deciding which model suits you, our comparison of business mobile vs personal phones weighs up the trade-offs. The rest of this guide assumes company-owned devices.

What a good company mobile policy covers

A complete policy doesn't need to be long, but it should cover each of these areas. Use this as a checklist while you write or review yours:

| Section | What it should set out |
|---|---|
| Purpose & scope | Why the policy exists and who it applies to |
| Provision & ownership | That the device, SIM and number belong to the company |
| Acceptable use | What the phone is for; reasonable personal use limits |
| Security requirements | Passcodes, biometrics, encryption, updates, MDM enrolment |
| Apps & data | What may be installed; where company data may be stored |
| Costs & overage | Who pays for excess data, premium numbers, personal extras |
| Roaming & travel | Rules for using the phone abroad and avoiding bill shock |
| Driving | Legal duty not to use a handheld phone while driving |
| Loss, theft & damage | How to report it, and what the company will do |
| Monitoring & privacy | What the company can and can't see |
| Leavers & return | Returning the device, number and data on exit |
| Acceptance | A signature confirming the employee has read and agreed |

The clauses people are tempted to skip - security, lost-or-stolen, leavers - are precisely the ones that save you when something goes wrong. Don't.

The decisions you need to make first

A template only works once you've made a few policy decisions. Settle these before you fill it in:

  1. How much personal use is allowed? Most businesses permit "reasonable personal use" rather than banning it (which is unrealistic and unenforceable). Decide where the line is - and be specific about what isn't acceptable (premium-rate numbers, gambling, anything that runs up cost or risk).
  2. Who pays for overage and extras? Will you recover the cost of personal premium-rate calls, excess roaming, or in-app purchases? Pooled data (see our data pooling guide) reduces overage arguments, but you still need a stated position.
  3. What security is mandatory? At minimum: a passcode or biometric lock, device encryption, automatic OS updates, and enrolment in your MDM. Our mobile security best practices guide covers the baseline.
  4. How will you enforce it? A policy without MDM behind it relies on trust alone. MDM is what turns "phones must be encrypted and lockable" from a hope into a fact.

Once those are decided, the template below drops into place.

Company Mobile Phone Policy — template

How to use this template: copy the text below into your own document, replace anything in [square brackets], delete anything that doesn't apply, and have it reviewed by whoever handles HR and (where relevant) legal in your business. It's a practical starting point, not legal advice - adapt it to your circumstances.

---

[Company Name] — Company Mobile Phone Policy

Effective date: [date]. Owner: [role/name]. Review: annually.

1. Purpose and scope

This policy sets out the rules for the use of mobile phones and SIMs provided by [Company Name] ("the company"). It applies to all employees, contractors and others issued with a company mobile device or SIM ("users").

2. Provision and ownership

Company mobile devices, SIM cards and phone numbers are provided for business use and remain the property of the company at all times. They must be returned on request and when employment or engagement ends.

3. Acceptable use

Company phones are provided primarily for business purposes. Reasonable personal use is permitted provided it does not: incur additional cost to the company; interfere with work; breach the law; or bring the company into disrepute. The following are not permitted: premium-rate or revenue-sharing numbers for personal use; gambling, adult or illegal content; and any use that creates a security or reputational risk.

4. Security requirements

Users must: set a secure passcode or biometric lock; keep the device encrypted (default on modern phones); install operating system and app updates promptly; not jailbreak, root or disable security controls; and allow the device to be enrolled in and managed by the company's mobile device management (MDM) system. Devices must not be shared with family or third parties.

5. Apps and company data

Only apps appropriate to business use, or permitted under this policy, should be installed. Company data (email, files, customer information) must be accessed only through approved apps and must not be copied to personal cloud accounts, personal email or unmanaged storage.

6. Costs, data and overage

The company provides a [data allowance / pooled allowance] appropriate to the user's role. Users should use Wi-Fi where available to conserve data. The company reserves the right to recover from the user the cost of: personal premium-rate calls; personal in-app or content purchases; and excess charges caused by clear breach of this policy.

7. Roaming and overseas travel

Before travelling abroad, users must check the roaming terms with [IT / line manager] and enable any required roaming bundle. Data roaming should be kept off unless a suitable bundle is active, to avoid unexpected charges. Personal use of the device while roaming is at the user's own cost where it incurs additional charges.

8. Use while driving

It is illegal and strictly prohibited to use a handheld mobile phone while driving. Users who drive for work must not handle the device while driving and should use a compliant hands-free system only where safe and lawful, or stop in a safe place to take calls.

9. Loss, theft and damage

Users must report a lost, stolen or damaged device immediately to [contact/role] and, if relevant, the police. On report, the company may remotely lock and/or wipe the device to protect company data. Users must take reasonable care of the device; repeated negligent loss or damage may be addressed under the company's disciplinary procedures.

10. Monitoring and privacy

The company manages devices through MDM for security and support purposes. The company does not routinely monitor the content of personal communications, but reserves the right to access, manage or wipe company data and to inspect usage where there is a legitimate business or security reason. Users should have no expectation of privacy for company data held on the device.

11. Leavers and return of equipment

On the end of employment or engagement, or on request, users must return the device, SIM and any accessories in good working order, and cooperate with the removal of company access and data. Company phone numbers remain the property of the company.

12. Acceptance

I confirm that I have read, understood and agree to comply with this Company Mobile Phone Policy.

Name: ……………………… Signature: ……………………… Date: ………………

---

That's a complete, usable starting point. The two clauses worth tailoring most carefully are costs/overage (section 6) and monitoring/privacy (section 10), since both have HR and legal sensitivities - get them reviewed for your business.

Making the policy actually work

A signed policy in a drawer changes nothing. The policy works when it's wired into how phones are issued and recovered:

  • Onboarding. New staff should agree the policy as part of getting their phone, with the device pre-enrolled in MDM and configured before they get it. Our onboarding new staff guide sets out the full checklist.
  • Management. The security and cost rules only hold if someone owns the estate - tracking devices, allowances and renewals. Our guide to managing a business mobile fleet covers keeping it under control as you grow.
  • Offboarding. The leaver clause is worthless if nobody actions it. Build device return and access removal into your standard exit process.
  • Review. Networks, devices and risks change; review the policy annually and after any incident.

The bottom line

A company mobile phone policy isn't bureaucracy for its own sake - it's the document that decides, in advance and fairly, what happens with the phones your business depends on. Make the key decisions (personal use, who pays for what, mandatory security, how you'll enforce it), adapt the template above, and wire it into onboarding and offboarding so it's lived rather than filed. And if you'd like the phones, pooled data, MDM and management sitting behind the policy set up properly, get a business mobile quote - we'll handle the technology so your policy has something solid to stand on.

Frequently asked questions

What should a company mobile phone policy include?

At minimum: the policy's purpose and scope, confirmation that the device and number are company-owned, acceptable-use and personal-use limits, mandatory security requirements, rules on costs and overage, roaming and driving rules, a lost-or-stolen process, a monitoring-and-privacy statement, a leaver/return process, and a signature for acceptance. Our template above covers all of these.

Is a company mobile policy a legal requirement in the UK?

There's no specific law requiring a standalone mobile phone policy, but you do have legal duties around data protection, security and health and safety (including the law against using a handheld phone while driving). A clear, enforced policy is the practical way to meet those duties and is expected under schemes like Cyber Essentials. Have your version reviewed by whoever handles HR and legal.

What's the difference between a mobile phone policy and a BYOD policy?

A company mobile phone policy governs phones the business owns and issues. A BYOD policy governs staff using their own phones for work, with extra care around privacy and what the company can wipe. If you do both, you need both documents - see our BYOD policy guide for the personal-device side.

Can we monitor employees' company phones?

You can manage company devices for security and support, and access company data on them for legitimate business reasons, but you should be transparent about it and avoid intruding on genuinely personal communications. State clearly in the policy what you can and can't see, and get the monitoring clause reviewed - the privacy and HR sensitivities here are real.

Should we allow personal use of company phones?

Most businesses permit "reasonable personal use" because an outright ban is unrealistic and hard to enforce. The key is to define the limits - no cost to the company, nothing illegal or reputationally risky, no premium-rate personal calls - and state who pays for any personal extras. Pooled data reduces the friction around incidental personal use.

How do we enforce a mobile phone policy?

Tie it to technology and process: enrol devices in MDM so security rules are facts rather than hopes, agree the policy at onboarding before the phone is handed over, and action device return and access removal at offboarding. A policy with no MDM and no process behind it relies entirely on trust, which is exactly where things slip.

How often should we review our company mobile phone policy?

Review it at least annually, and again after any significant incident (a lost device, a roaming bill shock, a new regulation) or a change in your setup such as moving networks or adopting BYOD. Devices, threats and tariffs all move, and a policy that's never revisited quietly drifts out of date.