Any mobile phone, tablet, laptop, or Internet of Things device (smart speakers, wearables, and so on), including devices subsidized by the university.
U-M recognizes that those who do work on its behalf may need to access or maintain sensitive university data on their own devices.
Security of Personally Owned Devices that Access or Maintain Sensitive Institutional Data (SPG 601.33) guides this use. Departments and units have discretion to prohibit this use or impose additional requirements beyond those outlined in the policy.
Michigan Medicine, for example, requires those who wish to use their personally owned devices to access Michigan Medicine resources and networks to enroll those devices in the Intelligent Hub mobile device management service. See Intelligent Hub - Enrollment Instructions (Michigan Medicine KnowledgeBase) for details.
- If you have not been informed about implementation of SPG 601.33 within your department, do not use your own devices to work with university data without first checking with your department.
- If your department or unit has informed you that you may work with university data using your own devices, it is your responsibility and obligation to properly manage and secure your personal device(s) to reduce the risk of unauthorized access to, or disclosure, of university data.
- Institutional PCI data is not allowed on personally owned devices because it must only be processed on U-M PCI compliant networks and systems.
- Export control data is not allowed on personally owned devices due to the risks associated with it being transported abroad, or accessed by unauthorized persons. This determination was made by the Delegated Data Steward.