TL;DR
A bring-your-own-device (BYOD) program without minimum endpoint controls is an open door to your business data. This checklist covers the six non-negotiable controls every 10–50 headcount Australian SMB needs — no full MDM budget required — plus a sample policy section you can adapt today.
Why BYOD Hygiene Is No Longer Optional
Most Australian SMBs now run on a mix of personally owned laptops, phones, and tablets. That is operationally convenient, but it creates an endpoint hygiene gap that attackers exploit relentlessly. In 2026 the attack surface has shifted: adversaries increasingly target identities and sessions rather than infrastructure. Adversary-in-the-middle (AiTM) phishing proxies the real login page and captures the session cookie after MFA has already succeeded; token theft from an infected endpoint replays a session that has already passed MFA; consent phishing tricks a user into granting an attacker-controlled app OAuth permissions, so no password or MFA prompt is ever involved. On a managed device you can detect or block each of these. On an unmanaged personal phone used for work you cannot, which makes it the weakest link, and attackers know it.
The good news: you do not need a six-figure MDM deployment. Six minimum controls, consistently enforced, close the gap for SMBs.
The 6-Point BYOD Endpoint Hygiene Checklist
1. Device Compliance Policy — The Four Non-Negotiables
Every device accessing company data must meet a written compliance baseline:
- OS version minimum: iOS 16+ / Android 13+ / Windows 11 23H2+ / macOS 14+. Unsupported OS versions receive no security patches.
- Disk encryption enabled: FileVault (macOS), BitLocker (Windows), or device encryption (iOS/Android) must be active.
- Screen lock enforced: auto-lock after at most 5 minutes, unlocked by a PIN of at least 6 digits or by biometrics. Biometrics are a convenience layer on top of the passcode, not a replacement: the fallback passcode still has to meet the 6-digit minimum.
- No jailbreak or root: the device must pass the platform's integrity attestation (Play Integrity on Android, Intune's jailbreak detection on iOS). Jailbroken or rooted devices are blocked outright, because a compromised OS makes every other check on this list unverifiable.
Document these four requirements in your acceptable use policy and verify compliance at onboarding. No exceptions.
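Here is what those four requirements look like as Intune device compliance policies, one per platform, created through the Microsoft Graph PowerShell SDK. This is an added example, not configuration from the original article. It assumes the Microsoft.Graph module is installed, the caller is an Intune administrator, and that the policy names and the `$byodGroupId` value are placeholders you replace with your own.

```powershell
# Added example, not configuration from the article: the four BYOD non-negotiables as
# Intune device compliance policies, one per platform, created through the Microsoft
# Graph PowerShell SDK. Assumes: Install-Module Microsoft.Graph has been run, the caller
# is an Intune administrator, and $byodGroupId is the id of your BYOD users group
# (placeholder value below).
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"
$byodGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: replace with the group id

# Graph rejects a compliance policy with no scheduled action, so declare the consequence
# up front: a device that fails any rule is marked non-compliant immediately (0 h grace),
# which is what a "require compliant device" Conditional Access rule keys off.
$blockImmediately = @(
    @{
        ruleName = "PasswordRequired"
        scheduledActionConfigurations = @(
            @{ actionType = "block"; gracePeriodHours = 0; notificationTemplateId = "" }
        )
    }
)

$policies = @(
    @{  "@odata.type"                         = "#microsoft.graph.androidWorkProfileCompliancePolicy"
        displayName                           = "BYOD baseline - Android work profile"
        osMinimumVersion                      = "13.0"          # 1. supported OS only
        storageRequireEncryption              = $true           # 2. encryption
        passwordRequired                      = $true           # 3. screen lock ...
        passwordRequiredType                  = "atLeastNumeric"
        passwordMinimumLength                 = 6
        passwordMinutesOfInactivityBeforeLock = 5
        securityBlockJailbrokenDevices        = $true           # 4. rooted = blocked
        # Property still carries the old SafetyNet name; it is evaluated via Play Integrity.
        securityRequireSafetyNetAttestationBasicIntegrity = $true
        scheduledActionsForRule               = $blockImmediately },

    @{  "@odata.type"                         = "#microsoft.graph.iosCompliancePolicy"
        displayName                           = "BYOD baseline - iOS"
        osMinimumVersion                      = "16.0"
        passcodeRequired                      = $true   # iOS data protection is on whenever a passcode is set
        passcodeRequiredType                  = "numeric"
        passcodeMinimumLength                 = 6
        passcodeMinutesOfInactivityBeforeLock = 5
        securityBlockJailbrokenDevices        = $true
        scheduledActionsForRule               = $blockImmediately },

    @{  "@odata.type"                         = "#microsoft.graph.windows10CompliancePolicy"
        displayName                           = "BYOD baseline - Windows 11"
        osMinimumVersion                      = "10.0.22631"   # Windows 11 23H2 build number
        bitLockerEnabled                      = $true
        storageRequireEncryption              = $true
        passwordRequired                      = $true
        passwordMinimumLength                 = 6
        passwordMinutesOfInactivityBeforeLock = 5
        secureBootEnabled                     = $true           # closest Windows analogue to "not rooted"
        codeIntegrityEnabled                  = $true
        scheduledActionsForRule               = $blockImmediately },

    @{  "@odata.type"                         = "#microsoft.graph.macOSCompliancePolicy"
        displayName                           = "BYOD baseline - macOS"
        osMinimumVersion                      = "14.0"
        storageRequireEncryption              = $true           # FileVault
        passwordRequired                      = $true
        passwordMinimumLength                 = 6
        passwordMinutesOfInactivityBeforeLock = 5
        systemIntegrityProtectionEnabled      = $true           # SIP disabled is the Mac equivalent of rooted
        scheduledActionsForRule               = $blockImmediately }
)

foreach ($body in $policies) {
    $created = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $body
    # Assign to the BYOD group; an unassigned policy evaluates nothing.
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.Id)/assign" `
        -Body @{ assignments = @(@{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $byodGroupId } }) }
    "{0} -> {1}" -f $created.DisplayName, $created.Id
}
```

The same settings are reachable by hand in the Intune admin centre under Devices > Compliance, but scripting them means the baseline is reviewable and repeatable, and the zero-hour grace period is the part people forget: with the default grace period a failing device stays "compliant" for days. On iOS there is no separate encryption switch because data protection is always active once a passcode exists, so the passcode rule covers control 2.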
2. MDM-Lite: Baseline Enforcement Without the Price Tag
Full MDM (Workspace ONE, full Intune suite) is overkill at 10–50 seats. Use the lightweight tier that ships with your existing stack:
- Microsoft 365 Business Premium: includes Intune Plan 1 (device compliance and app protection policies) and Entra ID P1, which is what provides Conditional Access.
- Google Workspace Business Plus: Includes endpoint management for Android and iOS with work profile enforcement.
- Apple-only fleet: Kandji or Jamf Now for zero-touch deployment starting around AU$5–8/device/month.
Configure one access rule immediately (Conditional Access in Entra ID, Context-Aware Access in Google Workspace): require a compliant device, or for phones that are not enrolled an app protection policy, before granting access to Microsoft 365 or Google Workspace. Scope it to all users and all cloud apps, exclude only a break-glass account, and run it in report-only mode for a week before enforcing it. Once enforced, a stolen or phished password is useless from any device you have not enrolled, which is where most opportunistic access attempts originate.
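The Microsoft 365 version of that rule, created in report-only mode through the Microsoft Graph PowerShell SDK. This is an added example, not configuration from the original article. It assumes the caller is a Conditional Access administrator, that an emergency-access account already exists (its UPN below is a placeholder), and that your BYOD phones run Outlook and Teams under an Intune app protection policy.

```powershell
# Added example, not configuration from the article: the single Conditional Access rule,
# created in report-only mode through the Microsoft Graph PowerShell SDK. Assumes
# Connect-MgGraph by a Conditional Access administrator and an existing emergency-access
# account; its UPN below is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

# Exclude the break-glass account: if the compliance service or Intune misbehaves,
# "require compliant device" on all apps would otherwise lock out every admin at once.
$breakGlass = Get-MgUser -Filter "userPrincipalName eq 'breakglass@contoso.example'"   # placeholder UPN

# Well-known app id of "Microsoft Intune Enrollment". A device cannot be compliant until it
# has enrolled, so the enrolment flow itself must not be gated on compliance.
$intuneEnrollmentAppId = "d4ebce55-015a-49b5-a083-c84d1797ae8c"

$policy = @{
    displayName = "BYOD: require compliant device or app protection policy"
    # Report-only first: review the sign-in log for a week, then switch to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All"); excludeApplications = @($intuneEnrollmentAppId) }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # OR = either control satisfies the policy: a fully enrolled, compliant device, or a
        # phone that is not enrolled but runs Outlook/Teams under an app protection policy.
        # Everything else, including a valid password typed on a random laptop, is refused.
        operator        = "OR"
        builtInControls = @("compliantDevice", "compliantApplication")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created '{0}' in state {1}" -f $created.DisplayName, $created.State

# Once report-only shows no legitimate sign-ins being flagged, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Two points are easy to get wrong here. The break-glass exclusion is not optional: the policy gates every app for every user, so a fault in the compliance pipeline with no excluded account is a self-inflicted outage. And the rule only controls token issuance; it does not stop a session token that was issued to a compliant device and then stolen from it, which is why the device baseline and the no-BYOD-for-admins rule still matter. Google Workspace's counterpart is a Context-Aware Access level that requires a managed, policy-compliant device.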
3. Separate Work Data: The Container Approach
Personal apps and work data must never share the same sandbox. The two paths:
| Platform | Mechanism |
|---|---|
| Android | Work Profile — creates an isolated container with separate apps, encryption, and lifecycle. Work data is wiped independently of personal data. |
| iOS / macOS | Managed Apple ID with User Enrolment — separates work data into a managed volume. Personal Apple ID remains untouched. |
Do not allow users to access company email, Teams, or SharePoint through personal app instances. Push the Outlook and Teams apps into the managed container and block copy-paste between work and personal profiles.
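The Android half of that boundary, as an Intune device configuration profile created and assigned through the Microsoft Graph PowerShell SDK. This is an added example, not configuration from the original article; it assumes the caller is an Intune administrator, and the profile name and `$byodGroupId` are placeholders.

```powershell
# Added example, not configuration from the article: an Intune device configuration
# profile for Android Enterprise work profiles that seals the work/personal boundary,
# created and assigned through the Microsoft Graph PowerShell SDK. Assumes Connect-MgGraph
# by an Intune administrator; the profile name and $byodGroupId are placeholders.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"
$byodGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: your BYOD users group

$workProfileConfig = @{
    "@odata.type" = "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration"
    displayName   = "BYOD: work profile data separation"
    # The two settings this section is about: no clipboard and no share-sheet/intent
    # traffic across the profile boundary, in either direction.
    workProfileBlockCrossProfileCopyPaste      = $true
    workProfileDataSharingType                 = "preventAny"
    # Close the side channels a determined user (or malware in the personal profile) tries next.
    workProfileBlockScreenCapture              = $true
    workProfileBlockCrossProfileContactsAccess = $true
    workProfileBlockCrossProfileCallerId       = $true
    workProfileBlockAddingAccounts             = $true   # no second, personal account inside the container
    # Separate lock on the container itself, so an unlocked phone is not an unlocked mailbox.
    workProfileRequirePassword                                = $true
    workProfilePasswordRequiredType                           = "atLeastNumeric"
    workProfilePasswordMinimumLength                          = 6
    workProfilePasswordMinutesOfInactivityBeforeScreenTimeout = 5
}

$config = New-MgDeviceManagementDeviceConfiguration -BodyParameter $workProfileConfig
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($config.Id)/assign" `
    -Body @{ assignments = @(@{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $byodGroupId } }) }
"Created {0} ({1})" -f $config.DisplayName, $config.Id
```

The device profile governs the container; an Intune app protection policy on Outlook and Teams governs the apps, restricting where they may send data regardless of how the phone is enrolled. Use both: the app policy is the only layer that follows the data onto an iPhone enrolled with User Enrolment, where the profile-level clipboard switch does not exist.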
4. Remote Wipe Capability — Without Touching Personal Data
Every BYOD device must be enrolled such that you can selectively wipe only company data when someone leaves, or when a device is lost. In Intune this is the "retire" (remove company data) action, not the full "wipe", which factory-resets the handset and must never be pointed at a personal device. On Android, retiring a device deletes the Work Profile container, including every corporate app and its data, and touches nothing outside the container. On iOS, User Enrolment lets you de-provision the Managed Apple ID and its managed volume without touching the personal photo library, messages, or apps. Either way, anything a user copied into an unmanaged personal app is beyond reach, which is why control 3 matters. This is the single requirement that makes employees willing to enrol: they keep their privacy, you keep your data.
Test the retire process on a volunteer device during onboarding and confirm that the corporate apps and data are gone and the personal side is untouched. If you discover at termination that it does not work, it is already too late.
5. No BYOD for Privileged or Admin Accounts
This rule is absolute: privileged accounts — domain admin, global admin, finance system superuser, root — must never authenticate from a personally owned device. Those accounts live on company-issued, fully managed hardware only.
Why it matters: a compromised personal laptop with cached admin tokens gives attackers the keys to the kingdom without a single exploit. As Mandiant documented in early 2026, attackers use stolen sessions from unmanaged endpoints to move laterally across SaaS platforms silently. One personal device housing admin credentials undoes every other control on this list.
6. Monthly Mini-Audit Checklist (15 Minutes)
Print this or drop it into a recurring calendar invite. Run it the first Monday of every month:
- Review device compliance report in Intune / Google Admin — any non-compliant devices?
- Check for new enrolments. Any device that joined without authorisation?
- Verify the conditional access policy is still enabled, not report-only or disabled, and that its exclusion list still contains only the break-glass account (policies silently drift during tenant changes).
- Confirm remote wipe test passed against at least one test device.
- Review the privileged account list — any BYOD device still showing admin sign-ins?
- Check OS version compliance: any devices running an unsupported version? Block them.
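The six checks as one script against Microsoft Graph, so the fifteen minutes are spent reading findings rather than clicking through portals. This is an added example, not a script from the original article, and it also covers the retire test from control 4. It is read-only except for step 4, which retires one named volunteer device. It assumes an admin with the scopes listed, Conditional Access policies whose names start with "BYOD", and a spare enrolled device named "byod-wipe-test"; both names are placeholders.

```powershell
# Added example, not a script from the article: the monthly mini-audit run against
# Microsoft Graph. Read-only except for step 4, which retires one named volunteer device.
# Assumes: Connect-MgGraph by an admin with the scopes below, Conditional Access policies
# named "BYOD*", and a spare enrolled device called "byod-wipe-test" (both names are ours).
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All",
                        "DeviceManagementManagedDevices.PrivilegedOperations.All",
                        "Policy.Read.All", "AuditLog.Read.All", "RoleManagement.Read.Directory"

$cutoff  = (Get-Date).AddDays(-30)
$devices = Get-MgDeviceManagementManagedDevice -All

# Intune reports Android versions as "14", so pad to something [version] can parse.
function ConvertTo-Version([string]$raw) {
    $clean = $raw -replace '[^\d.]', ''
    if ($clean -notmatch '\.') { $clean = "$clean.0" }
    [version]$clean
}
$minimumOs = @{ Android = [version]'13.0'; iOS = [version]'16.0'
                Windows = [version]'10.0.22631'; macOS = [version]'14.0' }

"== 1. Non-compliant devices =="
$devices | Where-Object ComplianceState -ne 'compliant' |
    Format-Table DeviceName, UserPrincipalName, OperatingSystem, ComplianceState

"== 2. Enrolments in the last 30 days (anything you did not approve?) =="
$devices | Where-Object EnrolledDateTime -gt $cutoff |
    Format-Table DeviceName, UserPrincipalName, EnrolledDateTime

"== 3. Conditional Access drift =="
Get-MgIdentityConditionalAccessPolicy | Where-Object DisplayName -like 'BYOD*' | ForEach-Object {
    [pscustomobject]@{
        Policy         = $_.DisplayName
        State          = $_.State                                   # anything but "enabled" is a finding
        ExcludedUsers  = $_.Conditions.Users.ExcludeUsers -join ','  # should be the break-glass id only
        ExcludedGroups = $_.Conditions.Users.ExcludeGroups -join ',' # should be empty
    }
} | Format-Table

"== 4. Retire (selective wipe) test =="
$testDevice = $devices | Where-Object DeviceName -eq 'byod-wipe-test'
if ($testDevice) {
    # Retire = remove company data and unenrol. Never use Invoke-MgWipe... on BYOD:
    # that is a factory reset of the whole handset, personal data included.
    Invoke-MgRetireDeviceManagementManagedDevice -ManagedDeviceId $testDevice.Id
    "Retire issued for $($testDevice.DeviceName); re-enrol it after you confirm the container is gone."
} else { "No device named byod-wipe-test is enrolled: the wipe test cannot run." }

"== 5. Privileged sign-ins from devices that are not managed AND compliant =="
$roleNames = 'Global Administrator', 'Exchange Administrator', 'SharePoint Administrator'
$adminUpns = foreach ($role in Get-MgDirectoryRole | Where-Object DisplayName -in $roleNames) {
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $m.AdditionalProperties['userPrincipalName']   # null for groups/service principals
    }
}
$since = $cutoff.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
foreach ($upn in ($adminUpns | Where-Object { $_ } | Sort-Object -Unique)) {
    Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$upn' and createdDateTime ge $since" |
        Where-Object { -not ($_.DeviceDetail.IsManaged -and $_.DeviceDetail.IsCompliant) } |
        Format-Table UserPrincipalName, CreatedDateTime, AppDisplayName,
            @{n='Device'; e={ $_.DeviceDetail.DisplayName }}, @{n='OS'; e={ $_.DeviceDetail.OperatingSystem }}
}

"== 6. OS below baseline (block these) =="
$devices | Where-Object {
    $min = $minimumOs[$_.OperatingSystem]
    $min -and ((ConvertTo-Version $_.OsVersion) -lt $min)
} | Format-Table DeviceName, UserPrincipalName, OperatingSystem, OsVersion
```

Step 5 treats an unknown device as a finding on purpose: a sign-in whose device details are empty was not made from hardware you manage, whatever else it was. Add any finance or line-of-business admin roles your tenant uses to `$roleNames`, and drop the script into the calendar invite so the next person can run it unchanged.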
Fifteen minutes. Miss it twice and you have a breach condition, not a checklist.
Sample BYOD Policy Section (Adapt for Your Handbook)
Bring Your Own Device (BYOD) Policy — Extract
- Eligibility: BYOD is permitted for standard-access roles only. Privileged account holders (IT admin, finance system admin, executive with unrestricted access) must use a company-issued device.
- Enrolment: Before accessing any company system, the device must be enrolled in [Microsoft Intune / Google endpoint management] and pass the compliance baseline: current OS within one major version, disk encryption active, screen lock of 6+ digits or biometric, and platform integrity check passed.
- Work Data Separation: All company data must reside within the managed Work Profile (Android) or Managed Apple ID volume (iOS/macOS). Storing company data in personal apps, local downloads, or unmanaged cloud storage is prohibited.
- Remote Wipe Consent: The company reserves the right to remotely wipe only company data and the managed container upon termination of employment, reported device loss, or confirmed security incident. Personal data, apps, and media will not be affected.
- Audit: Devices are subject to monthly compliance review. Repeated non-compliance (two consecutive months) results in revocation of BYOD access.
- Incident Reporting: Lost or stolen devices used for work must be reported to IT within 4 hours.
FAQ
Q: Does the Essential Eight require MDM for BYOD? The ACSC's Essential Eight does not name MDM at any maturity level, but even Maturity Level 1 requires multi-factor authentication, patched operating systems, and application control, and you cannot verify or evidence any of those on a personal device you do not manage. Each higher maturity level tightens the same controls further. MDM-lite is the cheapest way to produce that evidence.
Q: Can we just use a written policy without enforcing it technically? No. A written policy without conditional access enforcement — blocking non-compliant devices at the identity provider — is a piece of paper. Attackers do not read your policy.
Q: What if an employee refuses to enrol their personal device? They do not access company data from that device. Issue a company-owned handset, or restrict them to browser-only access on that device: in Microsoft 365 a Conditional Access session control ("use app enforced restrictions", paired with SharePoint's limited-access setting) gives unmanaged browsers a web-only Exchange and SharePoint experience with downloads blocked, so nothing is stored offline. The business decides the risk appetite; the employee does not get a veto.
Q: Is Intune included in Business Premium or do we pay extra? Microsoft 365 Business Premium (~AU$33/user/month) includes Intune Plan 1 (device compliance and app protection policies) and Entra ID P1 (Conditional Access). No additional licence is required for the controls in this checklist.
Conclusion
BYOD endpoint hygiene is a process, not a purchase. Start with the four compliance non-negotiables, enrol every device into your existing MDM-lite tool, separate work data, lock down privileged accounts, and run the 15-minute monthly audit. Those six controls give a 10–50 headcount SMB most of what an enterprise endpoint programme delivers, at a fraction of the cost.
Need help designing controls that fit your business — not a vendor's brochure? Visit consult.lil.business for a free 30-minute cybersecurity assessment tailored to Australian SMBs.
References
- ACSC — Bring Your Own Device (BYOD) Guidance
- Microsoft — Intune Device Compliance Policies for SMB
- NIST SP 1800-22 — Mobile Device Security: Bring Your Own Device (BYOD)
- Mandiant / The Hacker News — Vishing Attacks Stealing MFA to Breach SaaS Platforms (Jan 2026)
- Digital Biz Talk — OAuth Redirect Abuse Bypasses MFA (Mar 2026)
How Robots Can Answer Your Customers' Questions and Save You Lots of Money
TL;DR
- Most customer questions are the same ones asked over and over — AI can answer those automatically, 24/7, for a fraction of what a human costs.
- Between 40% and 70% of all support tickets are repeat, low-complexity questions AI can handle [1].
- One business saved $47,000/year by letting AI handle repeat questions. Humans kept the tricky stuff.
- The free and cheap options work great for small businesses — you don't need the expensive enterprise tools.
Imagine your shop had a really helpful assistant who worked 24 hours a day, never called in sick, never asked for a raise, and could answer 100 customers at the exact same time — all for about $300 a month.
That's what an AI customer support chatbot is. It's like having a night-shift worker who lives in your computer and never gets tired of answering "what time do you close?"
Why Do Businesses Spend So Much on Customer Support?
Think about what a shop assistant actually does all day. According to Gartner, between 40% and 70% of all support tickets are repeat, low-complexity questions — the kind a FAQ could answer [1]. They don't change. They just come in again and again.
The average fully-loaded cost of a support agent in Australia is $52,000–$68,000 per year [2]. That's a lot of money to answer "can I return this?" for the thousandth time.
Forrester Research found that 67% of customers actually prefer self-service for simple questions — they'd rather get an instant answer than wait in a queue [3]. So you're paying for something customers don't even want.
What Does an AI Chatbot Actually Do?
An AI chatbot is like a really smart notice board — except instead of making customers look for the answer, it lets them ask in plain English and gives the right answer instantly.
When a customer types "where's my order?", the chatbot:
- Understands what they're asking
- Looks up the answer (or connects to your order system)
- Replies instantly — no waiting, no queue
If the question is too tricky, it says "let me get a human for you" and passes it on. Your staff only deal with the stuff that actually needs a brain.
One business with three full-time support agents was paying $141,000 a year on customer service. After deploying an AI chatbot and smart ticket routing, their costs dropped to $94,000 — a $47,000 saving every year — with setup costs paid back in under three months.
Intercom, one of the leading AI support platforms, reports their AI resolves an average of 45% of conversations without human involvement [4]. Zendesk found that AI-assisted agents resolve tickets 40% faster than unassisted ones [5].
Does It Cost a Lot to Set Up?
Some tools cost a lot. Some cost nothing at all. Here's the honest version:
- Intercom Fin — about $99+/month, best for big companies with thousands of questions [4]
- Zendesk AI — about $50 per agent per month, good if you already use Zendesk [5]
- Freshdesk Freddy AI — $15–$35/agent/month, great for smaller teams who want a productivity boost [6]
- Chatwoot (free!) — $0 in licence fees, self-hosted, works great for smaller businesses
The free option isn't a toy — it's what lil.business uses for clients who don't need to spend a fortune. A small business handling 50–200 questions a month can save thousands of dollars a year with a tool that costs nothing to licence.
How to Know If It'll Save YOU Money
Here's the quick maths:
- How many customer questions do you get each month?
- How many are the same questions asked over and over? (Industry average: 55–65% [1])
- How long does each one take to answer? (Usually 5–10 minutes)
- Multiply the hours by your staff cost per hour
Example: 200 repeat questions × 8 minutes each = 27 hours a month. At $35/hour, that's $945/month — over $11,000/year in time you could save.
The Best Part: It Works While You Sleep
According to Salesforce's State of the Connected Customer report, 73% of customers expect 24/7 support availability [7]. With a chatbot, someone asking "where's my order?" at midnight gets an answer immediately — without you paying anyone overtime or penalty rates.
Your team comes in the next day rested and ready for the things that actually need them.
FAQ
Will a chatbot replace my staff? No — and you wouldn't want it to. AI handles the simple, repetitive stuff. Your team handles complaints, unusual situations, and anything that needs empathy. The combination is what saves you money.
What if the chatbot gets it wrong? A well-set-up chatbot only answers questions it has been given answers for. If it doesn't know, it hands off to a human. You control exactly what it says.
How long does it take to set up? A basic FAQ chatbot can be up and running in a week with the right help. A more complex system that connects to your order management or CRM takes 2–4 weeks.
Is my customer data safe? With self-hosted solutions like Chatwoot, your customer data stays on a server you control rather than in a vendor's cloud. That also means patching, backups, and access control for that server become your responsibility, so self-hosting is only the safer option if someone actually maintains it. That is one reason lil.business often recommends open-source tools for privacy-conscious businesses that have, or contract, that upkeep.
What You Should Do Right Now
- Count your questions — look at your last month of emails, chats, or support tickets
- Find the repeat ones — what do customers ask again and again?
- Write down the answers — clear, accurate answers to your top 20 questions
- Talk to lil.business — we'll tell you exactly which tool fits your situation, and we won't recommend the expensive one if you don't need it
You don't need to spend a fortune to save one.
References
[1] Gartner, "AI for Customer Service: Benchmarks and Best Practices," Gartner Research, 2024. [Online]. Available: https://www.gartner.com/en/customer-service-support/insights/artificial-intelligence-customer-service
[2] SEEK, "Customer Service & Support Salary Insights 2025," SEEK Australia, Jan. 2025. [Online]. Available: https://www.seek.com.au/career-advice/article/customer-service-salary-australia
[3] Forrester Research, "Benchmark Your Customer Service Operations," Forrester, 2024. [Online]. Available: https://www.forrester.com/report/benchmark-your-customer-service-operations/
[4] Intercom, "Fin AI Agent: Performance Benchmarks and Customer Outcomes," Intercom Product Blog, 2024. [Online]. Available: https://www.intercom.com/blog/fin-ai-agent-benchmarks/
[5] Zendesk, "2024 Zendesk Customer Experience Trends Report," Zendesk, Jan. 2024. [Online]. Available: https://www.zendesk.com/blog/customer-experience-trends/
[6] Freshworks, "IT Service Management Benchmark Report 2024," Freshworks, 2024. [Online]. Available: https://www.freshworks.com/resources/itsm-benchmark-report/
[7] Salesforce, "State of the Connected Customer, 5th Edition," Salesforce Research, 2023. [Online]. Available: https://www.salesforce.com/resources/research-reports/state-of-the-connected-customer/
[8] Society for Human Resource Management (SHRM), "Retaining Talent: A Guide to Analyzing and Managing Employee Turnover," SHRM, 2022. [Online]. Available: https://www.shrm.org/hr-today/trends-and-forecasting/special-reports-and-expert-views/Documents/Retaining-Talent.pdf
Want to save money with AI? Let lilMONSTER show you how.