How to Separate Company Devices From Personal Devices

QUICK ANSWER

Filter company and personal devices differently by assigning policy according to ownership and work risk, not merely the person using them. Put managed work devices on a managed protective profile. Give personal devices a narrower, clearly disclosed work profile only when needed, minimize retained activity, and keep sensitive systems unavailable to devices the team cannot adequately manage.

Published
November 24, 2025
Words
1,175 words
Reading time
6 min read

A small team does not need enterprise tooling to state a clear boundary: company-owned devices receive company-managed security; personal devices receive only the controls and access justified by their work. DNS profiles can help express that difference, but they are one layer. The durable outcome is a BYOD arrangement people understand, can actually follow, and can leave without surrendering their personal device. Budget for support and a managed-device alternative; otherwise the apparent hardware saving merely moves cost and frustration onto workers.

Veilty support for managed BYOD is planned as an enterprise capability. Until that capability is available, use the policy, privacy, and verification workflow as a provider-neutral planning model, not as a current Veilty deployment path.

Draw the line before choosing controls

Inventory device classes rather than every app first: fully managed company laptops, company phones with personal use, personal computers used regularly for work, and occasional personal devices. Then catalogue the work each class may perform. Payroll administration, production credentials, source code, customer records, and general collaboration do not carry equal consequences. Some services should remain limited to devices the company can update, recover, and investigate.

NCSC describes BYOD as an explicit balance between organizational data protection, usability, and the device owner's privacy. It stresses that management capability, not ownership alone, is decisive.2 NIST likewise treats BYOD as a security and privacy design problem, not merely permission to sign in from any phone.3 That framing prevents DNS filtering from becoming a substitute for a real device policy.

A proportionate two-track device policy
DecisionCompany devicePersonal device
Security profileManaged malware, phishing, and required business rulesAgreed work-risk categories only
UpdatesCompany enforces and verifiesOwner maintains a stated minimum
VisibilityNamed incident purpose and limited retentionAggregate first; shortest necessary detail
Sensitive accessAllowed when device health and role permitRestricted when assurance is insufficient
OffboardingRecover or wipe company device and revoke accessRemove work configuration and revoke access

Give each device class a contract

Write one page that answers what the organization configures, what it can observe, what the owner must maintain, which services are available, what happens after loss, and how work access is removed. Avoid the vague phrase “company may monitor the device.” Say whether DNS activity is retained, who may see it, for what purpose, and for how long. Personal browsing can generate domain lookups unrelated to work, including background application requests.

  1. Select the minimum supported operating-system versions, screen lock, encryption, update, and account-protection requirements.
  2. Decide which work resources are appropriate for personal devices and which require a managed company endpoint.
  3. Create separate DNS profiles for managed work devices and approved personal work access; do not infer ownership from a device name.
  4. Apply malware and phishing protection first. Add business categories only when a documented risk justifies them.
  5. Explain resolver changes, visibility, support, incident handling, and removal before enrollment.
  6. Provide a company-device alternative for people who cannot or do not want to accept the personal-device arrangement.

Control D's public documentation illustrates the useful implementation pattern: a profile is a collection of rules, an endpoint applies profiles, and different physical devices can receive different profiles.4 Cloudflare and Cisco similarly separate policy from the identity or network location to which it applies.56 A healthy product choice should make ownership, policy assignment, exceptions, and removal visible rather than forcing every device into one global rule.

Separate service access from DNS policy

A DNS profile and permission to use a business service are different decisions. A personal device might receive phishing protection yet remain unable to open payroll, production, or customer-record systems. A managed company device might use the same protective categories while gaining those services through device assurance, multifactor authentication, and a least-privilege role. Write the access matrix first, then attach DNS policy to each device class. This avoids treating a successful DNS lookup as proof that a device is trusted.

Keep device policy and business access as separate approvals
Device classDNS outcomeBusiness access decision
Managed company deviceRequired protective profileRole and device health decide access
Approved personal deviceDisclosed work-risk profileLimit to approved lower-risk services
Unknown or unsupported deviceNo assumed protectionDo not grant sensitive access

Run a two-device pilot

Pilot one company laptop and one voluntary personal device. From each, verify the resolver path at the office, at home, and on mobile data. Test sign-in, conferencing, document sharing, software updates, customer tools, and a provider-owned safe block-test domain. Confirm that personal services outside the agreed scope continue to work. If the pilot requires repeated broad exceptions, the profile or device class is wrong.

  • Check for browser Secure DNS, VPNs, private relays, and hard-coded fallback resolvers.
  • Use aggregate policy outcomes for routine review rather than inspecting every personal-device lookup.
  • Record exceptions by device class and business purpose, with an owner and review date.
  • Test offboarding: revoke work sessions, remove DNS configuration, and confirm the personal device remains usable.

Protect work without claiming the phone

DNS filtering can block or redirect domain lookups associated with known threats and policy categories. It cannot read page contents, search terms, in-app chats, voice audio, or full browser history. It also cannot separate work files from personal photos, prevent copying from an allowed application, attest device health, or replace access control. Operating-system work profiles, managed applications, multifactor authentication, endpoint protection, backups, and least-privilege roles solve different parts of BYOD security.

Treat privacy friction as a design signal. NCSC warns that an unusable BYOD scheme can drive people toward unapproved workarounds.2 Ask pilot users what disrupted personal use, which disclosures were unclear, and whether support assumed control the organization did not have. Adjust the supported work set before adding surveillance. A company-owned device is often cheaper than forcing a personal device into a management model neither side trusts.

BYOD separation questions

Should personal and company devices use the same DNS profile?

Not automatically. Company devices can accept stricter, managed rules. A personal-device profile should cover the agreed work risk with less visibility and fewer non-work restrictions, unless the owner has explicitly accepted broader management.

Can DNS filtering create a complete work container?

No. DNS policy controls domain lookups; it does not isolate files, accounts, application data, or clipboard activity. Use operating-system work profiles, application controls, and access policy where separation of work data is required.

What if a personal device cannot meet the minimum standard?

Do not improvise weaker access to sensitive systems. Offer a managed company device, a restricted browser or remote-work method, or access only to lower-risk services that the device can support safely.

Plan the enterprise BYOD boundary

Use the workflow above to document device ownership, work scope, consent, support, removal, and the least visibility required. Veilty support for applying that model to managed personal devices is planned for enterprise use. For current team deployments, account-scoped invitations add members, while Tenant roles limit access to company-managed Tenant resources and retained Tenant activity. Reusable baseline and enforced Tenant policies set the shared boundary: resources may override baseline policy, but never enforced policy.1

References

  1. DNS filtering for teams — Veilty
  2. Bring your own device guidance — NCSC
  3. Mobile Device Security: BYOD — NIST
  4. Profiles — Control D
  5. DNS policies — Cloudflare
  6. Get started with DNS-layer security — Cisco Umbrella

Related articles