BYOD | FAQ

If you already use private IT devices for business purposes or want to use business IT devices for private purposes in the future, discuss this with your supervisor first.

This mixed use of IT devices must be agreed to by both parties (supervisor and employee) by signing the supplementary agreement "Application and authorisation form for the use of private devices for business purposes".

The supplementary agreement can be found on the TU Braunschweig info portal.

Yes, the use of private IT devices for business purposes is only effective with the mutual consent of both parties and the associated supplementary agreement.

For technical questions, please contact the CISO staff unit by e-mail at soc(at)tu-braunschweig.de.

For legal questions including labour law, please contact the legal department of the TU (Dept. 11 / Labour Law: Dept. 12).

For questions regarding data protection, please contact the Data Protection Officer by e-mail at datenschutz(at)tu-braunschweig.de, and / or the Data Protection Management by e-mail at dsmgmt(at)tu-braunschweig.de or in Dept. 11 (Legal Department).

No, the directive does not generally apply to all students.

However, the guideline does apply to students who, in addition to their studies at TU Braunschweig, are in an official position, e.g. as a student assistant, and want or need to use private devices to carry out official activities.

Professional data is all data that is generated during the performance of professional activities or is required for these activities.

This includes personal data, research data, financial data, emails, documents, records, contacts and calendar data.

Business IT devices are end devices provided by the employer for the fulfilment of work tasks, such as laptops or business mobile phones.

No, you don't have to.

You will be able to carry out all work tasks without using private devices for work purposes.

If a mobile phone or smartphone is absolutely necessary for work-related reasons and the employee does not wish to use a private device for this purpose, a device must be provided by the department.

It must be carefully checked whether there really is a compelling business need. Furthermore, it must be checked whether it really has to be a smartphone or whether a mobile phone without smartphone functions is not also sufficient (only telephone calls and text messages), which is the case in many cases, such as on-call duty. In this case, simple mobile phones are preferable. For on-call duties, for example, only a single device can be purchased that is given to the person on call for the duration of the on-call duty.

Yes, as long as you use a web browser and read emails via your OWA access (https://mail.tu-braunschweig.de/). This is not a use case of the guideline.

However, if you use an app that stores your emails on your smartphone, this is a use case of the policy and requires the mutual consent of both parties to the supplementary agreement.

Yes, in principle it is possible for you to work on your private smartphone in the web browser and thus access web applications of the TU Braunschweig, e.g. OWA-Webmail or the cloud.TU Braunschweig.

However, if you permanently store business data on your private smartphone, e.g. by downloading a document, this is a use case of the guideline and requires the mutual consent of both parties through the supplementary agreement.

Yes, it is generally possible to use Element Chat on your personal device (smartphone or laptop).

However, please note that the use of the desktop client or the app is a use case of the Directive and the supplementary agreement must be signed for this purpose.

Alternatively, you can use the element chat in the web browser (https://chat.tu-bs.de/); this is not covered by the policy and does not require the signing of the additional agreement.

Yes, forwarding to your private telephone, mobile phone or smartphone is not restricted by this policy. You do not need to sign an additional agreement for this.

However, please note that if you call or call someone back from your private device, your private mobile phone number may be displayed (depending on the smartphone settings).

Yes, establishing remote desktop connections (e.g. via the RDP protocol) does not count as business use of a private device, as no data is stored on the private device.

The prerequisite is, of course, that the connection is secured by using the VPN tunnel.

This is actually an unresolved data protection issue.

However, as long as you do not permanently store any data on your private device used for business purposes, but restrict yourself to working in the browser, there is no data that could cause problems when backing up to the cloud.

Make sure that encryption is activated for backups. You can find further information at https://www.bsi.bund.de/DE/Themen/Verbraucherinnen-und-Verbraucher/Basisschutz-fuer-Computer-Mobilgeraete/, for example

For mail apps, please note that you must not use any mail apps that store access data in the provider cloud (unfortunately, Outlook apps do this on both Android and iOS). Using the built-in browser to access https://mail.tu-braunschweig.de/ is not critical.

Suitable mail apps are, for example, Apple Mail on iOS and Nine Folders Mail or FairMail on Android.

Pure "virus scanners" are no longer state of the art and practically no longer exist; current applications and apps are endpoint protection solutions.

State-of-the-art endpoint protection not only scans for malware, but also monitors which websites are accessed and which files are downloaded, for example, and warns of dangers or blocks these accesses. This also applies to smartphones, including Apple iOS (companies such as Sophos and Eset also offer solutions for iOS and Android, but there are of course other providers).

If the origin is known and trustworthy, the connection of such input devices poses no problem. A trustworthy origin can be, for example, the GITZ, the institute's own IT or its IT centres or a relevant dealer. However, caution should be exercised with third-party or purchased used devices.

Bluetooth in itself is not a secure technology (however, an attacker must be able to get within a few metres of the device), so wireless devices (usually 2.4 GHz) with encrypted data transmission are preferable.

No, you don't have to; alternatively, authentication can be carried out using a corresponding token.  

If two-factor or multi-factor authentication is introduced at TU Braunschweig, it will be possible to use an authenticator app on a private device. In this case, no official data is permanently stored on your private device and is therefore not a use case of the policy. You do not need to sign the additional agreement for this.

The basic ideas are:

1. TU must ensure that only state-of-the-art devices are connected to the TU network in order to minimise the omnipresent cyber threats. From an IT security perspective, it is irrelevant who owns the devices.
2. Data protection laws require that the department must be able to access and delete all processed personal data at any time, including on private devices used for official purposes and privately used official devices.
3. The general principles of proper administration require that official data is adequately protected, even if it is located on private devices used for official purposes or on privately used official devices.

For legal reasons, all three points require corresponding regulations and, in some cases, an additional agreement.