Ensure you know who is using personal devices for work purposes and that this has been authorised in writing, in advance, by their line manager and the IT department.
Access to applications
Decide what you will permit as a business for example you may wish to permit access to cloud-hosted business applications but not the ability to download software. Understand the risks associated with personal devices being connected directly to company networks and in most instances, access should not be permitted, users should use a restricted Guest network and access to on-premise applications should be achieved through a Remote Desktop service.
Ensure that the security of company information is your top priority, endpoint protection tools, including anti-virus/anti-malware and endpoint security is installed and monitored at all times. The software must be installed prior to using personal devices for work purposes.
Loss or theft
Any device that is lost or stolen is a risk and must be reported as soon as is practicably possible using the companies Information Security Incident Reporting procedures which should be communicated and understood by the team.
Monitoring and remote wipe
All devices should be monitored suspicious activity flagged and remediated often by a remote SOC. The same acceptable usage policy should be followed as with company-owned assets, in certain circumstances such as misuse, loss or theft the IT department may need to remotely wipe a device.