Recently, our IT department has received a significant increase in requests to use personal mobile devices to access email on our system. Typically, we leave it up to the department head of the person making the requests, then we grant access if approved.

I need to come up with a formal policy. One thought is to request/require that users use an inactivity timeout password on their devices in the even they are stolen.

Anyone willing to share what policy you have in place?