Q&A

Unmanaged Devices: The Overlooked Endpoint Threat

Despite layers of security controls on corporate hardware, unmanaged devices remain a critical weak spot.

Enterprise IT teams spend considerable effort hardening their environments with patches, monitoring tools and compliance checks. Still, one of the greatest risks often comes from devices that fall outside these protections. Personal laptops, smartphones and other unmanaged endpoints can connect to enterprise resources without meeting security standards, leaving organizations vulnerable. Industry research has shown that the likelihood of compromise is significantly higher when work is performed on hardware that IT cannot monitor or control.

At Live! 360 Orlando, attendees will hear from Microsoft Security MVP Myron Helgering in a session focused on practical methods to close this gap. The talk will cover approaches for reducing exposure to unmanaged endpoints while preserving user productivity, including how Microsoft 365 security features can enforce policies and apply zero trust principles in mixed environments. Ahead of his session, he sits down to give a preview of what makes unmanaged devices such a headache for IT.

Redmondmag: What makes unmanaged devices one of the most dangerous blind spots in modern environments?
Helgering: In modern IT environments, organizations do a lot to secure their corporate devices -- keeping them up to date, enforcing security configurations, deploying EDR and AV solutions, patching vulnerabilities and making sure access is granted only through device compliance. That's all standard practice.

But when unmanaged devices are allowed into the mix, we're basically flying blind. We lose visibility, and more importantly, we lose control. There's no way to confirm these devices are secure or that they follow our policies and configurations.

According to the Microsoft Digital Defense Report, users are 71 percent more likely to get infected when working from an unmanaged device. That number should be a wake-up call. Honestly, this doesn't get discussed enough -- and in my opinion, we need to start taking it a lot more seriously.

Can you summarize the six methods and when each is most effective?
Let's get the less effective (but still worth mentioning) ones out of the way first.

First, some organizations decide to just ignore the problem entirely and let unmanaged devices access the environment. That's a bad idea. It creates risk and zero control, but unfortunately, it still happens.

Next is enforcing device enrollment. This works fine for corporate-owned devices and helps us stay in control. The issue comes when people start enrolling personal devices -- either because it's allowed or by accident. My take? Personal devices aren't ours to manage. We end up with way too much control over something that isn't corporate property.

Now for the stronger methods.

One of the better strategies is putting the organization on a path toward eliminating unmanaged devices. If we could block them altogether and move on, great. That would fix the problem. But let's be honest, this isn't realistic for most organizations. Still, it's worth aiming for, or at the very least applying this approach to high-profile users like admins and execs.

Finally, we could implement solutions in Microsoft 365 that help us strike a better balance. Tools like Mobile Application Management, App-Enforced Restrictions and Session Policies give us a way to mitigate specific security risks while still providing secure access for people working from unmanaged devices. It's not perfect, but it's practical (and secure enough for most organizations).

How can organizations prioritize protection if they lack full device visibility?
First things first, identify user groups that you know are working from unmanaged devices. Maybe your marketing team is running on macOS machines that haven't been onboarded into Intune yet. Maybe some users are still stuck working from outdated VDI environments. Or maybe you've got a pool of freelancers using their own personal devices, even though they could probably be just as effective -- and a lot more secure -- on a managed Windows 365 Cloud PC.

You won't be able to flip full visibility overnight. But if you can shift things so that unmanaged devices become the small exception, instead of a larger part of your environment, then you're already making serious progress. Fewer unmanaged devices means more visibility, tighter control, and way better protection across the board.

How can zero trust be extended to unmanaged endpoints?
Solutions like Mobile Application Management (MAM) for Android, iOS and Windows are key to sticking to our zero trust principles when we're dealing with unmanaged devices. They give us the ability to enforce device compliance, apply data protection controls, ensure secure authentication, and even do remote wipes. It's a way to put boundaries around access to corporate apps and data without touching the personal side of the device.

And if your organization is ready for it, you can take it a step further: use Conditional Access to completely block access from unmanaged devices and shut the door entirely. That's the cleanest route, but obviously not something every organization can pull off right away.

How do you measure the success of these protective methods?
I measure success based on a few things. First, what percentage of unmanaged devices are accessing the environment compared to managed ones? Then I look at whether we actually applied security policies or solutions to those unmanaged devices -- or did we miss a chunk that somehow slipped through?

At the end of the day, my job is to identify the risks and recommend the right solutions. But if those percentages are acceptable to my customer, and we've mitigated the risks we set out to address, then yeah, I consider it a success.
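The two measurements Helgering describes above (the share of sign-ins coming from unmanaged devices, and whether the Conditional Access or MAM controls from the earlier answer actually applied to them or let a chunk slip through) can be computed from Entra ID sign-in logs. The script below is an added example, not part of the interview and not Microsoft's code. It uses the field names of the Microsoft Graph signIn resource (deviceDetail.isManaged, deviceDetail.isCompliant, appliedConditionalAccessPolicies[].result), but the five sign-in records, the user names and the policy name "Require compliant device or approved app" are constructed for the example.

```python
"""Measure managed vs. unmanaged sign-ins and check policy coverage.

Added example: record shapes follow the Microsoft Graph signIn resource,
but every value below is constructed, not taken from a real tenant.
"""
from collections import Counter

# Name of the Conditional Access policy we expect to govern unmanaged
# devices (assumed name, constructed for this example).
POLICY_NAME = "Require compliant device or approved app"

# Constructed sign-in records. "result" values are the ones Entra ID
# reports: "success" = policy applied and grant satisfied, "failure" =
# policy applied and access denied, "notApplied" = policy did not match.
SIGN_INS = [
    {"userPrincipalName": "alice@example.com",
     "deviceDetail": {"operatingSystem": "Windows 11", "isManaged": True,
                      "isCompliant": True, "trustType": "Azure AD joined"},
     "appliedConditionalAccessPolicies": [
         {"displayName": POLICY_NAME, "result": "success"}]},
    {"userPrincipalName": "bob@example.com",          # personal Mac, blocked
     "deviceDetail": {"operatingSystem": "macOS", "isManaged": False,
                      "isCompliant": False, "trustType": ""},
     "appliedConditionalAccessPolicies": [
         {"displayName": POLICY_NAME, "result": "failure"}]},
    {"userPrincipalName": "carol@example.com",        # personal phone, MAM-protected app
     "deviceDetail": {"operatingSystem": "iOS", "isManaged": False,
                      "isCompliant": False, "trustType": ""},
     "appliedConditionalAccessPolicies": [
         {"displayName": POLICY_NAME, "result": "success"}]},
    {"userPrincipalName": "dave@example.com",         # unmanaged, policy never matched
     "deviceDetail": {"operatingSystem": "Windows 10", "isManaged": False,
                      "isCompliant": False, "trustType": ""},
     "appliedConditionalAccessPolicies": [
         {"displayName": POLICY_NAME, "result": "notApplied"}]},
    {"userPrincipalName": "erin@example.com",
     "deviceDetail": {"operatingSystem": "Windows 11", "isManaged": True,
                      "isCompliant": True, "trustType": "Hybrid Azure AD joined"},
     "appliedConditionalAccessPolicies": [
         {"displayName": POLICY_NAME, "result": "success"}]},
]


def is_managed(sign_in):
    """A device counts as managed if Entra ID reports it as managed or compliant."""
    detail = sign_in.get("deviceDetail") or {}
    return bool(detail.get("isManaged")) or bool(detail.get("isCompliant"))


def policy_outcome(sign_in, policy_name):
    """Return the recorded result of the named policy, or 'notApplied' if absent."""
    for policy in sign_in.get("appliedConditionalAccessPolicies", []):
        if policy.get("displayName") == policy_name:
            return policy.get("result", "notApplied")
    return "notApplied"


def summarize(sign_ins, policy_name=POLICY_NAME):
    """Compute the two numbers from the interview: unmanaged share and coverage gap."""
    total = len(sign_ins)
    unmanaged = [s for s in sign_ins if not is_managed(s)]
    outcomes = Counter(policy_outcome(s, policy_name) for s in unmanaged)
    # "success" on an unmanaged device means another grant control (e.g. an
    # approved/MAM-protected app) satisfied the policy; "failure" means it was
    # blocked. Anything else means the policy did not govern that sign-in.
    uncovered = [s["userPrincipalName"] for s in unmanaged
                 if policy_outcome(s, policy_name) not in ("success", "failure")]
    by_os = Counter((s.get("deviceDetail") or {}).get("operatingSystem", "unknown")
                    for s in unmanaged)
    return {
        "total": total,
        "unmanaged": len(unmanaged),
        "unmanaged_pct": round(100.0 * len(unmanaged) / total, 1) if total else 0.0,
        "unmanaged_policy_outcomes": dict(outcomes),
        "unmanaged_uncovered": uncovered,          # the "chunk that slipped through"
        "unmanaged_by_os": dict(by_os),            # where to look for onboarding gaps
    }


if __name__ == "__main__":
    for key, value in summarize(SIGN_INS).items():
        print(f"{key}: {value}")
```

In practice the records would come from the Graph sign-in log export or a SIEM query rather than the inline list; the two lines to watch are unmanaged_pct trending down as devices are onboarded, and unmanaged_uncovered staying empty, since any name in that list is an unmanaged sign-in that neither the block nor the MAM grant touched.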

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
