I'm considering allowing some Bring Your Own Device (BYOD) options as a backup for when employees forget their company laptops. Is there a way to enforce a policy that only permits compliant devices that are supported and up to date? While I know this isn't a substitute for properly managed devices, it could act as a minimal protective measure. For instance, I could make a case against allowing a 12-year-old Mac to connect.
4 Answers
As others have pointed out, I wouldn't allow personal devices at all. We tackled this issue by requiring employees to have their work devices. If they forget, it leads to a chat with their manager, which has improved overall compliance.
The good thing is, you can define what compliant means for your devices however you prefer.
We would never consider that a safe move. You might register the personal devices, but it’s crucial not to allow exceptions to Conditional Access policies to minimize the risk of phishing attacks.
Honestly, registering personal devices doesn't really change the risk profile; it feels like just renaming the problem.
At minimum, devices need to have up-to-date virus and malware protection along with current patches. However, I really think allowing personal devices is risky, especially since I can't fathom why someone would forget their work laptop but still have their MacBook handy. It sounds like a slippery slope to me.
Actually, it might happen the other way around—like they leave their company device at work and then find themselves home with only their personal one. That could happen pretty easily.
For my situation, what settings should I choose? I'm thinking of creating a separate Conditional Access (CA) policy for this, so we're technically covered in both scenarios.

We didn't have any mandates until recently, and the newer managers are pushing back because they want the option to use their personal devices, since it's easier for them.
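To make the "compliant device" requirement concrete, here is an added example (not code from anyone in this thread) using the Microsoft Graph PowerShell SDK. It creates an Intune compliance policy for macOS with a minimum OS version (the part that would keep a 12-year-old Mac out), assigns it, and then creates a Conditional Access policy that grants access only from a compliant device with MFA. The OS version floor, the group IDs and the policy names are placeholders you would replace; the policy is created in report-only mode so you can inspect sign-in logs before enforcing it. Note that a personal device that is merely registered but never enrolled in Intune has no compliance state, so it fails this grant control, which is the behaviour the question is after.

```powershell
# Added example: compliance policy + Conditional Access policy via Microsoft Graph.
# Assumptions: Microsoft.Graph SDK installed, an account with the scopes below,
# and placeholder group IDs that you replace with your own.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All',
                        'Policy.ReadWrite.ConditionalAccess',
                        'Policy.Read.All',
                        'AuditLog.Read.All'

$byodUsersGroupId   = '00000000-0000-0000-0000-000000000001'  # placeholder: users allowed BYOD
$breakGlassGroupId  = '00000000-0000-0000-0000-000000000002'  # placeholder: emergency-access accounts
$macOsMinimumVersion = '14.0'                                # placeholder: your supported floor

# 1. Intune compliance policy for macOS. Devices below the OS floor, or without
#    FileVault, SIP or the firewall, are marked non-compliant. Intune requires at
#    least one scheduled action on creation; gracePeriodHours = 0 blocks immediately.
$macPolicy = @{
    '@odata.type'                          = '#microsoft.graph.macOSCompliancePolicy'
    displayName                            = 'BYOD macOS baseline'
    description                            = 'Minimum OS version, FileVault, SIP, firewall, screen lock'
    osMinimumVersion                       = $macOsMinimumVersion
    storageRequireEncryption               = $true
    systemIntegrityProtectionEnabled       = $true
    firewallEnabled                        = $true
    passwordRequired                       = $true
    passwordMinimumLength                  = 8
    passwordMinutesOfInactivityBeforeLock  = 5
    scheduledActionsForRule = @(
        @{
            ruleName = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{ actionType = 'block'; gracePeriodHours = 0 }
            )
        }
    )
}
$compliance = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $macPolicy

# Assign the compliance policy to the BYOD user group.
$assignment = @{
    assignments = @(
        @{
            target = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $byodUsersGroupId
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($compliance.Id)/assign" `
    -Body $assignment

# 2. Conditional Access policy: all users, all cloud apps, every client type,
#    grant only when the device is compliant AND MFA was satisfied.
#    Break-glass accounts are excluded so a mistake here cannot lock out the tenant.
$caPolicy = @{
    displayName = 'Require compliant device and MFA'
    state       = 'enabledForReportingButNotEnforced'   # flip to 'enabled' after reviewing report-only results
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'AND'
        builtInControls = @('compliantDevice', 'mfa')
    }
}
$ca = New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy

# 3. While the policy is report-only, list recent sign-ins it would have blocked.
Get-MgAuditLogSignIn -Top 200 |
    Where-Object {
        $_.AppliedConditionalAccessPolicies |
            Where-Object { $_.Id -eq $ca.Id -and $_.Result -eq 'reportOnlyFailure' }
    } |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName,
                  @{ n = 'OS'; e = { $_.DeviceDetail.OperatingSystem } },
                  @{ n = 'Compliant'; e = { $_.DeviceDetail.IsCompliant } }
```

Run step 3 for a week or two before changing `state` to `enabled`; the `Compliant` column is usually empty for personal devices that were registered but never enrolled, which is exactly the population that will be blocked once the policy is enforced.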