
Unmanaged Devices: The Overlooked Threat CISOs Must Confront

No matter the strategy, companies must approach securing unmanaged devices with sensitivity and respect for employee privacy.

One of my favorite things about working in security, and tech in general, is the shared attitude that no problem is unsolvable. We transitioned virtually the entire Internet from "http" to "https" in the name of security. Clearly, we're not afraid of a challenge. But there's one problem that many companies haven't even tried to solve, and its very name seems to communicate a kind of surrender: unmanaged devices. 

By "unmanaged devices," we're talking about laptops, tablets, and phones that employees use at work but that aren't covered by a mobile device management (MDM) solution, and so are outside the visibility and control of security or IT, often because the company has no effective way to prevent personal devices from authenticating. These devices might belong to contractors, Linux users, or employees using personal devices under a bring-your-own-device (BYOD) policy. A 2022 Kolide study found that 47% of companies allow unmanaged devices to access company resources. That means nearly half let sensitive data disappear onto devices with no safeguards. 

Part of that problem is that, until recently, you could get away with having unmanaged devices — you can pass a SOC 2 audit or get through a security questionnaire without addressing them. But these details won't matter to your customers in the event of a breach stemming from an unmanaged device. Frankly, none of us imagine that our sensitive data is going home on the unencrypted hard drive of a developer who hasn't updated his OS in six months.  

Learning the Hard Way

Many companies have learned the dangers of unmanaged devices the hard way in recent years. A single unmanaged device is a ticking time bomb. Whether it's running an outdated piece of software with known vulnerabilities, storing unencrypted credentials or SSH keys, or missing basic protections like screen lock, the list of serious risks that can be lurking on these devices goes on and on. Consider this: In 2024, Microsoft reported that a staggering 92% of ransomware attacks involved unmanaged devices. If that's not a wake-up call, I don't know what is.

To be fair, security and IT leaders face real obstacles in dealing with unmanaged devices. Their traditional security tools, namely MDM, aren't built to handle these devices, leaving leaders unsure of how even to begin getting visibility into them, much less getting them compliant. Still, "hard" is not the same as "impossible," and forward-looking security leaders are proactively seeking out solutions to the unmanaged device problem.  

After all, we're used to taking on tough challenges. I remember years ago when the idea of zero trust started to take hold, and the industry had to rethink identity verification and authentication. This required us to aggressively go after the single most ubiquitous security tool of the time: the password. And today, while much work remains to be done, look how far we've come. Multifactor authentication (MFA) and single sign-on (SSO) are increasingly the norm, passwordless authentication methods — like passkeys — are gaining momentum, and encrypted password managers have raised the bar for credential security.  

Now, unmanaged devices represent the next frontier in zero trust, and it will take a similarly creative and layered approach to tackle this challenge. Each company will need a mix of strategies to secure every employee, app, and device effectively.

It's important to note that this doesn't mean we should abandon BYOD altogether. Allowing employees to use the devices they're most comfortable with has unleashed a wave of creativity and productivity that we should embrace and enable, not stifle. For example, a sales rep should be able to check emails on their personal phone without it being locked down by MDM and endpoint detection and response (EDR) software. However, it's critical to strike a balance: Companies must at least verify that these devices belong to approved users and prevent unknown endpoints from accessing company resources. Even seemingly "low-risk" apps like email can give bad actors a crucial foothold. 

Non-negotiable Scenarios

For higher-stakes scenarios, like a laptop that belongs to a developer with elevated access, stricter security measures should be non-negotiable. These devices certainly shouldn't be unmanaged — and on top of that, there's an important conversation to be had about whether "managed" devices are secure enough in the first place, given the inherent limitations of MDMs. 
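To make the tiered approach concrete, here is an added example (not code from the original article or from any vendor) of a posture-based access check: a registered device of an approved user is enough for a "low" tier like email, while a "high" tier such as a developer's elevated access additionally requires a managed device with a clean posture on exactly the risks named above. The device schema, the 30-day patch threshold, the user roster and the sample devices are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

TODAY = date(2024, 6, 1)            # constructed evaluation date
PATCH_MAX_AGE_DAYS = 30             # assumed policy threshold, not a standard
APPROVED_USERS = {"alice", "bob"}   # constructed sample roster


@dataclass
class Device:
    """Constructed device-posture record; not any MDM vendor's schema."""
    owner: str
    registered: bool      # enrolled to an approved user (even if not MDM-managed)
    managed: bool         # under MDM
    os_patched_on: date   # date of the last OS update
    disk_encrypted: bool
    screen_lock: bool


def posture_gaps(dev: Device, today: date = TODAY) -> list[str]:
    """Return the basic-hygiene failures the article lists for a device."""
    gaps = []
    if (today - dev.os_patched_on).days > PATCH_MAX_AGE_DAYS:
        gaps.append("os_outdated")
    if not dev.disk_encrypted:
        gaps.append("disk_unencrypted")
    if not dev.screen_lock:
        gaps.append("no_screen_lock")
    return gaps


def access_decision(dev: Device, tier: str, today: date = TODAY) -> tuple[bool, str]:
    """Decide access for a resource tier ("low" or "high") from device posture."""
    # Floor for every tier: the device must be registered to an approved user,
    # so unknown endpoints are denied even for "low-risk" apps like email.
    if dev.owner not in APPROVED_USERS or not dev.registered:
        return False, "unknown endpoint or owner not approved"
    if tier == "low":
        return True, "registered device of approved user"
    # High tier: management plus a clean posture are non-negotiable.
    if not dev.managed:
        return False, "elevated access requires a managed device"
    gaps = posture_gaps(dev, today)
    if gaps:
        return False, "posture gaps: " + ", ".join(gaps)
    return True, "managed device with clean posture"


# Constructed sample devices for the two scenarios discussed in the text.
SALES_PHONE = Device("alice", True, False, date(2024, 5, 20), True, True)
UNKNOWN_PHONE = Device("mallory", False, False, date(2024, 5, 20), True, True)
DEV_LAPTOP_STALE = Device("bob", True, True, date(2023, 11, 1), False, True)
DEV_LAPTOP_OK = Device("bob", True, True, date(2024, 5, 25), True, True)
```

Running `access_decision(DEV_LAPTOP_STALE, "high")` denies with the reasons `os_outdated, disk_unencrypted`, while the same user's patched, encrypted laptop is allowed.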

At the end of the day, different companies will tackle unmanaged devices differently, depending on their risk tolerance and compliance requirements. However, no matter the strategy, we must approach the issue with sensitivity and respect for employee privacy. Let's not forget why MDMs are considered incompatible with personal devices — it's not because of technical reasons, but because employees are understandably uncomfortable with invasive tools on the same devices where they keep their family photos. 

Securing unmanaged devices won’t be simple or straightforward, but it’s a challenge we need to face head-on. It must start by recognizing the nuances and complexities of the problem — and most importantly, it must start now. 

Jathniel Okhako
Author
