Zero Trust is only as strong as what it includes. And too many organisations are still leaving unmanaged devices out of the picture.
Personal laptops, contractor tablets, shared desktops at home – they’re accessing your network but skating under policy enforcement. That’s not a gap. That’s a welcome mat for attackers.
ZTNA was meant to shut down assumptions. But if your strategy only works for devices you own, it’s not Zero Trust. It’s wishful thinking.
What Happens When Devices Stay Unmanaged

Let’s not pretend these endpoints are rare. They’re everywhere, and ignoring them comes with consequences:
Security falls apart. Devices without proper patching, EDR, or hardening become silent entry points. You can’t defend what you don’t assess.
Operations spiral. Different access tools for different users create fractured environments. Policies get duplicated. Visibility gets lost. Support teams lose time.
User experience collapses. Slow, unreliable access methods frustrate legitimate users. That frustration leads to shortcuts, and shortcuts lead to shadow IT.
Compliance can’t keep up. If a device touches sensitive data, it falls under the same regulatory expectations. But without controls, you can’t log it, can’t monitor it, can’t prove a thing.
Stopgap Solutions Aren’t Solutions
VPNs, remote desktops, agentless bolt-ons – they’ve all been used to try to paper over the BYOD problem. But let’s be honest, these aren’t long-term fixes.

- VPNs still rely on perimeter thinking: once the tunnel is up, the device is on the network, whatever state it is in.
- VDI adds friction for users and infrastructure overhead for the team that runs it.
- Agentless ZTNA bolt-ons come with their own console and their own policy set, so enforcement fragments across tools.
What you end up with is more tools, more exceptions, and less clarity.
What Real Control Looks Like
The only sustainable approach is a single policy framework that applies uniformly to all devices, regardless of ownership.
Modern ZTNA is built to do just that. Ownership of the device doesn’t change the rules: the same policy is evaluated whether the session originates from a hardened corporate laptop or a contractor’s browser window. Posture decides how much access a device gets and in what mode, not which rulebook applies. The scrutiny is the same, and the audit trail is intact.
Here’s how that plays out:
- Access is granted based on posture, identity, behaviour, and location, not assumptions
- A single policy engine enforces rules across managed and unmanaged endpoints
- Clients run where possible, browser portals where needed – all feeding into the same control stack
- Data loss prevention, inline inspection, and session recording apply consistently
- Everything is logged, everything is visible, and nothing gets a free pass
Practical Scenarios That Hit Home
- A contractor logs in from their own machine. They pass posture checks, complete MFA, and get access only to what’s required.
- A team member opens a session while abroad. Geolocation flags it, prompting re-authentication and automatic isolation of sensitive apps.
- A device connected to the hotel Wi-Fi accesses a finance portal. The session runs in an isolated (containerised) browser, leaving no data behind on the device when the tab closes.
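How one policy engine handles those scenarios, as an added example that is not code from the original post or from any product: it evaluates the same checks (role scope, posture, geolocation, network, MFA freshness) for every request and lets ownership and context change only the enforcement mode. The posture fields, app sensitivities, role scopes, home countries and MFA thresholds are assumptions made for illustration, and the requests are constructed.

```python
"""Toy Zero Trust policy decision point: one rule set for every device.

Added example, not a product's code. Posture fields, app sensitivities and
thresholds are assumptions chosen to illustrate the scenarios in the text.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # continue only after fresh MFA
    DENY = "deny"


class Mode(Enum):
    NATIVE = "native-client"       # full ZTNA client; data may reach the disk
    ISOLATED = "isolated-browser"  # remote-rendered session; nothing persists locally


@dataclass
class Posture:
    managed: bool          # enrolled in MDM and owned by the organisation
    os_patched: bool
    edr_running: bool
    disk_encrypted: bool


@dataclass
class Request:
    user: str
    role: str
    app: str
    posture: Posture
    mfa_age_min: Optional[int]   # minutes since last MFA; None = none this session
    country: str                 # ISO code from geolocation
    network: str                 # "corp", "home" or "public"


@dataclass
class Verdict:
    decision: Decision
    mode: Optional[Mode] = None
    record_session: bool = False
    allow_download: bool = False
    reasons: list = field(default_factory=list)


# Assumed policy data (hypothetical apps, roles and thresholds).
APP_SENSITIVITY = {"wiki": "low", "ticketing": "medium",
                   "finance-portal": "high", "hr-records": "high"}
ROLE_SCOPE = {"employee": set(APP_SENSITIVITY),
              "contractor": {"wiki", "ticketing"}}
HOME_COUNTRIES = {"GB", "IE"}
MFA_MAX_AGE_MIN = 480      # accepted for routine requests
MFA_FRESH_AGE_MIN = 15     # demanded when the request is flagged as risky


def evaluate(req: Request) -> Verdict:
    """Apply identical checks to every request; ownership only changes the mode."""
    v = Verdict(Decision.DENY)
    sensitivity = APP_SENSITIVITY.get(req.app)
    p = req.posture

    # 1. Identity: least privilege is decided by role, never by device.
    if sensitivity is None or req.app not in ROLE_SCOPE.get(req.role, set()):
        v.reasons.append(f"{req.app} is outside the {req.role} scope")
        return v

    # 2. Posture: the same minimum for owned and personal devices.
    if not (p.os_patched and p.disk_encrypted):
        v.reasons.append("device fails minimum posture (patch level / encryption)")
        return v

    # 3. Context: abroad or on public Wi-Fi counts as risky.
    abroad, public = req.country not in HOME_COUNTRIES, req.network == "public"
    if abroad:
        v.reasons.append(f"geolocation {req.country} outside home countries")
    if public:
        v.reasons.append("public network")
    risky = abroad or public

    # 4. MFA: always required; a risky context demands a fresh factor.
    max_age = MFA_FRESH_AGE_MIN if risky else MFA_MAX_AGE_MIN
    if req.mfa_age_min is None or req.mfa_age_min > max_age:
        v.decision = Decision.STEP_UP
        v.reasons.append(f"MFA absent or older than {max_age} min: re-authenticate")
        return v

    # 5. Mode: no MDM/EDR, a risky context or a high-sensitivity app never gets
    #    a native session; the isolated browser leaves nothing on the endpoint.
    isolate = not p.managed or not p.edr_running or risky or sensitivity == "high"
    v.decision = Decision.ALLOW
    v.mode = Mode.ISOLATED if isolate else Mode.NATIVE
    v.record_session = sensitivity == "high"
    v.allow_download = v.mode is Mode.NATIVE
    if isolate:
        v.reasons.append("session isolated: no data persists on the endpoint")
    return v


# Constructed requests mirroring the scenarios in the text.
_PERSONAL = Posture(managed=False, os_patched=True, edr_running=False, disk_encrypted=True)
_CORPORATE = Posture(managed=True, os_patched=True, edr_running=True, disk_encrypted=True)
SCENARIOS = {
    "contractor_own_laptop": Request("alice", "contractor", "ticketing", _PERSONAL, 2, "GB", "home"),
    "contractor_out_of_scope": Request("alice", "contractor", "finance-portal", _PERSONAL, 2, "GB", "home"),
    "employee_abroad_stale_mfa": Request("bob", "employee", "hr-records", _CORPORATE, 120, "SG", "home"),
    "employee_hotel_wifi_finance": Request("bob", "employee", "finance-portal", _CORPORATE, 5, "GB", "public"),
}

if __name__ == "__main__":
    for name, req in SCENARIOS.items():
        v = evaluate(req)
        mode = v.mode.value if v.mode else "-"
        print(f"{name:30} {v.decision.value:8} {mode:17} {'; '.join(v.reasons)}")
```

The point of the design is that no branch asks "is this our laptop?" to choose a rulebook. `managed` and `edr_running` feed the same function as geolocation and app sensitivity, and their only effect is to push the session into the isolated mode with downloads off, which is what keeps the contractor and the hotel Wi-Fi cases under the same logging and DLP path as a corporate device.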
This is not theory. It’s happening every day, whether you’re ready for it or not.
Questions That Actually Matter
If unmanaged endpoints are interacting with your systems – and they are – then you don’t have the luxury of delay. You need to ask:
- Can we apply the same access logic to every user on every device?
- Is our policy enforcement centralised or stitched together from half-measures?
- Do we have audit-ready visibility into every access request regardless of the hardware behind it?
The organisations that can’t answer yes are already exposed. They just haven’t seen it play out yet.
Devices don’t need your permission to become part of your ecosystem. They already are. Whether they’re secured, controlled, and visible – that’s your call. And it’s one that matters.