Why enrolling personal Windows devices might be a really bad idea

This week is basically a brief follow-up on one of my sessions at the Modern Endpoint Management Summit 2024. More specifically, my session about Protecting corporate data on personal Windows devices – Your options. During that session I went into a bit more detail about the discussion that I started earlier on Twitter/X around enrolling personal Windows devices. My opinion around that might be lightly biased from what I’ve seen over the years, but I do think that I can provide some insights into why I think that it’s not a good idea to enroll personal Windows devices. In this blog post, I’ll provide a short summary of what I’ve shared during my session. It’s good to have an opinion, but it’s even better to actually add some context to that opinion.

Why I think that enrolling personal Windows devices is a bad idea

There are actually multiple reasons why I think that enrolling personal Windows devices is a bad idea. However, before starting with the actual reasons, it’s good to start with a little bit of context around personal Windows devices. What do I mean by a personal device, and what type of enrollment am I talking about? In this case I’m talking about a Windows device that is bought by the user, owned by the user, and configured with a personal account of that user. The user actually uses that device for personal activities and for storing personal data and apps. Theoretically, the user could enroll that device directly via the Settings app, or by downloading the Company Portal app and then starting the enrollment process. In my opinion, whatever MDM enrollment the user would perform on that device would be a bad idea. And that opinion is based on, but definitely not limited to, the following reasons (as also shown below in Figure 1, which is one of the slides that I used):

  • Little control over the chosen device: As an organization there is little control over the device that is bought by the user. That means less control over the specifications of the chosen device.
  • Possibly fewer available security features: As there is little control over the device that is bought by the user, it can directly impact the security features that are available for that device. Some features have specific hardware and firmware requirements.
  • Management capabilities that you don’t want: As the IT administrator you suddenly become responsible for devices with personal data and apps of users, and possibly with different management capabilities as well.
  • Ability to wipe the users’ personal device: As the IT administrator you can (accidentally) wipe the device, including the personal data of the user, when you choose to go for a similar enrollment as corporate devices.
  • Insights and inventories that you don’t want: As an organization you might get visibility into details of devices that might interfere with current processes within the organization. Those devices might underperform.
  • Different versions of Windows: The user might be running a version of Windows that you don’t like. That might bring the device into a certain state, or the device might even miss some of the latest (security) features.
  • Unpredictable behavior: Due to the different hardware, different Windows versions, and potentially different apps, you might run into unpredictable behavior and issues that only occur on specific devices.
  • Hard to control the data: All of that makes it difficult to manage those devices the same way as corporate devices. And that makes it harder to control the data on those devices.
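As an added example (not part of the original post), the following PowerShell script uses the Microsoft Graph PowerShell SDK to inventory the personally owned Windows devices that are already enrolled in Intune and to flag the ones running below an OS build baseline, which gives a concrete view of the "different versions of Windows" and "insights and inventories" points above. The $MinimumBuild value and the client-side filtering are assumptions of this example, not something the post prescribes.

```powershell
# Added example: inventory personally owned Windows devices enrolled in Intune.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in
# account is allowed to read managed devices. $MinimumBuild is an assumed
# baseline; adjust it to the build your organization actually requires.
param(
    [string]$MinimumBuild = '10.0.19045'
)

Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' | Out-Null

# Retrieve all managed devices and filter client-side, so the example does not
# depend on which properties the managedDevices endpoint accepts in a $filter.
$personalWindows = Get-MgDeviceManagementManagedDevice -All |
    Where-Object {
        $_.OperatingSystem -eq 'Windows' -and
        $_.ManagedDeviceOwnerType -eq 'personal'
    }

$report = foreach ($device in $personalWindows) {
    # OSVersion is a dotted string such as 10.0.19045.4170; parse it defensively
    # so a missing or unexpected value does not abort the whole report.
    $osVersion = [version]'0.0'
    [void][version]::TryParse($device.OSVersion, [ref]$osVersion)

    [pscustomobject]@{
        DeviceName      = $device.DeviceName
        User            = $device.UserPrincipalName
        OSVersion       = $device.OSVersion
        BelowBaseline   = $osVersion -lt [version]$MinimumBuild
        ComplianceState = $device.ComplianceState
        LastSync        = $device.LastSyncDateTime
    }
}

"$(@($personalWindows).Count) personally owned Windows device(s) are enrolled."
$report | Sort-Object BelowBaseline -Descending | Format-Table -AutoSize
```

Run it before deciding on a policy for personal devices: the BelowBaseline column shows how many enrolled personal devices already miss the build (and therefore the security features) that corporate devices are held to.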

Besides all of that, it is hard to explain why personal devices wouldn’t require the same level of security that you require for the corporate devices. That would create a really weird balance within the environment. A balance in which we don’t require the same level of security for all of the devices within the environment, but we do give the same level of access to corporate data to all devices within the environment. And with that, it’s good to keep in mind that in the end security is only as strong as the weakest link. So, to give a short summary of my opinion (as also shown below in Figure 2, which is one of the slides that I used):

Ultimately, it’s a business decision. It will, however, be a security nightmare, as all personal Windows devices might be different. Besides that, it could come with potential legal challenges, due to the potential insights into the devices and the potential ability to wipe them. Or on a different level, with installing corporate apps on personal devices. Either way, the user experience will be suboptimal on those devices. It will never be the same as on corporate devices that are Entra joined and Intune managed.

More information

For more information about the presentations that I did during the Modern Endpoint Management Summit, please refer to the following links that contain the slide decks that I used.
