Sanctioned Devices Only
- Updated on 05 Oct 2022
- 2 Minutes to read
A foundational requirement of Trusted Access is to ensure that only sanctioned devices are able to access and store company or sensitive data.
This is important for two reasons:
- Device Attestation: We have seen an increasing trend of hackers defeating MFA, enabling these attackers to log in to systems without the need to break in. Identifying a device as "sanctioned" or not is a critical line of defense against these types of attacks.
- Data Security Controls: On sanctioned devices, IT can ensure that both data-in-motion (networking) and data-at-rest (storage) are properly encrypted, revocable, and auditable. It also ensures that the device meets required security and applicable compliance baselines before being able to access company data.
In most cases, a sanctioned device is an enrolled device within some form of management tool.
Classes of Devices
There are four classes of devices that any given device will fall into: Corporate Owned, Personally Owned, Contractor/3rd-Party Managed, and All Other Devices.
Corporate Owned
These are devices that have been purchased by an organization and issued to employees. Typically, such devices are entirely managed, meaning an IT department has complete remit and control over the entire device. These devices are device-enrolled into a management service, such as Jamf Pro, enabling maximum control of the device.
See Corporate Owned Devices for details and supporting MDM device-wide management across endpoints.
Personally Owned (BYOD)
Personally owned devices – usually covering mobile devices – are owned by an employee or third-party individual, not the organization. Users bringing their own device want to be able to access company data and apps, but do not want their employer to have any control or visibility over their personal data. Therefore, these devices end up partially managed, where the "work managed" portion of the device is fully managed by the organization, but there exists a strict barrier between this work portion of data and network and the user's personal data and network traffic.
See Bring Your Own Device (BYOD) to learn how to establish this clear separation between Work and Personal data via MDM user enrollment on iOS/iPadOS and Android devices.
Contractor Devices / 3rd Party Managed
Devices in this class are either unmanaged or managed by a third-party MDM server, but in either case, are not directly managed by your organization. Without such management, an IT organization is unable to ensure the device is compliant from an endpoint policy and security perspective.
However, in spite of their unknown management state, these devices still must be able to access specific data without enrollment. For such scenarios, these devices and their users are issued very narrow access to only the applications and data they need. To achieve this access, the user still must be able to strongly assert their identity via an identity provider, and their device must meet minimum hygiene requirements.
Check out our page on User-Only Enrollments to learn more about how to securely enable devices in this class.
All Other Devices...
... are denied access to sensitive applications and data.
Without the ability to distinguish a sanctioned from an unsanctioned device, it becomes impossible to ensure that basic data security controls are in place for all devices that are handling important company or sensitive data (HR records, source code, etc.). As a result, any entity with valid credentials – stolen, sold, guessed or otherwise – will be able to log in and access such company data, as has happened in some major attacks.
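The four device classes above and the "valid credentials are not enough" point can be expressed as a small access-decision policy. The following is an added illustration written for this page, not Jamf's own code or API: the signal names (enrollment type, ownership, baseline and hygiene results, identity assertion) and the application sets are assumptions, and in practice they would be fed from the MDM inventory and the identity provider.

```python
from dataclasses import dataclass
from enum import Enum


class DeviceClass(Enum):
    CORPORATE_OWNED = "Corporate Owned"
    BYOD = "Personally Owned (BYOD)"
    THIRD_PARTY = "Contractor / 3rd Party Managed"
    OTHER = "All Other Devices"


class Enrollment(Enum):
    DEVICE = "device"        # full MDM device enrollment (e.g. Jamf Pro)
    USER = "user"            # MDM user enrollment with a managed work partition
    USER_ONLY = "user_only"  # user-only enrollment: identity asserted, no device management
    NONE = "none"            # no enrollment at all


@dataclass(frozen=True)
class DeviceContext:
    """Signals assumed to be supplied by the MDM inventory and the identity provider."""
    enrollment: Enrollment
    org_owned: bool
    baseline_met: bool        # security/compliance baseline result (managed devices)
    hygiene_met: bool         # minimum hygiene check (user-only enrollments)
    identity_asserted: bool   # identity provider verified the user (MFA passed)


# Constructed application sets for this example; a real policy defines its own.
ALL_APPS = frozenset({"mail", "source-control", "hr-records", "ticketing"})
WORK_CONTAINER_APPS = frozenset({"mail", "ticketing", "source-control"})
CONTRACTOR_APPS = frozenset({"ticketing"})


def classify(ctx: DeviceContext) -> DeviceClass:
    """Map enrollment state and ownership onto one of the four device classes."""
    if ctx.enrollment is Enrollment.DEVICE and ctx.org_owned:
        return DeviceClass.CORPORATE_OWNED
    if ctx.enrollment is Enrollment.USER and not ctx.org_owned:
        return DeviceClass.BYOD
    if ctx.enrollment is Enrollment.USER_ONLY:
        return DeviceClass.THIRD_PARTY
    return DeviceClass.OTHER


def permitted_apps(ctx: DeviceContext) -> frozenset:
    """Return the applications this device may reach; an empty set means access is denied."""
    if not ctx.identity_asserted:
        return frozenset()            # a strong identity assertion is required in every class
    cls = classify(ctx)
    if cls is DeviceClass.CORPORATE_OWNED and ctx.baseline_met:
        return ALL_APPS               # fully managed and compliant: full access
    if cls is DeviceClass.BYOD and ctx.baseline_met:
        return WORK_CONTAINER_APPS    # only the work-managed portion of the device
    if cls is DeviceClass.THIRD_PARTY and ctx.hygiene_met:
        return CONTRACTOR_APPS        # narrow, explicitly issued access
    return frozenset()                # all other devices, or a failed baseline/hygiene check


def stolen_credentials_on_unknown_device() -> frozenset:
    """Attacker passed the identity check (MFA defeated) but the device is unsanctioned."""
    ctx = DeviceContext(Enrollment.NONE, org_owned=False, baseline_met=False,
                        hygiene_met=False, identity_asserted=True)
    return permitted_apps(ctx)


if __name__ == "__main__":
    samples = [
        DeviceContext(Enrollment.DEVICE, True, True, True, True),
        DeviceContext(Enrollment.DEVICE, True, False, True, True),
        DeviceContext(Enrollment.USER, False, True, True, True),
        DeviceContext(Enrollment.USER_ONLY, False, False, True, True),
        DeviceContext(Enrollment.NONE, False, False, False, True),
    ]
    for ctx in samples:
        apps = permitted_apps(ctx)
        print(f"{classify(ctx).value:32} -> {sorted(apps) if apps else 'DENIED'}")
```

The decision is deliberately device-first: the identity assertion is a necessary gate in every branch, but a device that cannot be placed in a sanctioned class gets nothing even when the credentials are valid, which is exactly the case the page describes where MFA alone was defeated.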