
Should I allow personal laptops or stick with company owned?

Today’s post is based on a reader question.

Hey Alex,

I am trying to figure out how to talk to my client about personal vs. work-owned laptops. Right now, they have a mix of both. I am a bit confused because Microsoft makes it seem like they have the tools to secure any type of access, and yet I have seen some passages on your website where you seem to suggest that company-owned is always preferred. But we have MAM specifically so that we can allow personal device access, isn’t that right? Am I missing something?

My client wants to know if they can just stop buying hardware and have their employees bring whatever devices they want to work, since it is all in the cloud now anyway, and everyone is protected by passwordless MFA. Is this good enough? How can I convince them that corporate devices are still necessary?

In a related question, I am also trying to figure out how to best separate and assign my Intune policies in this tenant and other mixed environments. I have seen you advocate for user-based assignment in the past, but in environments where you have a mix of both types of devices (personal and corporate), won’t you need to target devices rather than users for some policies? Also, when I deploy policies using the Settings Catalog, some say they are for User and some for Device. Has something changed since you wrote your blog post about this? Shouldn’t we be assigning Device settings to devices and User settings to users?

–Rick, from Kentucky

Rick, I am glad you wrote in, and sorry it has taken me a while to respond. These are all questions I have to answer very often. If I can manage to write something halfway coherent, then in the future I can just point people to this one article.

First, I will say that you are correct, there have been some changes since I wrote my article about “Devices vs. Users”—so I went ahead and updated it. My approach hasn’t really changed much (I still generally target users over devices for most things). But there are some nuances, for sure.

Now for the harder question. It can be very tempting for a business owner to imagine dropping the expense of buying new laptops every 3-5 years and asking employees to take on that burden instead. This is a bad idea, for a number of reasons, which I will explain shortly.

However, I also think your question(s) need to be clarified a little. I can hear your confusion, and I don't blame you: the reality versus the marketing around Microsoft 365 and BYOD can be hard to reconcile, which is why it is hard to communicate this effectively to your customer. Let me re-phrase your first question, which I think will help clear it all up.

Is there greater risk in allowing personal devices vs. corporate ones?

The answer to this question is yes, unequivocally. When we allow personal devices there are real risks we cannot mitigate and real boundaries we as administrators will run into. Most notably, on a personally owned Windows laptop we cannot remove local admin rights: the owner set the device up, the owner enrolled it, and the owner can just as easily unenroll it. It is the same on a personal phone, where I cannot control your access to the app store or prevent you from installing whatever you want. I would say this is the most important thing to understand: you are not really in control if the device is not yours.

Furthermore, when you Entra join a company owned Windows computer, the edition of the operating system may change depending on your Microsoft 365 licensing. For example, if you started with Windows 11 Pro, then upon joining the edition becomes Windows 11 Business (with Microsoft 365 Business Premium) or Enterprise (with Microsoft 365 E3/E5), according to the license assigned to the user account in the cloud. Being joined and enrolled, rather than merely registered as a personal device, is also what unlocks device-level management that a registered laptop does not get: for example, onboarding into Microsoft Defender for Business/Endpoint through Intune, or managing BitLocker and escrowing its recovery keys from the cloud.
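Before you can have this conversation with a client, you need to know what you actually have in the fleet. The following is an added example, not a script from the original post: it triages one Windows PC for the three things discussed above, how the device is joined (Entra joined vs. merely registered), which edition it is running, and whether the signed-in user is a local administrator, with the BitLocker status of the OS drive thrown in. It assumes it is run on the endpoint itself in a PowerShell prompt; the BitLocker check needs the built-in BitLocker module (Pro or higher) and an elevated prompt.

```powershell
# Added example (not from the original post): quick posture check for one Windows PC.
# Run on the endpoint. Elevate the prompt if you want the BitLocker status.
function Get-DevicePosture {
    # dsregcmd /status prints "Key : Value" lines; pull out the join flags.
    $status = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*(AzureAdJoined|WorkplaceJoined|DomainJoined)\s*:\s*(YES|NO)') {
            $status[$matches[1]] = ($matches[2] -eq 'YES')
        }
    }
    $joinType = if ($status['AzureAdJoined']) {
        if ($status['DomainJoined']) { 'Hybrid Entra joined' } else { 'Entra joined' }
    } elseif ($status['WorkplaceJoined']) {
        'Entra registered (personal / BYOD)'
    } else {
        'Not joined or registered'
    }

    # Edition as Windows reports it (e.g. "Microsoft Windows 11 Pro" vs. "... Business").
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Is the current user a direct member of the local Administrators group?
    # Compare by SID as well as by name so local and Entra accounts both match.
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = $false
    try {
        $isAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
            Where-Object { $_.SID.Value -eq $identity.User.Value -or $_.Name -eq $identity.Name })
    } catch {
        # Orphaned SIDs in the group can make this cmdlet throw; report unknown rather than false.
        $isAdmin = $null
    }

    # BitLocker on the OS drive; requires the BitLocker module and elevation.
    $protection = try {
        (Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop).ProtectionStatus
    } catch { 'Unknown (module missing or not elevated)' }

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        JoinType          = $joinType
        Edition           = $os.Caption
        SignedInUser      = $identity.Name
        UserIsLocalAdmin  = $isAdmin
        OsDriveProtection = "$protection"
    }
}

Get-DevicePosture | Format-List
```

Two caveats when reading the output: a WorkplaceJoined device can still be Intune enrolled, so "Entra registered" tells you ownership, not whether MDM is present; and on Entra joined machines an administrator may hold the right through an Entra role SID in the Administrators group rather than a direct entry for their own account, so a `False` here is not proof they cannot elevate. For a whole fleet, the same join and ownership data is in the Intune device list; this script is for the one-off "what is this laptop, really?" question.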

You might think, “Why not just have users join their personal computers then?”

Well, technically that would work, I suppose: it gives the organization back these controls and lets it use its full licensed feature set. But then the question becomes, if the org controls the device now, shouldn't it own it as well? How is this going to work? Is the organization going to buy the device from the end user, or provide some kind of monthly reimbursement or technology stipend?

And what happens if a user is terminated or moves on to another job? There could still be corporate apps and data on that device, and of course you would not want it to remain joined to the tenant. You would have to insist on a factory reset/wipe/reload for every departure event, and now you are in a really sticky place, since you might be destroying personal data in the process as well. The whole situation would feel very intrusive and overbearing to most end users.

What about MFA, is this “good enough” security?

Moving on to your next question(s). Multi-factor authentication, while very important, is not a strategy in and of itself. Even if you went to 100% phishing-resistant authentication, you still are not addressing the risks of an unmanaged, unprotected device. Malware running on the endpoint sits behind the sign-in: it can read whatever the signed-in user can read, and it can lift the session tokens that MFA has already issued, so the strength of the login does not help you once the machine itself is compromised.

A number of years ago, I attended a cybersecurity conference where the keynote speaker said that something like 80% of all malware incidents could be mitigated simply by removing local admin rights. So think not only of ransomware but also of keyloggers, screen grabbers, and so on; all types of malware can cause real damage to a business. The more you can control the device, the more you can reduce these very real risks.

Doesn’t Microsoft make MAM specifically for personal devices?

Yes, Microsoft does provide us with this "soft management" option; however, I would suggest it is more appropriate on personally owned mobile devices (iOS or Android) than on Windows computers. The reason is that we can achieve much better isolation of corporate apps and data on the mobile platforms, including the ability to remotely wipe only the corporate data.

As regards MAM for Windows, Microsoft's first attempt (a.k.a. Windows Information Protection) basically flopped, and it has since been deprecated. The replacement, Intune MAM for Windows (which at present applies app protection policies to Microsoft Edge only), is so far also looking like a flop, and not something I would recommend to my customers at this time.

I would also add that MAM is addressing a fairly narrow band of concerns (to be fair, the most common concerns around mobility are being addressed). For certain organizations, their risk tolerance may be such that it would not allow for only MAM. In such cases, they are likely to also deploy corporate owned and fully managed mobile devices (e.g., via Apple Business Manager and Microsoft Intune).

That having been said, I think the vast majority of small businesses are comfortable allowing employees to access their Outlook email and calendar items on a personal mobile device while having MAM and MFA in place to protect the application and data. They will get:

  • Strong authentication required for access
  • PIN or biometric requirements to access the app
  • Data encryption requirement
  • Ability to prevent copy/paste/save to non-corporate apps or data locations
  • Ability to remotely wipe only the corporate data w/o harming personal data
  • Ability to block access to the app on jailbroken/rooted devices
  • (Optional) Ability to require Defender device threat level compliance
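Here is what that bullet list looks like as an actual policy. This is an added example, not code from the original post: it uses the Microsoft Graph PowerShell module to create an iOS app protection policy with the settings listed above, targets it at Outlook for iOS, and assigns it to a group. The group ID and policy name are placeholders you would replace; the beta endpoint is used because it carries the full property set. My reading of the Graph schema is that `deviceComplianceRequired` is the property behind the "Jailbroken/rooted devices" conditional launch row; export an existing policy from your own tenant to confirm before relying on it.

```powershell
# Added example (not from the original post): build the MAM policy described above via Graph.
# Requires: Install-Module Microsoft.Graph (Invoke-MgGraphRequest ships with it).
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"

$graph   = "https://graph.microsoft.com/beta/deviceAppManagement"
$groupId = "00000000-0000-0000-0000-000000000000"   # assumption: your "BYOD mobile users" group

$policy = @{
    "@odata.type" = "#microsoft.graph.iosManagedAppProtection"
    displayName   = "BYOD iOS - Outlook (example)"
    description   = "MAM-WE baseline for personal iPhones and iPads"

    # PIN or biometric required to open the app
    pinRequired        = $true
    minimumPinLength   = 6
    simplePinBlocked   = $true
    maximumPinRetries  = 5
    fingerprintBlocked = $false
    faceIdBlocked      = $false

    # Encrypt org data at rest while the device is locked
    appDataEncryptionType = "whenDeviceLocked"

    # Keep org data inside managed apps: no save-as, no copy/paste out, no backup, no print
    saveAsBlocked                           = $true
    allowedOutboundDataTransferDestinations = "managedApps"
    allowedInboundDataTransferSources       = "managedApps"
    allowedOutboundClipboardSharingLevel    = "managedAppsWithPasteIn"
    dataBackupBlocked                       = $true
    printBlocked                            = $true

    # Conditional launch: block jailbroken devices (see lead-in), re-check access regularly,
    # and selectively wipe org data if the app has been offline for 90 days
    deviceComplianceRequired          = $true
    periodOnlineBeforeAccessCheck     = "PT30M"
    periodOfflineBeforeAccessCheck    = "PT12H"
    periodOfflineBeforeWipeIsEnforced = "P90D"
}

# 1. Create the policy
$created = Invoke-MgGraphRequest -Method POST -Uri "$graph/iosManagedAppProtections" -Body $policy

# 2. Target Outlook for iOS (Microsoft's published bundle identifier)
$apps = @{
    apps = @(
        @{ mobileAppIdentifier = @{
            "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"
            bundleId      = "com.microsoft.Office.Outlook" } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/iosManagedAppProtections/$($created.id)/targetApps" -Body $apps

# 3. Assign the policy to the BYOD group
$assign = @{
    assignments = @(
        @{ target = @{
            "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
            groupId       = $groupId } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/iosManagedAppProtections/$($created.id)/assign" -Body $assign
```

Two things to remember when you do this for real. First, a MAM policy on its own is advisory; it only bites when a Conditional Access policy requires an app protection policy for the mobile platforms, otherwise a user can simply open mail in the native iOS client. Second, the optional Defender threat-level check in the last bullet is a separate set of properties (the mobile threat defense conditional launch settings) that only makes sense once Defender for Endpoint is actually installed on the phones, so it is left out of this baseline.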

When it comes to Windows devices, I would recommend enrolling them into Microsoft Intune even if they are personally owned. But my first choice would be not to allow personal PCs at all.

The inescapable conclusion

As I mentioned before, your best shot at reducing risk will always be owning and managing the device. However, when it comes to personal mobile devices, you would be correct in observing that most SMBs are still going to be comfortable enough with the MAM solution. I think it is confusing to some business owners why this wouldn’t translate to personal computers, too.

Unfortunately, that is simply where the technology stands today: I have not seen anything from Microsoft that does for Windows exactly what MAM does on mobile devices. As well, on Windows we generally have more attack surface, more risk to manage, and a little less tolerance for that risk. All of this adds up to one inescapable conclusion: it is best to recommend company owned PCs (i.e., Entra-joined and Intune-managed), assuming we want to provide a solid foundation of security for our clients.
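The recommendation only means something if Conditional Access enforces it. The following is an added example, not code from the original post: it creates two Conditional Access policies through Microsoft Graph that implement the conclusion above, one that lets Windows in only from an Intune-compliant device (which in practice means company owned, Entra joined and managed) and one that lets iOS/Android in from either a compliant device or an app protection policy. Both are created in report-only mode. The break-glass group ID and policy names are placeholders you would replace.

```powershell
# Added example (not from the original post): enforce "company owned PCs, MAM is fine on phones".
# Requires: Install-Module Microsoft.Graph. Policies start in report-only mode on purpose.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # assumption: group holding your emergency access accounts

function New-DevicePolicy {
    param(
        [string]   $Name,
        [string[]] $Platforms,   # Graph platform values: windows, iOS, android, macOS, linux
        [string[]] $Controls     # Graph builtInControls: compliantDevice, compliantApplication, mfa, block, ...
    )
    $body = @{
        displayName = $Name
        # Review the sign-in logs in report-only mode first, then change this to "enabled".
        state       = "enabledForReportingButNotEnforced"
        conditions  = @{
            clientAppTypes = @("all")
            users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
            applications   = @{ includeApplications = @("All") }
            platforms      = @{ includePlatforms = $Platforms }
        }
        # "OR" means any one of the listed controls satisfies the policy.
        grantControls = @{ operator = "OR"; builtInControls = $Controls }
    }
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
        -Body $body
}

# Windows: compliant (Intune-managed, company owned) device only. No personal, unmanaged PCs.
New-DevicePolicy -Name "CA - Windows requires compliant device (example)" `
    -Platforms @("windows") -Controls @("compliantDevice")

# Phones and tablets: company owned and compliant, OR personal with an app protection policy applied.
New-DevicePolicy -Name "CA - Mobile requires compliant device or app protection (example)" `
    -Platforms @("iOS", "android") -Controls @("compliantDevice", "compliantApplication")
```

Two caveats a practitioner will want. The "require app protection policy" control is only honoured by Intune-aware apps on iOS and Android (Outlook, Edge, the Office apps and so on), so never add it to the Windows policy; it would just block everyone. And because these policies are scoped by platform, a client that cannot report its platform is not covered by either one, which is why most tenants pair them with a third policy that blocks the "unknown or unsupported" platform outright.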

At the same time, it is also true that security is always a choice. So, here is a table that summarizes what you are “leaving behind” when you opt for personal devices over corporate ones:

Table describing personal vs. corporate devices

I hope that answers your questions. Best of luck in your future communications and painting a picture of value to the customer!

Comment (1)

  • dwd8d83913a60ba

    As always Alex, you put together a great post that makes it clear for us. In my particular case, I will not take a new client on unless they agree to this up front: all Windows devices must be company owned and enrolled. No access via Windows is possible without being on a managed/compliant device. Period. If they balk, I move on. It's non-negotiable. I would rather focus on clients who care about security and trust me to help them navigate the always changing security landscape. It's not worth the extra $ in my opinion.

    June 29, 2024 at 2:43 pm
