Semi-Managed Devices Are More Common Than Ever. We Aren’t Adequately Securing Them

(December 8, 2025)

Security professionals used to think about endpoints in black and white. On one side were fully managed devices: the corporate laptop, locked down with group policies and running security agents that were patched on schedule. On the other were unmanaged devices: the bring-your-own laptop, tablet, or mobile phone, completely outside IT’s purview.

But in between, there sits a vast and growing middle ground: the semi-managed device. 

These are personal endpoints under partial company control. A phone enrolled in mobile device management (MDM), a home PC with a corporate enclave, or a contractor laptop subject to minimal posture requirements. They’re not unmanaged, but they’re far from locked down. And they are everywhere. 

Employees juggle personal and work devices, contractors log in from their own laptops, offshore BPOs operate out of call centers with uneven IT standards, and healthcare workers access records from home tablets. Semi-managed endpoints are powering the modern workforce, and they’ve created a real challenge for IT security teams.

Take the 2024 attack on a popular cloud data storage platform, when bad actors used credentials stolen by infostealer malware on contractors’ and employees’ machines, quietly harvesting data before compromising dozens of tenants. Or when cybercriminals infiltrated a multinational media conglomerate by exploiting vulnerabilities in an employee’s personal gaming computer via a popular enterprise messaging tool. Or when attackers infected an engineer’s home computer with keylogger malware, bypassing MFA controls to expose a leading password manager’s vault data. 

These incidents demonstrate how costly this middle ground can be when it is not secured properly.

Why are semi-managed devices so hard to secure?

First, the line of control is blurry. IT can enforce some policies, like MDM enrollment or required extensions. However, it can’t manually enforce patching or OS updates. Nor can it dictate what else runs on the machine. 

Spotty compliance exacerbates this issue. Enterprises often require contractors or employees to maintain encryption, screen locks, or firewalls, but they don’t always audit those requirements. In practice, many users fall short; in my role as a field CTO, I’ve spoken with companies that found 80% of their contracted BPO machines were out of compliance.

Networks are another persistent challenge. Even if the device has been properly locked down, there’s no guarantee that a call center’s LAN or a café’s Wi-Fi is up to snuff. Too often, IT has no visibility into the environment where users access sensitive apps. 

Attackers love this gray zone, using malicious browser extensions or infostealer malware to quietly capture credentials or keystrokes that are later reused in large-scale breaches. Neither the Snowflake nor the LastPass incident began with a zero-day exploit or a nation-state backdoor. Both started on semi-managed or personal devices where oversight was partial at best.

Then there are the semi-managed versions of the consumer browser. Both Microsoft and Google offer the ability to enroll their respective consumer browsers into an enterprise policy. The main purpose is to let IT teams centrally manage, configure, and secure some of the browser’s settings, updates, and policies across a large organization, often by leveraging existing device management tools like Microsoft Intune or Google Workspace.

But these solutions do little if anything to harden or protect the underlying browser itself, which is still a consumer-focused Chromium product. They provide a loose policy enforcement layer within the browser, but they do nothing to extend control beyond web actions to the underlying endpoint. For BYOD use cases, contractors, and third-party users, this form of semi-managed device or application fails to deliver the connectivity, data protection, and workforce productivity capabilities that the modern workforce needs.

How to protect semi-managed devices

Traditional endpoint management approaches are struggling to secure our semi-managed modern workplace. Too many of these tools require full OS control, which many security teams don't have. Others treat the device as untrustworthy and block access altogether, which creates a poor end-user experience that hinders productivity. The gray middle requires a more nuanced security approach. 

First, organizations need stronger contractual oversight of third parties and BPOs. Standards for encryption, firewalls, screen locks, and more must be written into agreements, then regularly audited and enforced. Device posture should be assessed continuously, and the verdict of that assessment should drive dynamic policy.

Dialing in from a coffee shop Wi-Fi? Maybe sensitive data is redacted at the last mile to protect against shoulder surfers. Endpoint disk encryption is disabled? Prohibit any data from being saved to the local file system, and redirect all file actions to sanctioned secure cloud storage.

Organizations should also assume any network might be hostile, whether it’s a home network without password protection or a shared network used during a coffee break or a business trip. Enterprises should route data through secure paths independent of the underlying connection.

In addition, access should be tiered. Not every user needs the same level of exposure to sensitive data. Companies should carefully calibrate privilege between lines of business, locations, employees, contractors, and partners.

Lastly, security teams should shift their focus for semi-managed devices from the operating system to the presentation layer. Securing semi-managed devices at the last mile enables IT teams to redact sensitive fields, block risky downloads, and take numerous other real-time measures to prevent risky behaviors and unauthorized access. 

In effect, presentation-layer governance brings the controls that IT can’t reliably apply to the whole device into the place where work actually happens—creating a secure enclave for sensitive work, regardless of the state of the device it runs on.
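As an added illustration (not code from the article or any vendor), here is a small Python posture-to-policy engine for the approach laid out above: constructed posture signals for a session drive both the access tier and the presentation-layer controls (field redaction, blocked local saves, redirected file actions), and a fleet-level check reports how many devices fall short of the contractual baseline. All signal names, tier values and control names are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Posture:
    """Constructed posture signals an MDM agent or browser policy layer might report."""
    identity: str        # "employee", "contractor" or "partner" (assumed labels)
    mdm_enrolled: bool
    disk_encrypted: bool
    screen_lock: bool
    firewall_on: bool
    network: str         # "corporate", "home" or "public" (assumed labels)

def is_compliant(p: Posture) -> bool:
    """Contractual baseline every semi-managed device must meet (assumed requirements)."""
    return p.disk_encrypted and p.screen_lock and p.firewall_on

# Highest data tier each identity may reach when posture is clean (assumed tiering).
BASE_TIER = {"employee": 3, "contractor": 2, "partner": 1}

def decide(p: Posture) -> dict:
    """Map one posture verdict to a data tier plus presentation-layer controls."""
    tier = BASE_TIER.get(p.identity, 0)
    controls = set()
    if not p.mdm_enrolled:
        tier = min(tier, 1)                        # no management hook: lowest tier only
    if p.network != "corporate":
        controls.add("tunnel_traffic")             # assume any outside network is hostile
    if p.network == "public":
        controls.add("redact_sensitive_fields")    # shoulder-surfing risk at the last mile
    if not p.disk_encrypted:
        controls.add("block_local_save")           # nothing lands on an unencrypted disk
        controls.add("redirect_files_to_cloud")
    if not p.screen_lock:
        controls.add("short_idle_timeout")
        tier = min(tier, 1)
    if not p.firewall_on:
        controls.add("block_downloads")
    return {"tier": tier, "controls": sorted(controls)}

def noncompliance_rate(fleet: list[Posture]) -> float:
    """Share of devices failing the baseline: the audit figure contracts should require."""
    return sum(not is_compliant(p) for p in fleet) / len(fleet) if fleet else 0.0

# Constructed sample fleet: one clean employee laptop, two contractor machines, one partner.
FLEET = [
    Posture("employee", True, True, True, True, "corporate"),
    Posture("contractor", True, False, True, False, "public"),
    Posture("contractor", False, True, False, True, "home"),
    Posture("partner", True, True, True, True, "home"),
]
```

Running `decide` over each device in `FLEET` shows the unencrypted contractor machine on public Wi-Fi picking up redaction plus blocked local saves, while `noncompliance_rate(FLEET)` gives the fleet-wide audit figure.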

Semi-managed devices require a full mindset shift

The old binary of “managed vs. unmanaged” endpoints fails to capture the reality of today’s workforce. “Semi-managed” is emerging from the gray space in between and becoming a dominant feature of the modern enterprise. The average enterprise security team may be tasked with securing thousands of such devices, old and new, patched and out of date, on secure networks and shared LANs, for employees and contractors, in offices and homes around the globe.

For too long, semi-managed has meant semi-secured. That’s not good enough. The lesson from the attacks on the data storage platform, the media giant, the password manager, and countless others is clear: attackers thrive in the gray zone. Unless security teams explicitly secure this middle space, they’ll continue to see breaches rooted in devices they only partly control. They should start at the presentation layer, where work happens, and where security must live.