A domain-joined Windows laptop in 2026 is the same security posture as a domain-joined Windows laptop in 2015 — full trust the moment it shows up on the VPN. If you haven't changed that model, the blast radius of a single phished employee is still your entire internal network. That isn't a configuration problem. It's an architectural one.
The endpoint is a perimeter segment, not a trusted island. It should prove its identity, prove its compliance, and keep proving both every time it touches a resource. The tooling for this has existed for five years. Most enterprises are still configuring it like it's 2015.
Intune and Jamf: the reality, not the brochure
Microsoft Intune handles Windows, macOS, iOS, Android, Linux (sort of). Jamf does macOS and iOS brilliantly and everything else reluctantly. Most enterprises end up running both. That's fine. What isn't fine is running them as asset management tools instead of security posture engines.
A baseline Intune configuration that actually moves the needle:
- Compliance policy enforcing disk encryption, OS version floor, firewall on, Defender signatures current, jailbreak/root detection.
- Configuration profiles for CIS benchmark baselines — not in "audit mode," in enforcement.
- App protection policies on mobile so corporate data can't cross into personal apps.
- Autopatch for Windows, not WSUS, not "we'll get to it."
If your MDM fleet report shows 90%+ compliance, you're probably measuring the wrong things. Realistic orgs sit at 70-85% on meaningful compliance checks because endpoints drift, users defer updates, and agents fail. The goal isn't 100%. The goal is that non-compliance has consequences.
Device compliance as a Conditional Access signal
This is where endpoint management stops being IT hygiene and becomes security architecture. Entra ID Conditional Access (or Okta Device Trust, or equivalents) lets you say:
Access to Salesforce requires: a known user, MFA within 8 hours, a managed device, device compliance = true, sign-in risk = low.
If any one of those fails, access is denied. This is zero trust for endpoints in practice. It's not a product you buy; it's a set of policies wired between your IdP, your MDM, and your sensitive applications.
The failure mode: compliance signals exist, but nothing consumes them. Intune says the laptop is non-compliant; Salesforce doesn't know or care. Close that loop. It's often a weekend of configuration work you've been putting off for a year.
BYOD, honestly
Most BYOD policies are fiction. "Employees can use personal devices if they install our MDM profile" — and then no one does, and sensitive email flows through them anyway. The honest options are:
- App-level containerization. iOS/Android work profiles, Intune App Protection Policies. Corporate data lives in managed apps. Personal data is untouched. This works.
- Browser-based isolation. Island, Talon, Microsoft Edge for Business with disk-write restrictions. For contractors and occasional-access users, a managed browser on an unmanaged device is a reasonable middle ground.
- VDI or CloudPC. When the device can't be trusted at all, send the user to Windows 365 or AVD. The endpoint becomes a display, not a data store.
- No BYOD. Sometimes the right answer. Not as unpopular as HR thinks, if you ship the hardware quickly.
What doesn't work: pretending personal devices are managed because someone clicked "I agree" on a policy PDF.
Trust scoring and unmanaged reality
No matter how good your program is, 5-15% of the devices touching your data will be unmanaged — contractors, M&A inheritances, service accounts on random VMs, that one executive's iPad. A mature endpoint strategy accepts this and scores trust continuously:
- Signals: managed state, compliance, sign-in risk, user risk (Entra ID Protection), EDR telemetry, geo/velocity anomalies.
- Tiered access: read-only for medium-trust, full access for high-trust, step-up auth for sensitive actions regardless of tier.
- EDR (CrowdStrike, Defender for Endpoint, SentinelOne) feeding the same decision — a device with an active detection should lose access the moment the detection fires, not after the analyst triages.
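To make the Conditional Access rule above and the tiered trust model concrete, here is an added example (not code from the post, Entra ID, or any MDM): a small policy evaluator that turns the listed signals into an access tier, with hard denies for stale MFA, high risk and active EDR detections, read-only for medium trust, and step-up for sensitive actions. The signal names, the four-point score and the tier cut-offs are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

MFA_MAX_AGE_HOURS = 8          # "MFA within 8 hours"


class Tier(Enum):
    DENY = "deny"
    READ_ONLY = "read-only"    # medium trust
    FULL = "full"              # high trust


@dataclass
class Signals:                 # assumed signal set, fed by IdP, MDM and EDR
    user_known: bool
    mfa_age_hours: Optional[float]  # None: no MFA on this session
    managed: bool                   # enrolled in Intune/Jamf
    compliant: bool                 # MDM compliance flag
    sign_in_risk: str               # "low" | "medium" | "high"
    user_risk: str                  # "low" | "medium" | "high"
    active_edr_detection: bool      # EDR has an open detection on the device


def evaluate(s: Signals, sensitive_action: bool = False) -> Tuple[Tier, bool, str]:
    """Return (tier, step_up_required, reason). Hard denies win over scoring."""
    if s.active_edr_detection:      # lose access when the detection fires
        return Tier.DENY, False, "active EDR detection"
    if not s.user_known:
        return Tier.DENY, False, "unknown user"
    if s.mfa_age_hours is None or s.mfa_age_hours > MFA_MAX_AGE_HOURS:
        return Tier.DENY, False, f"MFA missing or older than {MFA_MAX_AGE_HOURS}h"
    if "high" in (s.sign_in_risk, s.user_risk):
        return Tier.DENY, False, "high sign-in or user risk"
    # Continuous trust score: each positive signal adds one point (assumed weighting).
    score = sum([s.managed, s.compliant,
                 s.sign_in_risk == "low", s.user_risk == "low"])
    if score == 4:
        tier = Tier.FULL
    elif score >= 2:
        tier = Tier.READ_ONLY       # e.g. unmanaged contractor laptop, low risk
    else:
        return Tier.DENY, False, f"trust score {score} too low"
    # Step-up auth for sensitive actions regardless of tier.
    return tier, sensitive_action, f"trust score {score}"


def salesforce_allowed(s: Signals) -> bool:
    """The strict rule from the text: only the high-trust tier gets in."""
    return evaluate(s)[0] is Tier.FULL
```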
The takeaway: Device compliance is only as valuable as the access decisions it gates. If your MDM reports aren't feeding your IdP's policy engine, you're running asset management with a security budget. Close the loop, enforce on the result, and accept that unmanaged devices exist — then price access to them accordingly.