5 Unmanaged Device Security Solutions: From MDM to Secure Local Workspaces
Ninety percent of organizations allow access to corporate data from personal devices. The logic is straightforward: hiring globally, supporting contractors, enabling BYOD, and reducing hardware costs all require some tolerance for devices the company does not own. The problem is that device ownership and security governance have traditionally been treated as the same thing — and for unmanaged devices, they are not.
The question is not whether to allow unmanaged device access. For most distributed organizations, that decision is already made. The question is which unmanaged device security solution actually works — and works in an environment where you cannot simply mandate full device control.
This article compares five approaches: Mobile Device Management, Virtual Desktop Infrastructure, Zero Trust Network Access, Enterprise Browsers, and Secure Local Workspaces. Each has a different philosophy, a different cost structure, and a different fit for real-world contractor and BYOD environments.
Understanding the Unmanaged Device Challenge
Unmanaged devices include personal laptops, contractor-owned equipment, partner and vendor devices, and any other endpoint not enrolled in the organization’s device management program. They are, by definition, everywhere.
Remote and hybrid work has made unmanaged devices standard operating conditions rather than exceptions. Contractors and gig economy workers prefer their own familiar tools. International hiring makes device shipping impractical. Cost-conscious organizations avoid the per-device hardware spend.
The security risks are real: data leakage from work and personal data mixing on the same device; compromised devices with outdated software or weak credentials; compliance gaps where controls cannot be demonstrated on devices you don’t manage; and incident response limitations when you cannot investigate a device you don’t control.
The challenge is bridging the gap between what security requires and what device ownership actually allows. Not every approach closes that gap cleanly.
Solution 1: Mobile Device Management (MDM)
MDM solutions — Microsoft Intune, Jamf, VMware Workspace ONE — give IT comprehensive control over enrolled devices. Policies can be pushed, applications deployed, compliance enforced, and devices remotely wiped. For company-owned devices, MDM is the right tool.
For unmanaged devices, MDM consistently fails at the adoption stage. Research indicates that only 44% of workers would allow MDM on a personal device, and that figure is lower for contractors who have clearer legal standing over their own equipment. A device cannot be enrolled in more than one MDM simultaneously, which further complicates contractor scenarios where someone works with multiple clients.
When MDM is mandated for contractors, the typical outcomes are rejection, delay, or compliance theater — contractors who install it grudgingly but work around it wherever possible. The security outcome is weaker than a purpose-built alternative, and the cost in operational friction and goodwill is significant.
Best Fit for MDM
Company-owned devices, not BYOD. Employees in high-security roles who understand and accept the full device management requirement. Not appropriate for contractors, offshore teams, or any scenario where the user has legitimate grounds to refuse device management.
Solution 2: Virtual Desktop Infrastructure (VDI)
VDI delivers a fully managed remote desktop environment to any device. Citrix, VMware Horizon, and Azure Virtual Desktop are the dominant providers. Because all applications and data live in the datacenter, the endpoint is essentially a display terminal — nothing sensitive ever touches the unmanaged device.
The security logic is sound. The operational reality is harder to defend. VDI costs typically run $40–150 per user per month, and that is before infrastructure investment in servers, storage, and network capacity. For contractor-heavy organizations, that cost model compounds quickly.
User experience is the other persistent problem. Latency — even modest latency — fundamentally degrades productivity for knowledge workers who need responsive tools. A global aircraft manufacturer tested VDI for a remote contractor workforce and found that contractors struggled with lag and limited access to the tools required for their work. The organization ultimately replaced VDI with Blue Border™, enabling the same workforce to work natively with zero latency on their own devices.
Best Fit for VDI
Legacy application environments that cannot run outside a centralized datacenter. Maximum isolation requirements in highly regulated settings. Organizations with existing VDI infrastructure extending access to a new use case. Not the right choice when cost, user experience, or deployment speed is a constraint. Not ideal for applications that can run locally on a user's desktop or that depend on responsiveness (for example, real-time communication apps such as Zoom, Slack, and Teams).
Solution 3: Zero Trust Network Access (ZTNA)
ZTNA, often delivered as part of a SASE platform, replaces broad VPN access with identity-based access to specific applications. Providers including Zscaler, Cloudflare Zero Trust, and Palo Alto Prisma grant access to the minimum set of applications a user needs, with the user and device verified continuously rather than trusted after an initial login.
ZTNA is an important architectural component of a modern security stack. It reduces the attack surface significantly compared to traditional VPN, eliminates the lateral movement risk that comes with broad network access, and works on any device regardless of management status.
The critical limitation: ZTNA controls access, not data. Once a user accesses an application through ZTNA, what they do with that data on their local device is outside ZTNA’s scope. There is no DLP enforcement, no isolation of work data from personal data, and no protection against exfiltration through the endpoint. ZTNA answers the question of who gets in. It does not answer what they do once they are there.
Best Fit for ZTNA
As a layer within a broader security architecture — not as a standalone unmanaged device security solution. ZTNA pairs well with secure workspace technology: ZTNA governs access at the network level; the secure workspace governs data at the endpoint level. Together they address both dimensions of the problem.
Solution 4: Enterprise Browsers
Enterprise browsers — Island, Palo Alto’s Prisma Access Browser, LayerX, Chrome Enterprise — add policy enforcement, DLP, and audit capabilities at the browser layer. They are non-invasive to the device, fast to deploy, and effective for web-heavy workflows.
The adoption friction is real but manageable: users must switch browsers or install a managed extension, which creates some resistance. The more fundamental limitation is scope. Modern knowledge workers use a mix of web applications and desktop applications — Slack desktop, VS Code, Microsoft Office, Adobe tools, custom internal applications. Enterprise browsers protect the browser; everything else runs unprotected.
For organizations with strictly web-based workflows, an enterprise browser is a credible option. For most distributed contractor environments, the desktop application gap is too significant to ignore.
Best Fit for Enterprise Browsers
Web-only workflows. SaaS-heavy organizations where all work happens in the browser. Supplemental coverage for specific high-risk browser activities. Not sufficient as a primary unmanaged device security solution for workforces with desktop application requirements.
Solution 5: Secure Local Workspaces — The Recommended Approach
A secure local workspace creates an isolated, encrypted environment on the user’s own device. All work activity runs inside this company-controlled secure enclave — browser and desktop applications alike. The personal side of the device is completely private and invisible to IT.
Blue Border™ by Venn is purpose-built for unmanaged device security. The Venn agent installs on any PC or Mac in approximately five minutes. Once authenticated, a blue line visually frames all applications running inside the work environment. Work data is encrypted, DLP policies apply across all applications, and access is governed by IT-defined controls.
What the Secure Local Workspace Covers
All browsers — Chrome, Firefox, Safari, Edge — running inside the enclave. All desktop applications — Slack, VS Code, Office, Adobe, custom internal tools. All local files within the workspace. Cloud applications accessed from the device. Data flow controls: copy-paste between work and personal, screenshots, downloads, printing.
What the Secure Local Workspace Does Not Touch
Personal files and applications are completely private. Personal browsing is invisible to IT. Personal communications are not accessible. Device settings outside the workspace are not affected. Location when not working is not tracked. This boundary is not a policy statement — it is technically enforced.
Real-World Performance
Because applications run locally on the user’s device, performance is native. There is no lag, no latency, and no dependency on network quality for basic application function. Contractors working internationally — in Europe, Asia, South America — have the same experience as those working domestically.
An international financial firm with nearly $300 billion in assets used Venn to eliminate hardware shipping across a global contractor workforce. A company facing $200,000 in projected laptop spend for a contractor cohort chose Blue Border™ instead, eliminating that cost entirely. A global aircraft manufacturer secured more than 7,000 remote employees, contractors, and suppliers in a single deployment.
Best Fit for Secure Workspaces
Contractor and third-party workforces. BYOD programs. Mixed web and desktop application environments. Organizations that need to onboard quickly, control costs, and maintain compliance on devices they do not own. The model addresses all five dimensions — coverage, privacy, user acceptance, cost, and deployment speed — that other approaches trade off against each other.
How to Choose the Right Approach
Start with the User
Whose devices are they? Employees on company-owned equipment → MDM. Contractors on personal laptops → Secure Workspace. A mix → Secure Workspace for unmanaged devices, MDM for company-owned.
Consider the Application Mix
Web-only workflows can be addressed by enterprise browsers. Mixed web and desktop environments need a secure workspace. Legacy application dependencies that cannot be modernized may require VDI for that specific application.
Factor in Deployment Speed
If you need to secure a contractor cohort this week — not in a month — secure workspace technology or enterprise browsers are the only realistic options. VDI and MDM infrastructure takes time. Secure workspace deployment is measured in minutes per user.
The Recommended Stack for Most Organizations
Core: Secure Workspace — protects unmanaged devices comprehensively, with high user acceptance, native performance, and no infrastructure requirements. Layer: ZTNA — adds application-level access control and reduces the attack surface at the network level. Optional: Enterprise Browser — for organizations with specific high-risk browsing scenarios or GenAI governance needs.
Frequently Asked Questions
What’s the Difference Between Securing an Unmanaged Device and Managing It?
Managing a device means controlling it — configuration, applications, policies across the entire endpoint. Securing an unmanaged device means protecting the work that happens on it without taking control of the whole thing. MDM does the former. Secure workspaces do the latter. The distinction matters because contractors will accept the second approach and reject the first.
Can a Secure Workspace Meet Compliance Requirements Without MDM?
Yes. Blue Border™ supports HIPAA, PCI-DSS, SOC 2, FINRA, and GDPR compliance requirements through encrypted work data, DLP controls, access management, and audit logging. Compliance frameworks care about whether data is protected — not whether the entire device is managed. A secure workspace provides defensible, auditable controls on the work environment that compliance assessors consistently accept.
What Happens When an Unmanaged Device Is Lost or Stolen?
With a secure workspace, IT can revoke access remotely and remove the enclave from the device. Work data is gone. Personal data is unaffected. With MDM on a personal device, a remote wipe would destroy everything — which is both legally problematic and technically far more invasive than necessary. The precision of the secure workspace model matters most in exactly these situations.
The Bottom Line
Unmanaged devices are the standard operating environment for modern distributed workforces. The security approaches designed for company-owned endpoints — MDM, VDI — carry cost and adoption tradeoffs that make them poor fits for most contractor and BYOD scenarios.
Secure local workspaces flip the model: instead of trying to make unmanaged devices managed, they govern work precisely where it happens, inside the workspace, while leaving everything else untouched. That precision is what makes contractor and BYOD security actually work: security and governance apply only in a work context.
Five solutions exist. Each has tradeoffs. For most distributed organizations dealing with unmanaged device security across a contractor or BYOD workforce, the secure workspace is the strongest foundation — and Blue Border™ is purpose-built for exactly that problem.
Ready to secure your unmanaged devices without the complexity? Request a Venn demo at venn.com/request-a-demo and see how Blue Border™ secures work on any PC or Mac — without VDI, without MDM, and without asking users to hand over their personal device.