How to deal with unmanaged devices in the enterprise
Unmanaged devices present numerous risks, but how did they gain access to the network without any management in place? IT should learn how this happens and what to do when it does.
Detecting and addressing any unmanaged devices on an organization's network is important for both the overall security posture and its regulatory compliance.
Unmanaged devices pose numerous threats ranging from the introduction of malware to data leakage. Fortunately, there are ways to find and enroll the unregistered devices on the network.
What exactly are unmanaged devices, and how do they happen?
Early on, nearly all devices on a Microsoft network were managed. Windows PCs were almost always domain joined, and the domain controllers would push group policy settings to the PCs. This ensured that the PCs adhered to the organization's security requirements.
Over time, it became common for organizations to have non-Windows devices on their network. Such devices could not be domain joined, which led organizations to adopt mobile device management (MDM) or unified endpoint management (UEM) systems. When a device is connected to one of these systems, it goes through an enrollment process that ensures the device undergoes basic health checks and receives the required security policy settings. An unmanaged device is a device that has not been enrolled in an MDM, UEM or Active Directory (AD) domain. Such devices must rely solely on their own internal security settings, which might or might not be adequate.
There are several different ways that an unmanaged device can be connected to your network. The easiest way for an unmanaged device to connect to the company network is through your own Wi-Fi network.
During the pandemic when nearly everyone was working remotely, organizations commonly set up VPNs with adjoining network access control (NAC) services. NAC software is commonly used in BYOD environments and is designed to apply various policies and to perform health checks on BYOD devices. For example, if a user were to connect to a VPN using a Windows laptop, an NAC might check to make sure that the device has the Windows Firewall enabled. It could also check that the device is not missing any critical Microsoft security patches.
As helpful as NAC software can be, it is only effective if all BYOD devices are checked. Some organizations use an NAC to aggressively scan devices connecting through a VPN but neglect their local Wi-Fi networks. Hence, a user who connects a personal device to the organization's Wi-Fi might be able to use the device without having to enroll the device into the organization's UEM.
While Wi-Fi networks that are not tied to an NAC can result in unmanaged devices being present on the network, there are also other ways such devices can be present. For example, an organization might require vendors, partners and others to use a guest Wi-Fi network rather than connecting to the Wi-Fi network that is tied to their production network. However, if the guest Wi-Fi network is poorly isolated, then some of the unmanaged devices that should be isolated to the guest network might eventually access resources on the organization's production network.
When unmanaged devices connect to a network using one of the methods that has been described so far, it is typically not the end user's fault. Flaws in the network infrastructure can easily allow a user to access network resources using an unmanaged device. While such networks can conceivably be exploited by cybercriminals, end users who connect in this way do not usually have bad intent. However, the opposite can also be true. Unmanaged devices can appear on a network as a result of someone taking deliberate actions that undermine the organization's security.
As an example, a user might connect an unauthorized device to a network jack within the organization's facility. In spite of the zero-trust initiatives that have been put in place over the last few years, devices connected to an organization's wired network often receive less scrutiny than wireless devices. As such, users might connect their own unauthorized Wi-Fi routers or even set up their own VPNs as a way of circumventing inconvenient security measures.
Another way that unmanaged devices can connect to a network is through the connection of devices that cannot be enrolled through conventional means; for example, if a user -- or even the IT department -- were to connect an IoT device, that device might not be enrolled in the organization's UEM. IoT devices often lack the ability to participate in the enrollment process. Such devices can pose a significant threat to the organization's cybersecurity and are a favorite network entry point for attackers.
Why are unmanaged devices dangerous?
Unmanaged devices are extremely problematic from a security and compliance standpoint because there is no way to guarantee that they have been configured to match the organization's security requirements. Because unmanaged devices don't undergo the same health checks as managed devices, they could be infected with malware or contain other security vulnerabilities that might put the organization at risk.
Because these devices are not enrolled in the organization's UEM, MDM or AD, they are not included in any centralized reporting that the organization performs as a part of its compliance initiatives.
How to find and address all unmanaged devices
There are a few different ways to detect and deal with unmanaged devices on your network. One such technique is to use media access control (MAC) address filtering. Every network device contains a unique MAC address. There are tools that maintain a database of all the known devices on the network and the associated MAC addresses. Any device with a MAC address that is not found in the database is by definition an unknown and unmanaged device.
There are several tools that admins can use to perform MAC address filtering, but you can also use a PowerShell script to track the devices on a given network.
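The following script is an added example of the PowerShell approach just mentioned; it is not code from the article. It compares the local ARP/neighbor table (Get-NetNeighbor, NetTCPIP module) against a known-device inventory and reports every MAC address that is not in the inventory. The inventory CSV and its column names (Name, MAC) are constructed sample data.

```powershell
# Added example: flag MAC addresses seen on the network that are not in
# the known-device inventory. Assumes Windows with the NetTCPIP module.
# The inventory below is constructed sample data; replace it with your
# real export (same Name,MAC columns).
$inventoryCsv = @'
Name,MAC
FILESRV01,00-1A-2B-3C-4D-5E
PRINTER-2F,AA-BB-CC-DD-EE-01
'@
$known = $inventoryCsv | ConvertFrom-Csv

function ConvertTo-CanonicalMac {
    param([string]$Mac)
    # Strip separators and upper-case so 00:1a:2b..., 00-1A-2B... and
    # 001a2b... all compare equal.
    return ($Mac -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

$knownSet = @{}
foreach ($row in $known) { $knownSet[(ConvertTo-CanonicalMac $row.MAC)] = $row.Name }

# Keep only entries that resolved to a hardware address and drop the
# broadcast and IPv4 multicast pseudo-entries the ARP table also holds.
$neighbors = Get-NetNeighbor -AddressFamily IPv4 |
    Where-Object { $_.State -in 'Reachable','Stale','Permanent' -and
                   $_.LinkLayerAddress -and
                   $_.LinkLayerAddress -notmatch '^(FF-FF-FF-FF-FF-FF|01-00-5E)' }

$unknown = foreach ($n in $neighbors) {
    if (-not $knownSet.ContainsKey((ConvertTo-CanonicalMac $n.LinkLayerAddress))) {
        [pscustomobject]@{
            IPAddress = $n.IPAddress
            MAC       = $n.LinkLayerAddress
            Interface = $n.InterfaceAlias
            Seen      = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
        }
    }
}

if ($unknown) {
    $unknown | Format-Table -AutoSize
    # Append to a running log so repeat sightings can be reviewed later.
    $unknown | Export-Csv -Path .\unmanaged-devices.csv -NoTypeInformation -Append
} else {
    Write-Host 'No unknown MAC addresses seen from this host.'
}
```

The ARP table only lists hosts on the same broadcast domain that this machine has recently exchanged traffic with, so run it from a host on each VLAN (or feed it a switch's MAC address table) rather than treating one run as a full inventory.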
Similarly, there are several good network inventory tools that can help identify the devices on a network. While such tools also tend to use MAC addresses for device identification, network inventory tools tend to be a little bit easier to use than network monitoring tools.
Some organizations have also been known to use AI-based user and device behavior analytics as a means for detecting unmanaged devices. The basic idea behind this concept is that managed devices all behave in a certain way, so unmanaged devices stand out from the norm with regard to their behavior on the network. AI-based analytics tools can spot these anomalies and potentially detect unmanaged devices.
The best way to address the problem of unmanaged devices on the network is to make it so that no device -- with the possible exception of devices on the guest network -- is able to connect to the company network without first connecting to an NAC system. However, this might involve making some significant architectural changes to the network and it might also result in increased licensing costs for NAC software. Further, IT will have to integrate the NAC system with the management platform.
Ideally, the network should be designed so that Wi-Fi, wired and VPN connections all pass through the NAC. That way, all devices, regardless of type, will be enrolled prior to being allowed to participate on the network.
Brien Posey is a former 22-time Microsoft MVP and a commercial astronaut candidate. In his more than 30 years in IT, he has served as a lead network engineer for the U.S. Department of Defense and a network administrator for some of the largest insurance companies in America.