Managed and Limited BYOD and IoT for Identity and Access Control (Activity 2.4.2)
Our journey through the Zero Trust Device pillar has led us to establish device inventory, identity, compliance standards, and even implement a deny-by-default policy for resource access based on whether a device is managed and compliant. Now, we tackle a prevalent reality in modern environments: the presence of Bring Your Own Device (BYOD) and the use of Internet of Things (IoT) devices. Zero Trust Activity 2.4.2: Managed and Limited BYOD & IOT Support specifically addresses how to securely incorporate managed instances of these diverse device types into our Zero Trust framework by integrating them with our core identity infrastructure.
This activity centers on securely integrating a limited, defined set of BYOD and IoT devices that your organization brings under active management. Within this scope a device counts as “managed” only once a Component has brought it under its Enterprise Device Management Solution. This typically means enrolling the device in a Unified Endpoint Management (UEM) solution, installing any required agents, and enforcing specific security configurations so that the selected devices meet organizational security requirements and compliance baselines.
The core directive is then that these managed BYOD and IoT devices are fully integrated with the Enterprise IdP, enabling user and device-based authorization. This integration is key to applying dynamic access policies and the practice of least privilege to these device types.
This is a crucial step in extending sophisticated Zero Trust controls to device types that often pose unique management and security challenges, ensuring that even personally-owned or specialized IoT devices, once managed, are subject to the same rigorous identity and access controls as corporate-owned devices.
The outcomes for Activity 2.4.2 highlight the progress in integrating and controlling these devices through identity:
- All Component access must be governed by dynamic access permissions for BYOD and IoT Devices.
- Component BYOD and IoT device permissions are baselined and integrated with Enterprise IdP.
The end state for this activity is that Components establish a foundation for risk-based access control for BYOD and IoT with dynamic permissions: the identity framework is used to apply granular, risk-aware access policies to managed BYOD and IoT devices as they access specific resources.
Solutions for Achieving Managed and Limited BYOD & IOT Support
Implementing Activity 2.4.2 requires device management and identity integration, focusing on leveraging UEM/EM and the Enterprise IdP to apply dynamic policies to managed BYOD and IoT devices:
- Leveraging Enterprise Device Management Solutions (UEM/EM) for BYOD and IoT Management:
- Utilize a UEM/EM solution with capabilities for enrolling and managing both BYOD (including features for data segregation and privacy) and, importantly, diverse types of IoT devices (which may require specialized agents or agentless management techniques).
- Enforce organizational security requirements on these devices through configuration profiles, security policies, and potentially agent deployment, ensuring they meet the “managed” criteria and contribute to compliance (Activity 2.2.1).
- Integrating Managed Devices with the Enterprise IdP for Authentication and Authorization:
- Establish a strong, often automated, integration between your UEM/EM solution and your Enterprise IdP/IdAM solution (from Activity 1.9.1 Pt1). This is the core technical task of this activity.
- This integration enables the IdP to recognize the device’s managed status and receive relevant device attributes from the UEM/EM.
- User Authentication: The Enterprise IdP authenticates the user accessing resources from the managed BYOD or IoT device.
- Device Authentication/Identity: The IdP leverages the device’s verifiable identity, potentially established through PKI certificates deployed via the UEM/EM (as in Activity 2.1.2), to authenticate the device itself as a managed entity.
- Authorization: The Enterprise IdP, in conjunction with policy enforcement points, supports authorization decisions based on a combination of the authenticated user’s identity and attributes and the authenticated, managed device’s identity and attributes.
- Defining User and Device-Based Dynamic Access Policies:
- Within your dynamic access policy engine (often part of your IdP or ZTNA), define granular access policies that consider both user attributes and managed BYOD/IoT device attributes (management status, compliance posture, device type, etc.). These policies enable dynamic access and enforce least privilege.
- Implementing Dynamic Access Policy Enforcement:
- Utilize policy enforcement points (such as ZTNA gateways, application gateways, or policy agents) that consume the combined user and device identity and attribute information from the IdP to enforce dynamic access policies for managed BYOD and IoT devices accessing resources.
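As an added illustration (not part of this page and not a DoD reference implementation), the following Python policy decision point shows how the user claims an Enterprise IdP issues and the device attributes a UEM/EM exports combine into one dynamic, least-privilege decision. The UEM export, resource catalogue, certificate thumbprints, role names, the 24-hour attestation window and the "read-only for BYOD" cap are all constructed assumptions; a real deployment would take device attributes from the UEM/IdP integration and express the rules in the policy engine's own language.

```python
"""Added example: a policy decision point (PDP) combining IdP user claims with
UEM/EM device attributes into dynamic, least-privilege permissions.
All identifiers, thresholds and sample records are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)  # fixed clock for the sample
MAX_ATTESTATION_AGE = timedelta(hours=24)                 # assumed freshness window

# Constructed UEM/EM export, keyed by the thumbprint of the device certificate the
# UEM deployed (the device identity the enforcement point sees during mTLS).
UEM_DEVICES = {
    "thumb-corp-01": {"class": "corporate", "managed": True, "compliant": True,
                      "last_checkin": NOW - timedelta(hours=1)},
    "thumb-byod-01": {"class": "byod", "managed": True, "compliant": True,
                      "last_checkin": NOW - timedelta(hours=2)},
    "thumb-byod-02": {"class": "byod", "managed": True, "compliant": False,
                      "last_checkin": NOW - timedelta(hours=1)},
    "thumb-byod-03": {"class": "byod", "managed": True, "compliant": True,
                      "last_checkin": NOW - timedelta(days=3)},  # stale attestation
    "thumb-iot-01": {"class": "iot", "managed": True, "compliant": True,
                     "function": "hvac-sensor",
                     "last_checkin": NOW - timedelta(hours=6)},
}

# Constructed resource catalogue carrying the attributes the policy consults.
RESOURCES = {
    "hr-portal": {"sensitivity": "high", "byod_allowed": False,
                  "role_permissions": {"hr": {"read", "write"}, "staff": {"read"}}},
    "email": {"sensitivity": "medium", "byod_allowed": True,
              "role_permissions": {"staff": {"read", "write"}, "hr": {"read", "write"}}},
    "it-help": {"sensitivity": "low", "byod_allowed": True,
                "role_permissions": {"staff": {"read"}, "hr": {"read"}}},
    "telemetry-ingest": {"sensitivity": "low", "byod_allowed": False,
                         "iot_functions": {"hvac-sensor"}, "role_permissions": {}},
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    permissions: set = field(default_factory=set)


def _limited(reason: str, perms: set) -> Decision:
    """Grant only if something survives the restriction; never an empty allow."""
    if perms:
        return Decision(True, reason, perms)
    return Decision(False, "no permissions remain after restriction")


def evaluate(user: Optional[dict], thumbprint: str, resource_name: str,
             now: datetime = NOW) -> Decision:
    """user: IdP claims ({"sub", "roles", "mfa"}) or None for a headless IoT device.
    thumbprint: certificate thumbprint the device presented at the enforcement point."""
    resource = RESOURCES.get(resource_name)
    if resource is None:
        return Decision(False, "unknown resource")
    device = UEM_DEVICES.get(thumbprint)
    # Deny-by-default: a device the UEM does not know is not managed, full stop.
    if device is None or not device["managed"]:
        return Decision(False, "device not managed")
    # A compliance claim is only as good as its most recent attestation.
    if now - device["last_checkin"] > MAX_ATTESTATION_AGE:
        return Decision(False, "device posture stale; check in or re-enrol")

    if device["class"] == "iot":
        # IoT: device identity only, scoped to the function registered in the UEM.
        if user is not None:
            return Decision(False, "interactive user presented on an IoT device identity")
        if not device["compliant"]:
            return Decision(False, "IoT device non-compliant")
        if device.get("function") not in resource.get("iot_functions", set()):
            return Decision(False, "IoT function not authorised for this resource")
        return Decision(True, "iot function match", {"write:telemetry"})

    # BYOD and corporate devices always carry an interactive user who must have MFA.
    if user is None or not user.get("mfa"):
        return Decision(False, "user authentication with MFA required")
    role_perms: set = set()
    for role in user.get("roles", []):
        role_perms |= resource["role_permissions"].get(role, set())
    if not role_perms:
        return Decision(False, "no role grants access to this resource")

    if not device["compliant"]:
        # Limited access: a non-compliant managed device may only read low-sensitivity
        # resources, enough to reach remediation instructions and nothing more.
        if resource["sensitivity"] == "low":
            return _limited("non-compliant device: limited read", role_perms & {"read"})
        return Decision(False, "device non-compliant")

    if device["class"] == "byod":
        if not resource["byod_allowed"]:
            return Decision(False, "resource not available to BYOD")
        # Personal devices are capped at read-only regardless of the user's role.
        return _limited("byod read-only", role_perms & {"read"})

    return Decision(True, "managed corporate device", role_perms)


if __name__ == "__main__":
    alice = {"sub": "alice", "roles": ["hr"], "mfa": True}
    for thumb, res in [("thumb-corp-01", "hr-portal"), ("thumb-byod-01", "hr-portal"),
                       ("thumb-byod-01", "email"), ("thumb-byod-03", "email")]:
        print(thumb, res, evaluate(alice, thumb, res))
    print("iot", evaluate(None, "thumb-iot-01", "telemetry-ingest"))
```

The ordering of the checks is the point: device identity and attestation freshness are settled before any user attribute is consulted, so an unknown, unmanaged or stale device is refused even with a fully authenticated, MFA-protected user, and the IoT branch never accepts an interactive user on a machine identity. The permissions returned are the intersection of what the role would normally grant and what the device class and posture permit, which is how "dynamic permissions" and least privilege fall out of the same evaluation.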
Key Items to Consider:
- Comprehensive UEM/EM Capabilities for Diverse Devices: The ability of your device management solution to effectively manage the specific types of BYOD and IoT devices in your environment is paramount.
- Seamless UEM/IdP Integration: A robust and reliable integration between your UEM/EM and Enterprise IdP is critical for enabling user and device-based authentication and authorization.
- Attribute Mapping and Usage: Ensure that relevant device attributes from the UEM/EM are correctly mapped and available within the IdP to inform dynamic access policies.
- User Acceptance and Privacy (for BYOD): Clearly communicate the security requirements and privacy implications of managing BYOD to users.
- Scalability for IoT: Consider the scalability of your device management and identity infrastructure to handle a potentially large number of IoT devices.
- Defining Least Privilege for Diverse Devices: Tailoring least privilege policies to the specific functions and risks associated with different types of managed BYOD and IoT devices is essential.
For the Technical Buyer
Activity 2.4.2 is your directive to bring order and control to managed BYOD and IoT devices by integrating them into your core identity framework. It’s about ensuring that these devices, once managed and meeting security requirements through your UEM/EM solution, are fully recognized and controlled by your Enterprise IdP for both user and device authentication and authorization.
For technical buyers, success here means ensuring your device management solution can effectively manage the BYOD and IoT types in your environment and, critically, has robust integration with your Enterprise IdP. This integration enables you to define and enforce granular, dynamic access policies based on who is accessing and what managed device they are using, establishing a strong foundation for risk-based access control for these diverse and increasingly prevalent device types in your Zero Trust architecture.

Pillar: Device
Capability: 2.4 Remote Access
Activity: 2.4.2 Managed and Limited BYOD and IoT Support
Phase: Target Level
Predecessor(s): None
Successor(s):
- 2.2.1 Implement C2C/Compliance Based Network Authorization Part 1
- 2.4.3 Managed and Full BYOD & IoT Support Part 1