Detecting and addressing unmanaged devices on an organization's network matters both for its overall security posture and for its regulatory compliance.

Unmanaged devices pose numerous threats ranging from the introduction of malware to data leakage. Fortunately, there are ways to find and enroll the unregistered devices on the network.

What exactly are unmanaged devices, and how do they happen?

Early on, nearly all devices on a Windows network were managed. PCs were almost always domain joined, and the domain controllers pushed Group Policy settings to them, which ensured the PCs adhered to the organization's security requirements.

Over time, it became common for organizations to have non-Windows devices on their networks. Such devices could not be domain joined, which led organizations to adopt mobile device management (MDM) or unified endpoint management (UEM) systems. When a device is connected to one of these systems, it goes through an enrollment process that applies basic health checks and the organization's security policy settings. An unmanaged device is one that has not been enrolled in an MDM, UEM or Active Directory (AD) domain. Such devices rely solely on their own local security settings, which might or might not be adequate.

There are several ways an unmanaged device can end up on your network. The easiest is through the organization's own Wi-Fi network.

During the pandemic, when nearly everyone was working remotely, organizations commonly set up VPNs with accompanying network access control (NAC) services. NAC software is commonly used in BYOD environments and is designed to apply policies and perform health checks on BYOD devices. For example, if a user connects to a VPN from a Windows laptop, a NAC might check that the Windows Firewall is enabled and that the device is not missing any critical Microsoft security patches.

As helpful as NAC software can be, it is only effective if every BYOD device is checked. Some organizations use a NAC to aggressively check devices connecting through the VPN but neglect their local Wi-Fi networks. A user who connects a personal device to the organization's Wi-Fi might then be able to use it without ever enrolling it in the organization's UEM.

Wi-Fi networks that are not tied to a NAC are not the only source of unmanaged devices. For example, an organization might require vendors, partners and others to use a guest Wi-Fi network rather than the Wi-Fi network tied to its production network. If the guest network is poorly isolated, however, unmanaged devices that should be confined to it may eventually reach resources on the organization's production network.

When unmanaged devices connect to a network through one of the methods described so far, it is typically not the end user's fault. Flaws in the network infrastructure can easily allow a user to reach network resources from an unmanaged device. While such networks can also be exploited by cybercriminals, end users who connect in this way do not usually have bad intent. The opposite can also be true, however: unmanaged devices can appear on a network because someone deliberately acted to undermine the organization's security.

For example, a user might plug an unauthorized device into a network jack within the organization's facility. In spite of the zero-trust initiatives of the last few years, devices on an organization's wired network often receive less scrutiny than wireless ones, particularly where switch ports do not require 802.1X authentication. Users might therefore connect their own unauthorized Wi-Fi routers or even set up their own VPNs to circumvent inconvenient security measures.

One way to find such devices is with tools that maintain a database of all known devices on the network and their MAC addresses. Any device whose MAC address is not in the database is, by definition, unknown and should be treated as unmanaged until it has been identified. Bear in mind that a MAC address is trivially spoofed and that modern phones randomize theirs per network, so this is an inventory check that surfaces candidates for investigation, not an authentication control.
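The inventory comparison described above, as an added example that is not from the original article or any particular product: the script normalizes MAC addresses written in colon, hyphen and Cisco dotted notation, compares each entry of an ARP-style listing against a known-device inventory, and separately flags unknown addresses whose locally administered bit is set (the pattern a phone with MAC randomization enabled produces). The inventory and the ARP lines are constructed sample data; the `ip mac interface` line layout is an assumption, not the output of a specific tool.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed inventory of known/managed devices: MAC -> asset tag.
# Formats are deliberately mixed to show that normalization is required.
KNOWN_DEVICES = {
    "00:1A:2B:3C:4D:5E": "LAPTOP-0412 (UEM enrolled)",
    "00-1a-2b-3c-4d-5f": "PRINTER-2F (UEM enrolled)",
    "001a.2b3c.4d60": "SWITCH-CORE-1 (network team)",
}

# Constructed ARP-table style lines, assumed layout: `ip  mac  interface`.
SAMPLE_ARP = """\
10.10.5.21  00:1a:2b:3c:4d:5e  vlan10
10.10.5.22  00:1A:2B:3C:4D:5F  vlan10
10.10.5.1   001a.2b3c.4d60     vlan10
10.10.5.77  3c:22:fb:aa:bb:cc  vlan10
10.10.5.78  da:a1:19:12:34:56  vlan10
"""

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Return the MAC as 12 lowercase hex digits, accepting colon, hyphen and
    Cisco dotted-quad notation. Raises ValueError on anything else."""
    digits = re.sub(r"[:\-.]", "", raw.strip().lower())
    if not _MAC_RE.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits


def is_locally_administered(mac: str) -> bool:
    """Bit 0x02 of the first octet marks a locally administered address.
    Phones with MAC randomization enabled present such addresses."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


@dataclass
class Finding:
    ip: str
    mac: str
    status: str            # "known", "unknown" or "unknown-randomized"
    asset: Optional[str]   # inventory tag when the device is known


def classify_arp(arp_text: str, inventory: dict) -> list:
    """Match every ARP entry against the inventory and label it."""
    known = {normalize_mac(m): tag for m, tag in inventory.items()}
    findings = []
    for line in arp_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # skip blank or malformed lines
        ip, mac = parts[0], normalize_mac(parts[1])
        if mac in known:
            findings.append(Finding(ip, mac, "known", known[mac]))
        elif is_locally_administered(mac):
            findings.append(Finding(ip, mac, "unknown-randomized", None))
        else:
            findings.append(Finding(ip, mac, "unknown", None))
    return findings


def unknown_devices(findings: list) -> list:
    """Everything that is not in the inventory, for follow-up."""
    return [f for f in findings if f.status != "known"]


if __name__ == "__main__":
    for f in classify_arp(SAMPLE_ARP, KNOWN_DEVICES):
        print(f"{f.ip:<12} {f.mac}  {f.status:<18} {f.asset or ''}")
```

Because a MAC address can be spoofed, a "known" result only means the inventory has not been contradicted; the value of the check is in the "unknown" list, which is what a NAC or a network team should be asked to identify and either enroll or remove.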

Unmanaged devices can also arrive through hardware that cannot be enrolled by conventional means. If a user, or even the IT department, connects an IoT device, that device might never be enrolled in the organization's UEM, because IoT devices often lack the ability to participate in the enrollment process. Such devices pose a significant threat to the organization's cybersecurity and are a favorite network entry point for attackers.