
Device sprawl and access control: what IAM teams need to fix


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: Mixed personal and corporate device use has become the norm, with 35% of workers using their own devices and 66% using company-issued ones, according to JumpCloud. That shift pushes device management toward identity-centric controls, contextual policy, and Zero Trust assumptions that extend across endpoints, data, and access paths.

NHIMG editorial — based on content published by JumpCloud: a blog on managing different types of devices in the modern workplace

By the numbers:

Questions worth separating out

Q: How should security teams govern access across BYOD and company-owned devices?

A: Security teams should use identity-centric policy that evaluates device posture, user identity, and context at every access decision.

Q: Why do mixed device environments weaken Zero Trust models?

A: Mixed device environments weaken Zero Trust when policy is written for a generic endpoint instead of the real mix of personal, shared, and managed devices.

Q: What breaks when shared devices are governed like normal laptops?

A: Shared devices break normal laptop assumptions because multiple users, short sessions, and variable trust boundaries create a higher chance of residual access and data leakage.

Practitioner guidance

  • Map access decisions to device posture inputs: feed device health, ownership, enrollment status, and compliance signals into conditional access so the policy engine can deny or step up access when the endpoint drifts from approved state.
  • Separate corporate, BYOD, and shared-access policy paths: create distinct access rules for employee-owned devices, company-managed devices, kiosks, POS systems, and temporary access so one policy does not mask very different risk profiles.
  • Tighten third-party and guest access lifecycles: require explicit expiry, review, and revocation steps for vendor, contractor, and guest access, especially where access is tied to shared devices or temporary workspaces.

What's in the full article

JumpCloud's full blog covers the operational detail this post intentionally leaves for the source:

  • Device-management tactics for BYOD, CYOD, shared tech, and IoT environments.
  • Implementation detail on identity-centric access, including MFA and conditional access policy design.
  • Operational guidance for UEM deployment, from enrollment through patching and secure app delivery.
  • Data-protection measures such as encryption, DLP, and remote wipe handling for mixed-device estates.

👉 Read JumpCloud's guide to managing access across mixed-device environments →

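The three guidance points in the post above (posture signals feeding the policy engine, separate policy paths per device class, explicit expiry for delegated access) can be shown as one conditional-access decision function. The following is an added example written for this thread; it is not JumpCloud's code or the NHIMG editorial's. Every field name, threshold (the 30-day patch window and the 15-minute shared-session cap) and every sample request is an assumption constructed for illustration. It also includes a deliberately weak "generic endpoint" policy so the two can be compared on the same inputs.

```python
"""Conditional access evaluated per request from device posture, identity and
context, with distinct policy paths for corporate, BYOD and shared devices and
an explicit expiry check for vendor/guest access.

Added example, not JumpCloud's or NHIMG's code. Field names, thresholds and
the sample requests below are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, Optional, Tuple

PATCH_MAX_AGE_DAYS = 30                      # assumed drift threshold
SHARED_SESSION_MAX = timedelta(minutes=15)   # assumed cap for kiosks / POS


class Decision(str, Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # re-authenticate (MFA) before granting
    DENY = "deny"


@dataclass(frozen=True)
class DevicePosture:
    """Signals a UEM / device-trust agent would report (assumed field names)."""
    device_id: str
    ownership: str          # "corporate" | "byod" | "shared"
    enrolled: bool
    disk_encrypted: bool
    screen_lock: bool
    os_patch_age_days: int


@dataclass(frozen=True)
class AccessRequest:
    user: str
    user_type: str          # "employee" | "vendor" | "guest"
    sensitivity: str        # resource classification: "low" | "high"
    mfa_satisfied: bool     # MFA completed in this session
    session_age: timedelta
    device: DevicePosture
    expires_at: Optional[datetime] = None   # required for vendor/guest access


def evaluate_generic(req: AccessRequest) -> Decision:
    """The 'generic endpoint' policy the post warns about: one laptop-shaped
    rule for every device, so BYOD, shared and third-party risk is masked."""
    if not req.device.enrolled or not req.device.disk_encrypted:
        return Decision.DENY
    return Decision.ALLOW if req.mfa_satisfied else Decision.STEP_UP


def evaluate(req: AccessRequest, now: datetime) -> Tuple[Decision, str]:
    """Identity-centric policy: returns the decision plus a reason for audit."""
    d = req.device
    # Delegated access must carry an explicit expiry and be inside it; a
    # missing expiry is treated as misconfiguration, not standing privilege.
    if req.user_type in ("vendor", "guest"):
        if req.expires_at is None:
            return Decision.DENY, "delegated access has no expiry recorded"
        if now >= req.expires_at:
            return Decision.DENY, "delegated access expired"
    # Separate policy path per ownership class.
    if d.ownership == "corporate":
        if not d.enrolled:
            return Decision.DENY, "corporate device not enrolled in UEM"
        if not d.disk_encrypted:
            return Decision.DENY, "corporate device lacks disk encryption"
        if d.os_patch_age_days > PATCH_MAX_AGE_DAYS:   # drifted from approved state
            if req.sensitivity == "high":
                return Decision.DENY, "patch drift on high-sensitivity access"
            return Decision.STEP_UP, "patch drift; re-authenticate"
    elif d.ownership == "byod":
        if req.sensitivity == "high":
            return Decision.DENY, "high-sensitivity data only on managed devices"
        if not d.screen_lock or not d.disk_encrypted:
            return Decision.DENY, "BYOD device fails minimum posture"
    elif d.ownership == "shared":
        if req.sensitivity == "high":
            return Decision.DENY, "high-sensitivity data not allowed on shared devices"
        if req.session_age > SHARED_SESSION_MAX:
            return Decision.STEP_UP, "shared-device session cap reached; re-authenticate"
    else:
        return Decision.DENY, f"unknown ownership class {d.ownership!r}"
    if not req.mfa_satisfied:
        return Decision.STEP_UP, "MFA not satisfied for this session"
    return Decision.ALLOW, "posture, identity and context within policy"


# Constructed sample data (not real devices or users).
NOW = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)
KIOSK = DevicePosture("kiosk-07", "shared", True, True, True, 3)
OLD_LAPTOP = DevicePosture("lt-0419", "corporate", True, True, True, 45)
FRESH_LAPTOP = DevicePosture("lt-0420", "corporate", True, True, True, 2)
PERSONAL = DevicePosture("phone-a1", "byod", True, True, True, 10)
FIVE_MIN = timedelta(minutes=5)
SAMPLES: Dict[str, AccessRequest] = {
    "corporate_ok": AccessRequest("dana", "employee", "high", True, FIVE_MIN, FRESH_LAPTOP),
    "shared_kiosk_long_session": AccessRequest("alice", "employee", "low", True, timedelta(minutes=40), KIOSK),
    "corporate_patch_drift_high": AccessRequest("bob", "employee", "high", True, FIVE_MIN, OLD_LAPTOP),
    "byod_high_sensitivity": AccessRequest("carol", "employee", "high", True, FIVE_MIN, PERSONAL),
    "vendor_no_expiry": AccessRequest("vendor-svc", "vendor", "low", True, FIVE_MIN, KIOSK),
    "vendor_expired": AccessRequest("vendor-svc", "vendor", "low", True, FIVE_MIN, KIOSK,
                                    expires_at=NOW - timedelta(days=1)),
}


def compare(now: datetime = NOW) -> Dict[str, Tuple[str, str]]:
    """Run every sample through both policies: (generic, identity-centric)."""
    return {name: (evaluate_generic(r).value, evaluate(r, now)[0].value)
            for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, (generic, identity_centric) in compare().items():
        print(f"{name:28} generic={generic:8} identity-centric={identity_centric}")
```

Running it shows the point of the second bullet directly: the generic policy allows the over-long kiosk session, the drifted corporate laptop reaching high-sensitivity data, the personal phone reaching the same data, and both vendor requests, because all of those devices are enrolled and encrypted; the per-class policy steps up or denies each one and returns a reason string that belongs in the access log.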



(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

Device diversity is now an access governance problem, not just an endpoint problem. The article describes a workplace where personal, corporate, shared, and IoT devices all coexist, which means access control can no longer assume a uniform endpoint baseline. That changes the governance question from device ownership to trust continuity across the session. Practitioners should treat endpoint diversity as a core identity control issue.

A few things that frame the scale:

  • 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
  • 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.

A question worth separating out:

Q: Who is accountable when third-party or guest device access is over-extended?

A: Accountability sits with the team that owns access lifecycle and policy enforcement, not with the guest or vendor using the device. Third-party access must have explicit expiry, review, and revocation so delegated access does not become standing privilege. That is especially important where shared endpoints are involved.

👉 Read our full editorial: Identity-centric device management is now the access control baseline


