Anunta Blog US

Stop Trading Access for Security on Your Endpoints

Written by Michael Meyers | Jul 1, 2026 6:56:35 PM

 

Every endpoint team is running the same negotiation, whether they have named it or not. The business wants people working from anywhere, on whatever device is in front of them, with nothing slowing them down. Security wants every device that touches company data to be patched, encrypted, controlled, and known. For years those demands could be balanced at the edges, because most work happened on managed machines inside the building. Remote work and BYOD ended that. Now the negotiation happens every day, on every device that asks for access.

This negotiation lives in a narrower place than endpoint management as a whole. It lives in your conditional access and device compliance policies, the rules that decide whether a device can reach corporate resources based on its security state, plus how you handle personal devices, full enrollment or lighter app-level controls. That control surface is where access and security meet, and where the trade-off gets made. So that is where this piece stays.

I have spent a lot of time inside these rollouts, and the reason the trade-off feels unavoidable is not the one most teams assume.

Why doesn't a middle ground between endpoint access and security hold?

Start with what happens when the pressure hits: a device asks for access, and your policy has to decide. In a deployed estate, the levers are blunt. You can tighten the gate or loosen it.

Tighten it, and you get security with friction. Devices that are close to compliant but not quite get blocked, enrollment gets resisted, and an exception list starts forming. In my experience it grows every single week, because real work does not wait for a device to pass a check.

Loosen it, and you get access with exposure. Unmanaged devices get in, and drifted devices get in. You have traded visibility for the sake of letting people work.

Most teams settle in the middle and call it balance. This is the step worth looking at more closely. The notches you tightened, users quietly route around. Gartner found that 69 percent of employees bypass their security guidance, and that adding more controls backfires, because the friction itself drives the workaround. So, your posture looks enforced while a share of your users sits outside it, on a personal laptop or personal email. It is the same gap a patch dashboard hides when a deferred reboot leaves a device exposed but still reported compliant. The notches you loosen are gaps you are simply carrying.

Which raises the real question. Why are you forced to choose at all? You are not forced to choose because access and security are enemies. They are not. You are forced to choose because the control is static. A blunt gate checks a device once, when it asks for access, and all it can do is let the device in or keep it out, with nothing after. Everything that makes this feel like a trade-off traces back to that one limitation, and the three pressures below are versions of it.

Why does securing device access create so much friction?

To secure access, you require a device to prove it is healthy before it connects. It has to be patched, encrypted, and enrolled, or whatever your policy demands. What I've found is that devices are often out of compliance when they try to connect. An enrolled device has a pending patch or a reboot is overdue, so the gate says no, often right when the user is in front of a customer and needs access.

The friction is not caused by the security check, it is caused by the device not being ready when the check runs. The fix is not a weaker checkpoint, it is a device that is continuously kept ready. If device health is maintained and remediated in the background, the device passes by default, and the gate stops feeling like a tax on getting work done. The right move for most teams is to invest in continuous remediation so that conditional access becomes a formality the user never notices, rather than a roadblock they learn to route around.

That handles the device you manage. The harder pressure is the device you do not.

What does allowing personal devices cost you in visibility?

To let people work from any device, you allow personal and unmanaged ones, and those are precisely the devices you can see the least. You do not own them, you did not configure them, and you cannot assume anything about their state. The more broadly you open access, the more of your estate goes dark.

This is not a small corner. Microsoft has reported that 80 to 90 percent of successful ransomware attacks originate from unmanaged devices. The thing you opened up to enable work is the same thing attackers walk through. So the instinct is to clamp down and require full enrollment. Users resist that, especially on personal hardware, and you are back to friction and workarounds.

There is a way that does not require owning the device. App and data controls let you see and govern the corporate apps and data on a device without managing the whole machine. You get visibility and enforcement where it matters, and the user keeps their device. The move is to reach for app and data controls on BYOD instead of treating full enrollment as the only option. That keeps access open and closes the blind spot at once.

Even with that in place, there is one more pressure, and it is the one that never sits still.

Why do remote and personal devices keep drifting out of compliance?

A device that was compliant this morning may not be this afternoon. A setting changes, an update is deferred, a control gets switched off. On a machine in your office, that drift used to get caught. On a remote or personal device, it does not, because the device is outside everything you used to rely on to notice.

A static estate has only one response to a drifted device. It blocks the device the next time it asks for access. That protects security and kills the access in one move, landing on the user as a sudden lockout for something they did not know was wrong. Every team I have worked with has felt this, the support ticket from someone who was working fine yesterday and is locked out today.

The answer is to stop treating the device as something you inspect at the door and start treating it as something you keep correct continuously. Continuous enforcement detects the drift and remediates it remotely, fixing the device instead of locking the person out. The move is to enforce and remediate on an ongoing basis rather than check once at login. The user stays working and the device stays compliant, because the gap gets closed before it becomes a reason to deny access.

What changes when you run your endpoints instead of deploying them?

Look at the three moves together. Continuous remediation so the device is always ready. App and data controls so you can see without owning. Continuous enforcement so drift gets corrected rather than punished. They are the same shift applied three times, turning the control from a one-time check into a continuous operation.

That shift is what dissolves the trade-off. You were never really choosing between access and security. You were choosing only because your control could act on a device once and do nothing after. When the control runs continuously, the device is ready when access is requested, visible while it works, and corrected when it drifts. Access and security stop pulling against each other, because the same operation produces both.

This is the line between deploying endpoints and running them, and it is worth knowing which side of it you are on. If you want a structured read on where your operation sits, the Endpoint Operations Scorecard walks through the four areas where this shows up and shows whether you are deploying or running.