How do you guys handle laptops distributed to user...
# _general
d
How do you guys handle laptops distributed to users? For the last two years, we give them a generic Windows 10 machine with only Citrix Workspace and our remote support software installed. Recently my boss has started worrying that these devices aren't managed and can be a security risk. My argument is who cares, it's not on our network, but that is falling on deaf ears. Curious what others do?
s
I'm working on a number of deployments right now, where we are using Azure/Entra ID joined (only) w/ Intune for managing the laptop endpoints. Load up the VDI client, use Intune for management, etc. Easy!
💯 3
s
Autopilot / Entra joined is the way.
💯 3
d
I've been migrating to autopilot with entra joined too. If you can get distro to load the serials into your tenant it's extra slick and you could even drop ship to the end user.
h
We allow unmanaged and have them install the deviceTRUST client extension so we can posture check their device and disconnect it live if their context changes.
j
Ours can only be managed locally, but we have auto-update for Chrome, Windows updates, no local admin, tightly secured, and CWA on LTSR. You are right that it doesn't matter, as BYOD is one big advantage for Citrix/VDI, zero trust approach. It also depends on what you allow in Citrix policy, e.g. allowing access to the laptop's drives will be dodgy. That said, as others said, Entra ID and Intune for self-contained management of those devices is nice to have.
r
VDI / Citrix with BYOD is a potential security risk if folks are accessing resources / data you care about. Students accessing Autodesk to fiddle on their CAD project you'd care less about. But if that BYOD device gets a keylogger / screen scraper, it potentially can be used to access whatever the VDI/Citrix user can, and then they can move sideways.
💯 1
j
Handling laptops distributed to users is indeed a critical aspect of ensuring both security and operational efficiency. While the generic Windows 10 setup with Citrix Workspace may seem sufficient for remote work, it does pose certain risks. These devices, albeit not directly on our network, still represent an attack surface and can potentially compromise data security. This is precisely why we've developed our Device as a Service solution, which addresses these concerns head-on. By bundling IGEL and Lenovo devices with our connection licenses, we provide a secure and seamless way for users to access remote workloads. Our solution not only enhances security but also streamlines operations, ensuring a hassle-free experience for both IT teams and end-users. Feel free to reach out if you'd like to learn more about how our DaaS solution can help mitigate these risks and optimize your remote work setup. http://kasmweb.com/lenovo-daas.html
🙌 1
d
@Stephen Daniel Wagner @Stephen any recommended guides for this? Entra joined only shows the machines in Entra AD and has no real domain connectivity?
s
@Danny, that's the point. With VDI being used, basic management can be performed on the laptop (security, updates, etc) since most of the resources will be accessed through VDI. However, if you do need to access resources locally on the laptop, then that changes the discussion a little bit. You might ultimately need to either have it domain joined, or access resources using Azure ACLs on-prem.
d
No, I think we want to continue leaving them off the main domain. I just thought there was more security risk even if Entra joined. We do have additional management software that handles 3rd party patches, and we just leave Windows Update on auto, but the prospect of having Intune available is good too.
@Rachel Berry can’t we enable app protection so CWA keeps an eye on keyloggers?
t
@Danny Intune Migration Tasks.pdf Doc I created to help our partners set up Entra Join managed by Intune, but it has nothing to do with Nerdio itself. Generic info.
🤘 2
d
Ty, so all this does is essentially add the machine to your tenant and add Intune as MDM?
I can't help but think a machine not associated with any domain is security-wise safer than one that has some domain information.
@Stephen Daniel Wagner yea, I agree with you... my boss has more concerns over security though, which I don't really understand.
t
Why do you need to be connected to a domain anymore? Entra + Intune joined is the new way going forward if you get off of a domain.
Plus, if you have an Entra joined PC, you can still access domain resources if you have Entra ID Connect set up and the device has line of sight to a DC. Entra Connect passes through a token that can be used to access domain drive shares even if that device isn't on the domain.
d
Yea, I personally don't want any domain connectivity. We are a hybrid shop. We used to have hybrid set up laptops, then when we switched to VDI, we wiped them all out for base Windows 10 with minimal software.
j
I second the Azure AD joined machines, if you already have licensing for them. Adding Intune allows you to push updates, wipe machines, etc. But that can be pricey unless you can use it to replace other on-premises packaging and deployment tools.
d
But from a security perspective, what does that win us? Wouldn't the machine have some domain information embedded into it, which could be more harmful than a machine that doesn't?
j
Only Azure AD information, not traditional domain information. And it allows you to get more details as to what is happening on that machine, and give you remote control of them. And with Citrix as the Zero Trust ingress method you won't need any VPN or other entry.
j
Azure AD Connect typically has the power to execute the DCSync command as well.
h
Another risk is screen scrapers and keyloggers on unmanaged devices. You can implement App Protection to defend against this.
🙌 1
👍 1
d
I don't follow, is App Protection only on managed devices? I thought it was on any?
j
It is on any, just saying you should deploy it for unmanaged devices as well.
d
Yea, that's my counter-argument to any domain join. Just put on App Protection and call it a day? Why do I care what the user does on the endpoint if there is no file/drive/clipboard redirection happening?
j
The user needs to tick the box for App protection during the install so you can't rely on it, no?
d
We are the ones that typically set up the software before we hand out the laptops. Also, wonder if Workspace configuration management has something to enable. And let's say if not, how would one protect themselves from a user using a totally random device? Isn't the point of VDI to work from anything?
thankyou 1
nvm, don't have App Protection entitlements, but could talk to boss about that.
j
VDI protects against a lot of stuff but not all. With BYOD, you can mitigate but not against all, and as some said there, it really depends on the type of data accessed, how confidential it is, etc. As usual, it depends.
j
Another big benefit of BYOD is I don't like the laptop some companies give me. I like working from my desk with all my monitors and software. Getting people to work comfortably makes them more productive users.
d
Exactly. I said that as an example of what to do in those situations, and boss just says well that's not our equipment so w/e. Hard to take this sort of request seriously when some external machines are fine and others "aren't safe".