
Security best practices for BYOD environments

Applies to: Windows 8, Windows 8.1

Bring Your Own Device (BYOD) environments present a deep security challenge for organizations because, by nature, they involve allowing unmanaged computers to interact with organizational resources. The problem with unmanaged computers is that there is no way to ascertain whether the computer the user has brought into the office is clean and safe, or whether it is the malware equivalent of Typhoid Mary. A computer that hasn’t been kept up-to-date with software updates and antimalware protection and is allowed to connect to a protected internal network can serve as a platform through which malware infections spread. From the perspective of the security-conscious IT department, the BYOD computer is like the historical Trojan Horse: allowed through the city gates and full of enemy combatants with mayhem on their mind.

Users choose BYOD as a solution for a variety of reasons. Often it’s because they feel that the computer that they own, usually a laptop or tablet (because very few users are going to lug a desktop to work each day), is superior to the device that is made available to them by the organization. The thorniest questions that arise in BYOD environments involve the level to which the IT department has access to the BYOD device. BYOD users can be quite territorial, demanding that their device be "sovereign territory." Even if users sign up with policies that require them to be up-to-date with updates and antimalware solutions, things again become thorny when it comes to verifying that a user is meeting these goals.

This article outlines some strategies that you can use to support BYOD policies that empower users to work on their own devices while minimizing the chance that a device infected with malware will wreak havoc on a protected internal network.

Strategy 1: network isolation

Any device that isn’t managed should be placed on a separate physical or logical network. One option is to configure domain isolation policies. Another option is to configure Virtual Local Area Networks (VLANs). A third option is to allow unmanaged devices to connect only to a perimeter network. This strategy treats the BYOD device as just another client on the Internet. You allow BYOD users to connect to organizational resources through Workplace Join or Remote Desktop Gateway.

Workplace Join is a technology supported by Windows 8.1 that allows users to access organizational resources without requiring a full domain join. Workplace Join requires Windows Server 2012 R2 and Windows 8.1, and can also be used with RemoteApp or App-V applications, which allows your organization to provide users access to applications without actually deploying those applications on computers that are not owned or managed by the organization.

Remote Desktop Gateway allows you to provide both Remote Desktop and RemoteApp resources to BYOD devices on an external network. In this scenario, the BYOD user uses their device as a thin client, running organizational applications securely through presentation virtualization. Remote Desktop clients are available for a variety of platforms used by BYOD users.

Strategy 2: Windows To Go

Windows To Go provides a way of making a BYOD device a managed device without violating the BYOD user’s "sovereign territory." When you pursue this strategy, you configure the internal network with Domain Isolation policies through IPsec, perhaps even implementing Network Access Protection, so that the only devices that can connect to infrastructure servers such as domain controllers, DHCP servers and other important servers such as those functioning as file servers, Exchange, and SharePoint servers are those with a valid IPsec or health certificate. You grant BYOD users access by having them start their BYOD device by using a specially prepared Windows To Go stick.

When started into Windows 8.1 through Windows To Go, the device is under the control of the IT department: it can be domain joined, have a System Center Configuration Manager client installed, and run the organization’s antimalware solution. However, the "sovereign territory" of the user’s own operating system, applications, and data remains intact and inaccessible to anyone other than the user. It doesn’t matter if malware has infected the "sovereign territory" of the device's built-in hard disk, because the device is starting into the Windows To Go operating system, which is protected through the policies and antimalware software deployed by the security-minded IT department. When running Windows 8.1 through Windows To Go, the user does not have access to the device's built-in hard disk, which limits the chance of anything nasty making its way into the organization’s protected network environment.
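The domain isolation policy that Strategies 1 and 2 rely on can be expressed as a Windows Firewall connection security rule. The following PowerShell is an added example, not code from the original article or from Microsoft: it creates a rule on an infrastructure server that requires IPsec with Kerberos machine authentication for inbound connections, so that only computers with a domain account (a managed PC, or a domain-joined Windows To Go workspace) can complete the negotiation, and it includes a client-side check that reports whether the current session is a Windows To Go boot and whether IPsec security associations have been established. The rule and auth-set names are assumptions chosen for illustration.

```powershell
# Added example (not from the article). Requires an elevated PowerShell
# session on Windows 8 / Windows Server 2012 or later (NetSecurity module).

function New-DomainIsolationPolicy {
    param(
        # Assumed display name; pick one that matches your naming scheme.
        [string]$RuleName = "BYOD-DomainIsolation-RequireInbound"
    )

    # Machine (computer) authentication with Kerberos: an unmanaged BYOD
    # device has no domain computer account, so IKE main mode fails for it.
    $proposal = New-NetIPsecAuthProposal -Machine -Kerberos
    $authSet  = New-NetIPsecPhase1AuthSet -DisplayName "$RuleName-Auth" `
                                          -Proposal $proposal

    # Inbound: require authentication (unmanaged devices cannot connect).
    # Outbound: only request it, so the server can still reach hosts that do
    # not speak IPsec. Scoped to the Domain profile of this server.
    New-NetIPsecRule -DisplayName $RuleName `
        -InboundSecurity  Require `
        -OutboundSecurity Request `
        -Phase1AuthSet    $authSet.Name `
        -Profile          Domain
}

function Test-ManagedSession {
    # Client-side check for a Windows To Go workspace: reports whether the
    # OS was booted from a portable (Windows To Go) workspace, whether it is
    # domain joined, and which peers it currently has IPsec main mode SAs with.
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $sas = @(Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        PortableOperatingSystem = [bool]$os.PortableOperatingSystem
        DomainJoined            = [bool]$cs.PartOfDomain
        IPsecMainModeSAs        = $sas.Count
        IPsecPeers              = @($sas | ForEach-Object { $_.RemoteEndpoint } |
                                    Sort-Object -Unique)
    }
}

# Usage:
#   On each infrastructure server (file, Exchange, SharePoint):
#     New-DomainIsolationPolicy
#   On a client booted from the Windows To Go stick, after logon:
#     Test-ManagedSession
```

One caveat when you deploy this: Kerberos machine authentication only works once the client can reach a domain controller and resolve its name, so domain controllers, DNS and DHCP servers are normally configured with Request rather than Require (or with an authentication exemption) so that a freshly booted Windows To Go workspace can obtain an address and a ticket before it is held to the Require rule on the other servers. Test the rule with `-InboundSecurity Request` first and inspect `Get-NetIPsecMainModeSA` on both sides before switching to Require.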

Strategy 3: management through Windows Intune and Configuration Manager

An additional option is to configure BYOD devices to be managed through Windows Intune and Configuration Manager. In this scenario, it’s possible to ensure that the device is up-to-date with software updates and antimalware software while allowing the BYOD user to retain control of their device. Acceptance of this scenario often depends on whether the BYOD user perceives the deployment of any management component on their device as a violation of their "sovereign territory." Some users will be okay with it; others will not. This solution also requires that the organization be running the latest version of System Center 2012 R2 Configuration Manager.


There are a variety of ways that you can empower users by allowing them to use their own devices at work without compromising the integrity of the organization’s security. The key to choosing a solution comes back to the reasons that the BYOD policy was adopted in the first place. The other thing to remember is that a solution will be successful only if BYOD users accept it and if organizational security isn’t compromised.


About the author

Orin Thomas is a Microsoft MVP and a Microsoft Certified Trainer (MCT), and has a string of Microsoft MCSE and MCITP certifications. He has written more than 25 books for Microsoft Press and is a contributing editor at Windows IT Pro magazine. Orin has been working in IT since the early 1990s and regularly speaks at events like TechEd in Australia and around the world on Windows Server, Windows Client, System Center, and security topics. He founded and currently runs the Melbourne System Center, Security, and Infrastructure Group. You can follow him on Twitter.