Face It: You Can't Manage All the Endpoints Accessing Internal Resources

|
July 13, 2026
Conceptual artwork depicting data streams, secure cloud sessions, and endpoint security for hybrid or remote work environments.

Somewhere in your organization right now, a contractor is signed into one of your applications from a laptop you've never managed. An employee is reading a sensitive document on a personal machine at the kitchen table, on a home network it shares with a teenager's gaming PC and a couple of smart speakers. A new hire from the company you acquired last quarter is reaching enterprise resources through an identity system your team doesn't fully own yet.

None of these people are doing anything wrong. They're doing their jobs, on the devices that let them work from anywhere. That arrangement is what hybrid work runs on, and it has paid off in lower costs, faster onboarding, and a workforce that can actually move. Most organizations have no intention of giving that back, and they shouldn't have to.

Here's the uncomfortable part. The security model most companies still lean on assumes you can somehow see and control the endpoint. For a growing share of the endpoint devices touching your applications, you can't. The distance between what your tools were built to protect and where work now happens is exactly where attackers are focused.

Stop Fighting the Device Battle

For twenty years, the reflex has been to push control outward to the endpoint. Install an agent. Stand up a VPN with heavy clients that bundle endpoint security assessment. Route everyone through virtual desktop infrastructure. Require a managed image and a long list of conditions before anyone connects. Those reflexes made sense when the endpoints were yours. It falls apart the moment the device belongs to a contractor, a partner, or an employee who reasonably expects their personal laptop to stay personal.

You can keep fighting that battle. You can demand agents on machines you don't own, then absorb the resistance, the support tickets, and the cost that follows. Or you can notice that you've been fighting a losing battle.

Think about the modern reality of hybrid work and endpoints. A contractor brought on for a three-month project will scoff at the notion of you re-imaging their laptop, and often a contract or national regulation that says they don't have to. A partner's security team answers to its own policies, not yours. An acquired company shows up with its own identity provider and its own fleet of machines, and integrating all of it cleanly can take time and budget you don't have. In every one of these cases, the device sits outside your authority by design, not by accident. Building your defense on controlling it means building on ground you don't own.

What you actually need to protect isn't the endpoint. It's what the endpoint device can reach. Move the unit of control from the endpoint to the session, and the unmanaged-endpoint problem stops being something you solve one device at a time.


The Risk Is Quiet, Ordinary, and Already Here

Attacks that exploit unmanaged devices rarely announce themselves. In a documented 2025 cyberattack on a state government, the entry point was one employee who downloaded a trojanized system administration tool. One download, one unmanaged context, statewide impact. In 2024, a supply-chain attack on Chrome browser extensions reached roughly 2.6 million users and went straight for corporate service credentials. The technique showing up most often now is quieter still: infostealer malware that sits on a personal device, harvests session tokens, and then walks past multifactor authentication by impersonating someone who already logged in.

92%

of successful attacks originated from unmanaged devices (Microsoft DDR, 2024)

46%

of devices with compromised corporate credentials were unmanaged (Verizon 2025 DBIR; SpyCloud)

95%

of organizations permit personal device use for work in some form (NordLayer, 2026)


Your Security Stack Isn't Broken. It Wasn't Built for This Layer.

Firewalls and network controls do what they were designed to do. They secure the path. Endpoint tools secure the machine, when the machine is yours to secure. Neither was built to govern what happens inside a browser session on a device you don't manage, and that's precisely where the modern workday lives. Email, SaaS applications, internal tools, AI assistants, file sharing: nearly all of it now runs in a browser tab.

Most security stacks have this browser security gap, not because anyone made a poor call, but because the layer where work concentrated barely existed as a category when those investments were made. VPNs and VDI can stretch to cover unmanaged devices, but they carry their own weight in security issues, cost, management overhead, and the friction users quietly learn to route around. Closing the gap cleanly takes a different approach, not a heavier version of the old one.

A Better Place to Draw the Line

This is the shift Menlo is built around. Instead of trusting the endpoint  or straining to manage it, Menlo Secure Application Access puts the Menlo Cloud between the unmanaged device and your applications. Web content runs in the Menlo Cloud, never on the endpoint, while the person keeps working in the Chrome or Edge browser they already had open. Nothing changes for them, but a lot changes for you.

Because the endpoint never touches the application directly, a compromised device can't reach it. Parameter tampering, web scraping, API abuse, cookie manipulation, session hijacking, exploitation of flaws like Log4j: none of it lands, because the attacker is interacting with an isolated browser in the cloud rather than your application. Even on a device that's already infected, the threat actor can't get to the HTTP/S headers, the content, or the system behind them. The session becomes the line of defense, and the line holds.

That same position opens up more defenses. Menlo inspects files before they move, so an infected upload never reaches your storage. And it applies data controls by user, group, geography, or IP range, so a contractor on an unmanaged device can operate under stricter rules than a full-time employee without anyone standing up two parallel systems to make that happen. 

It also gives your team something the old model couldn't: a clear view of what actually happened. Because sessions run through the cloud browser, security and forensics teams can watch browsing activity in near real time instead of reconstructing it from network and SIEM logs after the fact, and they can record sessions by category, threat type, or user when an investigation calls for it.

Protection That Doesn't Punish the Work

Most security controls protect data by getting in the way. They block the upload, freeze the workflow, and quietly teach people to find a detour. Over time, security that frustrates becomes security that gets bypassed, which is how well-meaning policy turns into shadow risk.

Menlo applies its data controls inside the session instead. Copy and paste rules, watermarking, redaction, read-only modes, and protection on permitted uploads all apply in real time, while the work keeps moving. Your people stay productive. Your data stays inside your control. The trade-off between security and productivity that everyone has been taught to accept turns out to be optional.

Simple Enough to Actually Deploy

The practical objection to all of this is deployment, and a fair concern for previous approaches. Menlo Secure Application Access deploys without agents or infrastructure changes. There are no certificates to import, no DNS changes to make, no network to rebuild. To bring someone onto an unmanaged device, you hand them a URL, a username, and a password, and that's the entire setup. Onboarding the users from an acquisition or keeping contractors on their own identity provider while granting them the same access as employees, becomes a setting rather than a project.

This point is something to remember: The browser is no longer just where people work. It's fast becoming where AI agents work too, authenticating and acting at machine speed through the very same sessions. Securing access at the session layer isn't just the answer to today's unmanaged-device problem. It's the foundation for whatever connects to your applications next, whether that's a person or a process.

You're not Going to Manage Every Device That Reaches Your Business. You Were Never Going to.

The reassuring part is that you don't need to. Secure the session, and the device stops being the thing that keeps you up at night.

Menlo Security

menlo security logo
linkedin logotwitter/x logoSocial share icon via eMail
See the Menlo Browser Security Platform in Action