
Secure BYOD Without an MDM

Bring your own device (BYOD) is the new normal.

Employees demand access from anywhere, any time. And many use personal mobile devices – iOS and Android – to access corporate applications, whether that’s work email, calendar, contacts or other sensitive data.

As more enterprise applications enable mobile workflows, employee reliance on using personal devices for work will continue to increase.

At Duo, we have seen this trend for years. Our recent research of nearly half a billion authentication events shows an upward trend in enterprise application access from non-office networks. Our data shows that the number of unique networks customers and enterprise organizations authenticate from grew 10 percent from 2017 to 2018.

For more than a decade, security practitioners have turned to mobile device management (MDM) solutions to secure remote and personal mobile devices. MDM solutions, however, introduce several challenges. For one, users are skeptical about installing MDM on their personal devices; they are concerned that admins can glean personal information and could control how they use their devices. Users fear admins could block camera access, prevent copy and paste, or limit other functionality. Yet when users do not install MDM on their devices, admins do not get visibility into the security posture of those devices. It’s a vicious cycle that stalls BYOD security programs, while increasing the risk exposure for organizations.

Last year we launched Duo Beyond, an alternative to MDM that our customers use to secure their employees’ personal, non-corporate-managed devices in a user-friendly way. A year later, we are happy to report that hundreds of customers take advantage of this functionality.

Our approach does not rely on collecting personal information about users or their devices. Rather, we only check the security status associated with devices, such as passcode, biometrics, encryption, OS version, etc. Users can easily review what information is checked. Users embrace this approach, which enables admins to quickly deploy to thousands of users within days.

Let’s review a few use cases and customer stories that illustrate how customers use Duo to secure BYOD:

First, our customers want an easy way to gather visibility into all devices – managed and unmanaged – accessing their environment. Duo offers Unified Endpoint Visibility, which provides a single dashboard view of all device platforms – iOS, Android, Windows, macOS and ChromeOS. Furthermore, admins can generate device reports and logs with a few clicks to help them meet audit and compliance requirements. To learn more about Unified Endpoint Visibility, check out our blog. One of our customers, Proquest, deployed Duo and immediately discovered more than 1,000 user-owned devices had been accessing their environment. Learn more about how Proquest uses Duo.

Along with visibility, a real win for our customers is preventing risky devices from accessing sensitive company data. Duo offers a policy framework that allows admins to set up custom security policies for each application. One of our customers, Zenefits, an HR management company, uses Duo to check whether a user’s personal mobile device meets the corporate security criteria every time that device is used to access a sensitive app. If mobile devices do not meet security requirements, users are asked to enable specific security controls, such as a passcode, or they are blocked from accessing their work applications. With Duo, Zenefits can meet HIPAA and SOC 2 compliance requirements easily and without additional user burden. Read more about Zenefits here.

Furthermore, we have customers who want to preserve their existing investment in MDMs. For these customers, we offer integrations with leading MDM vendors such as AirWatch, MobileIron, Sophos and more. Through these integrations, when a user tries to access an application, Duo checks for the presence of a management agent. If the device does not have MDM installed, Duo either prompts the user to enroll in the enterprise MDM or blocks access.

For more information on alternatives to MDM, speak with your account executive or start a free trial at