In my last blog post around MDM you'll see that Windows 10 AAD+Intune MDM devices are aimed at users who primarily work outside of your organisation's network. Most likely these users are connected to the internet at their own home, via 4G, at client/customer sites or on public Wi-Fi at Starbucks etc. This isn't a problem, as that's the whole point of it: taking away dependencies on your on-premises infrastructure for patching, management and access to systems is generally a good thing.
But what about when an MDM user comes on-site? What sort of network connectivity do you give them? How much do you trust the device? Here are a few thoughts:
The MDM device is likely to be Wi-Fi only, so how are you going to connect it to your Wi-Fi network? Do you trust it enough to put it on the same VLAN as Wi-Fi devices which are fully managed via AD+ConfigMgr? Bear in mind that, by default, MDM users have admin rights on their devices and no application whitelisting, so they can download and run whatever they like. Do you want these devices to be able to reach your fully managed, AD-bound devices and servers when you lack full control of them?
Personally I would put them onto a Wi-Fi network which sits outside your firewall, where they can only access resources which are based on the internet or published via your DMZ. That is how you designed them to function when they are off-site, so why have them behave any differently when on-site? Intune can be used to deliver a Wi-Fi profile for your organisational network to simplify connecting devices to the Wi-Fi. Your domain-joined, fully trusted devices can continue to connect to a trusted VLAN over Wi-Fi, using certificate auto-enrolment to issue the certificate they authenticate with.
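To make the segmentation above concrete, here is an added example (not from the original post) of a perimeter firewall policy for the MDM Wi-Fi VLAN, written as an nftables ruleset. The interface name and all subnets are assumed placeholders; the policy lets MDM devices reach published DMZ services and the internet but never the internal address space, and logs attempts to do so.

```nftables
# Added example, not part of the original post. Interface and subnets are
# placeholders: adjust to your own environment.
define mdm_wifi = "wlan-mdm"            # interface carrying the MDM Wi-Fi VLAN (assumed)
define mdm_net  = 192.0.2.0/24          # MDM device subnet (documentation range, placeholder)
define dmz_net  = 198.51.100.0/24       # DMZ hosting published services (placeholder)
define internal = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }  # corporate LAN space

table inet mdm_edge {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for sessions the MDM devices opened outbound
        ct state established,related accept
        ct state invalid drop

        # MDM devices may reach services you publish in the DMZ. This rule
        # sits before the internal drop on purpose: if your DMZ uses an
        # RFC1918 range it would otherwise be blocked by the rule below.
        iifname $mdm_wifi ip saddr $mdm_net ip daddr $dmz_net tcp dport { 80, 443 } accept

        # Anything aimed at the corporate LAN from the MDM VLAN is dropped and
        # logged, so a device probing inward shows up in your SIEM.
        iifname $mdm_wifi ip daddr $internal counter log prefix "mdm-to-internal: " drop

        # Everything else from the MDM VLAN is internet-bound and allowed,
        # exactly as it would be from a coffee shop.
        iifname $mdm_wifi ip saddr $mdm_net accept

        # No rule accepts traffic *into* the MDM VLAN, so internal hosts cannot
        # initiate connections to these devices either (chain policy drop).
    }
}
```

Because internal DNS sits inside the dropped range, point the MDM Wi-Fi DHCP scope at DMZ or public resolvers, and enable client isolation on the SSID so devices on the VLAN cannot talk to each other.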
I’d be interested to hear what others think on this topic so comment below…