The 2025 BYOD Playbook: Practical steps for scalable security

This week we continue our series exploring bring your own device (BYOD) in 2025. The state of BYOD in the workplace has evolved since its pandemic-era popularity. As BYOD policies adapt in 2025, managed service providers (MSPs) face mounting pressure to secure an expanding attack surface while balancing employee flexibility with corporate security. Industry experts advocate layered defenses, continuous verification, and the idea that corporate-owned devices can be more sensible than personal ones in certain contexts.

Reining in mobile attack surfaces

Chris Ortbal, Chief Product Officer at Tangoe, tells SmarterMSP.com that BYOD was meant to simplify mobility and cut costs, but visibility became a real issue in 2025. “The moment a personal device touches corporate email, Teams, or an ERP app, it becomes part of your attack surface, even if IT never enrolled it,” Ortbal says. Any share of business smartphones left outside mobile device management (MDM) or unified endpoint management (UEM) is therefore an unmonitored target for attackers.

“We’re seeing a quiet shift back to corporate-liable devices in large enterprises. It’s not that BYOD never worked, but scale, regulation, and hybrid work exposed hidden costs and risks,” Ortbal explains, citing employee stipends, supporting multiple OSes, and enforcing on-device security as examples. He notes that when a large percentage of employees use two or more devices and IT headcount shrinks, complexity becomes a security issue.

“A corporate-owned, pre-approved fleet gives MSPs real leverage—you can standardize images, automate enrollment, integrate UEM with IAM, and ensure mobile threat defense from day one,” Ortbal says, adding that this approach reduces unmanaged entry points into the business.

The hybrid reality

Cam Roberson, vice-president of Beachhead Solutions, explains that BYOD has swung from pandemic ubiquity to a middle ground as workers return to offices. “Most still carry personal devices—and company data—with them. For MSPs, that hybrid reality means the attack surface never really shrank,” Roberson notes, pointing out that every laptop, tablet, or phone connecting to a corporate network, whether company-owned or employee-owned, is both a potential entry point and a place where corporate data resides.

“MSPs can’t always control what enters the network, but layered access controls protect what goes out,” he adds. Roberson highlights a mature, layered defense built on encryption that tracks data across devices, enforces least-privilege access to limit damage from compromised credentials, and centralizes risk management across every endpoint. “The tidy perimeter of the past isn’t coming back, so security must travel with the data itself. MSPs that build layered, identity-driven defenses will lead in this post-BYOD era—where protection is continuous, portable, and built to survive compromise,” Roberson says.

The MSP strategy

AJ Thompson, CCO at UK-based Northdoor, outlines actions MSPs can take to safeguard networks amid a diverse device ecosystem.

  1. Adopt zero trust with ongoing checks. Thompson argues that you can’t simply trust a device because it’s inside the network. “Every access attempt should involve continuous checks of identity and device health. Multi-factor authentication is vital but so is monitoring user behavior and the device’s security state.” He notes that 75 percent of organizations already use some form of multi-factor or risk-based authentication, and firms that implement continuous verification see security incidents drop by about half. “Verification in a BYOD environment must be continuous and context-aware. When done well, it cuts security incidents in half.”
  2. Use Unified Endpoint Management with containerization. Thompson explains that MSPs need tools that manage and secure many device types consistently. “Unified endpoint management platforms enforce security while respecting user privacy by separating work and personal apps,” he says, adding that this also allows remote wiping of corporate data if a device is lost, without touching personal information.
  3. Use AI-powered network monitoring. With so many devices, lost visibility is itself a risk: about 64 percent of organizations report insufficient visibility into the devices on their networks, which can hide early-stage threats. “AI tools help spot unusual activity quickly so MSPs can respond faster,” Thompson says.
  4. Consider secure browsers and SASE architectures. As cloud and browser usage grows, securing browser sessions on personal devices reduces data leakage risk. Pairing this with secure access service edge enforces security policies no matter where or how staff connect. Thompson notes that BYOD-related incidents can halt operations and ripple out to affect customer and partner networks.
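
The four actions above meet in a single place: the access decision. Identity signals and UEM-attested device posture are re-evaluated on every request, an unmanaged personal device is kept away from sensitive apps, and a stale signal sends the user back through verification instead of being silently allowed. The Python policy evaluator below is an added example written for this article, not code from Northdoor or from any UEM, MTD or IAM vendor; the signal names, thresholds, resource names, the 10.0.0.0/8 corporate range and the scenarios at the bottom are all assumptions constructed for illustration.

```python
"""Context-aware access decision for a BYOD/hybrid fleet (illustrative example).

Each request is judged on identity freshness (MFA age, device familiarity) and
on the device posture last attested by UEM/MDM and mobile threat defense (MTD).
Field names, thresholds and the corporate address range are assumptions made
for this example; they are not any vendor's schema or defaults.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
import ipaddress


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"    # fresh MFA and/or UEM re-attestation required first
    DENY = "deny"


@dataclass(frozen=True)
class DevicePosture:
    """Device health as last attested by UEM/MDM and MTD (assumed fields)."""
    enrolled: bool           # managed by UEM/MDM, work container present
    disk_encrypted: bool
    jailbroken: bool         # rooted/jailbroken according to MTD
    mtd_clean: bool          # MTD reports no active threat
    os_patch_age_days: int   # days since the last OS security update
    attested_s_ago: int      # seconds since UEM last attested this posture


@dataclass(frozen=True)
class Request:
    """One access attempt plus the identity context it arrives with."""
    user: str
    resource: str            # e.g. "mail", "teams", "erp"
    source_ip: str
    mfa_age_s: int           # seconds since the user's last successful MFA
    device_known: bool       # this device fingerprint was seen before for this user


# Policy constants: assumed values for this example, not vendor defaults.
SENSITIVE = frozenset({"erp", "finance"})
CORP_NETS = (ipaddress.ip_network("10.0.0.0/8"),)
MAX_PATCH_AGE_DAYS = 30
MAX_ATTEST_AGE_S = 15 * 60        # posture older than this must be re-attested
MAX_MFA_AGE_S = 60 * 60           # MFA older than this must be repeated ...
SENSITIVE_OFFNET_MFA_S = 5 * 60   # ... much sooner for sensitive apps reached off-net


def on_corp_net(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_NETS)


def evaluate(req: Request, posture: DevicePosture) -> tuple[Decision, list[str]]:
    """Evaluate one access attempt; return the decision and the reasons behind it."""
    # 1. Hard stops: device states that no re-authentication can cure.
    if posture.jailbroken:
        return Decision.DENY, ["device is rooted/jailbroken"]
    if not posture.mtd_clean:
        return Decision.DENY, ["mobile threat defense reports an active threat"]
    if not posture.disk_encrypted:
        return Decision.DENY, ["device storage is not encrypted"]
    if req.resource in SENSITIVE:
        if not posture.enrolled:
            return Decision.DENY, [f"unmanaged device may not reach {req.resource}"]
        if posture.os_patch_age_days > MAX_PATCH_AGE_DAYS:
            return Decision.DENY, [
                f"OS patch level is {posture.os_patch_age_days}d old "
                f"(limit {MAX_PATCH_AGE_DAYS}d) for {req.resource}"
            ]

    # 2. Soft failures: cured by a fresh check rather than a refusal.
    reasons: list[str] = []
    if posture.attested_s_ago > MAX_ATTEST_AGE_S:
        reasons.append("device posture is stale; UEM must re-attest it")
    if req.mfa_age_s > MAX_MFA_AGE_S:
        reasons.append("MFA is older than the policy window")
    if not req.device_known:
        reasons.append("first sighting of this device for this user")
    if (req.resource in SENSITIVE and not on_corp_net(req.source_ip)
            and req.mfa_age_s > SENSITIVE_OFFNET_MFA_S):
        reasons.append(f"off-network access to {req.resource} needs fresh MFA")

    if reasons:
        return Decision.STEP_UP, reasons
    return Decision.ALLOW, ["identity and posture checks passed"]


if __name__ == "__main__":
    # Constructed scenarios, not real telemetry.
    managed = DevicePosture(enrolled=True, disk_encrypted=True, jailbroken=False,
                            mtd_clean=True, os_patch_age_days=5, attested_s_ago=120)
    personal = DevicePosture(enrolled=False, disk_encrypted=True, jailbroken=False,
                             mtd_clean=True, os_patch_age_days=90, attested_s_ago=0)
    scenarios = [
        (Request("alice", "mail", "10.1.2.3", mfa_age_s=600, device_known=True), managed),
        (Request("alice", "erp", "203.0.113.7", mfa_age_s=900, device_known=True), managed),
        (Request("bob", "erp", "10.1.2.4", mfa_age_s=60, device_known=True), personal),
    ]
    for req, post in scenarios:
        decision, why = evaluate(req, post)
        print(f"{req.user:6} {req.resource:5} -> {decision.value:8} {'; '.join(why)}")
```

The split between hard denials and step-up conditions is the practical core of "continuous, context-aware" verification: a rooted device or an active MTD detection is refused outright, while a stale attestation, an aged MFA or an unfamiliar device sends the user back through verification on that request rather than on the next login. For a device that is not enrolled, the posture fields are only whatever the identity provider can self-collect and are correspondingly less trustworthy, which is why the policy requires UEM enrolment for sensitive resources before it looks at posture at all.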

Closing thoughts

“BYOD in 2025 highlights the delicate balance between empowering employees and securing critical assets,” Thompson concludes. “MSPs and CISOs who blend adaptive, user-friendly security technologies with evolving policies and education will be best positioned to thrive in this evolving landscape.”

This post originally appeared on Smarter MSP.