by satyrnein 1413 days ago
I'm kind of unclear how the device part is supposed to work. Let's assume the work laptop is fully locked down, and employees' personal laptops are completely compromised with each keystroke sent directly to ransomware rings. Are you supposed to block your employees from logging into your SaaS apps and internal web apps from their personal devices? What's the mechanism for that?
1 comments

You generally run an agent on the client machine that verifies machine identity and configuration as part of authentication. Beyond Identity is an example.
Agents on the client can’t really be trusted unless there’s a secure boot and only authorised software is running - at which point it’s not really a personal device any more.
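
Added example, not part of the thread and not any vendor's code: a minimal server-side gate for the mechanism the replies describe, where login is allowed only when an enrolled device presents a fresh, authenticated posture report that meets policy. The device names, policy keys and key material are constructed, and HMAC with a shared key stands in for a device-bound key pair (an assumption of this sketch).

```python
import hashlib
import hmac
import json

# Constructed enrollment table (hypothetical): device id -> key provisioned at enrollment.
ENROLLED = {"corp-laptop-017": b"constructed-demo-key"}
# Hypothetical policy: every listed setting must be reported with this value.
REQUIRED = {"disk_encrypted": True, "secure_boot": True, "os_patched": True}
MAX_AGE = 60  # seconds a posture report stays valid


def sign_posture(key, device_id, nonce, ts, posture):
    """Agent side: MAC over device id, server nonce, timestamp and posture."""
    msg = json.dumps([device_id, nonce, ts, posture], sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def authorize(device_id, nonce, issued_nonce, ts, posture, tag, now):
    """Server side: return (allowed, reason) for one login attempt."""
    key = ENROLLED.get(device_id)
    if key is None:
        return (False, "unknown device")  # e.g. a personal laptop
    if nonce != issued_nonce or abs(now - ts) > MAX_AGE:
        return (False, "stale or replayed report")
    expected = sign_posture(key, device_id, nonce, ts, posture)
    if not hmac.compare_digest(expected, tag):
        return (False, "bad signature")
    # The MAC proves possession of the enrolled key; the posture values are
    # still whatever the agent chose to report.
    failed = sorted(k for k, v in REQUIRED.items() if posture.get(k) != v)
    if failed:
        return (False, "posture: " + ",".join(failed))
    return (True, "ok")
```

The check is only as strong as the protection of the enrolled key and the integrity of the agent reporting the posture, which is the limitation the second reply raises.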