[wl]

I think IT departments also tend to underestimate the risk they pose when they manage machines. Look at Stryker, where intruders used Intune to wipe all the company's devices. The ability to do that shouldn't exist, but the IT department happily rolled out the means of their own destruction in the name of compliance and making their lives easier.

[macNchz]

Device management is definitely a big hole to punch into each machine, but, once you're above a handful of staff, managing devices manually is not really tenable, and I do think the restrictions provided by device management have tangible benefits (it's amazing what people will download and run without a thought).

Arguably the risks of the MDM should be assessed and mitigated with some kind of defense in depth approach—highly sensitive things like bulk wipe disabled with multi-person approval required to re-enable, hardware MFA requirements, anomaly detection + alerting for weird behavior, etc etc. I'd argue the risks stem more from badly configured MDM where a compromise of one sysadmin's browser has a company-wide blast radius, rather than the fundamental presence of device management itself.

[wl]

I think I'm probably coming at this from a different perspective than IT people.

I've worked on IoT products where we've deployed fleets of thousands of devices without user interfaces placed all over the world in random, inaccessible places, hanging off cellular radios. We're definitely not managing those manually. Architecting management systems for that is always interesting. Sometimes the question would come up, "why don't we do X?" where X necessarily included the ability to brick the entire fleet (and probably kill the company) in 5 minutes. My philosophy was that certain things are too dangerous to exist, no matter how useful they might be.

[darkwater]

Are you IoT devices ALSO used by humans directly, where they would be forced to have some admin permission to do their work if there was no MDM system?

MDM are clearly a possible SPOF for certain attack vectors, but are also the only defense against others (unless you want to hire a legion of IT helpdesk specialists)

[dehrmann]

There are also individual-level risks. If you capture everything, you might capture bank account numbers when setting up direct deposit or credit card numbers from corporate purchases (these are clearly valid uses of company equipment). In a only slightly less valid use, you might submit a medical claim (using a company benefit), and surveillance software gets part of your medical record.

There are underappreciated liabilities companies take on with this monitoring.