How to Discover Unmanaged Devices

by Team Ninja

Key Points

  • Unmanaged devices pose critical risks: BYOD, IoT, and remote worker endpoints increase cyber breach likelihood by 71%, with over 90% of ransomware attacks originating from unmanaged devices.
  • Definition & prevalence: Unmanaged devices are IP-connected endpoints without agents or configurations; studies show up to 69% of networks contain them, often outnumbering managed devices.
  • High-risk categories: IoT and smart devices (routers, printers, cameras, switches) are frequent attack vectors exploited for ransomware, infostealers, and lateral movement.
  • Challenges amplifying risk: Misconfigurations, default credentials, poor asset management, lack of segmentation, and insufficient monitoring heighten vulnerabilities.
  • Best practices for defense: Enforce policies for device onboarding, conduct continuous monitoring/logging, perform risk assessments, train employees, and apply network segmentation to reduce exposure.

The trend toward hybrid work environments has compelled businesses to consider how to safeguard their organizations against the increased use of “bring your own device” (BYOD) endpoints and other emerging devices. This is no small challenge, as MSPs know. The rise of the remote worker presents one of the biggest changes to the overall cybersecurity landscape that we’ve ever encountered. 

And all of these new, remote devices present a unique risk to your clients. On average, undiscovered BYOD endpoints are 71% more likely to be part of a cyber breach. We know why this is, of course. When security and IT teams lack full visibility into the devices on a network, they have limited ability to set the correct security settings and configurations, run updates, and patch OS and software vulnerabilities.

Undiscovered devices pose a threat that every IT professional should be aware of. In this article, we’ll discuss common methods for identifying and securing undiscovered and unmanaged devices, as well as implementing policies that minimize this particular threat. 

What are the risks of unmanaged endpoints?

BYOD and remote workers aren’t a new phenomenon. MSPs have been managing them for years as enterprise networks add a steady stream of new devices that are outside of the IT department’s control. Moves toward mobility and IoT have led to numerous unmanageable endpoints that represent a clear security risk. 

Smart lighting, Bluetooth keyboards, smart TVs, surveillance cameras, printers, network switches, and routers are all connected devices that often lack any built-in security. When threat actors probe a network for weaknesses, these devices afford an easily exploitable blind spot. 

For instance, unmanaged devices have been proven to be effective entry points for ransomware. In fact, according to a 2024 report by Microsoft, more than 90% of successful ransomware attacks originated from unmanaged devices in the network. Likewise, a 2025 Data Breach Investigations Report by Verizon found that 46% of systems compromised by an infostealer with possible corporate login data were non-managed devices.

What constitutes an “unmanaged device”?

Unmanaged devices are defined as IP-connected devices that lack an installed agent or configuration solution and are not protected by an endpoint agent.

According to a 2019 Forrester survey, 69% of respondents reported that half or more of the devices on their networks were either unmanaged or IoT devices outside their visibility. Additionally, 26% of them reported having three times as many unmanaged devices as managed devices on their networks. The study also showed that 79% of enterprise security professionals were very to extremely concerned about device security.

How to discover unmanaged devices on the network

Finding unmanaged devices isn’t easy. An MSP can’t simply ask Active Directory to show any device not being managed. It’s possible to compare AD data and network management software manually, but this is a time-consuming and error-prone method. 

What most MSPs use (or need) is a solution that can automatically correlate and deduplicate data to put them on the fastest road to correcting the problem.

Types of data needed when searching for unmanaged devices

In your typical manual hunt for unmanaged devices, you’ll need the following data sources:

  • Network/Infrastructure Data: Gain visibility into all devices within an environment by accessing the network infrastructure
  • Directory Services: Services like Active Directory or Azure AD (rebranded as Entra ID) that authenticate users and devices
  • Endpoint Management Solutions: Services like SCCM and Jamf Pro
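The manual hunt described above is essentially a correlation and deduplication job across the three data sources. The following is an added example, not code from the original article or from NinjaOne; it reconciles constructed sample exports (a switch/DHCP sighting list, Active Directory computer account names, and an SCCM/Jamf hostname list, all invented for illustration) to classify each device as managed, domain-joined without an agent, or entirely unknown. The MAC and hostname normalization is the part that matters: the same laptop typically shows up as `LAPTOP-01.corp.example` in one system, `LAPTOP-01$` in AD, and `001a.2b3c.4d5e` in a switch table, and without normalization it is counted three times.

```python
"""Reconcile network, directory and endpoint-management data to find
unmanaged devices. All sample records below are constructed for the example."""


def norm_mac(mac: str) -> str:
    """Normalise any common MAC format (aa-bb, AA:BB, aabb.ccdd) to lowercase colon form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def norm_host(name: str) -> str:
    """Strip DNS suffix, AD's trailing '$' and case so all sources agree on a hostname."""
    return name.split(".")[0].strip().lower().rstrip("$")


# Constructed "network/infrastructure" export: DHCP leases and switch MAC tables,
# deliberately containing the same laptop twice in two different MAC formats.
NETWORK_SEEN = [
    {"mac": "00-1A-2B-3C-4D-5E", "ip": "10.0.10.21", "hostname": "LAPTOP-01.corp.example"},
    {"mac": "001a.2b3c.4d5e",    "ip": "10.0.10.21", "hostname": "laptop-01"},
    {"mac": "AA:BB:CC:DD:EE:01", "ip": "10.0.10.77", "hostname": "printer-hp"},
    {"mac": "aa:bb:cc:dd:ee:02", "ip": "10.0.10.90", "hostname": ""},  # no name: typical IoT
    {"mac": "aa:bb:cc:dd:ee:03", "ip": "10.0.10.12", "hostname": "DESKTOP-07"},
    {"mac": "de:ad:be:ef:00:01", "ip": "10.0.10.33", "hostname": "jsmith-macbook"},
]
# Constructed directory-services export: AD computer sAMAccountNames.
DIRECTORY = ["LAPTOP-01$", "DESKTOP-07$", "SRV-FILE01$"]
# Constructed endpoint-management export: hostname -> tool that has an agent on it.
ENDPOINT_MGMT = {"laptop-01": "sccm", "jsmith-macbook": "jamf"}


def find_unmanaged(network, directory, endpoint_mgmt):
    """Merge network sightings by MAC, then classify each physical device."""
    dir_names = {norm_host(n) for n in directory}
    mgmt = {norm_host(h): tool for h, tool in endpoint_mgmt.items()}
    devices = {}
    for row in network:
        mac = norm_mac(row["mac"])
        dev = devices.setdefault(mac, {"mac": mac, "ips": set(), "hostname": ""})
        dev["ips"].add(row["ip"])
        if row.get("hostname") and not dev["hostname"]:
            dev["hostname"] = norm_host(row["hostname"])
    for dev in devices.values():
        host = dev["hostname"]
        dev["in_directory"] = host in dir_names
        dev["managed_by"] = mgmt.get(host)
        if dev["managed_by"]:
            dev["status"] = "managed"
        elif dev["in_directory"]:
            # Known to AD but no agent reports on it: patching/config state is a guess.
            dev["status"] = "unmanaged: domain-joined, no agent"
        else:
            dev["status"] = "unmanaged: unknown device"
    return sorted(devices.values(), key=lambda d: d["mac"])


def unmanaged_only(devices):
    """Filter the reconciled list down to what actually needs attention."""
    return [d for d in devices if d["status"] != "managed"]


if __name__ == "__main__":
    for d in unmanaged_only(find_unmanaged(NETWORK_SEEN, DIRECTORY, ENDPOINT_MGMT)):
        print(f'{d["mac"]}  {d["hostname"] or "<no name>":<16} {sorted(d["ips"])}  {d["status"]}')
```

On the constructed data this reports the printer, the nameless IoT device and `DESKTOP-07` (in AD, but with no SCCM or Jamf record) while the laptop, seen twice, is counted once and classified as managed. In a real run the three lists would come from your switch/DHCP exports, an AD query and the SCCM or Jamf API, and the domain-joined-without-agent bucket is usually the most actionable one, because those are the machines you can onboard immediately.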

Using Microsoft Defender to Discover Unmanaged Devices

Microsoft has added the ability to discover and secure unmanaged endpoints and network devices to Microsoft Defender XDR, which consolidates Defender products, including Microsoft Defender for Endpoint, Entra ID (formerly Azure AD), and Security Copilot. Since this is an integrated feature, no hardware or software deployment is required within compatible IT environments.

Once network devices are discovered using this method, IT administrators will receive the latest security recommendations and information on vulnerabilities for those devices. Discovered endpoints can be onboarded to Microsoft Defender for Endpoints. 

Native Microsoft solutions carry obvious limitations. Most MSPs require an OS/technology agnostic solution that can discover any device within any environment. 

Using NinjaOne to Discover Unmanaged Endpoints

NinjaOne makes it easy to ensure that all endpoints are fully managed through automated asset discovery and deployment using Microsoft Active Directory. Scheduled, periodic scans can identify unmanaged devices and deploy a management agent to the asset seamlessly. SNMP-enabled devices are also easily discoverable by the integral network monitoring probe.

All assets are automatically groupable and searchable by collected data points, making it incredibly fast and easy to find and manage an asset. With flexible custom fields, you can collect almost any data on an endpoint for device classification and management.

If you want to dive deeper, check out our IT Asset Management FAQ to learn more about ITAM.

How to keep unmanaged endpoints off of the network

In an ideal world, finding and managing unauthorized devices would not be necessary. In real operational networks, however, new devices will always find their way onto the network. MSPs and their clients can take steps to reduce the number of unauthorized and unmanaged devices on the network and identify who is responsible for these devices.

According to the CISA access management FAQ, the following actions can be taken to reduce the number of unauthorized and unmanaged devices that appear on the network:

  • Policy can require administrators to put new devices into the desired state inventory before adding them to the network. Often system administrators connect new devices, then patch and configure them on the production network. This provides a window for the devices to be compromised. Additionally, the devices are often added to the network before being recorded in Active Directory (or whatever other source of desired-state data is in use). Getting administrators to keep the desired state up to date (edited before the machine appears) will reduce the number of Hardware Asset Management risk conditions.
  • Logging can track when unauthorized and unmanaged devices are connected to the network, where they are connected, and who has logged onto them. All this data can help investigate who connected the devices. Once the person is found, letting them know what is expected can prevent the creation of these risk conditions.
  • Employees will need to be trained. There should be consequences for individuals who frequently connect unauthorized devices, even after receiving due warning. While such actions won’t eliminate all unauthorized and unmanaged devices, they can lower the incidence rates, which is a positive step.
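The first two steps above combine naturally: if the desired-state inventory is populated before a device is plugged in, then any device that appears in the logs without an inventory entry is, by definition, unauthorized, and the logs can answer when it appeared, where it was connected and who used it. The following is an added example, not code from the article, CISA or NinjaOne. It runs over constructed syslog-style lines in three formats (DHCP acknowledgements, switch port learning events and authentication logons) whose exact layout is an assumption made for the example; it correlates them by MAC and IP and emits one alert record per unregistered device.

```python
"""Flag devices seen in network logs that have no desired-state inventory entry,
and enrich each alert with when/where/who. Log lines and inventory are constructed."""
import re

# Constructed desired-state inventory: entered by the admin BEFORE the device is connected.
DESIRED_STATE = {
    "00:1a:2b:3c:4d:5e": {"hostname": "laptop-01", "owner": "asmith"},
    "aa:bb:cc:dd:ee:03": {"hostname": "desktop-07", "owner": "jdoe"},
}

# Constructed log lines; the formats are assumptions for this example, not a real product's.
LOG_LINES = """\
2024-05-02T08:14:03Z dhcpd: DHCPACK on 10.0.10.21 to 00:1a:2b:3c:4d:5e (laptop-01) via eth1
2024-05-02T08:14:20Z dhcpd: DHCPACK on 10.0.10.90 to aa:bb:cc:dd:ee:02 (smart-tv) via eth1
2024-05-02T08:14:22Z sw-core-1: port Gi1/0/12 learned aa:bb:cc:dd:ee:02 vlan 10
2024-05-02T08:16:40Z dhcpd: DHCPACK on 10.0.10.55 to de:ad:be:ef:00:09 (jsmith-tablet) via eth1
2024-05-02T08:16:41Z sw-floor-2: port Gi2/0/3 learned de:ad:be:ef:00:09 vlan 10
2024-05-02T08:17:05Z auth: user jsmith@corp.example logged on from 10.0.10.55
""".splitlines()

LEASE_RE = re.compile(r"^(\S+) dhcpd: DHCPACK on (\S+) to ([0-9a-f:]{17}) \((.*?)\) via")
PORT_RE = re.compile(r"^(\S+) (\S+): port (\S+) learned ([0-9a-f:]{17}) vlan (\d+)")
LOGON_RE = re.compile(r"^(\S+) auth: user (\S+) logged on from (\S+)")


def parse_events(lines):
    """Build one record per MAC: first sighting, lease, switch port, and any logons."""
    by_mac, ip_to_mac = {}, {}
    for line in lines:
        if m := LEASE_RE.match(line):
            ts, ip, mac, name = m.groups()
            rec = by_mac.setdefault(mac, {"mac": mac, "first_seen": ts, "users": []})
            rec["first_seen"] = min(rec["first_seen"], ts)  # ISO-8601 sorts lexically
            rec.update(ip=ip, hostname=name)
            ip_to_mac[ip] = mac
        elif m := PORT_RE.match(line):
            ts, switch, port, mac, vlan = m.groups()
            rec = by_mac.setdefault(mac, {"mac": mac, "first_seen": ts, "users": []})
            rec["first_seen"] = min(rec["first_seen"], ts)
            rec.update(switch=switch, port=port, vlan=int(vlan))
    # Second pass: logons carry an IP, not a MAC, so resolve them through the leases.
    for line in lines:
        if m := LOGON_RE.match(line):
            _ts, user, ip = m.groups()
            if (mac := ip_to_mac.get(ip)) is not None:
                by_mac[mac]["users"].append(user)
    return by_mac


def detect_unregistered(lines, desired_state):
    """Alert on every device seen on the wire that has no inventory entry, oldest first."""
    alerts = [r for mac, r in parse_events(lines).items() if mac not in desired_state]
    return sorted(alerts, key=lambda r: r["first_seen"])


def format_alert(a):
    """Human-readable line answering when / where / who for one unregistered device."""
    where = f'{a.get("switch", "?")} {a.get("port", "?")} vlan {a.get("vlan", "?")}'
    who = ", ".join(a["users"]) or "no logon seen"
    return f'{a["first_seen"]} UNREGISTERED {a["mac"]} ({a.get("hostname", "?")}) at {where}; user: {who}'


if __name__ == "__main__":
    for alert in detect_unregistered(LOG_LINES, DESIRED_STATE):
        print(format_alert(alert))
```

On the constructed input the registered laptop is silent, the smart TV is flagged with its switch port and no associated user, and the tablet is flagged with its port and the account that logged on from its lease address, which is exactly the follow-up information the second bullet calls for. Feeding real DHCP, switch and authentication logs into the same structure only requires replacing the three regular expressions.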

Challenges around unmanaged devices

While unmanaged devices pose inherent security risks, several factors can influence the extent of the danger they represent. IT providers and organizations should be aware of these challenges and threat multipliers:

Failure to conduct risk assessments

As with the rest of the network, it’s vital to perform risk assessments on unmanaged devices. Are there any known vulnerabilities or configuration issues? This can be difficult when you can’t put an agent on the device, so a flexible (and tech-agnostic) device discovery tool and agent can be invaluable.

Innately risky devices

Certain devices come with serious issues that will be tough to guard against.

Peer-to-peer (P2P) devices are notoriously difficult to secure, and research has shown that they can be accessed remotely over the internet, even through a firewall, because they are configured to continuously find ways to connect to a global shared network.

It’s essential to evaluate IoT tools and hardware to identify potential risks and prevent P2P exploits. You should also investigate the device’s firmware update policy and keep these devices updated (as always).

Default configurations/misconfiguration

Configuration issues have led to many data breaches. Widely-known default configs can hand cybercriminals the keys to your network. Simple steps such as changing or deleting the default admin login for your security cameras can significantly enhance your security. Passwords and credentials should be carefully managed, and users should be wary of undocumented backdoor accounts.

Misconfiguration is another big problem. Aside from access control mishaps, users often leave unnecessary features enabled, such as Universal Plug and Play (UPnP), or inadvertently open ports that can serve as entry points for attackers.

Lack of network segmentation

Putting a firewall between every device and the internet can prevent hackers from side-stepping through the network. IT professionals should implement network segmentation by categorizing unmanaged devices into their own network segments, separate from corporate devices and the guest network. This will stop threat actors from using an unmanaged device as an entry point and then moving laterally to exfiltrate data or install malware. There are ways to bypass segmentation, even if you follow all the network segmentation best practices, but this measure is still worth pursuing.

Poor asset management

Any list of cybersecurity best practices — including NIST’s Cybersecurity Framework — will tell you that identifying all the devices on your network is foundational to security. It’s not enough just to scan your network for physically connected devices; devices that connect via Wi-Fi and Bluetooth must also be managed. 

Lack of continuous monitoring

The majority of unmanaged devices are more difficult to scan than traditional computers connected to a network, so it’s all the more important to monitor their usage and behavior and look for anything suspicious. Log collection, machine learning, and SIEM/SOC all play a role in the modern cybersecurity stack for this key reason.

Partnering with NinjaOne

Complete visibility is critical to effective management. NinjaOne is here to help MSPs manage their business efficiently and securely. Thousands of users rely on our cutting-edge RMM platform to navigate the complexities of modern IT management. 

Not a Ninja partner yet? We still want to help you streamline your managed services operation! Visit our blog for MSP resources and helpful guides, sign up for Bento to get important guidance in your inbox, and attend our Live Chats for one-on-one discussions with channel experts. 

If you’re ready to become a NinjaOne partner, schedule a Demo or Start Your 14-day Trial to see why over 10,000 customers have already chosen Ninja as their partner in secure remote management.

FAQs

Unmanaged devices are IP-connected endpoints (like BYOD laptops, IoT devices, or smart hardware) that lack endpoint agents or configuration management. They operate outside IT visibility, making them prime targets for cyberattacks.

Unmanaged devices increase the likelihood of breaches by 71% and are often the entry point for ransomware and infostealers because they lack proper patching, monitoring, and security controls.

High-risk categories include IoT devices, smart TVs, printers, routers, cameras, switches, and personal BYOD endpoints, many of which ship with weak or default security settings.

Discovery requires correlating data from network infrastructure, Active Directory/Entra ID, and endpoint management solutions (like SCCM or Jamf). Automated scans and continuous monitoring can help identify hidden devices.

IT teams should enforce onboarding policies, require inventory registration before granting network access, log unauthorized devices, implement network segmentation, and train employees on the secure use of devices.

According to Microsoft, over 90% of ransomware attacks originate from unmanaged endpoints, which attackers exploit due to missing patches, poor configurations, or open network pathways.

By isolating unmanaged devices into separate network segments, organizations can limit lateral movement, thereby reducing the likelihood that a single compromised endpoint will lead to a full-network breach.
