Remote work is now a standard operating model for much of the Australian professional workforce. The security challenges it introduces are well understood, but many businesses still rely on informal arrangements rather than a deliberate controls architecture.
Device Management Is the Foundation
The most significant variable in remote work security is the device. A managed, Intune-enrolled device with current patches, Defender for Business active, disk encryption enabled, and screen lock configured is substantially safer than a personal device with none of these controls. Extending Conditional Access to require a compliant managed device for access to corporate data means the device posture is verified at every authentication.
Home Network Security
Home networks are outside the organisation's control but not entirely outside its influence. Home router firmware updates, WPA3 or strong WPA2 configuration, and a dedicated VLAN or network segment for work devices are all achievable recommendations for remote workers. A zero-trust approach that does not rely on network location for trust decisions — treating home networks the same as public networks — removes the dependency on home network security for corporate access control.
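The two points above (a compliant managed device required at every authentication, and no trust granted on network location) can be checked against a tenant's Conditional Access policies. The following is an added example, not part of the original article: it assumes policies shaped like Microsoft Graph conditionalAccessPolicy objects, and the policy names, the make_policy helper and the strictness rules are constructed for illustration.

```python
# Audit Conditional Access policies for gaps in compliant-device enforcement.
# POLICIES is constructed sample data in the shape of Microsoft Graph
# conditionalAccessPolicy objects; names and values are illustrative.

def make_policy(name, state, operator, controls, exclude_locations=()):
    return {"displayName": name, "state": state,
            "conditions": {"users": {"includeUsers": ["All"]},
                           "applications": {"includeApplications": ["All"]},
                           "locations": {"excludeLocations": list(exclude_locations)}},
            "grantControls": {"operator": operator, "builtInControls": controls}}

POLICIES = [
    make_policy("Compliant device (office exempt)", "enabled", "AND",
                ["mfa", "compliantDevice"], exclude_locations=["AllTrusted"]),
    make_policy("MFA or compliant device", "enabled", "OR",
                ["mfa", "compliantDevice"]),
    make_policy("Compliant device pilot", "enabledForReportingButNotEnforced",
                "AND", ["compliantDevice"]),
]

def device_gaps(policy):
    """Reasons this policy fails to require a compliant device on every sign-in."""
    cond = policy.get("conditions") or {}
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    gaps = []
    if policy.get("state") != "enabled":
        gaps.append("not enforced: state is %s" % policy.get("state"))
    if "compliantDevice" not in controls:
        gaps.append("compliantDevice is not a grant control")
    elif grant.get("operator") == "OR" and len(controls) > 1:
        gaps.append("operator OR lets another control satisfy the policy")
    if "All" not in ((cond.get("users") or {}).get("includeUsers") or []):
        gaps.append("not scoped to all users")
    if "All" not in ((cond.get("applications") or {}).get("includeApplications") or []):
        gaps.append("not scoped to all cloud apps")
    if (cond.get("locations") or {}).get("excludeLocations"):
        gaps.append("excluded locations skip the device check")
    return gaps

def audit(policies):
    """Return (covered, report); covered is True if any policy has no gaps."""
    report = {p["displayName"]: device_gaps(p) for p in policies}
    return any(not gaps for gaps in report.values()), report

if __name__ == "__main__":
    covered, report = audit(POLICIES)
    for name, gaps in report.items():
        print(name, "->", gaps or "OK")
    print("compliant device required everywhere:", covered)
```

User and group exclusions such as emergency access accounts are deliberately not flagged here; review those separately.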
Split Tunnelling Considerations
VPN configurations that use split tunnelling — sending only corporate traffic through the VPN while internet traffic goes directly — introduce a gap in visibility. Internet-bound traffic from a work device is not inspected by corporate security controls. Full-tunnel VPN or DNS filtering that applies to all traffic from managed devices provides better visibility. Microsoft's Global Secure Access (part of the Entra suite) provides this capability without a traditional VPN infrastructure.
Should remote workers use personal devices?
The preference should be for corporate-managed devices. Where personal devices must be used — for contractors, consultants, or staff in specific roles — Mobile Application Management (MAM) through Intune can apply security policies to corporate apps on personal devices without requiring full device management. This is a reasonable middle ground where full MDM enrolment is not practical.


