Back in the mid-90s when I worked on the helpdesk at an Australian University, the University organized site licenses of anti-virus software so that anyone who was a student or a staff member at the University was able to get a free copy to install on their personal computer. The University’s thinking was that unless these computers were protected, they would likely become a vector for infecting computers owned by the University, either indirectly through email and document-borne viruses or directly through self-replicating worms that would attack when these personal computers were connected to the University network.
Today more and more organizations are allowing people to bring their personal machines to the office to use as their primary workstations. The problem with personal machines is that their digital hygiene depends very much on the person operating them. The majority of non-IT people aren’t very good when it comes to ensuring that their computers are kept up to date, and the hygiene of those systems is likely to be a threat to the organization.
So how does an organization stay secure when the organization’s documents are commonly created and edited on computers that have problematic hygiene? One of the more commonly used options is to use a technology such as Citrix, Remote Desktop Services, or Virtual Desktop Infrastructure to provision personal machines with applications while not allowing important organizational documents to be opened by machines whose hygiene is suspect. In this situation these personal machines just end up as dumb thin clients. That may be a waste of a perfectly good expensive computer, but unless the IT department has the resources to ensure that the perfectly good expensive computer is also a perfectly hygienic expensive computer, it is probably your only option.
You can of course try to implement a technology such as Network Access Protection. The drawback of doing this is that it involves a degree of configuration of each individual’s personal computer. Unfortunately, as most IT professionals know, the moment you start working on a person’s personal computer, you often end up having to do a significant amount of work on that computer. As I found working at that University, people would come in to have us install the anti-virus software. We’d often find their machines so corrupted with malware that we’d end up having to spend several hours cleaning the machines before we could successfully install the anti-malware applications. Unless you want your IT department to spend a substantial amount of time cleansing plague-infected machines, it is simpler, if your organization has gone the way of allowing personal computers onto the organizational network, to go with the Citrix/Remote Desktop/VDI option. That allows you to minimize the chance that the plague-ridden computers which users insist on bringing to the workplace can infect the organizationally owned computers that you are responsible for managing.