Remote Work Security: The Endpoint Controls and Network Policies That Actually Protect WFH Employees

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
The security architecture for remote work is not the office security architecture with a VPN attached. Office security relied on the network perimeter as the primary control: firewalls, network intrusion detection, and DNS filtering on the office network provided centralized visibility and control for all devices on the network. When employees work from home, none of those controls apply to the home network.
The shift to remote work requires accepting that the endpoint is now the perimeter, and designing security controls around that reality: strong endpoint controls (MDM, EDR, disk encryption), identity-based application access controls that verify device security posture, and agent-based controls (DNS filtering, managed browser) that apply to the endpoint regardless of network location. VPN was the first-generation answer; ZTNA with device posture checks is the current best practice for organizations with cloud-native or SaaS-centric environments.
The remote endpoint security baseline
Every remote endpoint needs the same controls, consistently applied and verifiably enforced via MDM compliance policies. The two items in this section represent the minimum viable security layer for a remote workforce: an MDM compliance policy that defines and continuously verifies the required endpoint state, and an EDR agent that provides the host-based threat detection capability that replaces the network-level monitoring the office environment provided. Both must be in place before any employee connects a remote endpoint to corporate applications, because a device that fails either requirement has no reliable security layer between an attacker and company data.
MDM-enforced policy baseline before first remote access
Configure your MDM platform (Intune, Jamf, Kandji) with a compliance policy that defines the minimum required state: FileVault/BitLocker enabled, OS version current (within 14 days of latest security release), EDR agent installed and reporting, screen lock timeout configured, firewall enabled. Devices that fall out of compliance trigger an MDM alert and are optionally blocked from application access (Intune Conditional Access, Jamf compliance API integration with Okta) until they return to compliance. The MDM compliance report provides the ongoing evidence for auditors that remote endpoints meet the security baseline — 'all enrolled endpoints are compliant' is a verifiable claim supported by MDM telemetry.
EDR as the primary threat detection layer for remote endpoints
In an office environment, network monitoring tools (NDR, network IDS) provide visibility into lateral movement and command-and-control traffic even when endpoint controls are evaded. Remote endpoints have no equivalent network monitoring layer unless all traffic is routed through a VPN or ZTNA with traffic inspection. The EDR platform must serve as the primary threat detection layer: ensure all remote endpoints have the EDR agent installed, confirm the agent is sending telemetry to the management platform (monitor for endpoints that stopped reporting), and configure alerts for: malware detection, suspicious process execution (LSASS access, PowerShell with unusual parent processes), and network isolation events. For small teams without a dedicated SOC: managed EDR services (Huntress, Red Canary, CrowdStrike MDR) provide 24/7 monitoring and alert triage without requiring in-house analysts.
Application access without trusting the home network
ZTNA is the access architecture that provides strong application security without assuming the home network is trusted. Unlike VPN, which grants network-level access after a single authentication event, ZTNA verifies both the user's identity and the security posture of the device on every application connection. This means a managed device that loses EDR coverage or falls out of patch compliance can be denied access to corporate applications automatically, without waiting for an MDM alert to trigger manual remediation. The implementation example below uses Cloudflare Access, but the same posture-check and application-policy pattern applies to Zscaler Private Access and other ZTNA products.
Implementing ZTNA with device posture checks using Cloudflare Access
Cloudflare Access (or an equivalent ZTNA product) creates application-level access control that verifies both identity and device security posture before each connection. Implementation: (1) Deploy Cloudflare WARP client via MDM on all remote endpoints. (2) Configure Cloudflare Gateway with DNS filtering policies for the WARP-enrolled endpoints. (3) In Cloudflare Access: create application policies for each internal application (web apps, SSH, RDP) that require: identity authentication (SAML via your IdP), and device posture (WARP enrolled, MDM certificate present, EDR running). (4) Add internal applications to Cloudflare Access rather than exposing them directly to the internet with VPN access. The result: remote employees access internal applications through Cloudflare's network with identity and device verification on each connection. No full-network access is granted — only the specific applications configured in Access policies.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
The bottom line
Remote work security has a clear architecture: endpoint controls (MDM, EDR, disk encryption, managed browser, DNS filtering) replace the network perimeter controls that existed in the office, and ZTNA with device posture checks provides application access control that is stronger than VPN because it verifies device security state before each application connection rather than granting network-level access after a one-time authentication. The acceptable use policy formalizes the home network requirements and personal device prohibitions that make the endpoint controls effective. Monitoring shifts from network-based visibility to EDR telemetry and IdP authentication logs — both of which provide the signal needed to detect compromised remote endpoints.
Frequently asked questions
What is the minimum security baseline for remote employee laptops?
Remote employee laptop security baseline: (1) MDM enrollment (Intune, Jamf, Kandji) with enforced policies: disk encryption (FileVault on macOS, BitLocker on Windows) with key escrowed to MDM, automatic screen lock after 5 minutes of idle, OS patch policy (automatic security updates within 14 days of release). (2) EDR agent installed and reporting (CrowdStrike, Microsoft Defender for Endpoint, SentinelOne, Huntress for SMB): the EDR is your primary threat detection layer on remote endpoints where there is no network-level monitoring. (3) Application allowlist or controlled software installation: MDM policy should prevent installation of unapproved software that could introduce malware or shadow IT. (4) Managed browser (Chrome or Edge with enterprise policy): prevents extension installation that could be malicious, enforces safe browsing, and logs browser telemetry for security investigation. (5) Password manager deployed to all endpoints: reduces password reuse and credential theft risk. (6) MFA on all applications accessible from the endpoint. These six controls cover the attack surface specific to remote endpoints where the home network cannot be trusted.
Should my remote employees use VPN or ZTNA for accessing corporate applications?
VPN vs ZTNA for remote access: VPN (full-tunnel): routes all employee traffic through the corporate network. Provides full network visibility (you see all traffic). Creates significant latency for SaaS applications (traffic goes to corporate, then back out to the internet). Creates VPN concentrator capacity constraints as headcount scales. Acceptable for small organizations or regulated environments requiring network-layer monitoring of all traffic. VPN (split-tunnel): routes only traffic to specific corporate IP ranges through the VPN, allowing direct-to-internet for all other traffic. Better performance for SaaS. Less network visibility than full-tunnel. Still requires VPN client management and certificate distribution. ZTNA (Cloudflare Access, Zscaler Private Access, Tailscale): provides application-level access control with identity verification and device posture check before each application connection. No network-level access to the corporate network — users access specific approved applications, not the broader network. Better user experience, lower infrastructure overhead, stronger access control. Lacks network-layer visibility into traffic between authorized applications. Recommendation: ZTNA for organizations with cloud-native or SaaS-heavy environments. Full-tunnel VPN for organizations with regulatory requirements for network-level monitoring or data-loss prevention that requires network traffic inspection.
How do I configure device posture checks for remote employee application access?
Device posture checks verify that an endpoint meets security requirements before granting application access, preventing personal or unmanaged devices from accessing corporate applications even with valid credentials. Configuration using Cloudflare Access as an example: (1) Define a posture check policy: OS version (minimum required version), EDR installed (check for specific process running), disk encryption enabled, certificate installed (MDM-issued certificate confirms device is managed). (2) Create an application policy: access requires passing the posture check AND identity authentication (SAML via Okta/Entra ID). If either fails, access is blocked with an error explaining which requirement failed. (3) Enroll the Cloudflare WARP client on all managed endpoints: the WARP client performs the posture checks locally and reports results to the Cloudflare Access policy engine. For MDM-enrolled devices: configure WARP client deployment via MDM (Intune, Jamf) so it is automatically deployed and configured on all managed endpoints. The combination of identity (MFA) and device posture (managed, encrypted, EDR installed) is a stronger access control than identity alone.
What network security controls can I apply to remote employees on home networks?
Network controls for remote employees that work regardless of home network configuration: (1) Agent-based DNS filtering (Cloudflare Gateway, Cisco Umbrella, DNSFilter): deploy a DNS filtering agent on each endpoint that overrides the system DNS resolver with the organization's filtered DNS service. All DNS queries from the endpoint are filtered for malicious domains, phishing domains, and policy-controlled categories regardless of which network the endpoint is on. (2) Managed browser with enterprise policy: enforces safe browsing, blocks dangerous downloads, and prevents access to known malicious URLs at the browser layer. (3) EDR network visibility: modern EDRs include network connection logging that captures which processes are making outbound connections, providing some of the network visibility that office environments get from network monitoring tools. (4) What you cannot control on home networks: the other devices on the same WiFi (family phones, smart home devices that may be compromised), the router configuration and firmware version, and whether the employee is using WPA2 or an older encryption standard. Acceptable use policy should address WiFi encryption requirements.
What should the remote work acceptable use policy cover?
Remote work acceptable use policy required elements: (1) Device requirements: company-issued devices must be used for all company work — personal devices are prohibited from accessing company data unless enrolled in MDM and meeting the device security baseline. (2) Network requirements: WPA2 or WPA3 encryption required for home WiFi. Public WiFi (coffee shops, airports, hotels) is prohibited for accessing company resources without VPN or ZTNA. (3) Physical security: screen privacy (no family members or strangers should be able to view confidential data on the screen). Screen lock when stepping away. Secure storage of company devices when not in use (do not leave in cars, public locations). (4) Personal device prohibition: company data should not be accessed on personal devices, stored in personal cloud storage (personal Google Drive, iCloud), or transmitted via personal email accounts. (5) Software installation: only approved software may be installed on company devices. (6) Incident reporting: how to report a security incident (lost device, suspected malware, phishing click) when working remotely — the same process as in the office, including the emergency contacts for after-hours incidents.
How do I monitor endpoint security for a fully remote workforce?
Remote workforce security monitoring approach: (1) EDR platform telemetry: your EDR (CrowdStrike, Defender for Endpoint, SentinelOne) is your primary threat detection source for remote endpoints, replacing network-level monitoring. Ensure all remote endpoints are enrolled and reporting. Monitor for: endpoints that stop reporting (potential offline or compromised agents), threat alerts from remote endpoints, and the aggregate endpoint health dashboard for compliance drift. (2) MDM compliance reporting: Intune, Jamf, and Kandji provide compliance reports showing which endpoints are current on patches, have disk encryption enabled, and have all required policies applied. Review this report weekly and flag endpoints out of compliance for follow-up. (3) Identity provider login telemetry: Okta, Entra ID, and Google Workspace log all authentication events including geographic location, device, and time. Impossible travel alerts (authentication from New York and London within 2 hours), new device logins, and failed authentication surges are all detectable from IdP logs without network monitoring. (4) DNS filtering logs: agent-based DNS filtering platforms generate logs of all DNS queries from each endpoint, providing some network traffic visibility and detecting malware command-and-control via DNS.
How do I handle security incidents involving remote employees?
Remote incident response has the same phases as office incidents but requires adapted procedures for the absence of physical access to the endpoint. Preparation: (1) Ensure MDM remote lock and remote wipe are configured for all endpoints — if a remote employee's laptop is stolen, you need to remotely wipe it within minutes of the report. (2) Confirm EDR remote isolation capability (CrowdStrike's Network Containment, Defender for Endpoint's isolation) is authorized and tested — you need to be able to isolate a remote endpoint immediately when a compromise is detected. Detection: (3) Remote employee incidents are most often detected by EDR alerts (malware execution, suspicious network connection) or IdP anomalies (impossible travel, new device). Containment: (4) Isolate the endpoint via EDR remote isolation immediately after detection. (5) Force session revocation in the IdP (Okta: Revoke user sessions; Entra ID: Revoke sign-in sessions). (6) Coordinate with the employee remotely via phone or alternate messaging channel (not email on the potentially compromised device) for instructions and evidence collection. Forensics: (7) EDR platforms capture endpoint telemetry even after isolation — the timeline of processes, network connections, and file operations before isolation is available in the EDR console for forensic review without physical access to the device.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
