Ensuring only compliant devices connect to your network is key to modern cybersecurity
As more organizations move their systems and data to the cloud, many cyber community leaders are asking an important question: “Do we still need traditional Network Access Control (NAC) if we already use modern device management tools like Mobile Device Management (MDM)?”
We floated this question in our CXO community, heard from many, and the honest answer is “it depends”.
One experienced CISO in the retail industry, Vishal Vaghela, added: “for some organisations, especially those fully operating in the cloud, MDM may be enough. But for many larger, regulated, or security-focused organizations with core infrastructure to protect, using both MDM and NAC together still makes a lot of sense”.
At the heart of both MDM and NAC is one simple idea: “TRUST”.
Before any device, whether it’s a laptop, phone, or tablet, connects to an organization’s systems, we need to be confident that the device is legitimate, secure, and authorized to connect. MDM plays an important role by managing devices and ensuring they follow the desired security rules. It can enforce disk encryption, antivirus protection, software updates, strong passwords, and other critical security settings, making sure devices are properly configured and safe to use. However, MDM alone does not physically prevent a device from connecting to the company’s Wi-Fi or plugging into a network port. That enforcement happens at the network level, and that’s where NAC becomes essential.
If MDM manages and secures devices, NAC controls who and what is allowed onto the network. You can think of NAC as a security guard at the entrance of a building. Before any device is allowed inside the organisation’s network, NAC checks whether the device is recognized, properly authenticated, and compliant with the organization’s security policies. If the device fails any of these checks, NAC can block or restrict it immediately. Without NAC, the physical network, both Wi-Fi and wired connections, can become a security blind spot. While cloud security tools are effective at protecting applications and user accounts, they do not always provide visibility or control over what connects directly to the internal office or data centre network.
When MDM and NAC work together, they create a strong “pre-admission” security check before any device is allowed onto the network. In simple terms, when a device attempts to connect, NAC first verifies its identity and then checks with MDM to confirm that it meets the organization’s security requirements. If the device is healthy and compliant, access is granted; if not, access is restricted or blocked. This process can happen in real time, meaning that even if a device was compliant yesterday but has since disabled antivirus or missed a critical update, NAC can immediately limit its network access. This significantly reduces the risk of malware spreading or unauthorized users gaining entry into the organization’s systems.
Not every organization needs both. But in some situations, the combination becomes very valuable.
1. Organizations with On-Premises Infrastructure
If a company still relies heavily on physical offices, internal servers, or private data centres, NAC becomes much more important. It allows security teams to control exactly which devices can connect to switches and wireless access points.
MDM alone cannot enforce this at the network level.
2. BYOD (Bring Your Own Device)
Many organizations allow employees to use personal laptops or smartphones for work.
This increases flexibility, but also risk.
With MDM, the organisation can require basic security standards on personal devices. With NAC, it can enforce those standards before allowing network access.
For example, if a personal laptop doesn’t have encryption or is running an outdated operating system, NAC can deny access until the issue is fixed.
3. Highly Regulated Industries
Industries like banking, healthcare, government, and critical infrastructure face strict security regulations.
They often must prove that:
Only approved devices can access sensitive systems.
Devices meet defined security standards.
Access is controlled and monitored.
In these cases, NAC provides an additional layer of assurance and auditability that regulators expect.
In some cases, NAC may be unnecessary. Organizations that are fully cloud-native, where most applications are SaaS platforms like Microsoft 365, devices rarely connect to internal servers, and there is little to no on-premises infrastructure, can often rely on modern identity-based security controls instead of network-level enforcement. Tools such as Conditional Access can determine whether users are allowed to access applications based on factors like user identity, device compliance, location, and risk level. In these environments, managing access at the application level may be sufficient, and adding NAC could introduce additional cost and operational complexity without delivering significant additional security benefits.
Modern security strategies increasingly follow a “Zero Trust” approach, which means no user or device is automatically trusted, even if it is already inside the corporate network. Instead of relying on location, Zero Trust focuses on verifying identity, checking device health, and continuously validating access. Zero Trust Network Access (ZTNA) solutions take this concept further by granting users access only to specific applications rather than exposing entire network segments. For many organizations, especially those modernizing legacy systems, ZTNA can reduce or even replace the need for traditional NAC. However, these technologies are not mutually exclusive. In more complex environments, NAC, MDM, Conditional Access, and ZTNA can work together to create a layered, defense-in-depth security model.
MDM and NAC usually integrate using digital certificates. When a device enrols in MDM, it receives a unique certificate that proves its identity.
When the device connects to the network, NAC checks this certificate and confirms with MDM that the device is still compliant.
Security teams should also be aware of ongoing changes. For example, Microsoft has announced stronger certificate mapping enforcement starting in February 2025. Organizations using MDM and NAC integrations should review their configurations to avoid disruptions.
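As an added illustration (not code from this article or from any MDM or NAC vendor), the pre-admission check described earlier and the certificate-based integration in the two paragraphs above, written as a small Python decision function. The issuing CA name, certificate serials and MDM records are all constructed, and the mapping rule that binds a certificate to its MDM record by issuer and serial number rather than by subject name is an assumption about one sound way to avoid weak mapping, not a description of Microsoft’s specific enforcement.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"            # full corporate network
    QUARANTINE = "quarantine"  # remediation VLAN: updates and MDM traffic only
    DENY = "deny"              # no network access

@dataclass(frozen=True)
class DeviceCert:  # fields NAC reads from the client certificate the device presents
    issuer: str
    serial: str
    not_after: datetime

@dataclass(frozen=True)
class MdmRecord:  # constructed MDM inventory entry for the certificate issued at enrolment
    issuer: str
    serial: str
    compliant: bool

TRUSTED_ISSUERS = {"CN=Example MDM Device CA"}  # assumed name of the MDM's issuing CA

def admission_decision(cert, mdm_record, now):
    """Verify the certificate, then confirm compliance with MDM (None = no record/unreachable)."""
    if cert.issuer not in TRUSTED_ISSUERS:
        return Decision.DENY, "certificate not issued by the MDM device CA"
    if cert.not_after <= now:
        return Decision.DENY, "device certificate has expired"
    if mdm_record is None:
        return Decision.QUARANTINE, "no MDM compliance record (fail closed)"
    # Strong mapping: bind the cert to the MDM record by issuer + serial, not by a reusable name.
    if (mdm_record.issuer, mdm_record.serial) != (cert.issuer, cert.serial):
        return Decision.DENY, "certificate does not map to an enrolled device"
    if not mdm_record.compliant:
        return Decision.QUARANTINE, "MDM reports device non-compliant"
    return Decision.ALLOW, "device authenticated and compliant"

def demo():  # constructed scenarios -> {scenario: decision value}
    ca, now = "CN=Example MDM Device CA", datetime(2025, 3, 1, tzinfo=timezone.utc)
    valid = DeviceCert(ca, "0A1B", datetime(2026, 1, 1, tzinfo=timezone.utc))
    scenarios = {
        "compliant": (valid, MdmRecord(ca, "0A1B", True)),
        "av_disabled": (valid, MdmRecord(ca, "0A1B", False)),
        "mdm_unreachable": (valid, None),
        "serial_mismatch": (valid, MdmRecord(ca, "FFFF", True)),
        "expired": (DeviceCert(ca, "0A1B", datetime(2025, 1, 1, tzinfo=timezone.utc)), MdmRecord(ca, "0A1B", True)),
        "untrusted_ca": (DeviceCert("CN=Rogue CA", "0A1B", valid.not_after), MdmRecord(ca, "0A1B", True)),
    }
    return {name: admission_decision(c, r, now)[0].value for name, (c, r) in scenarios.items()}
```

The "av_disabled" scenario is the case the article describes: a device that was compliant yesterday is moved to the remediation network as soon as MDM reports it non-compliant, while an unreachable MDM fails closed rather than open.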
This highlights an important lesson: security integrations are not “set and forget.” They require ongoing maintenance and updates.
The bottom line is that MDM and NAC are no longer automatically required for every organization, but they are certainly not outdated. Companies that are fully cloud-based, rely mostly on SaaS applications, and have little or no internal infrastructure may be able to depend primarily on identity and application-level controls. However, organizations that maintain on-premises systems, support BYOD environments, operate in regulated industries, or require strict device enforcement at the network level will still find strong value in combining MDM and NAC. In today’s security landscape, protection is no longer just about verifying a password, but about determining whether a device truly deserves access before it connects.
That discussion continues to evolve, and it remains an important consideration for every security leader.
Stay tuned for more updates, as we are taking this discussion to more CXOs, Vendors, Distributors and Suppliers.