HOW IT WORKS

How Ensure verifies unmanaged devices before access

Ensure checks contractor and third-party device security at sign-in. Compliant devices are allowed through your access policy. Failed devices get clear remediation steps. Every check is logged for evidence.

Verification flow: Broker Device (personal laptop) → Ensure Check (posture verified) → Identity Provider (Okta / Entra ID) → Protected App (access granted), with the posture signal passed to the IdP.
U.S. Patented Technology
Windows | macOS
Entra ID
Okta

What Ensure is

A device verification layer for unmanaged users

At sign-in, Ensure answers one question: does this device meet your security requirements right now?
If yes, access proceeds. If no, the user gets fix steps. Every result is recorded.

01

Contractor signs in through your existing identity flow

No separate portal and no extra login step.

[Figure: sign-in screen ("Sign in to continue") marked "Device verified by Ensure"]
[Figure: Ensure Endpoint security assessment showing device posture checks]

02

Device posture is verified in seconds

Ensure checks the security requirements you define, including encryption, antivirus, firewall, OS version, lock screen, and risky software. Platform-specific checks can also be applied.

  • Full-disk encryption: BitLocker, FileVault2, or third-party (128-bit minimum)
  • Antivirus / anti-malware: presence and active status
  • Firewall: enabled
  • OS update currency: within your defined threshold
  • Risky remote access tools: presence of tools that could expose the session
  • Lock screen / passphrase: active on all accounts

03

A compliance result is applied to your access policy

If the device meets policy, access is allowed. If not, the user is guided to fix the issue.

audit-log — live

2026-02-17T14:32:07Z  DEV-8842  [email protected]  pass        macOS 15.2  FileVault:on   CrowdStrike:ok
2026-02-17T14:29:11Z  DEV-5519  [email protected]  remediated  Win11       BitLocker:on   Defender:ok
2026-02-17T14:21:44Z  DEV-3301  [email protected]  fail        macOS 14.1  FileVault:off  none

Live audit log — every contractor login, every result

04

Evidence is recorded automatically

Each check records the user, device, controls evaluated, result, and remediation status for reporting and export.
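
The four steps above, sketched as an added illustration; this is not Ensure's code or API. It checks a device report against the controls listed in step 02, fails closed on missing data, and builds the kind of evidence entry step 04 describes. Field names, thresholds and the risky-tool list are assumptions.

```python
from datetime import datetime, timezone

# Hypothetical policy; names and thresholds are assumptions, not Ensure settings.
POLICY = {
    "max_av_definition_age_days": 7,
    "max_os_patch_age_days": 30,
    "risky_tools": {"anydesk"},
}

def evaluate(report, policy=POLICY):
    """Return (result, failures) for one device posture report."""
    failures = []
    if not report.get("disk_encrypted", False):
        failures.append(("encryption", "Full-disk encryption is not enabled."))
    av = report.get("antivirus")  # None means no product was detected
    if not av or not av.get("active"):
        failures.append(("antivirus", "No active antivirus was detected."))
    elif av.get("definition_age_days", 10**6) > policy["max_av_definition_age_days"]:
        failures.append(("antivirus", "Antivirus definitions are out of date."))
    if not report.get("firewall_enabled", False):
        failures.append(("firewall", "The firewall is disabled."))
    if report.get("os_patch_age_days", 10**6) > policy["max_os_patch_age_days"]:
        failures.append(("os_update", "The operating system is behind on updates."))
    found = {t.lower() for t in report.get("installed_tools", [])} & policy["risky_tools"]
    for tool in sorted(found):
        failures.append(("remote_tool", f"{tool} is installed; remove or disable it."))
    if not report.get("lock_screen_all_accounts", False):
        failures.append(("lock_screen", "A lock screen is not active on all accounts."))
    return ("fail" if failures else "pass"), failures

def audit_record(user, device_id, report, previously_failed=False, now=None):
    """Build the evidence entry: user, device, controls, result, remediation."""
    result, failures = evaluate(report)
    if result == "pass" and previously_failed:
        result = "remediated"  # device failed earlier and now passes
    ts = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "timestamp": ts, "user": user, "device": device_id, "result": result,
        "failed_controls": [c for c, _ in failures],
        "remediation": [m for _, m in failures],
    }

# Constructed sample report: missing or unknown fields fail closed.
SAMPLE_FAIL = {"disk_encrypted": False, "antivirus": None, "firewall_enabled": True,
               "os_patch_age_days": 3, "installed_tools": ["AnyDesk"],
               "lock_screen_all_accounts": True}
```

An empty report fails every control except the risky-tool check, so an agent that cannot read a setting never produces a pass.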

If a device fails, the user gets clear fix steps

Most non-compliant devices are resolved by the user in minutes.

What the contractor sees

[Figure: Ensure security assessment showing device posture checks with remediation actions]

Example failure scenarios

Antivirus outdated

"Your antivirus definitions are more than 7 days old. Open [AV product] and run an update. Re-check when complete."

Disk encryption off

"Full-disk encryption is not enabled. Follow these steps to enable BitLocker / FileVault2."

Risky remote tool detected

"AnyDesk is installed on this device. This tool can expose your session. Remove it or disable it, then re-check."

Works with your existing identity stack

Identity & Access

  • Entra ID Conditional Access (primary)
  • Okta
  • Any SAML/OIDC identity provider with conditional access or step-up capability

Protected Resources

  • Microsoft 365 (Exchange, Teams, SharePoint, OneDrive)
  • Windows 365 Cloud PC
  • Any web application behind your identity provider
  • Azure Virtual Desktop

Admin Controls

  • Policy configuration per contractor group or partner organization
  • Real-time compliance dashboard
  • API for compliance data export
  • Self-populating enrollment (devices register automatically at first login)

Helpdesk override and 24/7 ISO 9001-certified support are available as part of Ensure's managed operations.

How Ensure compares to the alternatives

Every approach has trade-offs. Here's where each one works — and where it doesn't.

| Criterion | MDM (Intune) | Citrix VDI | Enterprise Browser | Ensure |
|---|---|---|---|---|
| Works for contractors? | Often impractical (requires enrollment) | Yes (but costly) | Yes | Yes |
| Cost per user/month | $6–8 + device | $55–60 | $8–12 | $3 |
| Privacy impact | High (manages device) | Low (virtual) | Medium (browser data) | Low (posture-only checks, no device management) |
| Entra CA compliance signal | | | Some | |
| Deployment time | Weeks (enrollment) | Weeks (infrastructure) | Days (browser rollout) | Hours (self-install) |
| Contractor acceptance | Low (won't accept MDM) | N/A (IT-managed) | Medium (new browser) | High (lightweight agent) |
| Manages the device | | N/A (virtual) | N/A (browser) | |
| Requires admin rights | | | | Typically no (varies by platform) |
| Can remote wipe | | N/A | | |
| Accesses personal data | Potentially | | Potentially | |

Why not MDM (Intune) for Guests?

Intune guest enrollment requires the contractor's organization to allow MDM from external tenants. Most large service providers prohibit it. Even when possible, it forces a management profile onto a personal device.

Why not Citrix / VDI?

Citrix became the default for contractor access to avoid MDM on personal devices. But at $55–60/user/month for contractors who only use email and web apps, it is an expensive security wrapper.

Why not Enterprise Browsers (Island, Talon)?

Enterprise browsers require contractors to use a separate browser for work, creating friction. Some collect browsing data, and most do not provide a compliance signal to Entra Conditional Access.
