Matt Coppinger

Zero Trust at the Endpoint: A Practical Guide

Tags: Security, Enterprise Architecture, Zero Trust

Zero trust is everywhere. Vendor pitches. Boardroom slides. LinkedIn thought leadership posts that make my eyes glaze over. Everyone's talking about it. Very few are doing it well.

I've implemented zero trust architectures across organisations with tens of thousands of devices. I've worked on Workspace ONE UEM - the product itself. And I've watched too many security teams slap a "zero trust" label on what is fundamentally the same perimeter-based thinking they've had for twenty years.

This is a practical guide. Not theory. Not vendor marketing. What zero trust actually is, why the old model is broken, and how you build it across the layers that matter: device, identity, network, and application.

What Is Zero Trust?

The core principle is simple: never trust, always verify.

The traditional perimeter model trusted everything inside the corporate network by default. Authenticate once at the VPN or firewall, and you're in. Broad access. The assumption was that "inside" meant "safe."

That assumption is dead. Remote work killed it. Cloud services killed it. BYOD killed it. An attacker who compromises a single device or credential is already "inside" - and a perimeter model hands them the keys to everything.

Zero trust flips this completely. Every access request gets verified, regardless of where it originates. Trust is never assumed, never permanent, and never binary. It's continuously evaluated based on multiple signals.

The Four Pillars

Zero trust isn't a product. It's a framework spanning four interconnected layers.

1. Device Trust

Before a device touches any corporate resource, you need answers. Is it managed? Compliant? Compromised?

This isn't a one-time check at enrolment. That laptop that was compliant yesterday? It might have a disabled firewall today. Or an outdated OS. Or it might have been jailbroken. I've watched security teams panic when they realise their "compliant" fleet has 30% drift from baseline. It happens faster than you'd think.

This is where Unified Endpoint Management (UEM) earns its keep. Platforms like Workspace ONE UEM enforce security baselines across your fleet:

  • OS version and patch level - block access from devices running unpatched operating systems
  • Encryption status - FileVault on macOS, BitLocker on Windows, no exceptions
  • Firewall and antivirus state - verify endpoint protection is actually active, not just installed (you'd be surprised how often these are different things)
  • Jailbreak/root detection - tampered devices can't be trusted, full stop
  • Security baseline compliance - deploy and monitor 200+ configuration standards using tools like WOMBAT to align with CIS, NIST, or DISA STIG frameworks

That last point is personal. I built WOMBAT specifically because I kept running into the same problem: organisations had no reliable way to measure and enforce security baselines at scale. Compliance dashboards that said "all green" while the actual fleet told a completely different story.

The key is continuous assessment. A compliant device at 9am drifts by lunchtime. Your architecture needs to catch that drift and respond - remediate automatically or adjust access accordingly.
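To make the drift point concrete, here is an added example of a minimal posture evaluator that compares two snapshots of the same device and reports which checks newly fail, with a remediation action per failure. It is illustrative code written for this guide, not Workspace ONE UEM or WOMBAT code; the baseline thresholds, device names, timestamps and the `MIN_OS_VERSION` table are constructed sample values.

```python
from dataclasses import dataclass, replace
from datetime import datetime

# Hypothetical baseline. Minimum OS versions and every device value below are
# constructed sample data, not a real CIS/NIST/STIG profile.
MIN_OS_VERSION = {"macOS": (14, 4), "Windows": (10, 0, 19045)}

# Remediation per failed check. Only the tampered case goes straight to block,
# because there is nothing a UEM can safely "fix" on a jailbroken device.
REMEDIATION = {
    "os_outdated":    "push_os_update",
    "encryption_off": "enable_disk_encryption",
    "firewall_off":   "enable_firewall",
    "av_not_active":  "start_av_service",
    "jailbroken":     "block_and_quarantine",
}


@dataclass(frozen=True)
class DevicePosture:
    device_id: str
    platform: str
    os_version: tuple        # e.g. (14, 4) for macOS 14.4
    disk_encrypted: bool     # FileVault / BitLocker
    firewall_enabled: bool
    av_installed: bool
    av_running: bool         # installed and running are different things
    jailbroken: bool
    observed_at: datetime


def evaluate(p):
    """Return the failed checks in a fixed order; an empty list means compliant."""
    failures = []
    if p.jailbroken:
        failures.append("jailbroken")
    if p.os_version < MIN_OS_VERSION.get(p.platform, (0,)):
        failures.append("os_outdated")
    if not p.disk_encrypted:
        failures.append("encryption_off")
    if not p.firewall_enabled:
        failures.append("firewall_off")
    if not (p.av_installed and p.av_running):   # "installed" alone is not enough
        failures.append("av_not_active")
    return failures


def drift(before, after):
    """Checks that passed in the earlier snapshot but fail in the later one."""
    return sorted(set(evaluate(after)) - set(evaluate(before)))


def remediation_plan(failures):
    """Map each failed check to the automated action to try before blocking."""
    return [REMEDIATION[f] for f in failures]


def fleet_drift_rate(fleet):
    """Fraction of devices that drifted between the two snapshots."""
    drifted = sum(1 for before, after in fleet.values() if drift(before, after))
    return drifted / len(fleet)


# Constructed snapshots: a Mac that is clean at 9am and loses its firewall by
# lunch, and a Windows box whose AV is installed but not running all day.
MORNING = DevicePosture("LAPTOP-01", "macOS", (14, 4), True, True, True, True,
                        False, datetime(2024, 1, 8, 9, 0))
NOON = replace(MORNING, firewall_enabled=False, observed_at=datetime(2024, 1, 8, 12, 30))
WIN_MORNING = DevicePosture("LAPTOP-02", "Windows", (10, 0, 19045), True, True,
                            True, False, False, datetime(2024, 1, 8, 9, 0))
WIN_NOON = replace(WIN_MORNING, observed_at=datetime(2024, 1, 8, 12, 30))
FLEET = {"LAPTOP-01": (MORNING, NOON), "LAPTOP-02": (WIN_MORNING, WIN_NOON)}

if __name__ == "__main__":
    for device_id, (before, after) in FLEET.items():
        d = drift(before, after)
        print(device_id, "failing:", evaluate(after), "drift:", d,
              "remediate:", remediation_plan(d))
    print("fleet drift rate:", fleet_drift_rate(FLEET))
```

Note that `drift` only reports checks that newly fail: LAPTOP-02 was never compliant, so it shows up in `evaluate` but not in the drift figure, which is the distinction a "drift from baseline" dashboard has to make.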

2. Identity Trust

Device trust tells you the machine is clean. Identity trust tells you the person is who they claim to be - and that they should actually have access to what they're requesting.

Username and password alone? Not even close.

  • Multi-factor authentication (MFA) - required for every access attempt, not just initial login
  • Conditional access policies - grant or deny based on context: device compliance, location, risk score, time of day
  • Single sign-on (SSO) with continuous evaluation - authenticate once, but keep re-evaluating trust signals throughout the session
  • Risk-based authentication - step up requirements when something looks off. New device. New location. Impossible travel.

Here's where it gets powerful. Workspace ONE Access (or similar identity providers) can tie device compliance directly into conditional access decisions. User on a compliant, managed device? Seamless SSO. Same user on an unmanaged device? MFA plus restricted access. Same user on a non-compliant device? Blocked entirely.

That's the real payoff of combining identity and device trust. Access decisions based on the full picture, not just credentials.

3. Network Trust

Look. I need to talk about VPNs.

The number of times I've seen a full-tunnel VPN treated as zero trust is genuinely painful. A full-tunnel VPN puts the authenticated user onto the corporate network with broad access. That's the "trusted insider" model. That's literally what zero trust exists to eliminate.

Full-tunnel VPNs are broken. They are a zero trust anti-pattern.

The zero trust approach is per-app VPN (also called micro-tunnelling):

  • Instead of tunnelling all device traffic through the corporate network, you tunnel only traffic for specific approved applications
  • Each application gets its own encrypted tunnel to its specific backend resource
  • The user never sits "on the network." They have access to individual services. Nothing more.

Workspace ONE Tunnel does exactly this. Per-app VPN on both managed and unmanaged devices, routing only sanctioned application traffic through the corporate gateway. The user's browser, personal apps, everything else - none of it touches the corporate network.

This is a massive reduction in blast radius. Even if an attacker compromises a device, they can't pivot across the network because there is no network-wide tunnel to exploit. I've seen the difference this makes in practice. It's night and day.
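The blast-radius difference can be shown with a small routing policy. The following is an added example, not Workspace ONE Tunnel code: it models a full-tunnel VPN as "any app may reach any corporate network" and a per-app tunnel as "a sanctioned app may reach only its own backend", then counts the corporate hosts each model exposes to a given app. The app identifiers, networks and host addresses are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed sample: the corporate address space a full-tunnel VPN drops the
# user into, and a per-app policy mapping app identifier -> allowed backends.
CORP_NETWORKS = [ip_network("10.0.0.0/8")]

PER_APP_POLICY = {
    "com.example.mail":    [ip_network("10.1.10.0/24")],  # mail backend subnet
    "com.example.finance": [ip_network("10.2.20.5/32")],  # one finance host
}


def full_tunnel_allows(app_id, dest):
    """Full tunnel: the app identity is irrelevant; any corporate host is reachable."""
    return any(ip_address(dest) in net for net in CORP_NETWORKS)


def per_app_tunnel_allows(app_id, dest):
    """Per-app tunnel: only a sanctioned app, and only to its own backend.
    Anything else goes direct to the internet and never enters the corporate network."""
    return any(ip_address(dest) in net for net in PER_APP_POLICY.get(app_id, []))


def blast_radius(allows, app_id, hosts):
    """Corporate hosts reachable from `app_id` under the given tunnel model,
    i.e. what a compromised app (or device) could pivot to."""
    return sorted((h for h in hosts if allows(app_id, h)), key=ip_address)


# Constructed inventory of corporate hosts on the network.
HOSTS = ["10.1.10.25", "10.2.20.5", "10.3.3.3", "10.9.9.9"]

if __name__ == "__main__":
    for app in ("com.example.mail", "com.personal.game"):
        print(app, "full tunnel:", blast_radius(full_tunnel_allows, app, HOSTS))
        print(app, "per-app:    ", blast_radius(per_app_tunnel_allows, app, HOSTS))
```

Under the full-tunnel model an unsanctioned personal app reaches every corporate host; under the per-app model it reaches nothing, and even the sanctioned mail app reaches only the mail subnet.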

Other network-level controls worth implementing:

  • Micro-segmentation - isolate workloads so lateral movement is limited even within the data centre
  • Software-defined perimeter (SDP) - make resources invisible to unauthenticated users. Can't attack what you can't see.
  • DNS-layer security - block connections to known malicious domains before they hit the endpoint

4. Application Trust

The final layer. Only approved, verified applications should access corporate data.

  • Application whitelisting - only sanctioned apps connect to corporate services
  • App-level authentication - individual applications authenticate independently, not just the device or user session
  • Data loss prevention (DLP) - control what data can be copied, shared, or exported from managed applications
  • Managed app configuration - push security policies into the application itself (disabling copy/paste between managed and unmanaged apps, for instance)

Workspace ONE UEM enforces this at the app level: managed applications get access to corporate data through per-app VPN tunnels, while unmanaged applications on the same device are completely isolated. Open-in restrictions prevent data leaking between managed and personal apps.

How It All Works Together

Individually, each pillar helps. Together, they're transformative. Here's what a typical access flow looks like:

  1. User opens a corporate app on their device
  2. Device posture is checked - OS version, encryption, compliance status, security baseline
  3. Identity is verified - MFA, SSO token, risk score
  4. Conditional access evaluates - Is the device compliant? Is the user authorised? Is the context normal?
  5. Per-app VPN tunnel opens - only for this specific application, to this specific backend
  6. Access is granted - with restrictions based on trust level (read-only if posture is marginal, for example)
  7. Continuous monitoring - if device compliance changes mid-session, access is re-evaluated in real time
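The seven steps above, together with the three outcomes from the identity section (seamless SSO on a compliant managed device, MFA plus restricted access on an unmanaged one, block on a non-compliant one), are easier to reason about as a single policy function. The following is an added example written for this guide, not Workspace ONE Access or UEM logic: `conditional_access` evaluates one request, and `Session` opens a per-app tunnel on grant and re-evaluates when device posture changes mid-session. The user entitlements, app identifiers, backend hostnames, risk thresholds and the 0-100 risk scale are all constructed.

```python
from dataclasses import dataclass, replace
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"                        # seamless SSO, full access
    ALLOW_RESTRICTED = "allow_restricted"  # e.g. read-only, no download
    STEP_UP = "step_up_mfa"                # verify again before continuing
    BLOCK = "block"


@dataclass(frozen=True)
class DeviceState:
    managed: bool
    compliant: bool          # result of the UEM posture check
    marginal: bool = False   # passes, but e.g. a patch is a few days late


@dataclass(frozen=True)
class IdentityState:
    authenticated: bool
    mfa_completed: bool      # MFA satisfied for this access attempt
    risk_score: int          # 0-100 on a constructed scale
    new_device: bool = False
    impossible_travel: bool = False
    step_up_verified: bool = False   # fresh challenge passed for risky context


@dataclass(frozen=True)
class AccessRequest:
    user: str
    app_id: str
    device: DeviceState
    identity: IdentityState


# Constructed entitlements and tunnel backends (hypothetical names).
AUTHORISED = {"alice": {"com.example.mail", "com.example.finance"},
              "bob": {"com.example.mail"}}
TUNNEL_BACKEND = {"com.example.mail": "mail-api.corp.internal",
                  "com.example.finance": "finance-api.corp.internal"}


def conditional_access(req):
    d, i = req.device, req.identity
    # Step 2: device posture. A managed device that fails compliance is out.
    if d.managed and not d.compliant:
        return Decision.BLOCK
    # Step 3: identity. Authenticated, entitled to this app, MFA on every attempt.
    if not i.authenticated or req.app_id not in AUTHORISED.get(req.user, set()):
        return Decision.BLOCK
    if not i.mfa_completed:
        return Decision.STEP_UP
    # Step 4: context. Hard signals block; soft signals demand a fresh challenge.
    if i.impossible_travel or i.risk_score >= 80:
        return Decision.BLOCK
    if (i.new_device or i.risk_score >= 50) and not i.step_up_verified:
        return Decision.STEP_UP
    # Step 6: grant, restricted when trust is only partial.
    if not d.managed or d.marginal:
        return Decision.ALLOW_RESTRICTED
    return Decision.ALLOW


class Session:
    """Steps 5-7: tunnel scoped to one app on grant, re-evaluated on posture change."""

    def __init__(self, req):
        self.req = req
        self.decision = None
        self.tunnel = None
        self.evaluate()

    def evaluate(self):
        self.decision = conditional_access(self.req)
        if self.decision in (Decision.ALLOW, Decision.ALLOW_RESTRICTED):
            # Step 5: one tunnel, for this app, to this backend only.
            self.tunnel = (self.req.app_id, TUNNEL_BACKEND[self.req.app_id])
        else:
            self.tunnel = None
        return self.decision

    def device_changed(self, new_state):
        # Step 7: compliance drift mid-session triggers a full re-evaluation.
        self.req = replace(self.req, device=new_state)
        return self.evaluate()


# Constructed states used below.
COMPLIANT = DeviceState(managed=True, compliant=True)
NONCOMPLIANT = DeviceState(managed=True, compliant=False)
UNMANAGED = DeviceState(managed=False, compliant=False)
TRUSTED_ID = IdentityState(authenticated=True, mfa_completed=True, risk_score=10)

if __name__ == "__main__":
    s = Session(AccessRequest("alice", "com.example.mail", COMPLIANT, TRUSTED_ID))
    print("granted:", s.decision, s.tunnel)
    print("after firewall disabled:", s.device_changed(NONCOMPLIANT), s.tunnel)
```

The ordering matters: posture is checked before anything identity-related, so a non-compliant managed device is blocked even for a fully authenticated user, and the tunnel is torn down the moment re-evaluation stops returning a grant.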

No broad network access. No permanent trust. Every request evaluated on its merits.

Practical Implementation Tips

You don't implement zero trust overnight. It's a journey. Here's how to approach it without losing your mind.

Start with what you have. Running a UEM platform already? You've got device compliance, app management, probably some conditional access. That's a foundation. Build on it rather than ripping everything out for some shiny new vendor stack.

Pick a high-value use case first. Don't try to zero-trust everything at once. Start with your most sensitive applications - email, finance systems, code repositories - and implement device + identity + per-app VPN for those. Expand from there.

Replace full-tunnel VPN early. Seriously. This is often the single biggest security win. Moving to per-app VPN reduces your attack surface immediately and visibly. I've seen organisations agonise over this for months. Just do it.

Automate remediation, don't just block. When a device falls out of compliance, the first response should be to fix it. Push the missing update. Re-enable the firewall. Rotate the certificate. Only block as a last resort. Users who get blocked without explanation will find workarounds, and those workarounds will be worse than the original risk. Every time.

Communicate with users. Zero trust changes the user experience. Be transparent about why access was restricted and what they need to do. A self-service compliance portal - showing users exactly what's non-compliant and how to fix it - dramatically reduces support tickets and frustration. I've seen ticket volumes drop by half after deploying one.

The Endpoint Is the Foundation

You can have the best identity provider, the most sophisticated network segmentation, the tightest application policies. None of it matters if you can't verify that the device itself is secure. Your entire zero trust architecture is built on sand.

That's why endpoint management isn't just an IT operations concern. It's a security architecture decision. Tools like Workspace ONE UEM - extended with security baseline tooling like WOMBAT - provide the device trust layer that makes everything else work.

Zero trust isn't a product you buy. It's a model you build, layer by layer. Start practical. Stay consistent. And never, ever assume trust.