CAF - B2.b Device Management
This article provides additional information on how you can meet the requirements of the CAF control B2.b Device Management.
User Devices
- Only trusted, compliant, and authenticated devices can access the systems used to deliver managed services.
- Device compliance, including patching, endpoint protection and encryption, should be enforced through an endpoint security tool such as Microsoft Defender for Endpoint / CrowdStrike / Sophos / SentinelOne.
- Certificate-based device identity is used to ensure only known and approved devices can access systems, using a system such as Entra ID certificate authentication / Intune certificates / Jamf certificates / Okta Device Trust.
- Regular automated scans should run (using a system such as Lansweeper / Auvik / Meraki / Nmap) to identify unknown or unauthorised devices. Any unexpected findings should be investigated immediately and blocked if necessary.
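The last two bullets combine into one routine check: reconcile what the discovery scan sees on the network against the devices the endpoint-management tool knows and considers compliant, so that unknown and non-compliant devices surface for investigation. The following is an added example, not code from this article or from any of the named products; the MDM export, the scanner CSV and the compliance fields (patched, encrypted, edr) are constructed sample data.

```python
"""Reconcile a network scan against the approved-device inventory.

Constructed sample data: in practice the inventory would be exported from the
endpoint-management tool and the scan from the discovery tool in use.
"""
import csv
import io
import re

# Constructed MDM export, keyed by normalised MAC, with the compliance facts
# the control requires (patching, encryption, endpoint protection).
APPROVED_DEVICES = {
    "aa:bb:cc:00:00:01": {"name": "LAPTOP-01", "patched": True, "encrypted": True, "edr": True},
    "aa:bb:cc:00:00:02": {"name": "LAPTOP-02", "patched": False, "encrypted": True, "edr": True},
    "aa:bb:cc:00:00:03": {"name": "PAW-01", "patched": True, "encrypted": True, "edr": True},
}

# Constructed scanner export; scanners emit MACs in several vendor formats.
SCAN_CSV = """ip,mac,hostname
10.0.1.10,AA-BB-CC-00-00-01,LAPTOP-01
10.0.1.11,aa:bb:cc:00:00:02,LAPTOP-02
10.0.1.50,DE:AD:BE:EF:00:01,
10.0.1.12,aabb.cc00.0003,PAW-01
"""


def normalise_mac(raw: str) -> str:
    """Return a lower-case colon-separated MAC, or '' if the value is malformed."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        return ""
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify(scan_csv: str, approved: dict) -> dict:
    """Bucket each scanned IP as 'unknown', 'non_compliant' or 'compliant'."""
    result = {"unknown": [], "non_compliant": [], "compliant": []}
    for row in csv.DictReader(io.StringIO(scan_csv)):
        record = approved.get(normalise_mac(row["mac"]))
        if record is None:
            # Not in the inventory: investigate and block if necessary.
            result["unknown"].append(row["ip"])
        elif not all(record[k] for k in ("patched", "encrypted", "edr")):
            result["non_compliant"].append(row["ip"])
        else:
            result["compliant"].append(row["ip"])
    return result


if __name__ == "__main__":
    for bucket, ips in classify(SCAN_CSV, APPROVED_DEVICES).items():
        print(f"{bucket}: {ips}")
```

Matching on MAC alone is only a first-pass inventory check; the certificate-based device identity described above is what actually gates access.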
Privileged Access
- Privileged operations are performed only from Privileged Access Workstations (PAWs) or other hardened administrative devices managed through a system such as Microsoft Intune / Datto RMM / NinjaOne / VMware Workspace ONE.
- Administrative devices are restricted to authorised users with enforced MFA, encryption, and only approved applications. They are separated from day-to-day user workstations.
- Standard user devices cannot perform privileged activities.
Third party devices
- Where third-party devices require access, either obtain assurance of their security posture or limit them to isolated, controlled environments, e.g. using a solution such as Azure AD B2B / VPN segmentation. Access is provided only after appropriate review and approval.