Verify independent agent device security without MDM
Carriers need a way to enforce and prove device security for agents who access carrier systems from personal devices. Ensure verifies agent devices at login and creates exportable evidence for NYDFS and internal audit.
Independent agents are a large unmanaged workforce
Agents drive distribution, but carriers do not control their devices. That creates a gap between policy requirements and what security teams can actually enforce at access time.
No carrier can practically enroll agents in MDM — agents won't accept it, and no single carrier has the right to manage a device shared across competitor relationships.
NYDFS Part 500: Section-by-section mapping
What examiners ask for is not just policy language. They ask how you enforce controls and what evidence you can produce.
Documented controls on who and what devices can access your systems.
An agent signs in from any device, and no posture verification occurs. Access is gated by identity only.
Device posture verification at every login. Access denied if the device fails. Evidence of every check.

You have a policy and you can show it is enforced.
Policy exists, but enforcement is manual or based on agent self-attestation.
Your policy is enforced at every login. Evidence is created automatically.

MFA for all external access to nonpublic information.
MFA is enforced, but device posture is not checked alongside it. An agent with valid credentials on a compromised device passes MFA.
Device posture check layered with your existing MFA through Conditional Access. Both identity and device are verified.

You can account for devices that access your systems.
Inventory covers company devices only. Agent devices are invisible.
Every verified device is recorded in an exportable inventory.

Documented security requirements for third-party access and evidence of enforcement.
Agents are required to attest to device security annually. No real-time verification exists.
Real-time enforcement of device security requirements at every access event. Continuous evidence, not annual attestation.

Your attestation is backed by evidence.
Third-party device access is a known weak spot.
Reports support your claims across policy, enforcement, inventory, and monitoring.

Agents self-install. Carrier IT does not provision devices.
Carriers send an enrollment link. Agents install the lightweight agent on their device and are checked at next login. If a device fails, they get clear fix steps.
For carriers with 10,000+ agents, self-enrollment eliminates the IT provisioning bottleneck entirely.
What exam evidence looks like
Want to see the technical verification flow?
See how Ensure fits your agent access model and NYDFS requirements
Review a sample audit pack or book a compliance demo for insurance carrier workflows.
