Identity Chronicle – Deep Dive: Securing BYOD Laptops for External Users

Customer Requirement:

A mid-sized financial services firm needed to give 100+ external contractors access to internal apps using their own laptops.
The problem? No domain join, no GPO enforcement, and no MFA, which created massive compliance and security gaps. Moreover, the client wanted contractors to be able to complete the process by following simple DIY steps.

How BAAR-IGA Solved It:

A portal to manage External Employees

A portal is provided to onboard, edit and offboard external employees. Using the portal:

  • Onboard/off-board external employees
  • Manage GPO policies on BYOD laptops for external employees
  • Manage account expiry and other policies

1️⃣ Lightweight Agent Deployment

External users were sent a secure installer for the BAAR-IGA endpoint agent. This agent:

  • Runs silently on Windows/macOS
  • Connects to the BAAR-IGA cloud
  • Requires no domain join to the customer AD or VPN to function

2️⃣ GPO-Like Policy Enforcement on BYOD

Using the BAAR Policy Engine:

  • Admins configured rule sets equivalent to GPOs: USB block, firewall enforcement, no access to the Control Panel, no saving of data on the laptop, etc.
  • Policies were pushed and enforced through the BAAR agent 
  • Logs were streamed back for compliance tracking 

3️⃣ MFA Integration Without AD

  • External users authenticated using the BAAR Authenticator App (mobile push or TOTP) 
  • MFA was triggered before access to cloud apps and shared folders
  • For extra assurance, device posture (e.g., OS version, disk encryption) was checked before access was granted 

4️⃣ Granular Access Control & Visibility

  • BAAR-IGA assigned just-in-time access to specific apps via dynamic policies
  • Time limits and auto-expiry were applied for contractor accounts
  • Admins gained real-time dashboards showing policy compliance, failed access attempts, and device health

Results:

✔️ 98% GPO parity achieved on unmanaged devices
✔️ Full MFA compliance across internal and third-party users
✔️ Reduced IT overhead (no domain join, no VPN tickets)
✔️ Passed external audit for device compliance within 30 days

🛡️ From unmanaged chaos to governed control — no domain required.

BAAR-IGA turns any device into a compliant endpoint.
