Most clients of mine start off with a default policy of no devices allowed. They all seem to move through locked down VPN-enabled laptops and Blackberrys for email. Most are still at this stage. Occasionally, I have been allowed either VPN access from non-company equipment or access to services over HTTP (HTTPS to be more accurate) such as source control systems.

As more and more services are getting to be hosted remotely, and sometimes by third parties, and accessed allowed via anywhere on the Internet, I expect that more and more non-company supplied hardware access to be utilised. The security will be more and more based on secured creditials rather than secured hardware.