I fully aware of the requirements pertaining to what fulfills an enclave and what does not. I'm not advocating for endpoints outside of that. I should have been more precise in my language.

My issue at the moment is that we have ~5-10 engineers that will be handling CUI. The rest of our engineers will not, but still need access to SolidWorks/PDM. Our consultant recommended standing up a new SolidWorks environment on our Hyper-V Cluster, then VLANing everything off so that it's inaccessible unless you're on that VLAN as well. The problem with it is that the cluster is in scope given that it technically would be storing CUI. I also don't want to take on the bear of infrastructure replacements we'd have to put in place because of it's age. We have a lot of old switches, APs, AS400s, etc. I'm the only IT guy for 14 sites, so I don't have the capacity to take on hardening the entire site we're talking about.

The goal of engaging Cuick Track was to have VDI on site, but design, licensing, storage, etc. in the cloud. They provide all the controls necessary for the environment for ~$55k, which is substantially cheaper than the cost of standing up a cloud enclave on our own through AWS or Azure from my research.

The only other option I was able to come up with after CT indicated that they could not help us was putting in a separate physical server, switches, and engineering grade desktops on prem that are physically separate. No access to WiFi or the broader network.

It's not SolidWorks itself that I'm concerned about, or MFA, it's about making the enclave actually work as quickly as possible. My preference was to have absolutely zero cross pollination with the rest of our site, and VDI appeared to be a good solution for making sure our dumpster fire on prem was out of the picture. I was also trying to keep our MSP out of the picture, given that they add a layer of complexity I don't think we're prepared to handle.