What can $10 stretch to these days? Lunch... or access to international airport security systems

Lee D Silver badge

"I'm gonna give you run of the complete IP network" rather than "I'm going to show you a picture of a machine that you'll have to log into"?

VPN is sensible, sure, but as an encryption layer only. VPN into a network as if you were plugged in locally is just a perfect way to spread stuff from their machines to your network.

VPN, and filter, and VLAN, and etc. etc. etc. and then to a limited network that only allows RDP traffic, through an authenticated gateway, only to select apps/VMs... yep. That sounds ideal.

But to most people, well-configured RDP - with up-to-date clients - to an unprivileged TS acting as a network client is perfectly sufficient in terms of encryption, stopping brute-force attacks, letting people work from hotels, etc., convenience, and compatibility (you can do it from an iPad, or a smartphone).

The question is not "what protocol do you use" but "what measures do you have protecting that protocol".

But, personally, blanket VPN access is incredibly dangerous. And most people want it "to access network shares", so you can't block the protocols associated with that. Now you have SMB/CIFS traffic flowing around uncontrolled home networks.

RDP, via a gateway, with certs, decent policy, IDS/IPS, and file-transfers disabled... it's then impossible to do anything that "that user logged in on a real machine inside" couldn't do, while also preventing all exposure of unsanitised data to/from their home / cybercafe / etc. IP networks.
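An added example, not part of the comment above or of The Register's page, that puts the two access models being contrasted side by side: a blanket VPN rule that gives a remote client "run of the complete IP network", and a rule set that lets the client reach only an authenticated RDP gateway. Constructed flows from a remote client are run through a first-match rule evaluator so the difference in exposure (SMB, NetBIOS and direct RDP reaching internal hosts) is visible; the addresses, rule names, hosts and the policy dictionary are all constructed for the demo, while the Terminal Services value names are the real Windows policy registry values.

```python
"""Blanket VPN versus RDP-via-gateway, evaluated as firewall policy.
Added example; all addresses, rule names and hosts are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                # source CIDR
    dst: str                # destination CIDR
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # None matches any destination port
    action: str             # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# Constructed topology for the demo.
VPN_POOL = "10.200.0.0/24"      # addresses handed to remote VPN clients
CORP_LAN = "10.10.0.0/16"       # the whole internal network
RD_GATEWAY = "10.10.0.5/32"     # the authenticated RDP gateway host

# Model 1: once the tunnel is up, the client is treated as if plugged in locally.
BLANKET_VPN: List[Rule] = [
    Rule("vpn-to-lan-any", VPN_POOL, CORP_LAN, "any", None, "allow"),
]

# Model 2: the client may only reach the gateway, and only on the ports the
# gateway service needs (HTTPS transport plus RDP); everything else is denied.
RDP_VIA_GATEWAY: List[Rule] = [
    Rule("vpn-to-gw-https", VPN_POOL, RD_GATEWAY, "tcp", 443, "allow"),
    Rule("vpn-to-gw-rdp", VPN_POOL, RD_GATEWAY, "tcp", 3389, "allow"),
    Rule("vpn-to-lan-deny", VPN_POOL, CORP_LAN, "any", None, "deny"),
]


def first_match(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule, or implicit deny."""
    for r in rules:
        if (ip_address(flow.src) in ip_network(r.src)
                and ip_address(flow.dst) in ip_network(r.dst)
                and r.proto in ("any", flow.proto)
                and r.dport in (None, flow.dport)):
            return r.action, r.name
    return "deny", "implicit-deny"


# Constructed flows that an unmanaged home machine on the VPN might generate.
SAMPLE_FLOWS: Dict[str, Flow] = {
    "smb-to-fileserver": Flow("10.200.0.7", "10.10.1.20", "tcp", 445),
    "rdp-direct-to-workstation": Flow("10.200.0.7", "10.10.2.30", "tcp", 3389),
    "rdp-to-gateway": Flow("10.200.0.7", "10.10.0.5", "tcp", 3389),
    "https-to-gateway": Flow("10.200.0.7", "10.10.0.5", "tcp", 443),
    "netbios-broadcast": Flow("10.200.0.7", "10.10.255.255", "udp", 137),
}


def evaluate(rules: List[Rule]) -> Dict[str, str]:
    """Map each sample flow name to the action the rule set takes on it."""
    return {name: first_match(rules, flow)[0] for name, flow in SAMPLE_FLOWS.items()}


def lateral_paths(rules: List[Rule]) -> List[str]:
    """Allowed flows that end somewhere other than the gateway: the exposure
    the commenter means by 'spread stuff from their machines to your network'."""
    return sorted(name for name, flow in SAMPLE_FLOWS.items()
                  if first_match(rules, flow)[0] == "allow"
                  and ip_address(flow.dst) not in ip_network(RD_GATEWAY))


# The other half is the RDP host's own session policy. These are the real value
# names under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services;
# the policy dictionaries passed in are constructed for the demo.
EXPECTED_TS_POLICY: Dict[str, int] = {
    "UserAuthentication": 1,   # require Network Level Authentication
    "SecurityLayer": 2,        # TLS as the RDP security layer
    "fDisableCdm": 1,          # drive redirection off (no file transfer)
    "fDisableClip": 1,         # clipboard redirection off
}


def session_policy_findings(policy: Dict[str, int]) -> List[str]:
    """Return the settings that are missing or not at the expected value."""
    return sorted(k for k, v in EXPECTED_TS_POLICY.items() if policy.get(k) != v)


if __name__ == "__main__":
    for label, rules in (("blanket VPN", BLANKET_VPN), ("RDP via gateway", RDP_VIA_GATEWAY)):
        print(f"{label}: {evaluate(rules)}  lateral paths: {lateral_paths(rules)}")
    print("host policy findings:", session_policy_findings({"UserAuthentication": 1}))
```

Run as a script, the blanket model allows every sample flow, so SMB, NetBIOS and direct RDP to a workstation all count as lateral paths; the gateway model allows only the two flows that terminate at the gateway and reports no lateral paths. The session-policy check is the "file-transfers disabled" part of the comment: a host that still permits drive or clipboard redirection shows up as a finding even when the network policy is tight.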
