Beyondcorp protects communication between trusted devices. The work to maintain a trusted hardware device of a particular model is high; CVEs occur constantly and sometimes you have to rely on the vendor to provide microcode (even if you get the source to review, they may be the only ones who can sign it, for example) or drivers.
The network connection isn't the main problem, it's every access to a protected system that would no longer trust the device.
I'm still not able to see what's the difference here. In a "no trusted special networks" world as the one painted by BeyondCorp, if the Intel Mac is not supported anymore, well, you will just not be able to login in any corporate portal because the smart BeyondCorp SSO will reject you, no matter if you are at home or in Mountain View HQ, no?
I mean, I can understand defense in depth and not wanting anyway a possible unsafe device connected to the corp network which still might expose some unwanted data (i.e. I imagine a trusted device on the corporate LAN might relax some local firewall rules to make it easier to develop? I'm just guessing, no real idea)
The network connection isn't the main problem, it's every access to a protected system that would no longer trust the device.