Security Recommendations

Always Supervise Devices (Use ABM/DEP)

Supervision is the foundation of MDM security. Enroll devices through Apple Business Manager (ABM) or Apple School Manager (ASM) with Automated Device Enrollment (DEP). This ensures devices are supervised from the moment they are unboxed, giving you full control over restrictions, configuration, and the ability to lock or wipe devices remotely. Devices not enrolled via ABM/DEP can be removed from MDM by the end user, defeating your security posture.

Enforce Strong Passcodes

Require a device passcode on all managed devices. Configure minimum length (at least 6 digits, preferably 8+), require complex alphanumeric codes, and set a maximum failed attempt threshold that triggers a wipe. On macOS, enforce a screensaver password with a short grace period. A strong passcode is the single most effective defense against unauthorized physical access.
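The following is an added example, not code from this page's project: a small Python audit that parses a `.mobileconfig` profile with the standard-library `plistlib` and checks its passcode payload against the baseline stated above (minimum length 6, 8+ preferred, alphanumeric required, a failed-attempt wipe threshold, a short grace period). The payload keys (`forcePIN`, `allowSimple`, `minLength`, `requireAlphanumeric`, `maxFailedAttempts`, `maxGracePeriod`) are Apple's passcode-policy keys; the concrete 10-attempt and 5-minute limits, the profile identifiers and the sample profiles are constructed for the example.

```python
import plistlib

PASSCODE_PAYLOAD_TYPE = "com.apple.mobiledevice.passwordpolicy"  # Apple's passcode policy payload

# Baseline from the recommendation above. The 10-attempt and 5-minute figures
# are assumptions for this example; set them from your own policy.
MIN_LENGTH = 6
PREFERRED_LENGTH = 8
MAX_FAILED_ATTEMPTS = 10
MAX_GRACE_MINUTES = 5


def evaluate_passcode_payload(payload: dict) -> list[tuple[str, str]]:
    """Compare one passcode payload with the baseline; returns (severity, message) findings."""
    findings = []
    if not payload.get("forcePIN", False):
        findings.append(("FAIL", "forcePIN is false: no passcode is required"))
    if payload.get("allowSimple", True):
        findings.append(("FAIL", "allowSimple is true: repeating or sequential codes are allowed"))
    if not payload.get("requireAlphanumeric", False):
        findings.append(("FAIL", "requireAlphanumeric is false: numeric-only codes are allowed"))
    length = payload.get("minLength", 0)
    if length < MIN_LENGTH:
        findings.append(("FAIL", f"minLength {length} is below the minimum of {MIN_LENGTH}"))
    elif length < PREFERRED_LENGTH:
        findings.append(("WARN", f"minLength {length} meets the minimum; {PREFERRED_LENGTH}+ is preferred"))
    attempts = payload.get("maxFailedAttempts")
    if attempts is None:
        findings.append(("FAIL", "maxFailedAttempts not set: no wipe after repeated failures"))
    elif attempts > MAX_FAILED_ATTEMPTS:
        findings.append(("FAIL", f"maxFailedAttempts {attempts} exceeds {MAX_FAILED_ATTEMPTS}"))
    grace = payload.get("maxGracePeriod")
    if grace is None or grace > MAX_GRACE_MINUTES:
        findings.append(("FAIL", f"maxGracePeriod {grace} minutes exceeds {MAX_GRACE_MINUTES}"))
    return findings


def audit_profile(profile_bytes: bytes) -> list[tuple[str, str]]:
    """Parse a .mobileconfig (plist) and audit every passcode payload it carries."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_PAYLOAD_TYPE]
    if not payloads:
        return [("FAIL", "profile contains no passcode payload")]
    findings = []
    for payload in payloads:
        findings.extend(evaluate_passcode_payload(payload))
    return findings


def build_profile(identifier: str, **policy) -> bytes:
    """Wrap one passcode payload in a minimal configuration profile (constructed sample)."""
    payload = {
        "PayloadType": PASSCODE_PAYLOAD_TYPE,
        "PayloadIdentifier": f"{identifier}.passcode",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",  # placeholder UUID
        "PayloadVersion": 1,
        **policy,
    }
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": identifier,
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",  # placeholder UUID
        "PayloadVersion": 1,
        "PayloadContent": [payload],
    })


# Constructed samples: a weak policy, the hardened version, and a borderline one.
WEAK_PROFILE = build_profile("example.weak", forcePIN=True, allowSimple=True, minLength=4,
                             requireAlphanumeric=False, maxGracePeriod=60)
HARDENED_PROFILE = build_profile("example.hardened", forcePIN=True, allowSimple=False, minLength=8,
                                 requireAlphanumeric=True, maxFailedAttempts=10, maxGracePeriod=0)
BORDERLINE_PROFILE = build_profile("example.borderline", forcePIN=True, allowSimple=False, minLength=6,
                                   requireAlphanumeric=True, maxFailedAttempts=10, maxGracePeriod=0)

if __name__ == "__main__":
    for name, data in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE), ("borderline", BORDERLINE_PROFILE)):
        print(name, audit_profile(data) or "meets baseline")
```

Running it on a profile exported from your MDM shows which of the five settings fall short before the profile is pushed to a Blueprint; a missing `maxFailedAttempts` is reported as a failure rather than silently treated as "unlimited".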

Enable FileVault on macOS

FileVault provides full-disk encryption on macOS. Deploy it via a Blueprint to all Macs. The encryption prevents data access if a device is lost or stolen; enable personal recovery key escrow so your MDM stores the recovery key, which still lets IT recover the device if the user forgets their password.

Keep Devices Updated

Configure enforced OS update policies through your MDM. Set deferral windows to validate updates before broad rollout, but do not allow indefinite deferrals. Enable automatic background updates where possible. Unpatched devices are the most common entry vector for exploits.

Use Blueprints for Consistent Security

Define Blueprints (configuration profiles grouped by device role or user type) rather than applying settings ad-hoc to individual devices. Blueprints ensure every device in a given class gets the same security baseline — passcode policy, Wi-Fi with TLS, VPN, certificate trust settings, and restriction payloads. Audit Blueprints quarterly to catch drift.

Monitor Device Compliance Regularly

Set up compliance checks that run on a schedule (e.g., daily). Check for: passcode status, encryption status, OS version, whether the device is jailbroken/rooted, and whether any restricted apps are installed. Configure automated actions for non-compliant devices — notify the user, restrict network access, or quarantine the device until it is remediated.
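As an added example (not the page's or any MDM vendor's code), here is a Python compliance evaluator that applies the five checks listed above to an exported device inventory and maps the worst finding to one of the three automated actions. The inventory format, the minimum OS versions, the restricted bundle IDs and the severity-to-action mapping are all assumptions for this example; real MDM exports will have their own field names.

```python
import json

# Policy values are constructed for this example; take them from your Blueprint baseline.
MIN_OS_VERSION = {"iOS": "17.0", "macOS": "14.0"}
RESTRICTED_APPS = {"com.example.unapproved-vpn", "com.example.p2p-sharing"}  # constructed bundle IDs

# Assumed mapping from the worst finding to the automated action the page lists.
ACTION_FOR_SEVERITY = {3: "quarantine", 2: "restrict_network", 1: "notify_user"}


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '17.4.1' or '14.2' into a comparable 3-tuple (missing components count as 0)."""
    parts = [int(p) for p in text.split(".")] + [0, 0, 0]
    return tuple(parts[:3])


def evaluate_device(record: dict) -> dict:
    """Apply the passcode, encryption, OS version, jailbreak and restricted-app checks."""
    findings: list[tuple[int, str]] = []
    if record.get("jailbroken"):
        findings.append((3, "device is jailbroken/rooted"))
    for app in sorted(RESTRICTED_APPS & set(record.get("installed_apps", []))):
        findings.append((2, f"restricted app installed: {app}"))
    if not record.get("passcode_set"):
        findings.append((2, "no device passcode set"))
    if not record.get("encrypted"):
        findings.append((2, "storage is not encrypted"))
    minimum = MIN_OS_VERSION.get(record.get("platform"))
    if minimum and parse_version(record["os_version"]) < parse_version(minimum):
        findings.append((1, f"OS {record['os_version']} is below minimum {minimum}"))
    severity = max((s for s, _ in findings), default=0)
    return {
        "device_id": record["device_id"],
        "compliant": not findings,
        "action": ACTION_FOR_SEVERITY.get(severity),  # None when compliant
        "findings": [msg for _, msg in findings],
    }


def run_compliance(inventory_json: str) -> dict[str, dict]:
    """Evaluate a JSON inventory export and key the results by device_id."""
    return {r["device_id"]: r for r in (evaluate_device(d) for d in json.loads(inventory_json))}


# Constructed inventory export: one clean device and three non-compliant ones.
SAMPLE_INVENTORY = json.dumps([
    {"device_id": "mac-001", "platform": "macOS", "os_version": "14.4", "passcode_set": True,
     "encrypted": True, "jailbroken": False, "installed_apps": ["com.apple.Safari"]},
    {"device_id": "ipad-002", "platform": "iOS", "os_version": "17.4.1", "passcode_set": True,
     "encrypted": True, "jailbroken": True, "installed_apps": ["com.example.unapproved-vpn"]},
    {"device_id": "iphone-003", "platform": "iOS", "os_version": "16.7", "passcode_set": True,
     "encrypted": True, "jailbroken": False, "installed_apps": []},
    {"device_id": "mac-004", "platform": "macOS", "os_version": "14.0", "passcode_set": False,
     "encrypted": False, "jailbroken": False, "installed_apps": []},
])

if __name__ == "__main__":
    for device_id, result in run_compliance(SAMPLE_INVENTORY).items():
        print(device_id, result["action"] or "compliant", result["findings"])
```

Scheduling this against a daily export gives the per-device action list; the severity ordering ensures a jailbroken device is quarantined even when it also carries lower-severity findings, and a device that exactly meets the minimum OS version is not flagged.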

Set Up Lost Mode Procedures

Define a clear lost-mode workflow before a device goes missing. Your MDM should support locking the device with a custom message and contact number, displaying the message on the lock screen, and tracking the device's location. Practice the procedure annually so the team can execute it under pressure.

Regular Security Audits

Conduct quarterly audits of your MDM environment: review admin accounts and their roles, audit configuration profile changes, verify that no orphaned devices remain enrolled, and check that expired certificates have been rotated. Export and archive an audit log from your MDM for compliance records.

Principle of Least Privilege for Admin Users

Grant MDM admin accounts the minimum permissions needed for their role. Use role-based access control (RBAC) to separate read-only operators, device-enrollment technicians, and full administrators. Require multi-factor authentication (MFA) on all admin accounts. Review the admin list every quarter and revoke access for anyone who no longer needs it.

Released under the MIT License