Security Recommendations
Always Supervise Devices (Use ABM/DEP)
Supervision is the foundation of MDM security. Enroll devices through Apple Business Manager (ABM) or Apple School Manager (ASM) with Automated Device Enrollment (DEP). This ensures devices are supervised from the moment they are unboxed, giving you full control over restrictions, configuration, and the ability to lock or wipe devices remotely. Devices not enrolled via ABM/DEP can be removed from MDM by the end user, defeating your security posture.
Enforce Strong Passcodes
Require a device passcode on all managed devices. Configure minimum length (at least 6 digits, preferably 8+), require complex alphanumeric codes, and set a maximum failed attempt threshold that triggers a wipe. On macOS, enforce a screensaver password with a short grace period. A strong passcode is the single most effective defense against unauthorized physical access.
Enable FileVault on macOS
FileVault provides full-disk encryption on macOS. Deploy it via a Blueprint to all Macs. Use the personal recovery key escrow feature so your MDM stores the recovery key — this prevents data access if a device is lost or stolen, while still allowing IT to recover the device if the user forgets their password.
Keep Devices Updated
Configure enforced OS update policies through your MDM. Set deferral windows to validate updates before broad rollout, but do not allow indefinite deferrals. Enable automatic background updates where possible. Unpatched devices are the most common entry vector for exploits.
Use Blueprints for Consistent Security
Define Blueprints (configuration profiles grouped by device role or user type) rather than applying settings ad-hoc to individual devices. Blueprints ensure every device in a given class gets the same security baseline — passcode policy, Wi-Fi with TLS, VPN, certificate trust settings, and restriction payloads. Audit Blueprints quarterly to catch drift.
Monitor Device Compliance Regularly
Set up compliance checks that run on a schedule (e.g., daily). Check for: passcode status, encryption status, OS version, whether the device is jailbroken/rooted, and whether any restricted apps are installed. Configure automated actions for non-compliant devices — notify the user, restrict network access, or quarantine the device until it is remediated.
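The scheduled check and its tiered responses, as an added example (not code from any MDM vendor): it evaluates inventory records against the baseline listed above and escalates the action with the worst finding. The record shape, the minimum OS versions and the restricted bundle id are all constructed assumptions; substitute your MDM's export fields and your own baseline.

```python
from typing import Dict, List, Tuple

# Assumed baseline versions and a placeholder restricted bundle id (constructed).
MIN_OS = {"iOS": (17, 4), "macOS": (14, 4)}
RESTRICTED_APPS = {"com.example.unapproved-tunnel"}
# Action tiers from the text, ordered by severity.
SEVERITY = {"notify": 1, "restrict_network": 2, "quarantine": 3}

# Constructed sample inventory in the shape an MDM export might use.
SAMPLE_INVENTORY = [
    {"serial": "MAC-001", "platform": "macOS", "os_version": "14.5",
     "passcode_set": True, "encrypted": True, "jailbroken": False,
     "installed_apps": ["com.apple.Safari"]},
    {"serial": "IOS-002", "platform": "iOS", "os_version": "17.2",
     "passcode_set": True, "encrypted": True, "jailbroken": False,
     "installed_apps": []},
    {"serial": "MAC-003", "platform": "macOS", "os_version": "14.5",
     "passcode_set": False, "encrypted": False, "jailbroken": False,
     "installed_apps": []},
    {"serial": "IOS-004", "platform": "iOS", "os_version": "17.5",
     "passcode_set": True, "encrypted": True, "jailbroken": True,
     "installed_apps": ["com.example.unapproved-tunnel"]},
]

def parse_version(text: str) -> Tuple[int, ...]:
    """Compare versions numerically so 14.10 sorts above 14.9."""
    return tuple(int(part) for part in text.split("."))

def evaluate(device: dict) -> Tuple[List[str], str]:
    """Return (findings, action); the action is the most severe one triggered."""
    hits = []  # (message, action) pairs
    if parse_version(device["os_version"]) < MIN_OS[device["platform"]]:
        hits.append((f"OS {device['os_version']} below baseline", "notify"))
    if not device["passcode_set"]:
        hits.append(("no passcode", "restrict_network"))
    if not device["encrypted"]:
        hits.append(("storage not encrypted", "restrict_network"))
    if device["jailbroken"]:
        hits.append(("jailbroken/rooted", "quarantine"))
    for app in sorted(RESTRICTED_APPS & set(device["installed_apps"])):
        hits.append((f"restricted app {app}", "quarantine"))
    action = max((a for _, a in hits), key=SEVERITY.get, default="compliant")
    return [m for m, _ in hits], action

def run_compliance(inventory: List[dict]) -> Dict[str, Tuple[List[str], str]]:
    """One scheduled run: map each serial to its findings and action."""
    return {d["serial"]: evaluate(d) for d in inventory}

if __name__ == "__main__":
    for serial, (findings, action) in run_compliance(SAMPLE_INVENTORY).items():
        print(serial, action, "; ".join(findings) or "ok")
```

Feed the resulting actions to your MDM's API or ticketing system; the evaluation stays separate from the enforcement so the baseline can be reviewed and unit-tested on its own.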
Set Up Lost Mode Procedures
Define a clear lost-mode workflow before a device goes missing. Your MDM should support locking the device with a custom message and contact number, displaying the message on the lock screen, and tracking the device's location. Practice the procedure annually so the team can execute it under pressure.
Regular Security Audits
Conduct quarterly audits of your MDM environment: review admin accounts and their roles, audit configuration profile changes, verify that no orphaned devices remain enrolled, and check that expired certificates have been rotated. Export and archive an audit log from your MDM for compliance records.
Principle of Least Privilege for Admin Users
Grant MDM admin accounts the minimum permissions needed for their role. Use role-based access control (RBAC) to separate read-only operators, device-enrollment technicians, and full administrators. Require multi-factor authentication (MFA) on all admin accounts. Review the admin list every quarter and revoke access for anyone who no longer needs it.
