Guide for Apple IT: Leveraging MDM for Remote Work

Posted on March 19, 2020

As more companies begin letting their employees work from home, device security and productivity have become key considerations for IT. More than figuring out how to encourage a smooth workflow, IT has to guard company data from the unique security threats posed by the remote work environment.

In this guide, we’re going to walk you through how, with the right MDM solution (Mobile Device Management), remote work can be achieved securely and productively.

Here’s what we’ll cover:

  • Zero touch deployment for MDM Remote Work
  • VPNs for Remote Work Device Security
  • Using Trusted Device Certificates
  • Leveraging Remote Tools


Zero touch deployment for MDM Remote Work

In any modern platform for mobile device management, work-from-home capabilities are essential. The biggest challenges for any business that relies on remote work are setting up devices for use and getting them to your employees. While in traditional employment devices can be ordered to your company and then handed to your workforce, the only way to get devices in the hands of your remote employees is by shipping them to their location.

Whether you’re buying your devices directly from Apple (as an SMB or enterprise customer) or from a Device-Enrollment-enabled reseller, like CDW or SHI, you can have your devices sent directly to your employees. However, only Device-Enrollment-enabled resellers can asset tag the devices for you — this lets you ship them directly to employees and have your MDM solution automatically recognize the device.

When it comes to getting devices work-ready, using zero touch deployment is key. Zero touch deployment is an automated deployment strategy that lets businesses prepare and configure devices for their employees — without having to physically touch them. It’s easy, automatic, wireless, and, as you’ll see next, a huge time saver.

Zero Touch Deployment for Remote Work Device Security

If your company uses Apple devices, then finding an MDM solution that supports zero touch deployment, like our product Kandji, is highly recommended. By pairing your MDM with Apple Business Manager, you can unlock powerful remote work device security options, like zero touch deployment. Zero-touch lets you do all of the traditionally manual onboarding and setup steps, like sending commands, apps, and configuration profiles to all of your company devices — without interacting with them physically.

As a quick primer, Apple Business Manager is a program that IT administrators use to manage their devices in one place and assign them to their MDM for enrollment. Once you configure Apple Business Manager to your MDM, every device that you buy from Apple or a Device-Enrollment-enabled reseller will be enrolled in your MDM as part of Setup Assistant.

Compared to manual enrollment methods, which take a lot of time and can leave your devices vulnerable to security risks longer than necessary, zero touch is faster, easier, and more secure. You can read more about how you can achieve zero touch deployment in our zero touch deployment guide — but for now, here’s an overview of the benefits you can expect:

  • Quick and Easy Deployment: While traditional deployment involves unboxing and manually configuring new devices, with zero touch deployment, once your employees connect their devices to the internet, enroll, and complete Setup Assistant, they’re ready to go.
  • Enhanced Endpoint Security: If your employees work from home, device security needs to be tailored for the remote environment. The manual deployment methods that are sometimes used in-house take a lot of time and require complicated interactions from IT or users. This leaves your company devices vulnerable to malicious activity much longer than they should be — zero touch deployment, on the other hand, minimizes this security concern by quickly enrolling devices during Setup Assistant.

At Kandji, we built zero touch deployment into our MDM solution so your employees can use their devices sooner — without a visit to IT. We can also automate a lot of other device management steps with features like our 150+ pre-built macOS controls, such as the “Set Computer Name” parameter, which lets you create dynamic device names by combining multiple variables — including custom text, asset tagging, and Blueprint names.


VPNs & Device Management: Work from Home Securely

The remote work environment needs special attention when it comes to security. Because your employees work from home, device security can be compromised in new ways. That’s why it’s important to keep the line of communication between your workers and your business network safe from malicious activity to keep sensitive data out of the wrong hands.

This is where Virtual Private Networks (VPNs) come into play. When your employees connect to your company network to access data and resources, they open up new security vulnerabilities — but VPNs can secure them.

You can think of a VPN as a tunnel between the employee device and your company network. Rather than connecting to a remote company server directly over the internet, leaving your data and system information vulnerable, employee traffic is routed through a VPN, which can employ multiple levels of encryption. This gives the employee a direct and secure connection to the server, so none of the transmitted data is open to the public.

When it comes to picking the right mobile device management/remote work solution, it’s important that it supports Apple’s VPN Profiles. Because VPN configuration and deployment capabilities are supported by Kandji, remote workers can automatically connect to the company network while keeping all of your data secure.


Leveraging Trusted Device Certificates

Another important security measure for any MDM work-from-home setup is managing which apps your remote workers can access from their devices. For instance, you may not want your employees to access Salesforce (or any other program that holds valuable company information) on their personal device, since it may not be configured in the same way that their company device is.

Using trusted device workflows, you can make sure only company devices can use these apps. To do this, you can use your IdP (identity provider), or a third-party PKI provider, with your MDM solution. Once your IdP is configured, you can restrict access to cloud and on-premises apps behind the IdP to only allow devices that present a "Trusted Device" certificate. This workflow is sometimes known as "Conditional Access."


Leveraging Remote Tools

You can also take advantage of other MDM remote work capabilities to keep your employees’ devices up-to-date. We’ll take a look at a few options here:

  • Automatic Enterprise App Installation: With Kandji, once an app has been added to your library, you can deploy it to any enrolled company device. This makes it a breeze to get essential business apps to your remote workers — without having to manually install them.
  • Mac Patch Management: As Mac admins know a bit too well, managing updates for apps that aren’t in the Mac App Store can become pretty time-consuming. With Kandji’s Auto Apps, you can access a library of custom applications — which Kandji pre-packages, hosts, and automatically patches — and deploy them with a single click. We’ve already added over 20 of the most common business apps (like Zoom and BlueJeans for virtual meetings, Notion for notes, and Google Drive File Stream), and we’re adding more every month.
  • Sync GSuite with MDM: Kandji can automatically sync your workforce from GSuite or Office365. Once you connect your GSuite or Office 365 account, Kandji will add all of your employees and check for new users every few hours, letting you assign users to devices so you can better track your assets.


In a modern MDM, work-from-home capabilities are necessary to keep your business as versatile and secure as possible. Kandji offers everything you need, from zero touch deployment support and VPN configuration to app deployment, pre-built security controls, and plenty more. It’s time to manage your devices like your business depends on it. Request access to Kandji today.
