The Case for MDM: Improve Security, Save Money

Posted on March 25, 2021

In the modern workplace, mobile device management (MDM) is essential. When it comes to tracking and configuring devices, deploying apps, and complying with security requirements, MDM solutions can help you do it all quickly, flexibly, and cost-effectively.

But despite all those advantages, MDM can be a hard thing to pitch to your executives. They may not know what MDM is or how it can make you more efficient at your job and free you up for more important strategic work.

In this guide, we’ll spell out what we consider to be the most compelling reasons for adopting MDM. We’ll focus primarily on MDM solutions that can help you manage Mac computers and iPhone and iPad devices, because that’s the business we know best. The essentials of the case we'd make:

  1. What is MDM?
  2. Why do you need MDM?
  3. Improving security
  4. Saving time
  5. Increasing agility
  6. Saving money

What is MDM?

The first step in making the case for MDM is giving your leadership team a clear understanding of what MDM is. To do so, it helps to distinguish between MDM in general and MDM solutions.

Mobile Device Management (or MDM) refers to the practice of managing company devices—configuring them, managing policies, distributing content, assigning roles to specific users, enforcing security, and more.

An MDM solution is a specific platform—such as Kandji—that implements MDM. MDM solutions come in many different forms and flavors, but they all try to make it easy for IT to monitor, update, and secure company devices. 

One important note: Historically, MDM solutions focused on mobile devices like phones and tablets. But these days those solutions can also help manage other digital tools, including Mac computers and Apple TV devices.

Our advice: When talking to executives about mobile device management, focus first on the benefits of MDM in general before you get into any discussions of specific MDM solutions. 

Why Do You Need MDM?

The case for MDM boils down to two arguments: First, implementing an Apple MDM solution will save the IT team time—which means saving the company money, as well as freeing up IT bandwidth for strategic projects. Second, it will make the company more secure. 

Let’s take, as an example, a fictional company called Accuhive. It has around 500 employees, but it plans to scale to 750 by next year, and it’s an all-Apple shop.

With an MDM solution in place, Accuhive can set up all those new employees with the hardware they need (and provide upgrades to existing workers, if that’s in the budget) quickly and effectively. With Apple MDM solutions that support zero touch deployment, new hires could get to work with their new Mac computers and iPhone and iPad devices right out of the box; setting up those new devices could take IT minutes instead of hours.

Accuhive’s IT group can also make sure the company’s devices are secure, even with a small team. With a good MDM solution in place, complying with security frameworks such as CIS (Center for Internet Security) can be a matter of clicking some onscreen buttons. And because MDM solutions make it easier to distribute and update apps, the company would know that users have the latest versions of the business apps they need.

Without an MDM solution, the IT team will have to spend more of its time dealing with devices manually. Without a simple, reliable way to universally adjust security settings on all those computers and devices and to be sure that apps are updated to the latest patched versions, Accuhive could be vulnerable to security risks. It would have a harder time following compliance standards and so risk security audits. Its IT team could also be crushed trying to onboard all those new employees, much less take care of existing staff. 

Improving Security

Now that you have your executives’ attention, it’s time to drill down on some detailed examples. We’d lead with security, because locking down company data is always a major concern.

You can start with FileVault—a cornerstone of security on Mac computers. A good Apple MDM solution will let you require that disk encryption is turned on. Using remediation, you can rest assured that even if a user tries to turn it off, the proper settings will be reinstated. A good MDM system should let you enforce FileVault on all systems with a few clicks. 


Compare that to the scenario without MDM. Enabling FileVault universally in that case has meant monolithic imaging, running scripts from flash drives, or manually clicking buttons on each computer. Even then, there’s no way to ensure that users won’t decide it’s a hassle and try to turn it off. The back-of-the-envelope math: To enable FileVault on 500 of Accuhive’s existing Mac computers, at 15 minutes each, would require 125 person-hours; with 250 new ones coming online this year, figure another 62-and-change.

Second example: Passwords. With MDM in place, you can enforce the password management policies you want—minimum length, character complexity, maximum age, and more. And, again, if a user tries to reverse your decision, a good MDM solution will automatically remediate it. Time to set this up? Again, we’re talking minutes, not hours.

With no MDM, you’d have to enforce password policies by binding to a directory service, manually setting policies with scripts, or manually installing configuration profiles. Again, a little quick math: If everyone at Accuhive has a Mac computer and an iPhone device, and if it takes 10 minutes on each one to set up passwords, that’s about 160 person-hours right there. To onboard the new hires this year, you’ll need another 80. 

A third good example: How do you make sure that employees are accessing your company data in a safe way, whether they’re using company devices or bringing their own to the job (aka BYOD)?

With MDM, you can decide which apps can be accessed by which devices, approving trusted ones or limiting those you don’t know. Setting up such trusted-device workflows can take time, even with the best MDM, but it’s nothing compared to the time it’d take to continuously check and control which devices are accessing your data. 

Saving Time

There’s more to IT life than security, of course. Apple MDM solutions could also help IT teams with onboarding new users and deploying apps. That saves admins time, which they can then spend on more important work.

One example of the time savings: Zero touch deployment. When you drop-ship Mac computers to new hires and they boot them up for the first time, you can use MDM to automatically configure those computers right away, with all the settings and apps in place that you want. It’s not only faster than manual deployment, it’s also safer: The computer is protected as soon as it is enrolled.

It might take a couple of hours to initially set up zero touch deployment in your MDM solution. But once that’s done, it will take a few minutes for each individual device you deploy. Without MDM, that same job could take a couple of hours per device. 

You can also leverage Apple Business Manager and your MDM to distribute apps and other content. In Kandji’s case, there are three ways to do so: You can distribute software from the App Store, use Auto Apps (popular business applications that aren’t available in the App Store, which Kandji packages, hosts, and automatically updates), or distribute your own custom programs. Again: a couple of hours to do the initial setup in your MDM, but after that it shouldn’t require much IT time at all.

Kandji Auto Apps help you keep users' apps up to date and secure.

Without MDM, apps must be manually packaged and installed. IT will also have to manually update all custom apps. And even then, you’ll have no way to be sure that the latest versions are being used. In the Accuhive example, we’re talking hundreds of hours to install apps for 500 end users.

Increasing Agility

One final argument in favor of MDM that we haven’t mentioned: It makes your company more flexible and adaptable to changing conditions.

Let’s say, for example, that all of your workers are suddenly working from home. As an IT person, you’d have to reconfigure everything, from the way you distribute hardware and software to the way you set up security. Because MDM solutions exist in the cloud, you can still control devices and apps from a single console. With the right Apple MDM, your company will have the flexibility to manage a variety of devices and seamlessly adapt to changes in how you work.

With zero touch deployment, you can purchase devices from Apple or a qualified reseller and have them shipped to remote employees—and, again, they’ll already be configured the way you want. With trusted-device workflows, those newly remote workers can all still access the data they need—and none of the data they shouldn’t see.

Saving Money

Using our Accuhive example, it’s clear that a company can save hundreds of hours of IT time—and expense—by switching to MDM. You can adapt those numbers to your particular business in making the case to your executives for adopting MDM. But if you stress two things they’re likely to care about most—security and cost—that argument should be compelling. 

One final bit of advice: Getting an MDM solution is a game-changer no matter what platforms your company uses. If your business runs on Apple, you should have an MDM solution—such as Kandji—that does too. With time-saving features like zero touch deployment and unmatched security capabilities like one-click compliance, Kandji has everything you need to deploy, manage, and maintain your company devices.

Request access to Kandji today.
