How much does it cost your organization to manage its Apple devices? Put another way, how much value does your device management system deliver?
The answer to those questions depends on more than just the price of your MDM solution (assuming you have one). You also need to consider the time that your device management solution demands from your IT staff. While there’s no way to provide a one-size-fits-all formula for calculating that for every organization, here’s how you can work through the device-management calculations for yourself.
MDM or No MDM
We need to acknowledge at the outset that there are two very distinct scenarios here: One is that you have no MDM solution now but are considering adopting one. The other is that you have an MDM solution but aren’t sure it’s doing enough for you.
There are, of course, circumstances in which MDM may not be required. If you only have a few Apple devices to manage, and they don’t contain any sensitive company data, don’t (and won’t) require any customization, and can be quickly set up by your existing service desk, keeping the process manual might make sense.
However, if you have more than a few Apple devices (or plan to grow your device count in the future), want them to be configured consistently, need to ensure the safety of company data and support frequent software updates, and would like to provide the best service to users, then you need MDM.
At a certain point, it’s a math problem: You need to consider the staff time (and cost) that manual management requires, versus doing things automatically. You also need to consider the potential costs of data breaches due to inconsistently applied security settings.
Automating Device Management
Let’s say you already have an MDM solution in place, but you’re wondering whether there’s a better alternative. You have to ask yourself the same two questions: How much does each solution cost? And how much staff time does each solution demand (or, to put it another way, save)?
One key to the latter is automation. Some solutions make IT work easier by automating the daily chores of keeping operating systems and apps up to date and deploying devices to new employees.
Take, for example, the process of ensuring that a managed Mac is encrypted with FileVault. Doing that manually (including escrowing and rotating recovery keys) traditionally required formulating and then sending a configuration profile and a batch of scripts. In a more automated solution (such as Kandji), you might check a box and move a slider.
The other key is remediation. How quickly and autonomously does your current management setup detect that a device has drifted from its desired state and return it to that state? The traditional MDM protocol is not very conversational. The MDM server has no idea if a command was successful or a profile was installed unless it continually polls the device for status.
That is changing thanks to Declarative Device Management. Introduced a few years ago, DDM is becoming more robust each year. Crucially, the spec includes a status channel that allows for real-time communications about the device state. However, not every MDM command, profile, or setting takes advantage of the declarative protocol (yet).
In the meantime, some MDM vendors use on-device agents to send similar feedback to the server. They can also execute scripts or other code, which traditional MDM can’t do.
So at a minimum, you want a device management solution that has some kind of agent-like capabilities, to proactively monitor and remediate devices. It should also support DDM, now and in the future.
Most Mac apps that employees use at work are updated at least once per month. To maintain security, yours should be updated as soon as possible. When zero-day exploits happen and emergency updates are released, that means within 24 hours.
When an update becomes available, a good solution would fetch it and deploy it without admin intervention (after that admin has approved it for distribution, of course); it would also let users know when updates are available and provide enforcement within a given timeframe. Less automated ones might require admins to fetch, upload (maybe even package), and deploy the software themselves. The worst case: Admins need to go around and touch each device to update the software.
The same goes for updating the OSes on Apple devices. They typically get updates once a month. Again, your IT staff needs to deploy those updates and communicate with users about when they’re happening. A good MDM solution can automate almost all of that—not only the updates and upgrades themselves but the end-user messaging as well, providing intelligent prompts that let users delay updates while eventually enforcing them.
So the questions for your IT staff: How much time are they spending on app and OS updates every year? Do they need to fetch, package and deploy those apps and updates manually or is it automated? How are they managing end-user communications? What’s the average lag time between Apple’s release of new operating systems and their delivery to end users? Calculating those time commitments and then correlating them with staff costs will begin to give you an idea of how much keeping your software up to date really costs you.
Similar logic applies to assessing the cost of deploying new devices (to new and existing employees).
Doing it the old-fashioned, manual way means those devices are shipped to your IT team. Someone on that team then needs to physically interact with the device, to get it set up and configured as you wish. They then need to repackage the hardware and ship it out to the employee. That’s time and shipping costs on each new device.
Your cost calculations here need to encompass the time it takes to configure a new device, the cost of staff time (or the cost of outsourcing deployment), the number of new devices that will be deployed in a given year, and the number of new employees you expect to onboard in that same time.
The big question for your IT team: Can you currently deploy new Apple devices without physically touching them? Ideally, your device management solution allows that team to order devices directly from Apple or an authorized reseller, have them shipped directly to users, properly enroll them, and then configure them with your desired apps and settings on the first start-up. If your current MDM solution isn’t making that happen, it’s costing you more than it should.
Beyond the Basics
Calculations about the value (or cost) of a given MDM solution should also take three other factors into account.
Security
MDM solutions can be essential tools in bolstering your organization’s security posture. That’s because they can be used to deploy security apps, configure security-related settings, and make sure software security patches are applied in a timely fashion (another great reason to automate those updates).
Because of the access and privileges security apps require, they are notoriously tricky to deploy at scale. MDM can make that process a lot less tricky.
It can also make sure that security-related settings are properly configured—that FileVault is turned on for Mac computers, for example, or that users are following your password policies. Ideally, your management solution should be able to turn those settings on automatically and then remediate them quickly should users change them.
The questions for your IT team: How easy is it to maintain the organization’s security posture using your current device management solution? How much manual intervention is required to keep Apple devices buttoned up? How much time does that intervention require?
As we said above, there’s more here to consider than just your IT team’s time. A good MDM solution will make it less likely your Apple fleet can be breached by bad actors; that in turn reduces the risk of reputational harm, losing valuable intellectual property, and even financial damage. You have to consider the potential costs of failing to maintain a strong security posture in doing your MDM math.
Help Desk Tickets
Many MDM solutions include end-user interfaces to help with things like notifications and self-service software installs. Such interfaces make it easier for those users to understand what’s going on with their Apple devices and let them take care of some management chores (such as software updates) themselves. That in turn can cut IT time significantly.
The alternative is a system in which users don’t know why things are happening to their devices. That, in turn, generates support tickets that could have been avoided—tickets that take up more IT bandwidth. That time costs money: According to industry data, the average cost of servicing each support ticket ranges from $2 to $45 and averages $15.
So the question for your IT team is: How many help-desk tickets do they field per month, and how many of those could be avoided with better end-user communications or self-service options?
Hiring and Training
Two final cost factors to consider in assessing your current or a potential new MDM solution: First, how much training does it require for IT staffers? And how hard is it to hire IT people to run it?
Some MDM solutions are easier to implement and use than others. In particular, solutions that are specifically designed for Apple devices (as opposed to those that attempt to address multiple platforms) are easier to use. Following Apple’s lead, such solutions tend to emphasize simple, clear interfaces, which means they require less training.
The alternative to training is hiring someone who already knows how to use a given MDM platform. Some solutions require specialists with extensive experience. That can make hiring harder and potentially more expensive.
Ideally, any member of your IT team should be able to perform the most basic management tasks—even if they have no previous familiarity with the MDM solution. If that’s not the case, a simpler, more streamlined solution could save you money.
The Bottom Line
The simple fact is that IT costs are business costs. Impacts on the IT team are impacts on the business as a whole. So if your IT staff is spending more time managing Apple devices than is strictly necessary, your organization is losing money.
Finding an MDM solution that automates the most time-consuming IT tasks—including updating software and deploying new devices—means they have time to focus on more strategic imperatives, which in the long term can make the company more nimble and more competitive. That makes finding the right MDM solution a key strategic imperative for any organization.