TL;DR: If your team manages more than 10 Apple devices and you're still doing it manually, you're accumulating IT debt fast. This article breaks down how Apple MDM works, what to look for in a platform, and which solutions are worth your time in 2026.
The "Just Figure It Out" Phase Ends Around Device 10
Most teams start the same way. One Mac, manually configured. Two iPhones, same deal. Then a hiring sprint happens and suddenly someone's handed the unofficial title of "person who manages our Apple stuff," usually without a plan.
At that scale, mobile device management (MDM) stops being an enterprise concern and becomes a basic operational need. Missed security patches, lost devices with company data, no visibility into what's installed on a machine you issued six months ago: these are the symptoms. Apple MDM is the fix.
So What Is Apple MDM, Exactly?
Apple MDM is a protocol built directly into iOS, iPadOS, macOS, and tvOS that allows a management server to send commands and configuration profiles to enrolled devices.
In plain terms: instead of physically touching a device to configure it, an IT admin pushes settings over the air. Wi-Fi profiles, VPN configs, app installations, passcode policies, remote wipe: all of it happens from a central console without the device needing to be in the room.
Apple's MDM framework is not a third-party add-on. It's a native capability Apple ships in every device. Third-party MDM platforms like Scalefusion, Jamf, or Kandji sit on top of this protocol and add management UIs, automation, reporting, and cross-platform support.
How Enrollment Actually Works
Before a device can be managed, it needs to be enrolled. There are three paths:
1. Automated Device Enrollment (ADE)
The cleanest option. Company-owned devices registered in Apple Business Manager (ABM) or Apple School Manager (ASM) auto-enroll the moment they're switched on. Zero IT presence required at device setup. This is zero-touch deployment done right.
2. Device Enrollment
Manual enrollment for company-owned devices that aren't in ABM. A user or IT admin installs an enrollment profile, usually delivered via email or a web link.
3. User Enrollment
For personal BYOD devices. The user enrolls voluntarily. MDM only manages work data and apps, personal content is untouched. This separation is enforced at the OS level, not just by policy.
How to Check If a Device Is Already Enrolled
Quick diagnostic commands worth knowing:
iPhone / iPad:
Settings > General > VPN & Device Management
If an MDM profile is listed under "Mobile Device Management," the device is managed.
Mac:
System Settings > General > Device Management
Or for deeper inspection:
System Information > Software > Profiles
If you see a managed profile entry or a message stating the Mac is supervised, it's enrolled.
Configuration Profiles and Payloads: What's Actually Getting Pushed
When an MDM server configures a device, it sends configuration profiles made up of payloads: individual setting blocks. Common payload types include:
| Payload Type | What It Does |
|---|---|
| Wi-Fi | Pushes network name, encryption type, and credentials |
| VPN | Configures VPN client settings without user input |
| Passcode | Enforces minimum length, complexity, lock timer |
| Restrictions | Disables App Store, camera, AirDrop, screen recording, etc. |
| Email/Calendar | Pre-configures work accounts |
| FileVault | Enforces disk encryption on Mac |
| Certificates | Installs trusted certificates for internal systems |
A single device can carry multiple configuration profiles simultaneously, each scoped to different settings.
Declarative Device Management (DDM): The Newer Protocol
Apple introduced Declarative Device Management as a smarter evolution of the traditional MDM protocol. The difference:
Traditional MDM: Server polls the device, device responds, server pushes changes. Constant back-and-forth.
DDM: The device receives "declarations" (configuration intents) and manages itself. It reports its own status back through status channels only when something changes.
Traditional: Server asks "are you compliant?" every N minutes
DDM: Device says "I just became non-compliant" when it happens
Benefits in practice:
- Faster policy application
- Lower network overhead
- Better battery efficiency
- Works more reliably when connectivity is intermittent
The catch: Not every MDM platform has fully implemented DDM yet. It shipped in iOS 15/macOS 12 but vendor support varies. Ask any platform you evaluate specifically whether DDM is shipped or roadmapped.
The Security Layer: What MDM Actually Protects
MDM is often sold on "management" but its security value is equally significant:
- Remote lock and wipe: a stolen MacBook or iPhone can be locked or fully erased within minutes
- Encryption enforcement: FileVault on Mac, Data Protection on iOS, enforced by policy not by trusting users
- Activation Lock management: prevents a wiped device from being reactivated without credentials
- Compliance monitoring: real-time alerts when a device falls out of policy (outdated OS, missing required app, jailbroken device)
- BYOD data separation: managed and personal data are isolated at the OS level
For teams under HIPAA, SOC 2, ISO 27001, or GDPR, MDM audit logs and compliance reporting are also what makes a compliance audit survivable rather than painful.
Five Platforms Worth Evaluating in 2026
1. Scalefusion
The strongest option if your environment isn't purely Apple. Scalefusion manages iOS, iPadOS, macOS, Android, Windows, ChromeOS, and Linux from one console, which matters the moment you have any non-Apple hardware to deal with.
Standout features for IT teams:
- Zero-touch enrollment via ABM and Apple School Manager
- Remote screen sharing on both iOS and macOS (not just Mac)
- Kiosk mode across all supported platforms, not just iOS
- Prebuilt CIS Level 1 compliance templates for macOS, iOS, iPadOS, tvOS
- No-code automation workflows for common IT tasks
- Veltar-powered endpoint security with real-time threat detection
- Zero Trust access control via OneIdP
Pricing starts around $2 per device/month. 14-day free trial available.
2. Jamf Pro
The established enterprise standard for Apple-only environments. Jamf offers same-day support for new iOS and iPadOS releases, which matters if you're managing a fleet that updates the day Apple drops a new OS.
Good for: large Apple-only orgs, complex compliance environments, teams that want a mature, well-documented platform.
Limitation: no cross-platform support, higher price point (~$4/device/month and up), some workflow quirks (no automated device naming, confusing bulk-scoping UI).
3. Kandji
Automation-heavy and Mac-centric. The proprietary macOS agent enables things the standard MDM protocol doesn't: custom app installs, native app blocking, running scripts as root. The Auto-Remediation engine fixes configuration drift automatically.
Good for: Mac-focused engineering or design teams that want deep, hands-off compliance management.
Limitation: no native remote support tooling, no shared Mac lab support, custom pricing (no public tiers).
4. Addigy
Built around live interaction with devices. LiveDesktop gives remote macOS control directly from a browser. LiveTerminal provides instant command-line access. GoLive pulls over 100 real-time data points off a device on demand.
Good for: MSPs managing multiple client environments where live troubleshooting is the primary workflow.
Limitation: Apple-only, UI can be clunky, Splashtop integration unreliable in some environments. Starts at $6/device/month.
5. Mosyle
The most accessible entry point on this list. Free tier covers up to 30 devices including Apple Watch and Apple TV. Paid tiers add AI-based endpoint hardening, encrypted DNS filtering, and SSO for Mac logins.
Good for: education, small teams, budget-constrained environments starting out with formal device management.
Limitation: thinner community support, no iPad-specific authentication flow comparable to macOS, 15-minute auto-logout can interrupt longer admin sessions.
Quick Comparison
| Platform | Cross-Platform | Remote Support | Starting Price | Best For |
|---|---|---|---|---|
| Scalefusion | Yes (6 OSes) | iOS + macOS | ~$2/device/mo | Mixed-OS fleets |
| Jamf Pro | Apple-only | macOS only | ~$4/device/mo | Apple-only enterprise |
| Kandji | Apple-only | None native | Custom | Mac-heavy teams |
| Addigy | Apple-only | macOS live | ~$6/device/mo | MSPs |
| Mosyle | Apple-only | Screen sharing | Free/$1+ /device/mo | Education, small teams |
Key Questions to Ask Before You Commit to a Platform
Before running a trial, have answers to these:
- Is your fleet Apple-only or mixed? If mixed, you need cross-platform support. Scalefusion is the cleanest option here.
- Do you need remote screen access on iOS, not just Mac? Most platforms skip iOS remote support. Scalefusion and Mosyle both offer it.
- Has the vendor shipped DDM, or is it a roadmap promise? Ask specifically.
- What compliance framework are you working against? HIPAA, SOC 2, GDPR: make sure audit logs and compliance reports are native, not add-ons.
- Is BYOD in scope? User Enrollment support and data separation handling should be verified, not assumed.
Wrapping Up
Apple MDM isn't a niche IT topic anymore. If you're a developer provisioning your own MacBook, a tech lead handling team devices, or an IT admin scaling a mixed fleet, understanding how enrollment, configuration profiles, and declarative management work gives you the foundation to evaluate platforms intelligently instead of just picking whatever has the best demo.
For most teams managing more than Apple hardware, Scalefusion is the natural first stop. For pure Apple enterprise environments, Jamf is still the battle-tested benchmark. Start with a free trial on one or two options, the differences in UI and support quality only show up once you're actually inside the console.