Apple Mobile Device Management

Apple devices make up a growing share of enterprise fleets. iPhones for field teams, iPads for retail, Macs for engineering. Managing them at scale requires a purpose-built approach: Apple Mobile Device Management (MDM).

This guide covers how Apple MDM works, what enrollment options you have, which security policies matter, and how to connect everything through Apple Business Manager.

What Is Apple Mobile Device Management?

Apple MDM is a protocol built into iOS, iPadOS, macOS, and tvOS that lets administrators configure, monitor, and secure devices remotely. Unlike third-party agent-based systems, Apple's MDM framework is native to the operating system. This means no sideloaded software, no battery drain from background agents, and no workarounds for sandboxing restrictions.

The protocol works through a push notification model. When an admin queues a command (install a profile, lock a device, push an app), the MDM server asks Apple Push Notification service (APNs) to wake the device. The push itself carries no command content, only a wake-up for the device's MDM topic. The device then opens a TLS connection to the MDM server, fetches the pending command, executes it, and reports a status (Acknowledged, NotNow, or Error) before asking for the next one.
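The round trip described above, as an added example (it is not Appaloosa's or Apple's code): a server-side queue for one device that records the TokenUpdate check-in, hands out the head of the queue when the device connects, and handles the Acknowledged / NotNow / Error replies. The plist message shape, the MessageType, Status and CommandUUID fields, and the command names are Apple's MDM protocol; the class, the helper names, the UDID and the APNs topic are assumptions constructed for this example.

```python
import plistlib
import uuid
from collections import deque

# Constructed sample identifiers; not a real device or APNs topic.
SAMPLE_UDID = "00008030-000A1B2C3D4E5F60"
SAMPLE_TOPIC = "com.apple.mgmt.External.example-push-cert"


def encode_reply(udid, status, command_uuid=None, **extra):
    """Serialize a device-side message (used here to fake the device's replies)."""
    msg = {"UDID": udid, "Status": status, **extra}
    if command_uuid is not None:
        msg["CommandUUID"] = command_uuid
    return plistlib.dumps(msg)


class DeviceCommandQueue:
    """Server-side state for one enrolled device, keyed by its UDID."""

    def __init__(self, udid):
        self.udid = udid
        self.pending = deque()      # commands not yet acknowledged, in order
        self.push_token = None      # from the TokenUpdate check-in
        self.push_magic = None
        self.topic = None
        self.log = []               # (RequestType, outcome) history

    def handle_checkin(self, body):
        """TokenUpdate check-in: records what a later APNs push needs. The push only
        wakes the device; the command itself is never inside the notification."""
        msg = plistlib.loads(body)
        if msg.get("MessageType") != "TokenUpdate":
            raise ValueError(f"unexpected check-in: {msg.get('MessageType')!r}")
        if msg.get("UDID") != self.udid:
            raise ValueError("check-in UDID does not match this queue")
        self.push_token, self.push_magic, self.topic = msg["Token"], msg["PushMagic"], msg["Topic"]
        return {"apns_topic": self.topic, "push_magic": self.push_magic}

    def enqueue(self, request_type, **fields):
        """Queue a command; the device echoes CommandUUID back in its reply."""
        command = {"CommandUUID": str(uuid.uuid4()),
                   "Command": {"RequestType": request_type, **fields}}
        self.pending.append(command)
        return command["CommandUUID"]

    def next_command(self):
        """Body the server returns when the device connects: the head of the queue,
        or an empty body meaning 'nothing to do'."""
        return plistlib.dumps(self.pending[0]) if self.pending else b""

    def handle_response(self, body):
        """Apply the device's reply to the head of the queue and return its Status."""
        reply = plistlib.loads(body)
        if reply.get("UDID") != self.udid:
            raise ValueError("response UDID does not match this queue")
        status = reply.get("Status")
        if status == "Idle":
            return status           # device connected after a push but nothing was queued
        if not self.pending:
            raise ValueError("reply received with no command outstanding")
        head = self.pending[0]
        if reply.get("CommandUUID") != head["CommandUUID"]:
            raise ValueError("reply does not match the outstanding CommandUUID")
        request_type = head["Command"]["RequestType"]
        if status == "Acknowledged":
            self.pending.popleft()
            self.log.append((request_type, "Acknowledged"))
        elif status == "NotNow":
            # Device is, e.g., locked and refuses for now; keep it queued and push again later.
            self.log.append((request_type, "NotNow"))
        elif status in ("Error", "CommandFormatError"):
            # A failed command is dropped, not retried forever; record the error chain.
            self.pending.popleft()
            codes = [e.get("ErrorCode") for e in reply.get("ErrorChain", [])]
            self.log.append((request_type, f"{status}:{codes}"))
        else:
            raise ValueError(f"unknown Status {status!r}")
        return status


def run_demo():
    """One device lifecycle: check-in, two queued commands, a NotNow, then success."""
    q = DeviceCommandQueue(SAMPLE_UDID)
    q.handle_checkin(plistlib.dumps({
        "MessageType": "TokenUpdate", "UDID": SAMPLE_UDID, "Topic": SAMPLE_TOPIC,
        "Token": b"\x01" * 32, "PushMagic": "EXAMPLE-PUSH-MAGIC"}))
    info_id = q.enqueue("DeviceInformation", Queries=["OSVersion", "IsSupervised"])
    q.enqueue("DeviceLock", Message="Property of Example Corp. Call IT.")
    # Device connects, receives DeviceInformation, but is busy: NotNow keeps it queued.
    q.handle_response(encode_reply(SAMPLE_UDID, "NotNow", info_id))
    # Next connection: the same command is offered again and acknowledged with results.
    q.handle_response(encode_reply(SAMPLE_UDID, "Acknowledged", info_id,
                                   QueryResponses={"OSVersion": "17.6.1", "IsSupervised": True}))
    return q


if __name__ == "__main__":
    q = run_demo()
    print(q.log, "still pending:", [c["Command"]["RequestType"] for c in q.pending])
```

Two details matter for security here: the server rejects any reply whose UDID or CommandUUID does not match what it is waiting for (a stray or replayed reply must not clear a real command), and a NotNow keeps the command queued rather than marking it done, which is why a device lock that shows as "sent" in a console may still be outstanding.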

For an MDM solution to work with Apple devices, it must support the Apple MDM protocol. Appaloosa, for example, is a certified Apple MDM provider that connects directly to Apple Business Manager for device enrollment and app distribution.

Apple MDM Enrollment Methods

How devices get enrolled determines what level of control you have over them. Apple provides three main paths, each suited to different ownership models.

Automated Device Enrollment (ADE)

Previously called DEP (Device Enrollment Program), ADE is the gold standard for corporate-owned devices. When you purchase devices through Apple or an authorized reseller, they are registered in Apple Business Manager. On first boot (or after a factory reset), the device automatically enrolls in your MDM server. No manual steps, no user intervention.

ADE-enrolled devices are supervised by default. Supervision unlocks management capabilities that unsupervised devices do not expose: silent app installation, restricting AirDrop, hiding built-in apps, Single App Mode, Lost Mode, and enforcing always-on VPN. If you manage corporate iPhones or iPads, ADE should be your default enrollment method.

Device Enrollment via Profile

For devices you already own but did not purchase through official channels (or older devices not registered in ABM), you can enroll them by installing an MDM profile. The user opens a URL, downloads the profile, and approves the installation in Settings.

Profile-enrolled devices are not supervised unless you manually supervise them with Apple Configurator. This limits what commands you can execute remotely. Still, you retain core capabilities: pushing Wi-Fi and email configurations, enforcing passcode policies, and distributing apps.

User Enrollment (BYOD)

Apple introduced User Enrollment specifically for bring-your-own-device scenarios. It creates a separate managed partition on the device. Corporate apps and data live in that partition; personal data stays private. The admin cannot see personal apps, browsing history, or location.

This is the right choice when employees use their personal iPhones for work. You get enough control to protect corporate data (managed apps, per-app VPN, remote wipe of the work partition) without overstepping into personal territory.

Security Policies for iOS Device Management

Security is the primary reason most organizations adopt Apple MDM. Here are the policies that matter most for iOS and iPadOS fleets.

Passcode and Authentication

Enforce minimum passcode length, complexity, and auto-lock timers. For high-security environments, require alphanumeric passcodes and set a maximum number of failed attempts before the device wipes itself. Face ID and Touch ID cannot be required through MDM; the passcode policy can only allow or block biometric unlock, so the passcode itself remains the control you are enforcing. Allowing biometrics on top of a strong passcode is the usual balance of security and usability.

Encryption and Data Protection

All modern Apple devices encrypt storage at rest by default with hardware AES-256, and on iOS and iPadOS this cannot be turned off. What MDM adds is the policy that makes the encryption meaningful: Data Protection keys are only as strong as the passcode that wraps them, so a passcode requirement is the encryption control on iOS. On Macs, MDM additionally enforces FileVault. Beyond the device itself, you can restrict data flow between managed and unmanaged apps (managed open-in), preventing corporate documents from being opened in personal apps or synced to a personal iCloud account.
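The passcode and data-flow controls from the two sections above, as an added example (not from the article or from Appaloosa): a small builder that emits a .mobileconfig with a passcode payload and a restrictions payload, plus an audit that flags the weak settings discussed, run against a loose profile and a hardened one. The payload types and keys are Apple's documented configuration profile keys; the organization name, identifier prefix, thresholds and the two sample profiles are assumptions constructed for this example.

```python
import plistlib
import uuid

ORG = "Example Corp"             # assumed organization name
PREFIX = "com.example.mdm"       # assumed reverse-DNS identifier prefix

PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"
RESTRICTIONS_TYPE = "com.apple.applicationaccess"


def payload(payload_type, suffix, **settings):
    """Wrap a settings dictionary in the common keys every payload must carry."""
    return {"PayloadType": payload_type, "PayloadVersion": 1,
            "PayloadIdentifier": f"{PREFIX}.{suffix}", "PayloadDisplayName": suffix,
            "PayloadUUID": str(uuid.uuid4()).upper(), **settings}


def build_profile(passcode, restrictions):
    """A configuration profile holding a passcode payload and a restrictions payload."""
    return {"PayloadType": "Configuration", "PayloadVersion": 1,
            "PayloadIdentifier": f"{PREFIX}.baseline", "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadDisplayName": f"{ORG} iOS baseline", "PayloadOrganization": ORG,
            "PayloadRemovalDisallowed": True,   # honoured on supervised devices
            "PayloadContent": [payload(PASSCODE_TYPE, "passcode", **passcode),
                               payload(RESTRICTIONS_TYPE, "restrictions", **restrictions)]}


def to_mobileconfig(profile):
    """Serialize to the XML plist an MDM server installs (or that you sign and host)."""
    return plistlib.dumps(profile)


def parse_mobileconfig(data):
    return plistlib.loads(data)


# A loose profile of the kind produced by accepting defaults (constructed example).
WEAK_PASSCODE = {"forcePIN": True, "allowSimple": True, "minLength": 4}
WEAK_RESTRICTIONS = {"allowOpenFromManagedToUnmanaged": True, "forceEncryptedBackup": False}

# A hardened baseline matching the recommendations in the text.
HARDENED_PASSCODE = {
    "forcePIN": True,
    "allowSimple": False,          # no 1234 / repeating or ascending digits
    "requireAlphanumeric": True,
    "minLength": 8,
    "minComplexChars": 1,
    "maxInactivity": 2,            # minutes before auto-lock
    "maxGracePeriod": 0,           # passcode required immediately on wake
    "maxFailedAttempts": 10,       # device wipes after the 10th wrong passcode
    "maxPINAgeInDays": 365,
    "pinHistory": 5,
}
HARDENED_RESTRICTIONS = {
    "allowOpenFromManagedToUnmanaged": False,   # corporate docs stay in managed apps
    "allowOpenFromUnmanagedToManaged": False,
    "allowManagedAppsCloudSync": False,         # no managed-app data in personal iCloud
    "forceEncryptedBackup": True,
    "allowFingerprintForUnlock": True,          # biometrics allowed on top of the passcode
    "allowAirDrop": False,                      # supervised-only restriction
}


def audit(profile):
    """Return findings for the weak settings discussed above; empty list means it passes."""
    by_type = {p["PayloadType"]: p for p in profile.get("PayloadContent", [])}
    pc = by_type.get(PASSCODE_TYPE, {})
    rx = by_type.get(RESTRICTIONS_TYPE, {})
    findings = []
    if not pc.get("forcePIN"):
        findings.append("passcode not required")
    if pc.get("allowSimple", True):               # Apple's default is to allow simple passcodes
        findings.append("simple passcodes allowed")
    if pc.get("minLength", 0) < 6:
        findings.append("minLength below 6")
    if "maxFailedAttempts" not in pc:
        findings.append("no wipe after failed attempts")
    if pc.get("maxInactivity", 15) > 5:           # unset: treat as no enforced auto-lock
        findings.append("auto-lock longer than 5 minutes")
    if rx.get("allowOpenFromManagedToUnmanaged", True):
        findings.append("managed documents can open in unmanaged apps")
    if not rx.get("forceEncryptedBackup", False):
        findings.append("unencrypted local backups allowed")
    return findings


if __name__ == "__main__":
    for name, prof in (("weak", build_profile(WEAK_PASSCODE, WEAK_RESTRICTIONS)),
                       ("hardened", build_profile(HARDENED_PASSCODE, HARDENED_RESTRICTIONS))):
        print(name, audit(parse_mobileconfig(to_mobileconfig(prof))))
```

The audit deliberately treats absent keys as their insecure defaults (Apple allows simple passcodes and managed-to-unmanaged document flow unless told otherwise), which is the mistake most often found in profiles exported from a console: the setting was never touched, so it was never enforced.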

Network Security

Push Wi-Fi configurations for WPA2/WPA3 Enterprise (802.1X) with per-device certificates, typically issued through a SCEP or ACME payload, so devices authenticate with EAP-TLS and users never see or share a credential. Configure per-app VPN to route only corporate app traffic through your VPN, reducing bandwidth and keeping personal browsing private. For sensitive environments, restrict cellular data usage or disable Personal Hotspot.

Lost and Stolen Device Response

Remote lock (the DeviceLock command) locks the screen immediately and can show a message and phone number. Lost Mode, available on supervised devices, goes further: it locks the device, displays a custom message and callback number, and lets you request its location. Remote wipe (EraseDevice) erases all data. For supervised devices, MDM can also manage Activation Lock: it enables the lock and escrows a bypass code, so a stolen device cannot be reactivated after a restore without your organization's bypass code, while you can still clear the lock when the device is legitimately redeployed.

App Distribution and Management

Managing apps on Apple devices goes beyond installing them. You need to handle licensing, updates, and removal.

Volume Purchase Program (VPP)

Through Apple Business Manager, you purchase app licenses in bulk. Licenses can be assigned to devices by serial number rather than to Apple IDs, which means you can install apps silently on supervised devices without requiring a user to sign in to the App Store. When a device is decommissioned, the license reverts to your pool for reassignment. This works for public App Store apps and for Custom Apps that a developer distributes privately to your organization through ABM.

Managed App Configuration

Many enterprise apps support managed app configuration (AppConfig). This lets you pre-configure app settings (server URLs, tenant identifiers, feature flags) before the app even launches; the values are pushed as a dictionary alongside the app install and read by the app from its managed defaults. Keep long-lived secrets out of it: anything placed in managed app configuration is readable by the app and visible in the MDM console, so use it for pointers and flags and let the app obtain tokens through the user's sign-in or a per-app VPN. For IT teams deploying apps like Salesforce, Microsoft Outlook, or custom field apps, this eliminates the manual setup step for every user.

Private App Store

For organizations distributing internal apps, an enterprise app store gives employees a curated catalog. Appaloosa provides a private app store where you can publish iOS, Android, and web apps in one place. Users see only the apps approved for their role or department.

Apple Business Manager: The Control Center

Apple Business Manager (ABM) is the hub that connects your Apple device fleet to your MDM solution. It handles three things:

Device registration. Every device purchased through Apple or authorized resellers appears in ABM. You assign it to your MDM server so it enrolls automatically on activation.

App licensing. You buy and assign app licenses here. Licenses are portable across devices, so when someone gets a new iPhone, their apps follow.

Managed Apple IDs. ABM (and Apple School Manager for education) creates Managed Apple IDs, which Apple has recently started calling Managed Apple Accounts, that your organization owns and controls, separate from employees' personal Apple IDs. They are what Shared iPad, User Enrollment, and Apple Business Essentials sign in with, and they keep corporate iCloud data partitioned from personal iCloud accounts.

If you are still using the legacy Device Enrollment Program and Volume Purchase Program portals, moving to ABM is straightforward: Apple migrates the device records and app licenses, you upload the new server and location tokens to your MDM, and already-enrolled devices keep their existing enrollment. (The Apple Developer Enterprise Program is unrelated: it covers in-house app signing, not device management.)

Managing Macs with MDM

macOS supports the same MDM protocol as iOS, but with additional capabilities specific to desktop environments.

Bootstrap tokens. Once a Secure Token-enabled user logs in, the Mac escrows a bootstrap token to the MDM server. MDM uses it to grant Secure Token (and so FileVault unlock rights) to new users it creates, and on Apple silicon to authorize kernel extension loading and software update installation without a volume-owner user present, so IT never has to physically touch the Mac.

System extensions. Kernel extensions have been deprecated since macOS 10.15, and on Apple silicon they only load after the user lowers the boot security policy, so security tools and VPN clients have moved to system extensions. MDM can pre-approve them with a SystemExtensions policy payload (by Team ID, bundle ID, or extension type) so they activate without the user having to approve them in System Settings under Privacy & Security.

Software updates. MDM can enforce macOS update deadlines; since macOS 14 this is done with a declarative software update enforcement declaration that names a target version and a local deadline. Before the deadline, the Mac nudges the user to update; after it, the update installs automatically, with a restart if required. This closes the gap where users defer critical security patches for weeks.

Mac management through MDM works best when combined with ADE. A Mac enrolled via ADE can be provisioned fully over the air: the user opens the box, connects to Wi-Fi, and the Mac configures itself with all apps, settings, and certificates.

What Changed in iOS 17 and iOS 18 for MDM

Apple has been building out Declarative Device Management (DDM) since WWDC 2021, and iOS 17 moved several configuration areas onto it, including software update enforcement, passcode policy, and accounts. The shift matters because DDM lets the device apply and report its own compliance state instead of waiting for the MDM server to poll and push corrections. Your server publishes declarations (the desired state, each with a server token that changes whenever its content changes) and an activation that says which declarations apply; the device reconciles itself against them and sends status reports as things change. Fewer round trips, faster policy application.

Managed Device Attestation, introduced in iOS 16 and extended to macOS 14, lets the Secure Enclave cryptographically prove the device's identity (serial number, UDID, a Secure Enclave-backed key) to your MDM server, either through a DeviceInformation query or during ACME certificate issuance. That makes it much harder to spoof a managed device with a fake check-in. iOS 17 added Return to Service, which lets you wipe a device remotely and have it re-enroll without physical access: the EraseDevice command carries a Wi-Fi profile (and, for devices not in ADE, an MDM profile), so after the wipe the device joins Wi-Fi, activates, and enrolls itself. Handy when an employee leaves and ships their phone back: wipe it remotely, and it is ready for the next user as soon as it comes back online.
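The Return to Service erase from the paragraph above, which is also the remote-wipe step of the lost and stolen device section, as an added example (not from the article or from Appaloosa): a builder for the EraseDevice command with the ReturnToService option that refuses to send a Wi-Fi profile a wiped device could not safely rejoin on its own. The command keys (EraseDevice, ReturnToService, WiFiProfileData, MDMProfileData, PreserveDataPlan, DisallowProximitySetup) and the Wi-Fi payload keys are Apple's; the SSID, password, identifiers and the validation rules are assumptions constructed for this example.

```python
import plistlib
import uuid

RTS_WIFI_ID = "com.example.rts.wifi"               # assumed identifier prefix
SAFE_ENCRYPTION = ("WPA", "WPA2", "WPA3", "Any")    # values a wiped device can join securely


def wifi_profile(ssid, password, encryption="WPA2", auto_join=True):
    """A minimal Wi-Fi configuration profile. After the wipe the device needs it to
    reach Apple's activation servers and your MDM. Network details are constructed."""
    network = {"PayloadType": "com.apple.wifi.managed", "PayloadVersion": 1,
               "PayloadIdentifier": f"{RTS_WIFI_ID}.network",
               "PayloadUUID": str(uuid.uuid4()).upper(),
               "SSID_STR": ssid, "EncryptionType": encryption, "Password": password,
               "AutoJoin": auto_join, "HIDDEN_NETWORK": False}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": RTS_WIFI_ID,
                           "PayloadUUID": str(uuid.uuid4()).upper(),
                           "PayloadDisplayName": "Return to Service Wi-Fi",
                           "PayloadContent": [network]})


def validate_wifi_profile(data):
    """Reject a profile that would leave the wiped device stranded at Setup Assistant."""
    profile = plistlib.loads(data)
    networks = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.wifi.managed"]
    if not networks:
        raise ValueError("profile contains no Wi-Fi payload")
    for n in networks:
        if not n.get("SSID_STR"):
            raise ValueError("Wi-Fi payload has no SSID")
        if n.get("EncryptionType", "None") not in SAFE_ENCRYPTION:
            raise ValueError(f"refusing open/WEP network {n.get('SSID_STR')!r}")
        if n.get("AutoJoin") is not True:
            raise ValueError("AutoJoin must be true or the device will not reconnect unattended")
    return True


def erase_with_return_to_service(wifi_profile_data, mdm_profile_data=None, preserve_data_plan=True):
    """Build the EraseDevice command with the ReturnToService option (iOS 17+)."""
    validate_wifi_profile(wifi_profile_data)
    rts = {"Enabled": True, "WiFiProfileData": wifi_profile_data}
    if mdm_profile_data is not None:
        rts["MDMProfileData"] = mdm_profile_data    # only needed when the device is not in ADE
    return {"CommandUUID": str(uuid.uuid4()),
            "Command": {"RequestType": "EraseDevice",
                        "PreserveDataPlan": preserve_data_plan,   # keep the eSIM so it comes back online
                        "DisallowProximitySetup": True,           # no nearby-iPhone takeover of setup
                        "ReturnToService": rts}}


def serialize(command):
    """Plist body the server hands to the device on its next connection."""
    return plistlib.dumps(command)


if __name__ == "__main__":
    cmd = erase_with_return_to_service(wifi_profile("ExampleCorp-Devices", "correct horse battery staple"))
    print(serialize(cmd).decode()[:400])
```

The validation step is the part worth copying: an erase is irreversible, and if the embedded Wi-Fi profile points at a captive, open, or non-auto-join network, the device comes back as a blank iPhone sitting at Setup Assistant with nobody there to touch it.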

iOS 18 and macOS 15 expanded DDM to more policy areas (for example Safari settings and, on macOS, disk management) and moved the remaining MDM-era software update settings, such as deferral windows and beta program enrollment, into a declaration. The enforcement itself arrived a release earlier: since iOS 17 and macOS 14 you can require a specific OS version by a local deadline, after which the device installs the update on its own. Before DDM, supervised devices could be pushed an update with the ScheduleOSUpdate command, but that command had no deadline semantics, and deferral was the only policy lever for unsupervised devices.
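The declarative model sketched in this section and in the macOS software update paragraph above, as an added example (not from the article, Appaloosa, or Apple): a server publishes a software update enforcement configuration and the activation that applies it, builds the declaration-items manifest the device fetches first, and works out what a device holding an older manifest must re-fetch after the deadline is moved. The declaration types, the Identifier/ServerToken/Payload structure, the TargetOSVersion and TargetLocalDateTime keys and the manifest layout are Apple's DDM protocol; computing tokens as a content hash is one valid implementation (Apple only requires that a token change whenever the content does), and the identifiers, versions, deadline and URL are constructed.

```python
import hashlib
import json

# Constructed identifier prefix; not from the article.
ORG_PREFIX = "com.example.ddm"


def server_token(payload):
    """Digest of a declaration's content. The device compares this token with the
    one it holds; a changed token is its signal to re-fetch that declaration."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()[:32]


def declaration(dtype, identifier, payload):
    return {"Type": dtype, "Identifier": identifier,
            "ServerToken": server_token(payload), "Payload": payload}


def software_update_enforcement(target_version, deadline_local, details_url=None):
    """Require target_version by a local-time deadline (ISO 8601 without a zone)."""
    payload = {"TargetOSVersion": target_version, "TargetLocalDateTime": deadline_local}
    if details_url:
        payload["DetailsURL"] = details_url       # shown to the user in the update prompt
    return declaration("com.apple.configuration.softwareupdate.enforcement.specific",
                       f"{ORG_PREFIX}.osupdate", payload)


def activation_for(*configurations):
    """Configurations do nothing until an activation references them."""
    return declaration("com.apple.activation.simple", f"{ORG_PREFIX}.activate",
                       {"StandardConfigurations": [c["Identifier"] for c in configurations]})


_BUCKETS = {"activation": "Activations", "configuration": "Configurations",
            "asset": "Assets", "management": "Management"}


def declaration_items(declarations):
    """The manifest the device fetches first: per-declaration tokens plus one
    DeclarationsToken over all of them, so an unchanged device syncs in one request."""
    groups = {name: [] for name in _BUCKETS.values()}
    for d in declarations:
        kind = d["Type"].split(".")[2]            # com.apple.<kind>.<name>
        groups[_BUCKETS[kind]].append({"Identifier": d["Identifier"], "ServerToken": d["ServerToken"]})
    return {"Declarations": groups, "DeclarationsToken": server_token(groups)}


def changed_declarations(old_items, new_items):
    """Identifiers a device holding old_items must re-fetch after seeing new_items."""
    if old_items["DeclarationsToken"] == new_items["DeclarationsToken"]:
        return []
    old = {e["Identifier"]: e["ServerToken"] for g in old_items["Declarations"].values() for e in g}
    return [e["Identifier"] for g in new_items["Declarations"].values() for e in g
            if old.get(e["Identifier"]) != e["ServerToken"]]


def run_demo():
    """Publish an update deadline, then move the target; only that declaration changes."""
    v1 = software_update_enforcement("17.6.1", "2024-10-01T18:00:00")
    act = activation_for(v1)
    before = declaration_items([v1, act])
    v2 = software_update_enforcement("17.7", "2024-10-15T18:00:00",
                                     details_url="https://intranet.example.com/ios-updates")
    after = declaration_items([v2, act])
    return before, after, changed_declarations(before, after)


if __name__ == "__main__":
    before, after, delta = run_demo()
    print(json.dumps(after, indent=2))
    print("device must re-fetch:", delta)
```

Note what the device does not need: no command queue, no per-device push for each change, and no re-download of the unchanged activation. It compares one DeclarationsToken, fetches only the declaration whose token moved, and enforces the new deadline itself.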

Shared iPad and Common Deployment Scenarios

Shared iPad is Apple's answer to devices used by multiple people in shifts. Think retail, healthcare, and education. Each user signs in with a Managed Apple ID and gets a temporary local partition with their apps and data. When they sign out, the partition stays cached (so their next login is fast) until the device needs space.

A few deployment patterns come up repeatedly:

1:1 corporate devices. Each employee gets their own iPhone or Mac, enrolled via ADE. This is the simplest model. Full MDM control, managed Apple ID optional. Most office-based deployments look like this.

Shared devices in shifts. iPads on retail floors, hospital wards, warehouse stations. Shared iPad mode with Managed Apple IDs, locked to approved apps. The device wipes the user session data between shifts if configured.

Kiosk and single-app mode. Digital signage, check-in stations, self-service terminals. The iPad runs one app in Single App Mode (or Autonomous Single App Mode for apps that can lock themselves). You'll want to disable the home button, sleep/wake, and volume controls.

BYOD with User Enrollment. Personal iPhones where the employee installs a management profile voluntarily. Apple keeps personal data strictly separated. IT can only see and manage work apps and a managed Apple ID. The user can remove the profile anytime, which deletes all work data.

Apple MDM vs. Jamf, Kandji, and Other Solutions

Apple doesn't sell a general-purpose MDM product (Apple Business Essentials covers small businesses, but most organizations look elsewhere). Apple Business Manager is the backend portal, but you need a third-party MDM to actually push policies, install apps, and manage devices. The market splits into a few categories.

Apple-only MDMs like Jamf and Kandji focus exclusively on Apple devices. They support Apple's newest features faster (often within days of an iOS release), and their UI is designed around Apple concepts. Jamf is the largest with over 70,000 customers; Kandji is smaller but growing fast with a more modern interface.

Cross-platform MDMs like Appaloosa, Hexnode, and Scalefusion manage Apple, Android, and sometimes Windows from a single console. If your fleet is mixed (and most are), a cross-platform MDM avoids the overhead of running two separate management tools. The trade-off is that platform-specific features might lag slightly behind Apple-only tools.

The choice depends on your fleet composition. If 90%+ of your devices are Apple, an Apple-focused MDM makes sense. If you're running a mix of iPhones and Samsung Galaxy devices (which is the reality in most European enterprises), a cross-platform solution saves admin time and licensing costs.

Choosing an Apple MDM Solution

When evaluating MDM providers for Apple devices, focus on a few practical criteria:

Apple protocol support. The vendor should support the latest Apple MDM protocol features within weeks of each iOS and macOS release. Delayed support means delayed access to new security controls.

Enrollment flexibility. You need ADE, profile enrollment, and User Enrollment. Not every vendor supports all three well.

Cross-platform support. Most organizations manage Apple and Android devices together. A solution like Appaloosa's MDM handles both from a single console, which avoids running parallel systems.

App distribution. If you deploy custom or in-house apps, you need a vendor that integrates with VPP and provides a private app catalog.

Zero-touch deployment. The ability to ship devices directly to employees and have them self-configure on first boot. This is especially valuable for distributed teams or remote workers.

Getting Started with Apple MDM

If you are deploying Apple MDM for the first time, here is a practical sequence:

1. Set up Apple Business Manager. Register your organization, verify your domain, and connect your MDM server.

2. Define your enrollment strategy. ADE for new corporate devices, User Enrollment for BYOD, profile enrollment for legacy devices you already own.

3. Build your configuration profiles. Start with passcode policy, Wi-Fi, email, and VPN. Add restrictions based on your security requirements.

4. Configure app distribution. Buy licenses in ABM, assign them to device groups, and test silent installation on a pilot group.

5. Enroll a pilot group. Start with 10-20 devices across different roles. Validate that profiles apply correctly, apps install, and restrictions work as expected.

6. Roll out to production. Once validated, expand enrollment to the full fleet. Monitor compliance rates and adjust policies based on support tickets.

Apple devices are built for management. The MDM protocol, combined with Apple Business Manager and a capable MDM provider, gives IT teams the control they need without compromising the user experience that makes Apple devices popular in the first place.

Related Guides

Once your Apple MDM is running, two topics come up consistently: how to lock down the fleet, and which enrollment method fits each scenario.

Julien Ott
September 18, 2024
