Cyber Essentials vs Cyber Essentials Plus: Which Level Does Your Business Actually Need?

You have decided your business needs Cyber Essentials certification. You have read about the five controls, you understand the assessment process and you are ready to get started.

Then you notice there are two levels, Cyber Essentials and Cyber Essentials Plus, and suddenly the decision feels more complicated than it needs to be.

It is not. The difference between the two levels is straightforward. Which one your business needs depends on three things: what your clients require, what your risk profile looks like and how much independent verification you want behind your certification.

This post gives you everything you need to make the right call.

What both certifications have in common

Both Cyber Essentials and Cyber Essentials Plus test exactly the same five security controls: firewalls, secure configuration, user access control, malware protection and patch management.

There is no difference in what you need to implement. A business that passes Cyber Essentials and a business that passes Cyber Essentials Plus have both implemented the same five controls to the same standard. The difference is entirely in how that implementation is verified.

Both certifications are valid for 12 months and must be renewed annually. IASME administers both on behalf of the NCSC. Your certification appears on the official IASME register where clients and partners can verify your status at any time. And both include the free £25,000 cyber liability insurance cover for UK businesses turning over under £20 million.

The one difference that matters

Cyber Essentials is a verified self-assessment. Your organisation completes an online questionnaire about its security controls. An IASME-accredited assessor reviews your answers. If your answers satisfy the requirements, you receive certification.

The key word is self-assessment. You are attesting that your controls are in place. The assessor reviews your answers for completeness and plausibility. Nobody actively tests your systems to verify the controls are actually working in practice.

Cyber Essentials Plus adds an independent technical audit on top of the self-assessment. An external assessor actively tests your controls through vulnerability scanning and on-site or remote technical testing to verify they work in practice, not just on paper.

You must pass basic Cyber Essentials before you can go for Plus. Once you pass the basic assessment you have three months to complete the Plus audit. Miss that window and you need to start the basic assessment again.

That three-month window is important. If you know from the outset that you want Plus certification, plan for both assessments in sequence rather than treating them as separate projects.

What the Plus audit actually involves

Understanding what the Plus audit involves helps you decide whether it is appropriate for your business and how to prepare for it.

An IASME-licensed assessor conducts the Plus audit remotely or on-site. They run vulnerability scanning across your in-scope devices and network, actively test your security controls to verify they function correctly and check that the controls you attested to in the self-assessment questionnaire are genuinely in place.

Specifically, the assessor will test:

– That MFA is actually enforced on cloud services – not just that you said it was. They will attempt to access services without MFA to confirm the enforcement is real.

– That devices are genuinely running current, patched software – not just that you reported they were. They will scan devices directly.

– That firewall rules are configured correctly – not just that a firewall exists. They will probe for unnecessarily open ports and services.

– That malware protection is active and correctly configured across the fleet.

Standard Cyber Essentials gives you two days to fix issues and resubmit at no additional cost if you fall short. Plus offers no such safety net: a failed technical audit means paying the full fee again from scratch.

This is the single most important reason to prepare thoroughly before submitting for Plus rather than testing your luck.

What each level costs

Cyber Essentials:

The IASME assessment fee for Cyber Essentials in 2026 is £330 plus VAT for micro organisations of 1 to 9 employees, £400 plus VAT for small organisations of 10 to 49 employees, £450 plus VAT for medium organisations of 50 to 249 employees and £500 plus VAT for large organisations of 250 or more employees.

These are the baseline IASME fees. Certification bodies may add their own fees for support, guided submission and consultancy. Most UK businesses pay between £400 and £800 all in for standard Cyber Essentials.

Cyber Essentials Plus:

Cyber Essentials Plus costs £1,500 to £4,250 plus VAT depending on the size and complexity of your environment. The main cost driver is assessor time for the hands-on technical audit. Larger organisations with more devices, more cloud services and more complex network environments pay towards the higher end of that range.

The hidden cost both levels share:

The assessment fee is not the whole cost. The real cost for most businesses is the remediation work required before submitting. If your controls are not yet in place, if MFA is not enforced across all cloud services, if devices are not enrolled in MDM, if patching is not within the 14-day window – you need to address those gaps before the assessment. That remediation cost varies from nothing for a well-prepared business to several thousand pounds for a business starting from scratch.

Working through our Cyber Essentials checklist before submitting is the most effective way to understand your remediation costs upfront.

A direct comparison

Requirement / feature                  Cyber Essentials                     Cyber Essentials Plus
Same five controls                     Yes                                  Yes
Self-assessment questionnaire          Yes                                  Yes
Independent technical audit            No                                   Yes
Vulnerability scanning                 No                                   Yes
Assessment cost                        £330 to £500 plus VAT                £1,500 to £4,250 plus VAT
Free retake if you fail                Yes – two days                       No – full fee again
Free £25,000 cyber insurance           Yes                                  Yes
Valid for                              12 months                            12 months
CE prerequisite required               No                                   Yes
Government contract requirement        Standard CE usually sufficient       Required for some contracts
Enterprise supply chain requirement    Often sufficient                     Increasingly required

Who should choose Cyber Essentials

Standard Cyber Essentials is the right choice for most UK small and medium businesses.

Choose it if:

– Your clients and contract requirements specify Cyber Essentials without explicitly requiring Plus. Most supplier questionnaires and procurement frameworks accept standard CE.

– This is your first certification. First-time certification is almost always best handled at the standard level. Establishing baseline compliance first gives you a solid foundation before considering a higher level of assurance.

– You operate in a sector where Cyber Essentials is expected but CE Plus is not yet mandated; most professional services, creative agencies, tech startups and growing businesses fall into this category.

– You want the free £25,000 IASME cyber liability insurance and the ability to demonstrate credible security posture to clients and insurers without the additional cost of Plus.

– Your security controls are solid but you have not yet been through an independent technical audit and want to understand your current posture before committing to one.

Who should choose Cyber Essentials Plus

Cyber Essentials Plus is the right choice when independent verification carries material weight.

Choose it if:

– Your contracts explicitly require Plus. CE Plus is increasingly preferred for government contracts and enterprise supply chain requirements where third-party verification carries more weight than self-assessment alone.

– You handle sensitive data on behalf of enterprise clients or public sector organisations and benefit from the higher assurance that independent technical verification provides.

– You operate in a regulated sector (financial services, healthcare, legal) where CE Plus is increasingly expected as evidence that controls are genuinely working rather than self-reported.

– You want to use your certification for cyber insurance purposes and your insurer specifically requests independent technical verification rather than self-assessment.

– You are scaling rapidly and want an independent assessment of whether your security controls are genuinely working as you grow your team and your device fleet.

– Your existing Cyber Essentials certification is up for renewal and you want to take your security posture to the next level with verified rather than self-attested controls.

The Apple fleet consideration

For businesses running Mac, iPhone and iPad, Cyber Essentials Plus has specific implications worth understanding before committing to the audit.

The Plus assessor will actively test your Apple devices. They will check that macOS Application Firewall is genuinely enforced, that FileVault encryption is active, that devices are on a current patched version of macOS and that MFA is enforced on all cloud services accessible from Apple devices.

Without Apple MDM in place, passing the Plus technical audit on an Apple fleet is extremely difficult. You need to demonstrate centrally managed, consistently enforced controls across every device, something that is only reliably achievable through MDM. A manual setup where each Mac is configured individually creates exactly the kind of inconsistency that a technical audit exposes.

Businesses running Jamf Pro or Iru with properly configured compliance policies are well placed for the Plus audit. Jamf and Iru compliance reports provide the evidence the assessor needs and the MDM enforcement means controls are genuinely in place rather than aspirationally reported.

If your Apple fleet is not yet MDM-managed, achieving standard Cyber Essentials first while implementing MDM in parallel is the practical path. Then move to Plus once the MDM environment is established and you have a full audit cycle of compliance data behind you.

The practical path from CE to CE Plus

If you want to achieve both certifications the most efficient approach is:

Start with standard Cyber Essentials. Work through the checklist, remediate any gaps and submit. Do not rush this stage; a well-prepared standard CE submission is the foundation everything else builds on.

Once you pass standard CE, immediately begin preparing for the Plus audit. You have three months. Use that time to verify that your controls are not just documented but genuinely enforced and testable. Run your own internal checks simulating what the assessor will test.

Book the Plus audit with enough time within the three-month window. Do not leave it to the last week; if the assessor finds issues that need remediation before certification you need time to address them.

If you miss the three month window, standard CE needs to be redone before Plus can proceed. Build the timeline with that constraint clearly in view.
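The internal pre-check described in this section can be scripted for the Mac-specific items the Plus assessor looks at (Application Firewall, FileVault, Gatekeeper and patch level, as listed under the Apple fleet consideration above). The script below is an added example, not nDuo's, IASME's or any assessor's tooling. It assumes a single Mac with the standard macOS command-line tools named in the comments, and it takes a minimum acceptable macOS version from you; the function names and the PLACEHOLDER version are mine, not anything the scheme defines. The parsing functions take command output as plain strings so the logic can be exercised on any machine; run_local_checks() is the part that actually invokes the macOS tools.

```python
"""Added example: pre-audit check of one Mac against the device-level controls
a Cyber Essentials Plus assessor tests (firewall, FileVault, Gatekeeper,
patch level). Not part of any official tooling."""
import platform
import subprocess

# macOS commands whose output is parsed below (all ship with macOS).
FIREWALL_CMD = ["/usr/libexec/ApplicationFirewall/socketfilterfw", "--getglobalstate"]
FILEVAULT_CMD = ["fdesetup", "status"]
GATEKEEPER_CMD = ["spctl", "--status"]
UPDATES_CMD = ["softwareupdate", "-l"]
VERSION_CMD = ["sw_vers", "-productVersion"]


def firewall_enabled(output: str) -> bool:
    """socketfilterfw prints 'Firewall is enabled. (State = 1)' (State = 2 for
    block-all) when on, and 'Firewall is disabled. (State = 0)' when off."""
    text = output.lower()
    return "enabled" in text and "disabled" not in text


def filevault_on(output: str) -> bool:
    """fdesetup status prints 'FileVault is On.' or 'FileVault is Off.'"""
    return output.strip().startswith("FileVault is On")


def gatekeeper_on(output: str) -> bool:
    """spctl --status prints 'assessments enabled' or 'assessments disabled'."""
    return output.strip().startswith("assessments enabled")


def pending_updates(output: str) -> list[str]:
    """softwareupdate -l lists each outstanding update as '* Label: <name>';
    with nothing outstanding it prints 'No new software available.'"""
    labels = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("* Label:"):
            labels.append(line[len("* Label:"):].strip())
    return labels


def version_tuple(version: str) -> tuple[int, ...]:
    """'14.4.1' -> (14, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.strip().split("."))


def os_at_or_above(version_output: str, minimum: str) -> bool:
    return version_tuple(version_output) >= version_tuple(minimum)


def evaluate(firewall_out: str, filevault_out: str, gatekeeper_out: str,
             updates_out: str, version_out: str, minimum_version: str) -> dict[str, bool]:
    """Turn raw command output into a pass/fail map, one entry per control."""
    return {
        "application_firewall": firewall_enabled(firewall_out),
        "filevault": filevault_on(filevault_out),
        "gatekeeper": gatekeeper_on(gatekeeper_out),
        "no_pending_updates": not pending_updates(updates_out),
        "os_at_or_above_minimum": os_at_or_above(version_out, minimum_version),
    }


def run_local_checks(minimum_version: str) -> dict[str, bool]:
    """Run the real commands; only meaningful on a Mac."""
    if platform.system() != "Darwin":
        raise RuntimeError("these checks only run on macOS")

    def run(cmd: list[str]) -> str:
        # softwareupdate writes some of its status text to stderr, so merge both.
        done = subprocess.run(cmd, capture_output=True, text=True)
        return done.stdout + done.stderr

    return evaluate(run(FIREWALL_CMD), run(FILEVAULT_CMD), run(GATEKEEPER_CMD),
                    run(UPDATES_CMD), run(VERSION_CMD), minimum_version)


if __name__ == "__main__":
    # PLACEHOLDER: set this to the oldest macOS version you accept as current.
    results = run_local_checks(minimum_version="14.0")
    for control, ok in results.items():
        print(f"{control:24s} {'PASS' if ok else 'FAIL'}")
```

Run it on each in-scope Mac, or push it via your MDM as a script, and treat any FAIL as a remediation item before booking the audit; the assessor checks the same things directly, so a clean run here is the cheapest way to avoid paying the Plus fee twice.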

The verdict – which level does your business need?

For most UK small businesses getting certified for the first time: start with standard Cyber Essentials. It is the right level, the right cost and the right starting point. Get certified, maintain the controls through the year and reassess whether Plus is needed at renewal.

For businesses with government contracts, enterprise clients or regulated sector requirements: go for Plus. The additional cost is justified by the contract access and client confidence it provides.

For businesses currently on standard CE considering whether to upgrade at renewal: the question to ask is whether your clients are starting to ask for Plus specifically, or whether your risk profile has changed in the last 12 months. If the answer to either is yes, upgrade at renewal.

The controls are the same either way. The investment in implementing them properly is the same. The only variable is whether you want an independent technical expert to verify they are working, and who else needs to see that verification.

How nDuo helps

We work with UK businesses running Apple and mixed fleets through both levels of Cyber Essentials certification, from initial gap analysis and remediation through to the Plus technical audit.

If you are not sure which level is right for your business, or if you want to understand your current gap against either standard, the starting point is a free readiness review.

For more detail on the full Cyber Essentials scheme read our Cyber Essentials 2026 guide and our practical checklist. For the cost picture including cyber insurance implications read our cyber insurance guide.

Book a free Cyber Essentials readiness review and find out exactly where you stand and which level is right for your business.

Cyber Essentials Checklist for UK Businesses: A Practical Guide

Most businesses that fail their Cyber Essentials assessment do not fail because their security is terrible. They fail because they never checked exactly what the assessment required before submitting.

The industry average first-time pass rate for Cyber Essentials is around 60%. With proper preparation that figure climbs to over 90%.

The difference between the 60% and the 90% is almost always preparation. Specifically, working through a proper checklist before submitting rather than answering the questionnaire and hoping for the best.

This post is that checklist. It covers all five Cyber Essentials controls in plain English, flags the specific areas that catch businesses out most often, explains exactly what evidence you need to provide, recommends specific products for every remediation step and includes Apple-specific guidance for businesses running Mac, iPhone and iPad fleets. Work through each section honestly before you submit and you will know exactly where your gaps are and exactly what to use to close them.

Step one – define your scope before anything else

This is the step most businesses skip. They jump straight into the five controls without first defining what is actually in scope. Scoping incorrectly wastes remediation effort and can cause a failed assessment even when your controls are otherwise solid.

Every device that connects to the internet and can access your business data is in scope. In practice that means:

– All company-owned laptops, desktops, Macs, iPhones and iPads.
– Personal devices used to access work email, Slack, Google Workspace, Microsoft 365 or any other business application, whether through an app or a browser.
– Cloud services your organisation uses.
– Network equipment including routers and firewalls.
– Cloud infrastructure including virtual machines.

What is not in scope:

– Home routers used by remote workers are explicitly out of scope under the current Cyber Essentials requirements. The software firewall on the work device itself covers the home working requirement.

– Printers, smart TVs and IoT devices that do not access business data and sit on a separate segregated network. If they share the same network as your work devices they are in scope. The practical solution is to put them on a guest or separate VLAN.

Once you have defined your scope, document it. Write down every device category, every cloud service and every user group in scope before you open the questionnaire. The biggest mistake businesses make is answering based on assumption instead of evidence. Most problems come from weak scoping, unclear ownership or answers that do not match the real environment.

The automatic failure points – read these first

Before working through the five controls, understand that certain failures are automatic. A single automatic fail brings down the entire assessment regardless of how well everything else scores.

– MFA not enabled on all cloud services – every cloud service your team accesses must require MFA. Not most of them. All of them.

– Unsupported operating system on any in-scope device – a single device running an OS no longer supported by the vendor fails the assessment.

– Critical patch not applied within 14 days – any device with a critical or high severity update outstanding for more than 14 days fails the patching control.

– Admin accounts used for day-to-day work – your team must use separate standard accounts for email, browsing and daily tasks, keeping admin privileges for administration tasks only.

– Default credentials still in place – any router, firewall or device still using factory default admin credentials fails immediately.

Check these five points before doing anything else. If any of them apply to your current setup, fix them first.

What Cyber Essentials actually requires

The Cyber Essentials scheme centres around five technical controls that help protect organisations from the most common cyber attacks. The five controls are firewalls, secure configuration, user access control, malware protection and security update management.

The NCSC estimates that Cyber Essentials can help protect against around 80% of common cyber attacks. The controls are deliberately practical rather than exhaustive; they represent the baseline every business should have in place.

The April 2026 update brought specific changes worth noting before you work through the checklist. Greater emphasis on passwordless authentication and MFA in the user access control section, mandatory cloud service scoping and stricter BYOD controls are all reflected below.

Control 1 – Firewalls

The firewall control demands that every device connecting to the internet sits behind a properly configured firewall. This applies to office networks, home working setups and cloud infrastructure.

The checklist:

– Every internet-facing device including routers, firewalls and cloud virtual machines has a firewall enabled.
– You have replaced default admin passwords on all routers, firewalls and switches with strong unique passwords.
– Your firewall rules allow only the traffic your business explicitly needs. You have closed all unnecessary open ports.
– Every device your home workers and remote employees use for work has a software firewall running. Windows Defender Firewall or macOS Application Firewall both satisfy this requirement.

Products to use:

For Mac fleets, the macOS Application Firewall satisfies the requirement. Push it centrally via MDM using a configuration profile rather than relying on users to enable it themselves.

Use Jamf Pro or Iru (formerly Kandji) to push a configuration profile enabling the firewall across every Mac in your fleet simultaneously. Smaller businesses not yet on a full MDM platform should start with Apple Business; it is free and provides the foundation for MDM enrolment with any major platform.

For Windows devices, Windows Defender Firewall is built-in and enforced via Microsoft Intune or Group Policy at no additional cost if you already have Microsoft 365 Business Premium.

For office network routers and firewalls, Cisco Meraki and Ubiquiti UniFi are both widely used by UK SMBs and provide centralised management, clear logging and straightforward configuration for Cyber Essentials compliance evidence.

Evidence you need to provide:
Screenshots showing the firewall is enabled on a representative sample of devices. For MDM-managed fleets this is a compliance report from Jamf, Iru or Intune. Screenshots or configuration exports showing firewall rules on your network perimeter device. For cloud virtual machines, screenshots of security group or network ACL settings.

Where Apple fleets commonly fail this control:
macOS Application Firewall is not enabled by default. Without MDM you have no reliable way to confirm it is on across every device in your fleet.

Control 2 – Secure Configuration

Secure configuration requires that every device and software application is configured to minimise the attack surface. Default settings on new devices are rarely secure.

The checklist:

– All devices have unnecessary software, features and services removed or disabled.
– Default passwords on all devices and applications have been changed.
– Auto-run and auto-play features are disabled where not required.
– All devices use a supported, vendor-maintained operating system. Check which macOS, iOS and iPadOS versions Apple currently supports before submitting.
– Cloud services are configured with security settings enabled. Microsoft 365 tenants with security defaults not enabled and Google Workspace with no password policy enforcement are common failure points.
– Screen lock activates after a maximum of 10 minutes of inactivity on all devices.

Microsoft 365 specific steps:
Go to the Microsoft 365 admin centre. Navigate to Settings, then Org Settings, then Security and Privacy. Enable Security Defaults if you are not using Conditional Access policies. Security Defaults enforces MFA for all users and blocks legacy authentication. Confirm modern authentication is enabled for Exchange Online. Check all admin accounts have MFA enforced separately.

Google Workspace specific steps:
Go to the Google Admin console. Navigate to Security, then Authentication. Enforce MFA for all users, set it to required rather than optional. Go to Security, then Password Management and set minimum password length to 12 characters. Enable account enumeration protection. Under Devices, enable endpoint verification to see which devices are accessing Workspace.

Products to use:

For Mac fleet secure configuration, Jamf Pro and Iru both provide configuration profiles that enforce macOS hardening settings – FileVault encryption, Gatekeeper, automatic login disabled, screen lock – across every device from a single console.

For smaller businesses, Apple Business provides basic MDM management and is designed specifically for businesses under 50 employees. Apple Business (used to be called Apple Business Manager) is the foundation every Apple fleet needs regardless of which MDM platform you choose.

For Windows, Microsoft Intune included with Microsoft 365 Business Premium enforces configuration baselines across the Windows fleet. CIS Benchmarks are free and provide the specific hardening settings recommended for Windows and macOS environments.

Evidence you need to provide:
MDM configuration profile export or compliance report. Screenshots of Microsoft 365 Security Defaults or Conditional Access. Screenshots of Google Workspace security settings. Software inventory with version numbers confirming all software is on a supported current version.

Control 3 – User Access Control

This is the control that has changed most significantly in the April 2026 update. The user access control section now places greater emphasis on passwordless authentication and MFA.

The checklist:

– Every user account has the minimum level of access needed for their role. Admin accounts are separate from standard user accounts.
– MFA is enabled on all cloud services accessible from the internet.
– Passwords meet minimum requirements: at least 12 characters, or at least 8 characters where MFA is enforced. Account lockout is configured after a maximum of 10 failed login attempts.
– Privileged admin accounts are not used for email or web browsing.
– Accounts for former employees have been disabled or deleted.
– Guest and default accounts that are not required have been disabled or removed.

Practical MFA audit:

Write down every cloud service your team uses. Go through each one individually and confirm MFA is not just available but actively enforced for all users. Pay particular attention to tools used by finance, HR and senior leadership. Check tools that smaller teams use independently – accounting platforms, HR tools, reporting dashboards – that may sit outside your main SSO umbrella.

Products to use:
Okta is the most widely used identity platform for UK businesses running mixed cloud environments. It enforces MFA centrally across every connected application, automates user provisioning and deprovisioning, and provides a single dashboard for managing access across the entire organisation. When MFA is enforced at the Okta layer, it covers every connected application simultaneously rather than requiring individual MFA configuration in each tool.

Microsoft Entra ID (formerly Azure Active Directory) is the natural choice for businesses running Microsoft 365 and Windows-first environments. Conditional Access policies enforced through Entra ID can require MFA, enforce device compliance and block legacy authentication protocols.

Google Workspace provides built-in MFA enforcement for businesses running Google’s productivity suite. MFA enforced at the Google Workspace admin level covers Gmail, Drive, Meet and all connected Google services.

For businesses not yet on a full identity platform, most individual SaaS applications including Slack, GitHub and Notion have MFA settings in their own admin consoles. The risk is that each one must be checked individually and there is no central reporting. Moving to Okta or Entra ID resolves this at scale.

For password management, 1Password Business provides centralised password management with MFA enforcement and is widely used by UK SMBs for Cyber Essentials compliance.

Evidence you need to provide:

Screenshots confirming MFA is enforced on each cloud service. For Okta or Entra ID this is a screenshot of the MFA policy. For individual applications this means a screenshot of MFA settings in each admin console. A screenshot of your admin account list showing separation from standard accounts. Confirmation that former employee accounts are disabled or deleted.

Where Apple fleets commonly fail this control:
Apple devices managed without MDM often have admin accounts used for day-to-day work. The MFA requirement also catches businesses where some cloud applications sit outside the Okta or Entra ID umbrella.

Control 4 – Malware Protection

This control requires that all devices are protected against malware and that the protection is actively maintained.

The checklist:
– All devices have malware protection installed and running.
– Malware definitions update automatically.
– On-access scanning is enabled — malware protection runs in real time, not just on demand.
– App installation is restricted to approved sources. On Mac, Gatekeeper restricts installation to the App Store and identified developers by default.

For Mac devices, Apple’s built-in XProtect and Malware Removal Tool satisfy the Cyber Essentials baseline requirement at no cost. For businesses wanting dedicated endpoint protection on top of Apple’s built-in tools, here are the three most relevant options:

Jamf Protect is purpose-built for macOS and works natively within the Apple ecosystem. It integrates directly with Jamf Pro, meaning businesses already using Jamf for MDM can extend into endpoint protection without adding a separate management console. Jamf Protect provides real-time threat detection, behavioural analytics and compliance reporting specifically designed around Apple’s security architecture. For Apple-first businesses this is the most natural choice.

CrowdStrike Falcon is an enterprise-grade platform with strong Mac support alongside Windows and Linux. It uses AI-powered threat detection, a single ‘lightweight’ agent across all devices and centralised management through the Falcon console. CrowdStrike is well suited for businesses in regulated sectors or those that need a single endpoint protection platform covering a mixed Mac and Windows fleet.

Microsoft Defender for Business is included with Microsoft 365 Business Premium. It covers Windows devices natively and includes Mac support. If your business already has Microsoft 365 Business Premium, enabling Defender for Business before purchasing a separate endpoint protection tool is the most cost-effective starting point.

Other endpoint protection platforms including Sophos Intercept X and Malwarebytes ThreatDown also support Mac and Windows environments and are worth considering depending on your existing tooling and budget.

Evidence you need to provide:

Screenshots showing malware protection is active on a representative sample of devices. MDM-managed fleets should pull a compliance report from Jamf, Iru or Intune. Windows devices need a screenshot of Windows Security confirming real-time protection is active. On Mac, confirm XProtect is running and Gatekeeper is set to App Store and identified developers.

Where Apple fleets commonly fail this control:
The most common failure is assuming macOS’s built-in protection is sufficient without verifying it is running and configured correctly across every device. On an unmanaged fleet you have no reliable way to confirm this.

Control 5 – Security Update Management

Patching is consistently one of the most common failure points. The April 2026 update enforces 14-day patching: all critical and high severity updates must be applied within 14 days of release.

The checklist:
– All operating systems receive automatic security updates applied within 14 days of release.
– All applications are kept up to date – every application on every device must be on a current supported version.
– Software no longer supported by the vendor has been removed or replaced.
– For cloud services, automatic updates are configured where possible.
– Unsupported operating systems are removed from scope or replaced.

Products to use:

For Mac fleet patching, Jamf Pro and Iru both provide centralised OS and application update management with enforcement policies, deadline-based update prompts and compliance reporting. You can enforce that devices must be running the current macOS version within 14 days of release and report on any devices that have not yet updated. This is the most reliable way to evidence patch compliance for an Apple fleet.

For Windows application patching, beyond Windows Update, Patch My PC is the most widely used third-party patching tool for Windows environments. It integrates directly with Microsoft Intune and SCCM, covering over 1,500 applications and automating the 14-day patch cycle without manual intervention. For SMBs already using Intune this is the most practical way to meet the patching requirement for third-party applications like Chrome, Adobe and Zoom.

Microsoft Intune handles Windows OS patching natively and provides compliance reporting confirming all devices are within the 14-day requirement.

For cloud services running virtual machines on AWS, Azure or Google Cloud, enable automatic patching through each platform's native tools: AWS Systems Manager Patch Manager, Azure Update Management or Google Cloud OS Patch Management.

Evidence you need to provide:
A report showing patch levels across all in-scope devices. For MDM-managed Apple fleets this is an OS version compliance report from Jamf or Iru. For Windows devices, a patch compliance report from Intune. A software inventory showing all installed applications and version numbers confirming no unsupported software. Evidence that the 14-day patching window has been met across all devices.

Where Apple fleets commonly fail this control:
Without MDM you have no reliable way to enforce or verify that every Apple device is on a current patched version. Staff routinely delay updates. With MDM you can enforce update deadlines and report on compliance centrally.
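The automatic failure points listed at the start of this checklist, the practical MFA audit under Control 3 and the 14-day rule in this control can all be triaged mechanically against an inventory before you open the questionnaire. The script below is an added example and is not part of the original checklist or of any IASME tooling. Everything in it is constructed for illustration: the sample services and devices, the SUPPORTED_OS table (a placeholder you must replace with Apple's and Microsoft's current support lists) and the function and field names are all mine. The inventory shape is chosen so that an MDM or identity-platform export can be mapped onto it.

```python
"""Added example: triage an inventory against the Cyber Essentials automatic
failure points (MFA enforced on every cloud service, supported OS on every
device, critical updates applied within 14 days, no admin accounts used for
daily work, no default credentials). All data here is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

PATCH_WINDOW_DAYS = 14  # the security update management requirement


@dataclass
class CloudService:
    name: str
    mfa_enforced: bool  # enforced for all users, not merely available


@dataclass
class Device:
    name: str
    os_name: str
    os_version: str
    # Release date of the oldest critical/high update not yet applied, if any.
    oldest_critical_update: Optional[date]
    admin_used_daily: bool = False
    default_credentials: bool = False


# PLACEHOLDER: replace with the vendors' current supported major versions.
SUPPORTED_OS = {
    "macOS": {"15", "14"},
    "iOS": {"18", "17"},
    "Windows": {"11"},
    "RouterOS": {"7"},
}


def os_supported(device: Device, supported: dict = SUPPORTED_OS) -> bool:
    """Unknown platforms count as unsupported: the onus is to prove support."""
    major = device.os_version.split(".")[0]
    return major in supported.get(device.os_name, set())


def days_outstanding(device: Device, as_of: date) -> int:
    if device.oldest_critical_update is None:
        return 0
    return (as_of - device.oldest_critical_update).days


def patch_overdue(device: Device, as_of: date) -> bool:
    """Strictly more than 14 days since release fails the control."""
    return days_outstanding(device, as_of) > PATCH_WINDOW_DAYS


def automatic_failures(services: list, devices: list, as_of: date,
                       supported: dict = SUPPORTED_OS) -> list[str]:
    """Return one human-readable line per automatic failure found."""
    failures = []
    for svc in services:
        if not svc.mfa_enforced:
            failures.append(f"MFA not enforced on cloud service: {svc.name}")
    for dev in devices:
        if not os_supported(dev, supported):
            failures.append(f"Unsupported OS {dev.os_name} {dev.os_version}: {dev.name}")
        if patch_overdue(dev, as_of):
            failures.append(f"Critical update outstanding {days_outstanding(dev, as_of)} days "
                            f"(limit {PATCH_WINDOW_DAYS}): {dev.name}")
        if dev.admin_used_daily:
            failures.append(f"Admin account used for day-to-day work: {dev.name}")
        if dev.default_credentials:
            failures.append(f"Default credentials still in place: {dev.name}")
    return failures


# Constructed sample inventory: one clean Mac, one neglected Mac, a router
# still on factory credentials and a phone with a recent pending update.
SAMPLE_SERVICES = [
    CloudService("Microsoft 365", mfa_enforced=True),
    CloudService("Accounting platform", mfa_enforced=False),
]
SAMPLE_DEVICES = [
    Device("MBP-01", "macOS", "15.4", None),
    Device("MBP-02", "macOS", "12.7.6", date(2026, 4, 1), admin_used_daily=True),
    Device("office-router", "RouterOS", "7.1", None, default_credentials=True),
    Device("iPhone-finance", "iOS", "18.4", date(2026, 4, 25)),
]
SAMPLE_DATE = date(2026, 5, 1)

if __name__ == "__main__":
    for line in automatic_failures(SAMPLE_SERVICES, SAMPLE_DEVICES, SAMPLE_DATE):
        print("FAIL:", line)
```

Against the constructed inventory this reports five failures (one service without MFA, and for MBP-02 an unsupported macOS, a 30-day-old critical update and daily admin use, plus the router's default credentials), each of which would sink the whole assessment on its own. The 14-day check is deliberately strict (day 15 fails, day 14 passes), matching the wording of the control.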

BYOD – the most commonly mishandled scoping question

BYOD is the single most common reason businesses fail Cyber Essentials. The rules are clear but widely misunderstood.

Any device that can access organisational data, including a personal iPhone receiving work email is in scope and must meet the same five technical controls as a corporate laptop. There are two routes to compliance: enrol BYOD into MDM, or technically prevent BYOD from accessing organisational data at all.

The middle ground most businesses currently operate in, personal devices allowed, a policy document in place but no technical controls, does not pass assessment.

Option 1 – Enrol BYOD devices into MDM

Personal iPhones and iPads can be enrolled into MDM with a managed work profile. Modern MDM platforms can create a separate work container on the device. Your organisation can manage the work container without seeing personal photos, messages or browsing history.

Products for this approach: Jamf Pro and Iru both support Apple User Enrolment for BYOD devices, creating a managed partition that keeps work and personal data separate. Microsoft Intune supports BYOD enrolment for iOS, Android and macOS through the Intune Company Portal app.

Option 2 – Technically block BYOD from accessing organisational data

Use Conditional Access policies in Okta, Microsoft Entra ID or Google Workspace to enforce that only enrolled, MDM-managed devices can access business applications. A personal phone cannot reach your corporate tools even with valid credentials.

Products for this approach: Okta with device trust policies. Microsoft Entra ID Conditional Access. Google Workspace Context-Aware Access.


Option 3 – Issue company devices so BYOD does not apply

The cleanest solution. Every employee who accesses business data has a company-owned device enrolled in MDM. No personal devices, no BYOD scope question. Combined with Apple Business Manager zero touch deployment, new devices can be ordered and shipped directly to employees pre-enrolled and compliant.

The 2026 scoping changes you need to understand

Cloud services are mandatory in scope
Every cloud service your organisation uses is in scope and must meet the five controls. For SaaS services like Microsoft 365 and Google Workspace, you are responsible for user access control and configuration settings even though you do not manage the underlying infrastructure.

MFA is mandatory on all cloud services
MFA on every cloud service is not a recommendation. It is an automatic failure point. If any cloud service your team accesses does not require MFA, your assessment will fail regardless of how well the other controls are implemented.

BYOD has tighter requirements
Simply having a BYOD policy document no longer satisfies the requirement. If personal devices access organisational data they must either meet the full Cyber Essentials technical controls or access must be limited to a managed, sandboxed environment. The technical controls must be demonstrable.

Printers, smart devices and IoT

Any printer, smart TV or IoT device connected to the same network as your work devices is potentially in scope. The practical solution is network segmentation – put all non-work devices on a separate VLAN or guest network.

Products for network segmentation:
Ubiquiti UniFi provides VLAN management and guest network isolation suitable for SMBs with straightforward setup. Cisco Meraki provides the same for larger or more complex environments. Most modern business-grade routers including those from Netgear Business and TP-Link Omada support guest network isolation out of the box.

If you cannot segment them, change all default credentials and ensure firmware is up to date.

Apple-specific checklist

For businesses running Mac, iPhone and iPad, here is the Apple-specific verification list on top of the five controls:

– macOS Application Firewall enabled on every Mac via MDM configuration profile.
– FileVault encryption enabled on every Mac – verifiable and reportable via MDM.
– All Macs running a version of macOS Apple currently supports.
– All iPhones and iPads in scope running current iOS or iPadOS.
– Apple Business Manager configured and all devices enrolled in MDM.
– MDM compliance policies active and non-compliant devices flagged automatically.
– Apps installed via MDM or App Store only.
– MFA enforced on all cloud services accessible from Apple devices.
– Admin accounts on Mac separate from standard user accounts.
– Screen lock enforced via MDM configuration profile at 10 minutes or less.
– Gatekeeper set to Mac App Store and identified developers on every Mac.
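Three of the checklist items above (Application Firewall, FileVault, Gatekeeper) can be read on any Mac from the built-in command-line tools. The script below is an added example, not from the original post or from Apple, that runs those commands on macOS and reduces each to pass/fail; off a Mac it evaluates constructed sample output instead, and the sample strings are constructed, not captured from a real machine. The commands and their output formats are the real macOS ones; note that `spctl --status` only reports whether Gatekeeper is on, so the "App Store and identified developers" setting still has to be evidenced from the MDM profile.

```python
"""Command-line verification of three Apple checklist items on a Mac.

Added example: reads the Application Firewall, FileVault and Gatekeeper
state from the built-in macOS tools and reduces each to pass/fail.  The
parse_* functions take the command's text output, so the same logic runs
against the constructed sample output below on any platform and against
live output when run on a Mac.  Sample output strings are constructed,
not captured from a real machine.
"""
import platform
import subprocess

# macOS command for each check.  Only Gatekeeper's on/off state is visible
# here; whether it allows "App Store and identified developers" is set and
# reported through the MDM configuration profile, not spctl.
CHECKS = {
    "firewall": ["/usr/libexec/ApplicationFirewall/socketfilterfw", "--getglobalstate"],
    "filevault": ["fdesetup", "status"],
    "gatekeeper": ["spctl", "--status"],
}


def parse_firewall(output):
    # socketfilterfw prints "Firewall is enabled. (State = 1)" or "Firewall is disabled. (State = 0)"
    return "Firewall is enabled" in output


def parse_filevault(output):
    # fdesetup prints "FileVault is On." or "FileVault is Off." (further lines while converting)
    return output.strip().startswith("FileVault is On")


def parse_gatekeeper(output):
    # spctl prints "assessments enabled" or "assessments disabled"
    return output.strip().startswith("assessments enabled")


PARSERS = {"firewall": parse_firewall, "filevault": parse_filevault, "gatekeeper": parse_gatekeeper}

# Constructed sample output for running off-Mac: firewall on, FileVault off, Gatekeeper on.
SAMPLE_OUTPUT = {
    "firewall": "Firewall is enabled. (State = 1)\n",
    "filevault": "FileVault is Off.\n",
    "gatekeeper": "assessments enabled\n",
}


def collect(live=None):
    """Return raw command output per check: live on macOS, sample elsewhere.
    A missing or failing command yields empty output, which parses as a fail:
    a control that cannot be verified is treated as not in place."""
    if live is None:
        live = platform.system() == "Darwin"
    if not live:
        return dict(SAMPLE_OUTPUT)
    outputs = {}
    for name, cmd in CHECKS.items():
        try:
            outputs[name] = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
        except OSError:
            outputs[name] = ""
    return outputs


def evaluate(outputs):
    """Map each check name to True (pass) or False (fail)."""
    return {name: PARSERS[name](outputs.get(name, "")) for name in CHECKS}


def failing(results):
    """Names of the checks that need remediation, in a stable order."""
    return sorted(name for name, ok in results.items() if not ok)


if __name__ == "__main__":
    results = evaluate(collect())
    for name, ok in results.items():
        print(f"{name:10} {'PASS' if ok else 'FAIL'}")
    print("checklist items to remediate:", failing(results) or "none")
```

This is a spot check for a single machine, useful when a device shows as non-compliant in MDM and you want to confirm the state locally; the fleet-wide evidence for the assessor still comes from the MDM compliance report.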

The evidence you need to compile before submitting

Compile this before you open the questionnaire. Answering without evidence to hand leads to guesswork.

Firewall evidence – MDM compliance report confirming firewall enforcement across the fleet. Screenshots of firewall rules on network perimeter devices.

Secure configuration evidence – MDM configuration profile export or compliance report. Screenshots of Microsoft 365 Security Defaults or Conditional Access. Screenshots of Google Workspace security settings. Software inventory with version numbers.

User access control evidence – screenshots confirming MFA is enforced on every cloud service. Admin account list showing separation from standard accounts. Current employee list compared against active user accounts.

Malware protection evidence – MDM compliance report or screenshots confirming malware protection is active on all devices.

Patch management evidence – MDM patch compliance report showing OS versions across all devices. Software inventory confirming no unsupported applications.

BYOD evidence – MDM enrolment report or Conditional Access policy screenshots.

Scope documentation – a written description of what is in scope including device categories, cloud services and user groups.
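The user access control evidence above (current employee list compared against active accounts, MFA confirmed on every cloud service) is a reconciliation you can script once and rerun before each renewal. The example below is added here and is not code from the original post or from any of the vendors named; it works over a constructed HR roster, a constructed list of in-scope services and constructed per-app account exports (all names, domains and services are placeholders). It reports orphaned accounts, accounts without MFA enforced, and, the case the page calls out, an in-scope service that nobody exported at all.

```python
"""User access control evidence: reconcile app account exports against HR.

Added example over constructed data rather than real admin-console exports.
Inputs: the HR roster, the list of in-scope cloud services, and a per-app
export of accounts with their MFA state.  Output: orphaned accounts,
accounts without MFA enforced, and any in-scope service with no export
(the application nobody included in the MFA audit).  Every name, domain
and application below is a constructed placeholder.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class AppAccount:
    email: str
    mfa_enforced: bool
    role: str = "user"


@dataclass(frozen=True)
class Finding:
    app: str
    account: str  # empty for app-level findings
    kind: str     # orphaned | no_mfa | unaudited
    detail: str


# Constructed HR roster: email -> employment status.
HR_ROSTER = {
    "alice@example.co.uk": "active",
    "bob@example.co.uk": "active",
    "carol@example.co.uk": "left",
    "dave@example.co.uk": "active",
}

# Every cloud service in scope; each one needs an account export below.
APP_INVENTORY = ["Google Workspace", "Slack", "GitHub", "Xero"]

# Constructed per-app exports.  Xero is deliberately missing.
APP_ACCOUNTS = {
    "Google Workspace": [
        AppAccount("alice@example.co.uk", True),
        AppAccount("bob@example.co.uk", True, "admin"),
        AppAccount("dave@example.co.uk", True),
    ],
    "Slack": [
        AppAccount("alice@example.co.uk", True),
        AppAccount("carol@example.co.uk", True),
        AppAccount("contractor@example-mail.test", False),
    ],
    "GitHub": [
        AppAccount("bob@example.co.uk", True, "admin"),
        AppAccount("dave@example.co.uk", False),
    ],
}


def audit(roster, inventory, accounts):
    """Walk the inventory, not the exports: a service with no export is itself a finding."""
    active = {email for email, status in roster.items() if status == "active"}
    findings = []
    for app in inventory:
        if app not in accounts:
            findings.append(Finding(app, "", "unaudited",
                                    "no account export; account list and MFA state unknown"))
            continue
        for acct in accounts[app]:
            if acct.email not in active:
                why = "former employee" if acct.email in roster else "not on HR roster"
                findings.append(Finding(app, acct.email, "orphaned", f"{why}; disable and remove"))
            if not acct.mfa_enforced:
                findings.append(Finding(app, acct.email, "no_mfa",
                                        f"{acct.role} account without MFA enforced"))
    return findings


def summary(findings):
    """Counts per finding kind; any finding at all means the control is not evidenced."""
    counts = Counter(f.kind for f in findings)
    return {"orphaned": counts["orphaned"], "no_mfa": counts["no_mfa"],
            "unaudited": counts["unaudited"], "passes": not findings}


def sample_audit():
    return audit(HR_ROSTER, APP_INVENTORY, APP_ACCOUNTS)


if __name__ == "__main__":
    findings = sample_audit()
    for f in findings:
        print(f"{f.kind:9} {f.app:17} {f.account or '-':32} {f.detail}")
    print(summary(findings))
```

Feeding it real data means one CSV per service from its admin console plus the HR roster; the inventory list is the important input, because a service missing from it is exactly the gap the assessor will find.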

The submission process

The IASME questionnaire contains around 70 questions across the five technical control families. Most are yes or no with a free-text justification box. The questionnaire takes four to eight hours to complete properly if you have all the evidence to hand.

You register through an IASME-accredited certification body, pay the assessment fee and gain access to the online questionnaire portal. Submit when complete.

The assessor will return up to two rounds of clarifying queries before formally rejecting. Each round gives you five working days to respond. If after the second round the assessor still cannot certify, the application is rejected and you start again.

From registration to certification takes typically two to four weeks for a well-prepared business, or eight to twelve weeks if remediation is required.

Annual renewal

Cyber Essentials certification lasts 12 months. The controls must be maintained continuously and the assessment repeated annually.

The declaration signed as part of the assessment now includes a statement acknowledging the organisation’s responsibility to maintain compliance throughout the certification period.

For businesses running Apple fleets with MDM, maintaining certification between renewals is significantly more manageable because MDM continuously enforces controls rather than requiring manual verification before each annual assessment.

The most common reasons businesses fail

MFA not enabled on all cloud services. One unprotected cloud application fails the whole assessment.

Unsupported software – a legacy application running on an unsupported version nobody has updated.

BYOD not properly scoped – personal devices either not in scope when they should be, or in scope but not meeting the controls.

Admin accounts used for day-to-day work – common on unmanaged Apple fleets.

Patching delays – a device that missed the 14-day window because the user kept deferring the update notification.

Default credentials still in place on a router or network device.

Cloud service configuration gaps – Microsoft 365 or Google Workspace with security defaults not enabled.

A cloud application used by one team that nobody included in the MFA audit.

A worked example – 30-person London fintech running Mac and Google Workspace

The business runs 28 MacBooks, four iPhones and two iPads. Google Workspace is the primary productivity platform. Slack, GitHub, Notion and Xero are connected via Okta SSO. Twelve people are in a London office and sixteen work remotely.

Scope:
All 28 MacBooks, four iPhones, two iPads, Google Workspace, Slack, GitHub, Notion, Xero and all other SaaS applications. Remote worker home routers out of scope. Office router in scope.

Tools in use:
Jamf Pro for Mac MDM, Okta for identity and MFA, Google Workspace for productivity, Jamf Protect for endpoint protection, Patch My PC for Windows application patching on two Windows machines used by the finance team.

Auto-fail audit:

– MFA enforced through Okta for all connected applications – pass.
– All devices on current macOS – pass.
– Jamf patch compliance report showing all devices within 14-day window – pass.
– Admin accounts separate – confirmed via Jamf – pass.
– Office router default credentials changed – pass.

Firewall:
macOS Application Firewall enforced via Jamf configuration profile across all 28 MacBooks. Jamf compliance report confirms 28 of 28 devices compliant.

Secure configuration:
FileVault enabled on all Macs via Jamf. Google Workspace MFA enforced, password policy set to 12 characters, endpoint verification active. Software inventory pulled from Jamf showing all applications on current versions.

User access control:
Okta MFA policy enforced for all users. Individual MFA audit on Xero and Notion confirmed both enforcing MFA via Okta SSO. Former employee account audit, three orphaned Slack accounts identified and removed. Admin accounts confirmed separate via Jamf.

Malware protection:
Jamf Protect active on all Macs, confirmed via dashboard. XProtect and Gatekeeper also active.

Patch management:
Jamf patch compliance report showing all 28 Macs on current macOS. All iPhones and iPads on current iOS and iPadOS. Application inventory from Jamf confirming no unsupported software.

BYOD:
Two team members access Slack on personal iPhones. Both enrolled in Jamf via MDM user enrolment. Jamf compliance report confirms both meet all five controls.

Total remediation before submission:
Three orphaned Slack accounts removed, two personal iPhones enrolled in MDM. Time taken: approximately four hours.

Getting from checklist to certification

Working through this checklist honestly gives you a gap analysis. The next step is remediating those gaps and submitting the IASME self-assessment questionnaire.
For businesses with significant gaps or uncertainty about whether their current setup meets the requirements, working with a specialist before submitting is more cost-effective than failing and resubmitting.

We help UK businesses running Apple fleets work through exactly this process – from initial gap analysis through remediation to certification. Our Cyber Essentials service covers the full journey.

For businesses that have read our Cyber Essentials 2026 guide and want to take the next step, this checklist is the practical companion. If you have also read our cyber insurance guide you will already know that certification is the single most effective way to reduce your cyber insurance premium.

Book a free Cyber Essentials readiness review and find out exactly where you stand before you submit.

Cyber Insurance for UK Businesses: What It Is, What It Costs and What Insurers Actually Require


Your business gets hit by ransomware on a Tuesday morning. Every file on your server is encrypted. Your systems are down, your team cannot work and your clients are calling. You need a forensics firm, you need a lawyer and you need to notify the ICO within 72 hours.

What does that cost?

UK businesses paid out £197 million in cyber insurance claims in 2024, a 230% increase on the previous year. The average incident, ransomware, data breach or business interruption, costs a small business tens of thousands of pounds before you factor in reputational damage and lost clients.

Cyber insurance exists to cover those costs. But in 2026, securing cover takes significantly more work than it used to. Insurers have raised the bar on what they require before they will offer a policy, and businesses that do not understand those requirements are either paying too much or finding their claims denied when they need cover most.

This guide covers what cyber insurance actually is, what it covers, what it costs, and most importantly, what UK insurers now require before they will insure you.

What is cyber insurance?

Cyber insurance is a commercial insurance product that covers financial losses arising from cyber incidents. It is not a substitute for good security. It is the financial safety net for the residual risk that remains after your security controls are in place.

A typical UK cyber insurance policy covers four broad areas:

Incident response and forensics – the cost of bringing in a specialist digital forensics and incident response firm to investigate and contain the breach. Typical claim costs run from £15,000 to £120,000.

Business interruption – lost revenue while your systems are down. Most UK policies cover business interruption from 8 to 12 hours after an incident, up to 12 to 24 months of lost income.

Data restoration – the cost of recovering or recreating data that ransomware encrypted, corrupted or destroyed.

Legal, regulatory and PR costs – legal fees, ICO notification costs, customer notification, fines where insurable under UK law and public relations support to manage reputational damage.

Some policies also cover cyber extortion, ransom payments and negotiation services, though this coverage is increasingly excluded or sub-limited in 2026 policies.

Why small businesses need cyber insurance

There is a persistent myth that cyber attackers target large enterprises. The reality is the opposite.

50% of UK businesses reported a cyber attack in the last 12 months. Attackers frequently target small businesses precisely because they expect weaker defences. A successful ransomware attack on a 30-person business can be just as profitable as one on a larger enterprise, and significantly easier to execute.

The Information Commissioner’s Office can issue fines of up to £17.5 million for data breaches under UK GDPR. For a small business, even a fraction of that figure is potentially business-ending. Cyber insurance does not prevent the fine but it covers the legal costs of responding to the ICO investigation and in some circumstances the fine itself where insurable under UK law.

62% of small UK businesses now hold cyber insurance policies. If your competitors hold cover and you do not, and both businesses suffer the same incident, your business may not survive it while theirs does.

What does cyber insurance cost for a small business?

Cyber insurance in the UK costs £500 to £1,500 per year for a small business with £500,000 of cover, rising to £5,000 to £25,000 per year for mid-market businesses with £5 million of cover.

The premium you pay depends on several factors: your annual turnover, the volume and sensitivity of personal data you hold, your industry sector, your existing security controls and whether you hold certifications like Cyber Essentials.

The single most important factor affecting your premium in 2026 is the quality of your security controls. Evidence-based discounting of 10 to 40% is available to businesses that can demonstrate strong controls. Businesses that cannot demonstrate adequate controls face either significantly higher premiums or outright rejection.

The free cover most businesses do not know about:

IASME bundles £25,000 of free cyber insurance with Cyber Essentials certification for UK businesses turning over under £20 million. It is not a full mid-market policy but it satisfies most supplier security questionnaires and is the most cost-effective baseline available in the UK market. Small businesses certifying for the first time receive this cover automatically as part of the process.

What UK insurers now require in 2026

Most businesses stumble at exactly this point. The cyber insurance market has changed dramatically in the last three years. Policies look very different compared to just a few years ago. Premiums are rising, requirements are stricter and coverage is more complex.

Insurers have moved from self-attestation, “yes we have security measures” to evidence-based underwriting. They want documented proof that your controls are actually in place, not just a checkbox on a form.

Most insurers now require MFA, EDR, backups and Cyber Essentials as preconditions for cover.

Here is what underwriters are specifically looking for:

Multi-factor authentication
MFA is no longer optional. Insurers now require MFA not just for email but for remote network access and admin accounts. If an attacker compromises an account that was not protected by MFA, your insurer can void the claim entirely.

Patching and updates
Stricter exclusions mean policies may not cover incidents caused by unpatched systems. If attackers exploit a vulnerability in an unpatched system, your insurer may deny the claim outright.

Backups
Immutable, tested, offsite backups are now a standard underwriting requirement. Insurers will ask about your backup regime and when your team last tested it.

Cyber Essentials certification
Most UK insurers align their questionnaires directly with the government-backed Cyber Essentials standard. Holding the accreditation puts you in the lower-risk category and many insurers automatically offer reduced premiums to Cyber Essentials certified businesses. Without it, insurers treat you as high-risk and price accordingly.

The trap businesses fall into:
Saying “MFA is enabled” when it is optional is misrepresentation. Insurers investigate every claim. Misrepresentation voids policies. Insurers are increasingly using technical verification to confirm controls are actually in place rather than just taking your word for it.

The Cyber Essentials connection

The UK government backs Cyber Essentials as the baseline certification covering the five technical controls most likely to prevent a cyber incident: firewalls, secure configuration, access control, malware protection and patch management.

The connection to cyber insurance is direct and significant.

Businesses with Cyber Essentials certification are 92% less likely to make a claim on their cyber insurance. Insurers know this. It is reflected in premiums.

For businesses pursuing cyber insurance for the first time, getting Cyber Essentials certified before approaching insurers is the single most effective way to reduce your premium and improve the quality of cover offered. It demonstrates to underwriters that your basic controls are in place, verified by an independent assessor rather than self-attested.

For businesses running Apple devices, this matters in a specific way. Cyber Essentials v3.3, which came into force in April 2026, makes MFA on all cloud services an automatic failure point and brings personal devices used for work within scope. A Mac fleet that is not enrolled in MDM, does not have MFA enforced through Okta or a similar identity platform and has no consistent patching regime will fail a Cyber Essentials assessment, and increasingly will also fail an insurer’s underwriting questionnaire.

The path to affordable, comprehensive cyber insurance for an Apple-first or mixed-fleet business runs through managed Apple IT support, MDM and Cyber Essentials certification. In that order.

What cyber insurance does not cover

Understanding the exclusions is as important as understanding the coverage.

Unpatched systems
If a breach exploits a known vulnerability in a system that had not been updated, many policies will not pay out. Patch management is not just good practice; it is a condition of your policy.

Social engineering and business email compromise
Most base UK cyber policies exclude funds transfer fraud caused by social engineering, where an employee was deceived into authorising a payment. A specific social engineering endorsement adds the cover back, usually at additional premium. Business email compromise is now among the most frequent claim types in the UK mid-market. Check your policy specifically for this.

Prior acts
Events that occurred before your policy start date are excluded entirely. If you switch insurers, check whether the new policy includes a retroactive date covering acts before inception.

Bodily injury and property damage
Cyber policies cover digital and financial loss only. Physical consequences require general liability or product liability cover.

Misrepresented controls
If your application states that controls are in place that were not actually implemented, your insurer can void the policy entirely, not just deny the specific claim.

How to approach cyber insurance as a small business

The right sequence for a small business approaching cyber insurance for the first time is:

First, get your controls in place. MFA enforced across all cloud services. Devices enrolled in MDM. Regular patching. Tested backups. These are the controls insurers are checking for and the controls most likely to prevent an incident in the first place.

Second, get Cyber Essentials certified. The certification is verified evidence that your basic controls meet the government standard. It unlocks the free £25,000 IASME cover, reduces your premium with most insurers and satisfies the supplier security questionnaires that many enterprise clients now require.

Third, approach insurers or a broker with your Cyber Essentials certificate and documented evidence of your controls in place. The combination of certification and evidence-based documentation is what moves you from the high-risk to the low-risk underwriting bracket.

The businesses that skip steps one and two and go straight to step three end up either paying significantly more than necessary, getting cover with exclusions that make it nearly worthless, or having claims denied when they need to make them.

Where nDuo fits

We do not sell cyber insurance. What we do is put the controls in place that make you insurable and keep your premium as low as possible.

That means Cyber Essentials certification, Apple/Windows MDM implementation for device management and patch enforcement, Okta, Google Workspace or Entra ID for MFA across all cloud services, and managed IT support that maintains those controls continuously rather than only at renewal time.

If you are approaching a cyber insurance renewal and you are not sure whether your controls would pass an underwriter’s questionnaire, a free readiness review is the fastest way to find out.

Book a free Cyber Essentials readiness review and find out exactly where your security posture stands before your next insurance renewal.

What is Okta and Why Does Your Business Need It?


Onboarding new staff manually is one of the most time-consuming and error-prone processes in a growing business. Before a new employee can do any work, someone has to create their email account, add them to Slack, grant them access to your project management tool, invite them to your HR platform, set up their GitHub account and configure their single sign-on. Every step is manual, has to be done by a human and depends on someone else doing something on time.

Now think about what happens when that same employee leaves. Every account they ever had needs to be revoked. Every application they ever accessed needs to be closed off. In most businesses, some of those accounts are still active weeks or months after the person left. A few will never be closed at all.

This is the identity problem, and it is one of the most common and most costly operational and security failures in modern businesses. Automated onboarding through a platform like Okta removes the manual steps entirely and replaces them with a policy-driven system that works consistently regardless of how many people join, leave or change roles.

Okta exists to solve it.

What is Okta?

Okta is an identity platform, sometimes referred to as identity as a service. It is the central layer that connects your people to every application, system and resource they need to do their job, ensuring that the right people have the right access at the right time, automatically.

Okta enables single sign-on, multi-factor authentication, lifecycle management and API access management, helping organisations control who has access to applications, resources and data.

In practical terms, Okta sits between your employees and every application your business uses. When someone joins, Okta provisions their access automatically as part of a complete user lifecycle management workflow. Departures trigger automatic revocation. Role changes update permissions instantly. At every login, Okta verifies the user’s identity and enforces your security policies before granting access.

It sounds simple. The impact on how a business operates and how securely it runs is anything but.

The problem Okta solves

Most businesses manage identity badly. Not because they are careless, but because identity management was never designed to scale with the way modern businesses operate.

Ten years ago, a business might use five or six applications. Today the average business uses dozens. Each application has its own login, its own password, its own access control. The employee onboarding process for a new hire means someone manually adding them to each one. When they leave, someone manually removes them from each one.

The failure rate on both processes is high. New hires wait days for access to tools they need from day one. Remote employee onboarding is even harder: a new starter based outside the UK, working from Porto or Berlin, has no way to chase IT in person when their access has not been set up. Former employees retain access to systems they should no longer be able to reach. IT teams spend hours each week on manual provisioning tasks that add no strategic value.

Instead of managing users and permissions in multiple tools, Okta provides a single source of truth for identity, reducing administrative overhead and errors. Features like SSO, MFA and adaptive policies reduce the risk of compromised credentials while still keeping access convenient for users.

The security implications are equally serious. Every orphaned account from a departed employee is a live credential that could be used to access your systems. Applications without MFA enforced are potential entry points. Any manually managed access list will eventually be wrong.

Okta removes the manual process entirely and replaces it with an automated, policy-driven system that works consistently regardless of how many people join, leave or change roles.

How Okta works in practice

Single sign-on

Single sign-on means your employees log in once and get access to everything they are authorised to use. One set of credentials. One login prompt. Every application, from Google Workspace to Slack to Salesforce to GitHub, accessible from a single Okta dashboard without separate passwords.

Employees benefit from less friction and no password fatigue. IT teams get one place to manage access rather than dozens of separate admin consoles. For security teams, every login goes through Okta’s authentication layer where policies are enforced consistently.

Multi-factor authentication

Okta’s MFA enforces additional verification at sign-in, requiring employees to confirm their identity through a second factor such as an authenticator app, a push notification or a hardware key.

Multi-factor authentication is no longer optional for UK businesses. Cyber Essentials v3.3, the updated framework that came into force in April 2026, makes MFA on all cloud services an automatic failure point at certification. Every account without MFA enforced is a gap in your compliance posture.

Okta enforces MFA centrally across every connected application. Rather than enabling MFA separately in each app, you configure the policy once in Okta and it applies everywhere. When a new employee is provisioned as part of the onboarding process, MFA is enforced from their very first login without any additional IT steps.

Automated user provisioning and deprovisioning

This is where Okta delivers its most significant operational impact and where automated employee onboarding becomes a reality rather than an aspiration.

When a new hire is added to your HR system, Okta receives the signal and automatically provisions their access across every application as part of a complete user lifecycle management workflow. Google Workspace account created. Slack access granted. GitHub organisation membership added. Project management tool access configured. All of it happens automatically, before the employee starts, without a single IT ticket being raised.

For remote employees joining from outside the UK, whether in Porto, Berlin or anywhere else, remote employee onboarding through Okta works identically. Access is provisioned before they start, regardless of where they are based. The new hire opens their laptop on day one and everything is ready. There is no waiting, no chasing IT and no days lost to manual setup.

When that employee leaves, the reverse happens. One action in your HR system triggers Okta to revoke access everywhere simultaneously. There are no manual steps, no orphaned accounts and no ex-employees logging into your systems because someone forgot to remove them.

For businesses that have read our guide to the perfect employee onboarding process, this is the engine that makes zero-friction onboarding possible. The automation does not happen by magic. It happens because Okta is configured correctly, integrated with your HR system and mapped to the right application access for each role.

Role-based access control

Okta manages access through groups and roles. A developer gets access to GitHub, your cloud infrastructure and your monitoring tools. A finance employee gets access to your accounting platform, your expense tool and your reporting dashboards. A new starter in operations gets their specific set.

When someone changes role, their group membership changes and their access updates automatically. They gain what they need and lose what they no longer should have. No manual review. No access creep where employees accumulate permissions they should have lost when they moved teams.

Automated user provisioning and deprovisioning, role-based access controls and detailed audit trails help organisations address compliance requirements and reduce security risks associated with manual access management.
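The joiner, mover and leaver flow described in the last three sections, as an added example modelling the automation rather than any vendor's code: this is not Okta's API, and the group names, application names and group-to-application mapping are constructed placeholders standing in for the group rules and application assignments you would configure in an identity platform. It shows the two properties the text relies on: a role change removes what the new role no longer justifies, and a leaver event revokes everything in one step, with each action recorded in an audit trail. A `drift()` check also shows how a manual grant outside the role mapping, the access creep mentioned above, would surface.

```python
"""Group-to-application provisioning as a joiner/mover/leaver state machine.

Added example modelling the lifecycle automation, not Okta's code or API.
Group names, application names and the mapping between them are
constructed placeholders.  Every provisioning action is appended to an
audit log, and drift() reports applications held outside the role mapping.
"""
from dataclasses import dataclass, field

# Constructed role mapping: directory group -> applications that group entitles.
GROUP_APPS = {
    "everyone": {"Google Workspace", "Slack"},
    "engineering": {"GitHub", "AWS", "Datadog"},
    "finance": {"Xero", "Expensify"},
}


def entitlements(groups):
    """Union of the applications each group grants.  Unknown groups are refused
    rather than silently ignored, so a typo cannot strip someone's access."""
    unknown = set(groups) - GROUP_APPS.keys()
    if unknown:
        raise ValueError(f"unknown groups: {sorted(unknown)}")
    apps = set()
    for group in groups:
        apps |= GROUP_APPS[group]
    return apps


def plan(current_apps, target_groups):
    """Actions that move an account from its current applications to exactly the
    set its groups entitle: nothing the new role does not justify is kept."""
    desired = entitlements(target_groups)
    return {"provision": sorted(desired - current_apps),
            "deprovision": sorted(current_apps - desired)}


@dataclass
class User:
    email: str
    groups: set = field(default_factory=set)
    apps: set = field(default_factory=set)


class Directory:
    def __init__(self):
        self.users = {}
        self.audit_log = []  # (event, email, app): the audit trail assessors ask for

    def _apply(self, user, actions):
        for app in actions["provision"]:
            user.apps.add(app)
            self.audit_log.append(("provision", user.email, app))
        for app in actions["deprovision"]:
            user.apps.discard(app)
            self.audit_log.append(("deprovision", user.email, app))

    def joiner(self, email, groups):
        """HR "new hire" signal: create the account and grant its role's applications."""
        user = User(email, set(groups))
        self.users[email] = user
        self._apply(user, plan(set(), user.groups))
        return user

    def mover(self, email, groups):
        """HR "role change" signal: gain the new role's applications, lose the old ones."""
        user = self.users[email]
        user.groups = set(groups)
        self._apply(user, plan(user.apps, user.groups))
        return user

    def leaver(self, email):
        """HR "departure" signal: one event revokes everything and removes the record."""
        user = self.users.pop(email)
        self._apply(user, {"provision": [], "deprovision": sorted(user.apps)})
        user.groups = set()
        return user

    def drift(self):
        """Applications held outside the role mapping, i.e. access creep."""
        return {u.email: sorted(u.apps - entitlements(u.groups))
                for u in self.users.values() if u.apps - entitlements(u.groups)}


def demo():
    """Constructed walkthrough: engineer joins, moves to finance, gets a manual
    AWS grant outside the mapping, then leaves."""
    d = Directory()
    d.joiner("alice@example.co.uk", ["everyone", "engineering"])
    d.mover("alice@example.co.uk", ["everyone", "finance"])
    d.users["alice@example.co.uk"].apps.add("AWS")  # manual grant, bypassing the role mapping
    drift = d.drift()
    d.leaver("alice@example.co.uk")
    return d, drift


if __name__ == "__main__":
    directory, drift = demo()
    for event in directory.audit_log:
        print(*event)
    print("drift detected before leaving:", drift)
    print("users remaining:", list(directory.users))
```

The `plan()` function is the whole idea: desired state is computed from group membership alone, so the identity platform never has to remember what was granted manually, and anything it did not grant shows up as drift at the next reconciliation.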

Integrations

Okta offers more than 8,200 pre-built integrations covering the applications and services most businesses rely on: Google Workspace, Microsoft 365, Slack, Salesforce, GitHub, Jira, Zoom, HubSpot, Xero. If your business uses it, Okta almost certainly has a pre-built integration that handles provisioning, SSO and deprovisioning automatically.

For less common applications, Okta’s API and SCIM support allows custom integrations to be built. The breadth of the integration catalogue is one of the primary reasons businesses choose Okta over building identity management in-house or relying on a patchwork of individual application settings.

Why businesses choose Okta over alternatives

The identity management market has several options. Microsoft Entra ID is the natural choice for businesses built entirely around the Microsoft ecosystem. Google Workspace has built-in identity management for Google-first businesses. JumpCloud and other platforms offer similar capabilities at different price points.

Okta’s primary differentiator is that it is platform-neutral. It works equally well across Mac and Windows, across Google Workspace and Microsoft 365, across any combination of cloud applications regardless of vendor. For businesses running a mixed environment, which describes most UK businesses at the 20 to 200 employee scale, Okta provides a single identity layer that works across everything rather than being tied to one vendor’s ecosystem.

For businesses running Apple devices specifically, Okta integrates with Apple Business Manager and MDM platforms such as Jamf Pro and Iru. When a Mac is enrolled in MDM and the user signs in with their Okta credentials, the device and the identity are linked, and Okta's authentication policies can require a managed device that passes your assurance checks (for example disk encryption on and a minimum OS version) before specific applications open. A personal laptop cannot reach those applications even with valid credentials, provided the policy for each application actually requires a managed device; an application left on the default policy is not protected by this.

Okta and Cyber Essentials compliance

For UK businesses pursuing or maintaining Cyber Essentials certification, Okta directly addresses several of the five technical controls.

Access control is one of the five controls. Cyber Essentials requires that users only have access to what they need for their role. Okta’s role-based access control and automated provisioning make this demonstrably true at assessment time. Rather than manually reviewing who has access to what, you can pull an Okta report showing exactly who has access to each application and why.

Cyber Essentials requires MFA on all cloud services, a requirement introduced in the 2022 update to the requirements and retained in v3.3. Okta enforces MFA centrally across every connected application, making compliance a configuration rather than an ongoing manual effort. The caveat is the word connected: a cloud service that is still reached with its own local login remains in scope and needs MFA enforced in that service itself.

Secure configuration is also supported. Okta does not configure the device itself, that is the MDM's job, but its access policies can require that only devices meeting your requirements (enrolled in MDM, encrypted, on a supported OS version) can reach corporate applications. This turns the device standard into a gate applied consistently at every sign-in, and one that is auditable.

For businesses that need to demonstrate compliance not just at certification time but continuously, Okta's System Log records every authentication event, every access grant and every policy change. If a question arises about who accessed what and when, the answer is in Okta, with one practical caveat: Okta retains System Log events for 90 days, so forward the log to a SIEM or log store if you need evidence covering a full 12-month certification cycle.
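The access report the text describes is only as useful as the check you run over it. The following is an added example, not a report Okta produces: a least-privilege reconciliation across three exports (the HR roster, the Okta user list and each application's own member list) that surfaces the failure modes this page names: leavers still active in Okta, orphaned application accounts that deprovisioning never reached, accounts Okta holds that HR does not, and access creep after a role change. All names, roles and dates are constructed.

```python
"""Least-privilege reconciliation across HR, Okta and per-app user exports.

Added example, not a report Okta produces. HR is the source of truth for who is
employed and in which role; Okta is what should mirror it; each app's own member
export is what actually exists. Every discrepancy is a finding. All data here is
constructed.
"""
from datetime import date

HR = {
    "ana@example.com": {"role": "engineering", "leave_date": None},
    "ben@example.com": {"role": "finance", "leave_date": None},
    "cal@example.com": {"role": "product", "leave_date": None},   # moved from engineering
    "dee@example.com": {"role": "operations", "leave_date": date(2026, 1, 31)},
    "eve@example.com": {"role": "engineering", "leave_date": date(2026, 2, 14)},
}

# Okta user export (status as shown in the admin console / Users API).
OKTA = {
    "ana@example.com": {"status": "ACTIVE"},
    "ben@example.com": {"status": "ACTIVE"},
    "cal@example.com": {"status": "ACTIVE"},
    "dee@example.com": {"status": "DEPROVISIONED"},
    "eve@example.com": {"status": "ACTIVE"},          # should have been deprovisioned
    "svc-legacy@example.com": {"status": "ACTIVE"},   # nobody in HR owns this
}

# What each role is entitled to: what the Okta group -> app mapping should encode.
ENTITLEMENTS = {
    "engineering": {"github", "aws", "grafana"},
    "finance": {"xero", "expensify"},
    "product": {"jira", "figma"},
    "operations": {"jira"},
}

# Per-application member exports (from each app's own admin console, not from Okta).
APPS = {
    "github": {"ana@example.com", "cal@example.com", "dee@example.com"},
    "aws": {"ana@example.com"},
    "grafana": {"ana@example.com", "eve@example.com"},
    "xero": {"ben@example.com"},
    "expensify": {"ben@example.com"},
    "jira": {"cal@example.com"},
    "figma": {"cal@example.com"},
}


def has_left(rec, today):
    return rec["leave_date"] is not None and rec["leave_date"] <= today


def review_access(hr, okta, apps, entitlements, today):
    """Return sorted (finding, email, detail) tuples; an empty list means clean."""
    findings = []
    for email, rec in okta.items():
        if rec["status"] == "ACTIVE" and email not in hr:
            findings.append(("NOT_IN_HR", email, "active in Okta but absent from the HR roster"))
    for email, rec in hr.items():
        if has_left(rec, today) and okta.get(email, {}).get("status") == "ACTIVE":
            findings.append(("LEAVER_STILL_ACTIVE", email,
                             f"left {rec['leave_date']}, Okta status still ACTIVE"))
    for app, members in apps.items():
        for email in sorted(members):
            okta_status = okta.get(email, {}).get("status", "MISSING")
            if okta_status != "ACTIVE":
                # The app still has the account although Okta no longer does:
                # deprovisioning did not reach it (no SCIM, or the push failed).
                findings.append(("ORPHAN_APP_ACCOUNT", email, f"{app}: Okta status {okta_status}"))
                continue
            rec = hr.get(email)
            if rec and not has_left(rec, today) and app not in entitlements.get(rec["role"], set()):
                findings.append(("ACCESS_CREEP", email,
                                 f"{app}: not in the entitlement for role '{rec['role']}'"))
    return sorted(findings)


if __name__ == "__main__":
    for finding, email, detail in review_access(HR, OKTA, APPS, ENTITLEMENTS, date(2026, 3, 2)):
        print(f"{finding:22} {email:24} {detail}")
```

Run against the constructed data on 2 March 2026 it reports four findings: `cal` kept GitHub after moving to product (creep), `dee` is deprovisioned in Okta but still a GitHub member (an orphan, which means GitHub deprovisioning is not wired up), `eve` left in February but is still active in Okta, and `svc-legacy` is active in Okta with no owner in HR. The third export, the per-application member list, is the one most teams skip, and it is the only one that catches orphans.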

Okta and the full employee lifecycle

The clearest way to understand Okta’s value is to map it against the full employee lifecycle. This is where identity as a service moves from a technical concept to a measurable business outcome.

Joining – automated onboarding from day one

New hire added to HR system. Okta provisions Google Workspace account, assigns group memberships based on role, pushes app access to their Okta dashboard and enforces MFA on first login. The induction schedule for new employees can focus entirely on culture, role and relationships rather than IT setup. Not a single ticket raised, no manual steps taken and no days lost waiting for access.

For remote employee onboarding specifically, this is transformative. The new hire in Porto logs on, their Okta dashboard shows every application they need, Google Workspace is fully configured and Slack is ready. The onboarding new staff experience is identical whether someone starts in the London office or joins remotely from anywhere in the world.

Role change – access that follows the person

Employee moves from engineering to product. HR system updated. Okta adjusts group memberships automatically. GitHub organisation access changes. Infrastructure tools removed. Product management tools added. Access reflects the new role within minutes of the HR update.

Leaving – complete and immediate deprovisioning

Employee gives notice. HR system updated with departure date. On that date Okta deactivates the user and deprovisions access across every application with a provisioning integration. Google Workspace suspended. Slack access revoked. GitHub removed. No orphaned accounts in the applications Okta is connected to. Two things still belong on a leaver checklist: applications that use Okta only for SSO (or not at all) keep their own accounts until someone disables them, and credentials the user created themselves, such as API keys, personal access tokens and SSH keys, are not Okta's to revoke.

Security incident – instant response

A device is reported lost or stolen. IT suspends the user in Okta and clears their sessions, including the OAuth tokens Okta issued, so any new sign-in from the device is refused and the credentials stored on it are no longer enough. The caveat is that applications hold their own sessions once the Okta sign-in completes: an application session already open on the lost device lasts until it expires or is ended in that application, unless the application supports Okta's Universal Logout. Lock or wipe the device through MDM at the same time rather than relying on identity revocation alone.
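The containment sequence above, as an added example that is not Okta's or nDuo's code. The three endpoints (suspend user, clear sessions with OAuth token revocation, suspend device) are the ones documented in Okta's Users and Devices API references; the org URL, API token, user and device IDs are placeholders. The transport is injected so the sequence runs here against a constructed fake tenant and against the real API via `http_send` in production, and the second function turns the "what Okta cannot reach" caveat into a concrete follow-up list from an inventory of how each application is integrated (also constructed).

```python
"""Lost or stolen device: contain the Okta identity, then list what Okta cannot reach.

Added example, not Okta's code or nDuo's. Endpoints are from Okta's Users and
Devices API references; org URL, token and IDs are placeholders. `send` is
injected so the sequence runs against the constructed FakeOkta below or against
the real API via http_send.
"""
import json
import urllib.request

OKTA_ORG = "https://example.okta.com"          # placeholder tenant
API_TOKEN = "replace-with-an-okta-api-token"   # placeholder; read from a secret store


def http_send(method, path):
    """Real transport: one Okta REST call using the SSWS API-token scheme."""
    req = urllib.request.Request(OKTA_ORG + path, method=method, headers={
        "Authorization": f"SSWS {API_TOKEN}", "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:      # raises HTTPError on 4xx/5xx
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


class FakeOkta:
    """Constructed stand-in for a tenant: records calls, returns plausible statuses."""
    def __init__(self):
        self.calls = []

    def __call__(self, method, path):
        self.calls.append((method, path))
        return (204, None) if method == "DELETE" else (200, {"status": "SUSPENDED"})


def contain_user(user_id, send, device_ids=()):
    """Block the identity without destroying evidence. Returns [(step, http_status), ...]."""
    steps = []
    # 1. Suspend rather than deactivate: sign-in is blocked but the profile, group
    #    memberships and app assignments survive for the investigation.
    steps.append(("suspend_user", send("POST", f"/api/v1/users/{user_id}/lifecycle/suspend")[0]))
    # 2. End every Okta session; oauthTokens=true also revokes the OIDC/OAuth access and
    #    refresh tokens Okta issued, so SSO apps cannot silently re-authenticate.
    steps.append(("clear_sessions",
                  send("DELETE", f"/api/v1/users/{user_id}/sessions?oauthTokens=true")[0]))
    # 3. Suspend the device record so device-trust conditions in sign-on policies fail.
    for device_id in device_ids:
        steps.append((f"suspend_device:{device_id}",
                      send("POST", f"/api/v1/devices/{device_id}/lifecycle/suspend")[0]))
    return steps


def manual_followups(app_inventory):
    """What the Okta calls above do not cover, derived from how each app is integrated."""
    tasks = [
        "MDM: issue remote lock (and wipe if not recovered); Okta cannot erase the device",
        "Revoke personal access tokens, SSH keys and API keys the user created in GitHub "
        "and cloud consoles; they are not Okta-issued and survive session revocation",
    ]
    for app in app_inventory:
        name = app["name"]
        if not app["sso"]:
            tasks.append(f"{name}: reset the local password; this login never touches Okta")
        if not app["scim"]:
            tasks.append(f"{name}: disable the account in the app; no provisioning integration")
        if not app["universal_logout"]:
            tasks.append(f"{name}: end its sessions in the app's own console; the app keeps "
                         "its own session after the Okta session is cleared")
    return tasks


# Constructed inventory of how each app is connected to Okta.
APP_INVENTORY = [
    {"name": "Slack", "sso": True, "scim": True, "universal_logout": True},
    {"name": "GitHub", "sso": True, "scim": True, "universal_logout": False},
    {"name": "Legacy CRM", "sso": False, "scim": False, "universal_logout": False},
]

if __name__ == "__main__":
    tenant = FakeOkta()
    for step, status in contain_user("00u1placeholder", tenant, device_ids=["guo1placeholder"]):
        print(step, status)
    for task in manual_followups(APP_INVENTORY):
        print("TODO:", task)
```

Suspend is used instead of deactivate deliberately: deactivation strips app assignments and group memberships, which is exactly the evidence an incident responder wants to keep. The follow-up list is the honest part of the exercise: the fewer applications that have SSO, provisioning and logout integration, the longer that list is, and it is a good argument for closing those gaps before the incident rather than during it.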

Once Okta is set up it runs without day-to-day intervention. Admins benefit from a single place to manage access and authentication, and users benefit from simpler logins through SSO.

Building an onboarding checklist around Okta

A well-structured staff onboarding checklist built around Okta looks different from a manual process. Rather than a list of IT tasks to complete, it becomes a list of configurations to verify.

Before the employee starts: confirm Okta account provisioned, group memberships assigned, Google Workspace accessible, MFA policy active, app assignments correct for role.

Day one: confirm single sign-on working on first login, all applications accessible from Okta dashboard, MFA enrolled in first session, device enrolled in MDM and linked to Okta identity.

First week: confirm access correct across all tools, no missing application assignments, device compliance confirmed in MDM.

When this checklist is consistently green, the new employee onboarding process works every time. Not most of the time. Every time.

Is Okta right for your business?

Okta is not the right fit for every business at every stage. Here is an honest picture of where it makes most sense.

Okta makes sense when your business uses more than ten cloud applications and managing access across them manually is becoming a source of IT overhead and security risk.

Growing businesses find it valuable when the cost of manually onboarding new staff is measurable in hours per week. For businesses pursuing Cyber Essentials certification, Okta provides the consistent access control and MFA enforcement the assessment requires. Mixed Mac and Windows environments benefit from a single identity layer that works across both platforms. And if a former employee still has access to systems they should not, that is perhaps the clearest signal that a structured identity platform is overdue.

If several of those describe your business, Okta is worth serious consideration. The configuration and integration work to implement it correctly requires expertise. Mapping roles to application access, integrating with your HR system, connecting your Apple MDM environment and building the provisioning workflows is a project, not a plug-in. But once it is in place, the operational and security return is substantial.

How nDuo helps businesses implement Okta

We implement and manage Okta for UK businesses running Apple and mixed device environments. That includes initial setup and configuration, HR system integration for automated employee onboarding, Apple MDM integration for device-based conditional access, Google Workspace and Microsoft 365 connection, and user lifecycle management for the full employee journey from day one to departure.


If you are currently onboarding new staff manually across multiple applications, or if a recent hire’s first day did not go as smoothly as it should have, the starting point is a conversation about what your current setup looks like and what it would take to automate it.

Book a free consultation with our team to talk through your identity setup and get practical recommendations.

The Perfect Employee Onboarding Process

The Perfect Employee Onboarding Process: Getting New Hires Productive From Day One

Picture this.

It is Monday morning. Your new software engineer starts today. She is talented, expensive to hire and genuinely excited about the role. Her manager has been talking her up for weeks. She is remote, based in Porto, joining a London team, so everything depends on the laptop arriving on time.

It does not.

Nobody tracked the shipment. The courier’s system had flagged it as held at a customs facility on Friday afternoon, caught in post-Brexit cross-border delays between the UK and Portugal, but no one noticed. The laptop sat in a warehouse all weekend while the new hire waited at home in Porto, refreshing her email for joining instructions that assumed a device she did not have.

She sends a message to HR on Monday morning. An apologetic reply comes back two hours later. Apparently this happens sometimes. Someone will sort it out.

The laptop arrives Tuesday.

By now she has spent a full working day doing nothing. She has already messaged two friends who work in tech to tell them about her first day. The story is not flattering.

When the laptop arrives, nothing is ready

When the laptop finally arrives, the IT setup begins. Except nothing is ready. The device has not been enrolled in the company MDM. There is no single sign-on configured.
Nobody provisioned her Okta account before she started. Without Okta, none of the automated provisioning ran. No Google Workspace account was created, no app assignments were pushed, no group memberships were configured.

Slack is connected to Okta SSO. Without her Okta account being active and her Slack app assignment configured, she cannot log in. The manager tries to invite her directly but the company has enforced SSO-only login, so the invitation fails silently. Nobody knows why.

By Wednesday lunchtime, her third day, she has email and Slack. GitHub access comes Thursday. She still cannot access the project management tool her team uses because it requires an Okta group assignment that nobody has set up yet.

She does not quit that week. But something has shifted. The excitement she felt when she signed the offer letter has been replaced by a quiet, nagging doubt. Is this what working here is actually like?

70% of employees decide whether a job is the right fit within the first month. 29% know within the first week. That means you have roughly 44 days, and arguably just a few hours, to show a new hire that joining your company was the right decision.
The story above is not unusual. It is, in most businesses, completely normal. And every single part of it was avoidable.

The real cost of a broken onboarding process

Onboarding failure is not just uncomfortable. It is expensive.

A failed hire in the first year costs approximately £12,000 when you factor in recruiting, onboarding, training, lost productivity and re-hiring costs. For specialist or technical roles, this can exceed £40,000.

One in three new hires leave within 90 days. Only 12% of employees say their company does onboarding well.

And yet the fix is not complicated. It does not require a new HR platform, a rebrand of your company culture or an onboarding retreat in the Cotswolds. Most of the problem comes down to a single failure point: the device and access setup that should happen before day one but almost always does not.

This post is about fixing that, and what the perfect employee onboarding process actually looks like when IT, HR and management are all working from the same plan.

Why IT is the make-or-break moment

Ask any new hire what went wrong in their first week and the answer is almost always the same. IT delays are a prevalent issue. New hires are left without laptops, software access, email accounts and security credentials, sometimes for days or even weeks, leading to frustration and a negative first impression.

This is not a people problem. It is a process problem. Specifically, it is a provisioning problem.

In most businesses, a new hire’s device and access setup is triggered manually. Someone in IT or HR sends an email, someone else orders the laptop, someone else creates the Okta account, someone else raises a ticket to configure Google Workspace and assign the right groups. Every step requires a human to remember to do something, which makes every step a dependency, and every dependency a potential point of failure.

The result is what almost everyone experiences: a new hire sitting at a desk, watching IT scramble, while their first impressions of the company form in real time.

More than half of employees, 52%, reported that administrative tasks dominated their onboarding experience. Instead of learning the job and connecting with colleagues, they spent their first days buried in paperwork and waiting for systems access.

The businesses that get onboarding right have removed the manual steps entirely. Here is how they do it.

The perfect employee onboarding process: hour by hour

This is not a hypothetical. This is what onboarding looks like when it is done well.

Before day one

The new hire’s details are entered into HR. That single action triggers everything else automatically.

An identity is provisioned in Okta. Group memberships are assigned based on role. Every app the employee needs, Slack, GitHub, your project management platform, your expense tool, is pushed to their Okta dashboard automatically. Google Workspace is provisioned with the right organisational unit, the right shared drives and the right group memberships. Her email account is live, her calendar is set up and her access is ready before she has opened a browser.

Their device is already configured and ready to ship directly to them. For Mac devices, this happens through Apple Business Manager and an MDM platform such as Jamf Pro, Fleet or Iru. The device ships directly from Apple or an authorised reseller to the employee's address in Porto, or wherever in the world they are based. It arrives enrolled, supervised, encrypted and compliant with your security policies. For Windows devices, the equivalent is Windows Autopilot, with devices registered in Microsoft Entra ID (formerly Azure Active Directory) and configured automatically by Intune on first boot.

The employee opens the box. They power on the device. They sign in with their Okta credentials, and Okta single sign-on takes them into Google Workspace and everything else. Every app, every permission, every policy was applied silently in the background before they even started.

This is zero touch deployment. And it works for both Mac and Windows.

8:55am on day one

The new hire logs on from Porto. The device is ready. Her Okta dashboard shows every application she needs, accessible with a single login, and Google Workspace is fully configured with her name, her team’s shared drives and her calendar already populated with her first week’s meetings.
They receive a welcome message from their manager on Slack. It was pre-scheduled to arrive at exactly this moment.

This is what the first hour should feel like. Human connection, not a ticket queue.

9:30am

She opens Google Workspace for the first time. The shared drives are there. The team’s project documentation is accessible. Her calendar is populated with her first week’s meetings, already accepted on her behalf. She has context before anyone has briefed her on anything.

She opens Slack. Her Okta account has pushed her app assignments automatically overnight. She is already in the right channels. A few teammates have dropped a welcome message. She replies.
It has been thirty minutes and she already feels like she works here.

10:00am

The new hire joins their first team standup. She has access to everything she needs, can contribute from minute one, looks competent and feels confident. More importantly, she feels like she made the right decision.

That feeling is worth more than any welcome pack or culture deck.

The identity layer: Okta and Google Workspace working together

The invisible infrastructure behind a smooth onboarding process is the identity layer. This is where most businesses have a gap, and where the most powerful fixes live.

Modern businesses run on cloud services. The average business uses dozens of SaaS applications. Without a centralised identity layer, each of those applications has its own login, its own credentials, its own access control. A new hire needs to be manually added to each one. An employee who leaves needs to be manually removed from each one. Both processes fail regularly.

Okta is the most widely adopted identity platform for businesses running a mix of cloud applications across Mac and Windows. It provides single sign-on across every application, centralised MFA enforcement, and automated provisioning and deprovisioning based on HR system triggers. A new hire starts and Okta provisions their access. An employee leaves and Okta revokes it. There are no manual steps, no orphaned accounts and no ex-employees still able to log into your systems three months after they left.

The integration between Okta and Google Workspace is particularly powerful. Okta acts as the identity provider. Google Workspace acts as the productivity layer. When a new hire is created in Okta, their Google account is provisioned automatically, their group memberships are assigned, their shared drives are accessible and their Google Meet and Google Calendar are live. When they leave, deprovisioning in Okta triggers deprovisioning in Google Workspace simultaneously.

For businesses running both Mac and Windows, Okta handles the identity layer across both platforms consistently. A MacBook user and a Windows laptop user authenticate through the same Okta dashboard, access the same Google Workspace environment and use the same MFA policy. The device type is irrelevant to the experience.

Mac and Windows: the same experience for everyone

One of the most common objections to automating the onboarding process is that running Mac and Windows makes it too complicated.

It does not. Modern identity platforms like Okta manage users across both platforms from a single console. The device type is irrelevant to the identity layer.

On the Mac side, Apple Business Manager handles device enrolment and zero touch deployment through your MDM platform. A Mac purchased through Apple or an authorised reseller can be shipped directly to a new hire in Porto, or anywhere in the world, and on first boot it automatically contacts Apple’s servers, receives its MDM assignment, and applies your organisation’s security profiles, apps and policies. The employee does not need IT to touch the device at any point.

On the Windows side, Windows Autopilot does the equivalent. Devices are pre-registered in Microsoft Entra ID and configured automatically on first sign-in, with Entra ID federated to Okta so the new hire uses the same Okta credentials as on a Mac. Combined with Intune for ongoing policy enforcement, a Windows device can be provisioned with the same zero touch approach as a Mac.

Both platforms, one process. The new hire in Porto gets exactly the same experience as a new hire starting in the London office.

The compliance dimension – why onboarding is a security event

Every new employee is a potential security gap. Not because of anything they have done, but because of what has not been set up correctly.

An account without MFA. A device without full disk encryption. An app installed outside your approved software catalogue. A personal iPhone connecting to corporate email without an MDM profile. Any of these represents a failure in your Cyber Essentials posture, and each of them is most likely to occur in the first week of employment, when setup is rushed and checks are missed.

The businesses that treat onboarding as a security event, not just an HR event, are the ones that maintain a consistent compliance posture as they grow.

When onboarding is automated through Apple MDM, Okta and Apple Business Manager, the security configuration is not something IT does later. It is applied at the point of enrolment. FileVault encryption enabled. Screen lock enforced. Software update policies active. MFA required through Okta. All of it part of the zero touch deployment workflow, not an afterthought.

For businesses working toward Cyber Essentials/ISO certification or maintaining it between annual assessments, this matters enormously. Every new hire who joins with a properly configured device and a correctly provisioned Okta identity is one fewer gap in your next assessment.

Remote onboarding – the same process, wherever they are

Remote new hires are nearly 50% more likely to say culture was demonstrated poorly or not at all during onboarding, and almost twice as likely to say the onboarding software or tools they used were not helpful.

The technical side of remote onboarding is actually the easiest part to solve. Zero touch deployment means the device ships to the employee’s address anywhere in the world, pre-configured and ready. Okta means their access is live before they log on for the first time. Google Workspace means their productivity tools work identically in Porto as they would in the London office.

The customs delay that opened this post is not an IT problem, strictly speaking. But it is a process problem that IT can solve. When devices are ordered through Apple Business Manager and assigned to the employee’s MDM server before they ship, the device is ready the moment it clears customs. There is no separate setup step. There is no waiting for IT. The employee powers it on, logs in through Okta and they are working.

What makes remote onboarding feel disconnected is not the technology. It is the absence of the human moments that happen naturally in an office. The fix for that is not an IT problem. But the IT setup is the foundation everything else sits on. If a remote new hire in Porto spends their first three days waiting for a laptop and then waiting for access, the human connection problem becomes impossible to solve. If they open their laptop on day one and everything works, you have the full first day to focus on the people side, which is where onboarding wins or loses.

The employee onboarding checklist – what good looks like

A well-structured employee onboarding process covers three phases.

Pre-boarding – before they start

  • Okta identity created and group memberships assigned
  • Google Workspace provisioned with correct organisational unit, shared drives and groups
  • Device ordered through Apple or Authorised Resellers and added to Apple Business Manager, assigned to MDM before shipping
  • MFA policy applied to Okta account on creation
  • Welcome email sent with first day logistics and Okta login instructions
  • Manager briefed and first week meetings scheduled in Google Calendar
  • IT onboarding checklist confirmed complete before start date

Day one

  • Device arrives ready, no IT setup required
  • Okta single sign-on works on first login
  • Google Workspace fully accessible including shared drives and Gmail
  • MFA enrolled in first two minutes
  • New hire introduced to team on Slack and Google Meet
  • First one-to-one with manager
  • Role expectations set clearly

First 30 to 90 days

  • MDM policies actively managed and monitored
  • Okta access reviewed and adjusted as role evolves
  • Any departing team members fully offboarded with Okta and Google Workspace access revoked simultaneously
  • Compliance posture maintained as headcount grows
  • Ongoing end-user support available via Slack

The cost of getting this wrong

Companies that invest in strong onboarding report a 70% boost in new hire productivity. Effective onboarding can reduce time to full productivity by 50% or more. New hires with structured onboarding reach competence in four to six months instead of eight to twelve.

Conversely, a poor onboarding process compounds at scale. New hires who lose confidence in their first week are harder to re-engage. Orphaned Okta accounts from failed offboarding are a security risk. Manually provisioned devices not correctly enrolled in MDM are gaps in your Cyber Essentials posture.

The businesses that automate the onboarding process through MDM, Okta, Google Workspace and zero touch deployment do not just have happier new hires. They have cleaner security, lower IT overhead and a compliance posture that holds as they grow.
Automating the onboarding process can produce up to a 65% increase in new hire productivity, a 50% improvement in employee satisfaction scores and a 77% decrease in turnover within the first three months.

That is not a marginal gain. That is a structural advantage.

How nDuo makes this happen

The story that opened this post does not have to be your story.

We work with UK businesses running Mac, Windows and mixed fleets to design and implement onboarding processes that work from the moment the offer letter is signed. That means Apple MDM implementation through Jamf Pro or Iru, Apple Business Manager enrolment for zero touch Mac deployment, Okta integration for identity and access management, Google Workspace configuration for productivity and collaboration, Cyber Essentials compliance built into device policy from day one, and managed IT support for your team once they are up and running.

New hires who open a laptop in Porto and everything works are not just happier. They are more productive, more likely to stay and more likely to tell others that your business is a great place to work.

That is the return on getting onboarding right.

Book a free consultation to talk through your onboarding setup and find out what it would take to get every new hire productive from minute one.

Bringing Mac into Your Business: How Windows and Mac Work Together


For years, the assumption in business IT was straightforward: you standardise on Windows, you manage everything through Active Directory, and anything that does not fit gets left at the door.

That assumption no longer holds.

Across the UK, businesses are running Macs and Windows devices side by side. Developers prefer MacBooks. Designers have always used them. New hires arrive expecting the choice. Finance and operations teams stay on Windows. The result is a mixed fleet and for many IT teams and business owners, that feels like a problem waiting to happen.

It is not. With the right setup, Mac and Windows coexist without complexity, without doubling your IT overhead and without creating security gaps. This post explains how.

Why businesses end up with mixed fleets

Mixed environments rarely happen by design. They happen for practical reasons.

A fast-growing startup hires ten engineers who all request MacBooks. A creative agency has always run Mac. A fintech acquires a smaller company and inherits their Windows estate. A new operations director joins from a Windows-first business and their team follows.

Whatever the reason, the outcome is the same: two platforms, one IT team, one security posture to maintain.

The good news is that this is now one of the most common IT scenarios in UK businesses. The tools, the processes and the expertise to manage it well are mature and widely available.

The MacBook Neo is changing the conversation about cost

For years, the most common objection to introducing Macs in business was straightforward: they cost too much. A MacBook Air started at £999. Windows laptops at a similar spec could be had for £400 to £600. For finance teams managing device budgets across dozens of employees, that gap was hard to justify.

That changed in March 2026 when Apple launched the MacBook Neo – the company’s most affordable laptop ever, starting at $599. In the UK that lands at approximately £480, putting a genuine MacBook within reach of the same budget brackets that previously defaulted to Windows.

The Neo runs the full macOS operating system found across Apple’s entire laptop lineup, powered by the A18 Pro chip, the same family of silicon that powers the iPhone 16 Pro. Apple says it can run AI tasks up to three times faster than comparable PC laptops at the same price point.

The technology press has called it the “Mac for the masses” and a “near perfect starter Mac.” For businesses considering introducing Macs for the first time or expanding their Apple fleet to cover roles that previously defaulted to Windows out of budget constraints, the Neo removes the most cited barrier to doing so.

It is worth being clear about what the Neo is and what it is not. The base model comes with 8GB of unified memory and 256GB of storage, with no backlit keyboard. For knowledge workers running Microsoft 365, Google Workspace, Slack and browser-based tools day to day, that specification is more than sufficient. For developers running resource-intensive local environments or engineers with heavy computational needs, the MacBook Air M5 or MacBook Pro remains the right choice.

The practical implication for IT and business decision-makers is this: the cost argument against Mac has largely gone. A mixed fleet where developers and power users get MacBook Pros, general knowledge workers get MacBook Neos, and Windows-dependent roles stay on Windows is now financially viable in a way it was not twelve months ago.

Explore the MacBook Neo on Apple’s website

The myth that Mac and Windows cannot coexist

The idea that mixing Mac and Windows creates unmanageable complexity dates back to a time when Mac management genuinely was difficult. Active Directory did not support Macs natively. File sharing across platforms was unreliable. Security tooling was Windows-first and treated Macs as an afterthought.

None of that is true in 2026.

Modern cloud-first identity providers like Okta and Microsoft Entra ID manage users across both platforms from a single console. Microsoft 365 and Google Workspace run on Mac and Windows alike. Most business applications, CRM, HR, finance, collaboration tools, are browser-based or have native apps on both platforms.

The platforms are different under the hood. But from a user experience and IT management perspective, the gap between Mac and Windows has never been smaller.

What actually needs to be managed differently

Where Mac and Windows genuinely diverge is in device management. The two platforms use fundamentally different approaches and understanding this is key to running a mixed environment well.

Windows has traditionally relied on Active Directory and Group Policy, and increasingly relies on Microsoft Entra ID and Intune, to push configurations, enforce policies and manage updates. Mac uses Apple Business Manager, configuration profiles and MDM to do the same job. The outcome is identical, IT control over the device, but the mechanism is different.

This means a business running a mixed fleet needs a management approach that handles both properly. The worst outcome is treating Mac as a secondary platform and applying Windows management logic to it. Generic IT providers often make this mistake, which is why Mac devices in mixed environments frequently end up under-managed, with gaps in security policy enforcement and update compliance.

How well-run businesses manage Mac and Windows together

The businesses that manage mixed fleets effectively share a few common characteristics:

1. They use a cloud identity provider as the single source of truth

Okta or Microsoft Entra ID sits at the centre, managing user identities across both platforms. When a new employee joins, their account is provisioned once and works on both Mac and Windows. When they leave, access is revoked everywhere simultaneously. The platform does not matter, the identity layer handles both.

2. They use the right MDM tool for each platform

Rather than forcing one tool to do everything badly, they use Jamf Pro or Iru for Mac management and Microsoft Intune for Windows. Both platforms are managed with specialist tools. Policies, security configurations and compliance reporting flow from each tool into a unified view.

3. They treat compliance as platform-agnostic

Frameworks like Cyber Essentials or ISO 27001 do not differentiate between Mac and Windows. For Cyber Essentials, all devices in scope must meet the same five controls: patching, access control, malware protection, firewalls and secure configuration. In a mixed fleet, both platforms need to be assessed and maintained against those controls. Businesses that do this well have a single compliance posture covering the whole fleet rather than two separate processes running in parallel.

4. They standardise on cloud-first applications

When the business runs on Microsoft 365 or Google Workspace, the operating system becomes largely irrelevant for day-to-day work. Documents, email, calendar, collaboration tools, all of it works the same on Mac and Windows. This removes the most common source of cross-platform friction for employees.

The business case for embracing Mac alongside Windows

Beyond managing the complexity, there is a genuine business case for running Mac in a mixed environment rather than resisting it.

Talent is the most immediate argument. 72% of employees prefer Mac when given a choice in enterprise environments. For businesses competing for developers, designers and technical talent, restricting device choice is a recruitment disadvantage. Offering Mac as an option is increasingly table stakes in the UK tech sector.

Support costs are the second argument. Mac fleets generate 60% fewer support tickets per device annually compared to Windows, and IT teams can manage twice as many Macs per FTE as Windows devices. In a mixed fleet, every Mac added is a device that requires less reactive support.

Security is the third. Enterprises using Mac fleets see up to 65% fewer successful cyber attacks than mixed environments managed poorly, and Mac provisioning takes five minutes versus sixty minutes for Windows devices. With zero-touch deployment through Apple Business Manager, new Macs arrive configured, enrolled and compliant before the employee opens the box.

The IBM story – what happened when a 400,000-person business went Mac

If you want to understand what introducing Macs into a large business actually looks like in practice, the most cited and best documented example is IBM.

In 2015, IBM launched its Mac@IBM programme – an employee choice initiative that let staff select a Mac instead of a Windows PC. IBM was deploying 1,900 Mac devices per week, supported by just 24 help desk staff members, one support person for every 5,400 Mac users. Only 5% of Mac users called the help desk for assistance, compared to 40% of PC users.

The numbers that followed are the ones that get cited most often in IT circles. IBM found it could save between $265 and $535 per Mac versus a comparable PC over a four-year lifespan. With 90,000 Macs deployed and adding 1,300 more per month, that added up to more than $26 million in projected savings over four years.

By 2018, IBM was managing 277,000 Apple devices with just 78 IT staff members. Seven engineers supported 200,000 Macs, compared to 20 engineers required to support an equivalent number of Windows devices. That is a 186% increase in support engineering needed for Windows.

The compliance and security picture was similarly compelling. In 2015 alone, Windows 7 required 135 major critical patches versus 31 on Mac, meaning IBM had to manage the Mac environment 104 fewer times per year for security patches alone.

Beyond the cost and IT overhead numbers, IBM’s research revealed something that resonated across the business beyond IT: Mac-using employees were 22% more likely to exceed expectations in performance reviews compared to Windows users, and were 17% less likely to leave IBM.

IBM’s CIO Fletcher Previn put it plainly: “When did it become acceptable to live like the Jetsons at home but the Flintstones at work?”

IBM is an extreme case; very few UK businesses are managing 290,000 devices. But the principles hold at any scale. Fewer support tickets per Mac, lower IT overhead per device, faster patching cycles and higher employee satisfaction are outcomes that show up consistently whether you are running 20 Macs or 20,000.

The question is not whether Macs can work in your business. IBM answered that definitively a decade ago. The question is how to introduce them well, with the right Apple MDM setup, the right compliance posture and the right support structure from day one.

The one thing that makes or breaks a mixed environment

Everything above works when one condition is met: your IT team or IT partner has genuine expertise in both platforms.

This is where most mixed environments fall down. A Windows-first IT provider will manage Mac as a secondary concern. Apple-specialist knowledge, such as how Apple Business Manager works, how to configure MDM profiles correctly and how to maintain Cyber Essentials compliance across an Apple fleet, does not come from general IT experience.

The businesses that run mixed Mac and Windows environments well typically either have an in-house IT team with dedicated Apple expertise, or they work with an Apple specialist who understands how to integrate with their existing Windows infrastructure.

Half-measures create the complexity that people mistakenly attribute to mixed fleets. The right setup removes it.

What to look for in an IT partner for a mixed environment

If you are considering introducing Macs alongside your existing Windows estate or if you already have a mixed fleet and it feels harder to manage than it should, here is what to look for in an IT partner:

Genuine Apple MDM experience, not just familiarity. Ask specifically about Apple Business Manager setup, zero-touch deployment and Cyber Essentials compliance across Apple fleets.

Windows integration capability. An Apple-only specialist who cannot integrate with your existing Intune or Active Directory environment will create a silo rather than a unified setup.

A clear approach to compliance across both platforms. Ask how they maintain Cyber Essentials controls on Mac and Windows simultaneously.

References from businesses running mixed environments. The practical challenges of managing both platforms are specific. An IT partner with relevant client experience will have solved them before.

Ready to bring Mac into your business?

Whether you are introducing your first Macs or trying to get better control of an existing mixed fleet, the starting point is a clear picture of your current setup and what needs to change.

We work with UK businesses running Mac and Windows together: managing Apple fleets, integrating with existing Windows infrastructure and keeping everything compliant. Book a free consultation with our team to talk through your environment and get practical recommendations.

Cyber Essentials Certification for UK Businesses in 2026: The Complete Guide – With a Focus on Apple Fleets

Introduction

Three weeks before your Cyber Essentials assessment, your IT Director gets a call from your assessor.

Microsoft 365 MFA works correctly. Your Macs are enrolled, patched and ready. Firewall policies are in place. You have done the work. You are confident.

Then the assessor asks about your project management tool. And your CRM. And the accounting platform your finance team has been using since 2023. Has your team enabled MFA controls on all of them?

You do not know. Nobody checked. Two of them offer MFA as a paid add-on and nobody ever switched it on. Under the rules that came into force on 27 April 2026, that is an automatic failure.

This is the new Cyber Essentials landscape. The five core controls have not changed. What has changed is how strictly assessors enforce them, how broadly the scheme defines scope, and where the new automatic failure points sit. Businesses that approach their 2026 renewal as a straightforward repeat of previous years will get a surprise.

This guide covers everything a UK business needs to know about Cyber Essentials in 2026. Whether you run a pure Apple fleet, a mixed Apple and Windows environment, or manage personal devices alongside company hardware, the same framework applies. We focus particularly on Apple fleets because that is where most generic Cyber Essentials advice falls short, but the principles here apply across your entire device estate.

What Is Cyber Essentials Certification?

The NCSC and IASME run Cyber Essentials, the UK government-backed certification scheme that verifies a business has the right technical controls in place. It certifies that a business has implemented five technical controls that defend against the most common cyber attacks. The scheme is not theoretical: it targets the attack methods that cause the majority of real-world incidents affecting UK businesses.

According to the NCSC’s 2025 Annual Review, 84% of UK cyber incidents affecting small and medium businesses involved at least one of three things: missing MFA, weak passwords or misconfigured cloud services. Cyber Essentials directly targets all three.

There are two levels of certification. Standard Cyber Essentials is a verified self-assessment. You complete a questionnaire confirming your controls are in place, an accredited assessor reviews it and IASME issues the certificate if you pass. Cyber Essentials Plus goes further. An independent assessor performs technical testing of your systems to verify the controls actually work as claimed, not just that you have documented them.

Both certifications last 12 months. You renew them annually.

Why Cyber Essentials Matters More Than Ever in 2026

Cyber Essentials certification has moved from a nice-to-have to a genuine business requirement for a growing number of UK organisations.

Government contracts and public sector frameworks require it as a minimum. An increasing number of enterprise supply chains now require suppliers to hold valid Cyber Essentials certification before procurement processes can progress. Cyber insurers are tightening underwriting requirements and many now require certification as a condition of cover or offer significantly better premiums to certified businesses. In fintech, legal, healthtech and other regulated sectors, clients and investors are asking for evidence of certification as part of due diligence.

UK organisations also experienced a 36% year-on-year increase in cyber attacks per week in 2025, compared to a global average of 9.8%. That context is not incidental. It is the reason the NCSC updated the standard.

The Five Core Controls: What They Require

The five controls have not changed in the April 2026 update. What has changed is the strictness of enforcement and the breadth of scope. Here is what each control requires, with specific guidance for Apple fleets and mixed environments.

Firewalls

Every device must have a properly configured firewall. On Apple, this means enforcing the macOS firewall through MDM configuration profiles rather than relying on users to enable it themselves. Devices connecting from home networks or public WiFi are in scope. The firewall must be active and configured correctly on every in-scope device, including remote and hybrid workers’ Macs.

On Windows, this means Windows Defender Firewall enforced via Group Policy or Intune. For mixed environments, you need to evidence both sets of controls — one policy covering Macs, a separate policy covering Windows devices. A single MDM platform like Microsoft Intune can manage both, though Apple-specific controls are less granular than on dedicated Apple MDM platforms.

Under v3.3, the scheme removes the terms “untrusted” and “user-initiated” as qualifiers for internet connections. Any device connected to the internet now falls in scope, regardless of how that connection starts. There is no longer a way to argue that a home-working Mac or Windows laptop falls outside the boundary.

Secure Configuration

Devices must be securely configured from day one. For Apple fleets this means enforcing FileVault encryption, screen lock timers, Gatekeeper settings to prevent installation of unverified software, and removal of unnecessary applications and services. These controls apply via MDM configuration profiles, not through guidance documents asking users to configure their own devices.

The NCSC’s macOS guidance is explicit: MDM is the mechanism for enforcing secure configuration at scale. A written policy is not a technical control. An MDM profile is.

On Windows, Intune or Group Policy with CIS or Microsoft Security Baseline templates handles secure configuration. For mixed environments the principle holds across both platforms: enforce configuration technically on every in-scope device rather than trusting users to do it themselves.

User Access Control

Only authorised users should access your systems and data. Under v3.3, this control now explicitly references passwordless authentication methods including passkeys and FIDO2 security keys as preferred alternatives to traditional passwords. For Apple fleets, this means Managed Apple Accounts configured correctly, admin rights restricted to those who genuinely need them, and identity provider integration (Okta, Microsoft Entra ID or Google Workspace) enforced via MDM.

Local administrator accounts on Macs are one of the most common reasons Apple-fleet businesses fail this control. Users running as local admins with no central oversight are not compliant. MDM-enforced standard user accounts with controlled escalation are.

In mixed environments, identity provider integration becomes even more important. Okta or Microsoft Entra ID as a single identity layer across both Apple and Windows devices ensures MFA and access controls are applied consistently regardless of which device an employee uses. Fragmented identity management (one policy for Windows, a different approach for Macs) is a common failure point in mixed-fleet assessments.

Malware Protection

Apple devices need active malware protection configured and verified, not just installed. macOS includes XProtect as a built-in malware detection layer but Cyber Essentials requires active protection that is demonstrably up to date and configured to scan files automatically. Most MDM platforms provide native visibility into XProtect events. For businesses pursuing Cyber Essentials Plus or operating in regulated sectors, a third-party endpoint detection and response solution such as CrowdStrike or SentinelOne provides deeper protection and better evidence for your assessor.

Windows 10 and 11 ship with Microsoft Defender, which meets the basic malware protection requirement when your team configures it correctly. For higher risk profiles or Cyber Essentials Plus, a more comprehensive EDR solution provides stronger assurance. For mixed environments, a unified EDR platform covering both Mac and Windows from a single console gives assessors the clearest evidence of consistent protection across the estate.

Patch Management

Keep all devices and software up to date at all times. Under v3.3, the 14-day patching requirement for high-risk and critical security updates has become an automatic failure point if not met. This is not new in principle, 14 days has been the standard for several versions. What is new is that failure to evidence it within 14 days now results in immediate failure rather than a warning with an opportunity to remediate.

For Apple fleets, this means OS updates and third-party application patches are enforced via MDM policies with documented enforcement timelines. Relying on users to update their own Macs cannot be evidenced. MDM-enforced update policies with compliance reporting can.

On Windows, Intune handles OS patching well through Windows Update for Business but has no native third-party app patching — a gap that requires additional tooling such as PatchMyPC. On Mac, dedicated Apple MDM platforms like Jamf and Iru handle both OS and third-party app patching natively, making the 14-day patching requirement significantly easier to evidence on Apple than on Windows-heavy Intune deployments.

What Changed in April 2026: The v3.3 Danzell Update

From 27 April 2026, all Cyber Essentials assessments use the new v3.3 requirements, known as the Danzell question set. Any assessment account your team creates on or after that date runs against these updated standards. Accounts created before the deadline continue under the previous version for up to six months.

The five core controls remain unchanged. What v3.3 changes is how strictly assessors enforce the controls, where the new automatic failure points sit and how broadly the scheme defines scope. These are the changes that matter most for UK businesses.

MFA Is Now an Automatic Failure Point

Under previous versions, if a cloud service offered MFA and you had not enabled it, you received a major non-compliance warning but could still pass. Under v3.3 that changes entirely. If any cloud service your business uses offers MFA, whether free, included in the subscription or available as a paid add-on, and you have not enabled it, your assessment fails automatically.

This applies to every cloud service your business uses. Microsoft 365. Google Workspace. Your CRM, accounting platform, project management tool and so on. Any SaaS application that stores or processes company data and offers MFA as an option is in scope. Cost is not an acceptable justification for not enabling it.

For Apple fleets this means identity provider integration via MDM is no longer optional for Cyber Essentials purposes. Your team needs to enforce Okta, Microsoft Entra ID or Google Workspace MFA across all user accounts, not just administrator accounts.

Cloud Services Cannot Be Excluded From Scope

Under previous versions, businesses could argue that certain cloud services sat outside scope because they had segregated them from the main environment. Under v3.3 that argument no longer holds. Businesses need clear justification and credible evidence of proper segregation to exclude anything and most cannot provide it.

Any cloud service that stores or processes business data is in scope. This includes productivity suites, CRM platforms, accounting systems, HR software, project management tools and file sharing services. If company data touches it, it is in scope. For many UK businesses this will significantly expand their certification footprint compared to previous years.

14-Day Patching Is Now an Auto-Fail

Two patching questions have moved to automatic failure status under v3.3. If high-risk or critical security updates are not applied across your entire device estate within 14 days of release, your assessment fails immediately. Previously this was a major non-compliance with the ability to remediate. Under v3.3 it is an outright failure.

For Apple fleets this means MDM-enforced OS update policies with documented enforcement timelines are essential, not just good practice. For Windows devices, Windows Update for Business must be configured with 14-day enforcement timelines and third-party app patching must be handled through a supplementary tool. Relying on users to update their own devices on either platform does not meet this requirement.

BYOD Controls Are Tighter

v3.3 tightens BYOD requirements significantly. If personal devices access organisational data, they must either meet the full Cyber Essentials technical controls or access must be limited to a managed, sandboxed environment such as a virtual desktop or managed mobile application container. Simply having a BYOD policy document is no longer sufficient. The technical controls must be demonstrable to your assessor.

For businesses with employees checking work email or Slack on personal iPhones, this is a significant change. MDM enrolment for personal devices through a proper BYOD programme is the correct technical response.

Remediation Must Now Be Estate-Wide

Under v3.3, if a vulnerability or control gap is identified during a Cyber Essentials Plus assessment, remediation must be applied across the entire device estate, not just the sampled devices that were tested. This closes a loophole where businesses would fix issues on the specific devices being assessed while leaving the same issues unaddressed elsewhere. For both Apple and Windows fleet managers this means MDM compliance reporting across every enrolled device is no longer optional; it is the evidence base your assessor will expect.

Where Most UK Businesses Fail, Especially Those Running Apple Fleets

We have helped businesses including Revolut and Kroo navigate their compliance and security challenges. These are the failure points we see most consistently.

Mixed fleet with inconsistent controls.
Windows devices managed through Intune and Group Policy, Macs treated as a separate and often less governed estate. Assessors look at every in-scope device. If your Mac controls do not match the rigour of your Windows controls, that gap is visible and will be challenged.

Personal devices that nobody mapped.
The most common reason UK scale-ups fail their first assessment. Employees have been checking work email on personal iPhones for two years. Nobody formally enrolled those devices or included them in scope. Under v3.3, personal devices accessing company data are in scope, with no exceptions.

Local administrator accounts on Macs.
Developers and power users running as local admins on their Macs with no central oversight. This fails the user access control requirement. MDM-enforced standard user accounts with controlled escalation are the fix.

MFA gaps on secondary cloud services.
Microsoft 365 MFA is enabled. But the CRM, the accounting platform and the project management tool were not audited. Under v3.3 each of those is an automatic failure point if MFA is not enabled.

Patch management that relies on users.
Macs configured to prompt users to update rather than enforce updates through MDM. Windows devices relying on manual patching or user-initiated updates. Assessors ask for evidence of patching within 14 days. Self-reported compliance from users is not evidence. MDM compliance reports are.

Outdated or unsupported OS versions.
Devices running macOS or Windows versions that are no longer receiving security patches. Fleet visibility via MDM is the only reliable way to identify and remediate these before assessment.

Scope defined too narrowly.
Attempting to exclude cloud services that are actively used by the business. Under v3.3 assessors are specifically looking for this and it is a straightforward route to failure.

How MDM Connects to Cyber Essentials on Apple and Windows

Cyber Essentials does not mandate MDM. But for any business managing more than a handful of devices, MDM is the only realistic way to evidence the controls your assessor requires.

On Windows, Microsoft Intune is the most common MDM platform and handles OS update management and configuration profiles well. However, Intune has no native third-party app patching, and Mac-specific controls in Intune are less granular and slower to update than dedicated Apple MDM platforms. For businesses running a mixed fleet, many choose Intune for Windows management and a dedicated Apple MDM platform for Macs, accepting some tool overlap in exchange for stronger Apple coverage.

Here is how MDM maps directly to each of the five controls:

Firewalls – MDM configuration profiles enforce the macOS firewall and Windows Defender Firewall on every enrolled device. You can evidence this from your MDM compliance dashboard without asking individual users.

Secure Configuration – MDM profiles apply FileVault or BitLocker encryption, screen lock timers, Gatekeeper settings and restricted app installation across the fleet. CIS Level 1 benchmark templates in platforms like Jamf and Iru apply dozens of secure configuration controls in a single Apple profile. Microsoft Security Baseline templates do the same on Windows via Intune.

User Access Control – MDM integration with your identity provider enforces MFA, manages accounts and restricts local administrator access across both Mac and Windows. A unified identity layer via Okta or Microsoft Entra ID means access controls are enforced technically and consistently across your entire estate.

Malware Protection – MDM provides visibility into protection status across the fleet and enables deployment of third-party EDR solutions to every enrolled device regardless of platform.

Patch Management – MDM enforces OS update policies with defined timelines and generates compliance reports showing which devices are patched and which are not. On Mac, platforms like Jamf and Iru also handle third-party app patching natively. On Windows, a supplementary patching tool is required alongside Intune.

For the BYOD controls under v3.3, MDM enrolment for personal devices through a properly configured BYOD programme is the technical mechanism that allows you to evidence compliance on personal devices without accessing personal data.

Cyber Essentials vs Cyber Essentials Plus: Which Do You Need?

The right choice depends on your client requirements, sector and risk profile.

Standard Cyber Essentials is the minimum required for most government contracts and supply chain requirements. It is a self-assessment verified by an accredited assessor. The process is faster and the cost is lower, typically from around £300 for the assessment fee. For businesses working toward certification for the first time or renewing in a relatively stable environment, standard Cyber Essentials is usually the right starting point.

Cyber Essentials Plus requires an independent assessor to perform technical testing of your systems. It carries significantly more weight with regulated clients, enterprise procurement teams and cyber insurers. Under the v3.3 update, Plus assessors will now test MFA enforcement, endpoint configuration and vulnerability remediation more rigorously across both Apple and Windows devices. Assessment fees typically start from around £1,500 and vary by organisation size.

Increasingly, public sector contracts and larger enterprise supply chains require Cyber Essentials Plus rather than standard certification. If you are planning to bid for government frameworks or supply large enterprise clients in financial services, legal or healthcare, pursuing Plus from the outset avoids having to repeat the process at a later stage.

How to Prepare: A Practical Checklist

Work through this list before creating your assessment account.

MDM and device management – Apple:

  • Every Mac enrolled in MDM with active MDM profile
  • MDM configuration profiles applying CIS Level 1 baseline as a minimum
  • FileVault enforced on all enrolled Macs
  • Screen lock timer set to 10 minutes or less
  • Gatekeeper set to hard enforcement
  • All users running as standard accounts, not local admins
  • Admin access granted only to named individuals with documented justification

MDM and device management – Windows:

  • Windows devices enrolled in Intune or equivalent MDM
  • Windows Defender Firewall enforced via policy
  • BitLocker encryption enforced on all Windows laptops
  • CIS or Microsoft Security Baseline applied
  • Local administrator accounts restricted

Patch management:

  • OS update enforcement policies active via MDM on all devices
  • Documented process for applying critical patches within 14 days
  • MDM compliance report showing patch status across all enrolled devices
  • Third-party application patching in place on both Mac and Windows – not reliant on user action
  • No devices running unsupported OS versions on either platform

MFA and identity:

  • MFA enabled on Microsoft 365 or Google Workspace for all users
  • MFA enabled on every cloud service that offers it – CRM, accounting, HR, project management
  • Identity provider integrated with MDM for consistent enforcement across Mac and Windows
  • No MFA exceptions for any user account

Cloud services and scope:

  • Full audit of cloud services that store or process company data
  • All identified services included in certification scope
  • Shared responsibility understood for each cloud platform
  • No cloud services excluded without documented segregation evidence

BYOD and personal devices:

  • Personal devices accessing company data enrolled in MDM under BYOD programme
  • BYOD MDM profile applied covering passcode, encryption and OS update requirements
  • Personal devices included in certification scope
  • Offboarding process confirmed for personal device unenrolment

Malware protection:

  • Active malware protection deployed and verified on all devices
  • MDM providing visibility into protection status across the fleet
  • Third-party EDR solution deployed for businesses pursuing Plus or operating in regulated sectors
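A readiness check that applies the v3.3 automatic failure points (MFA on every in-scope cloud service, the 14-day patching window, unsupported OS versions) and the Apple, Windows, patching, MFA and scope items of this checklist to an estate-wide export rather than a sample. This is an added example, not the guide's or any MDM vendor's code; the record fields, the supported-OS set and the sample fleet are constructed assumptions, not a real Jamf, Iru or Intune export format.

```python
"""Cyber Essentials v3.3 readiness check over an MDM export and a cloud-service
inventory (added example). All records below are constructed sample data and the
field names are assumptions, not a real Jamf, Iru or Intune export format."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

PATCH_WINDOW_DAYS = 14        # v3.3 auto-fail: critical patches within 14 days of release
MAX_SCREEN_LOCK_MINUTES = 10  # checklist: screen lock at 10 minutes or less
# Assumed set of OS versions still receiving security patches (constructed, not a vendor table)
SUPPORTED_OS = {"macOS": {"15", "14", "13"}, "Windows": {"11", "10"}}

@dataclass
class Device:
    name: str
    platform: str                    # "macOS" or "Windows"
    os_major: str
    mdm_enrolled: bool
    firewall_on: bool
    disk_encrypted: bool             # FileVault on Mac, BitLocker on Windows
    gatekeeper_on: bool              # macOS only; ignored on Windows
    screen_lock_minutes: int
    user_is_local_admin: bool
    critical_patch_released: date    # release date of the newest critical update
    critical_patch_applied: date | None   # None = still outstanding

@dataclass
class CloudService:
    name: str
    stores_company_data: bool        # if company data touches it, it is in scope
    mfa_available: bool              # free, bundled or paid add-on all count
    mfa_enabled: bool

@dataclass
class Finding:
    subject: str
    control: str
    detail: str
    auto_fail: bool                  # True = outright failure under v3.3

def check_device(d: Device, today: date) -> list[Finding]:
    """Every gap on one device. Unsupported OS and missed patching are auto-fails."""
    f: list[Finding] = []
    if not d.mdm_enrolled:
        f.append(Finding(d.name, "Scope", "not enrolled in MDM, so nothing can be evidenced", False))
    if not d.firewall_on:
        f.append(Finding(d.name, "Firewalls", "host firewall not enforced", False))
    if not d.disk_encrypted:
        f.append(Finding(d.name, "Secure Configuration", "disk encryption not enforced", False))
    if d.platform == "macOS" and not d.gatekeeper_on:
        f.append(Finding(d.name, "Secure Configuration", "Gatekeeper not enforced", False))
    if d.screen_lock_minutes > MAX_SCREEN_LOCK_MINUTES:
        f.append(Finding(d.name, "Secure Configuration",
                         f"screen lock {d.screen_lock_minutes} min exceeds {MAX_SCREEN_LOCK_MINUTES}", False))
    if d.user_is_local_admin:
        f.append(Finding(d.name, "User Access Control", "user runs as a local administrator", False))
    if d.os_major not in SUPPORTED_OS.get(d.platform, set()):
        f.append(Finding(d.name, "Patch Management", f"{d.platform} {d.os_major} no longer patched", True))
    # The window runs from release, so an outstanding patch fails once 14 days have passed
    if d.critical_patch_applied is None:
        outstanding = (today - d.critical_patch_released).days
        if outstanding > PATCH_WINDOW_DAYS:
            f.append(Finding(d.name, "Patch Management", f"critical patch outstanding {outstanding} days", True))
    elif (d.critical_patch_applied - d.critical_patch_released).days > PATCH_WINDOW_DAYS:
        f.append(Finding(d.name, "Patch Management", "critical patch applied outside the 14-day window", True))
    return f

def check_cloud_service(s: CloudService) -> list[Finding]:
    """v3.3: an in-scope service that offers MFA but does not have it enabled is an auto-fail."""
    if s.stores_company_data and s.mfa_available and not s.mfa_enabled:
        return [Finding(s.name, "User Access Control", "MFA offered but not enabled", True)]
    return []

def readiness_report(devices: list[Device], services: list[CloudService], today: date) -> dict:
    """Estate-wide evaluation: every device and every service, never a sample."""
    findings: list[Finding] = []
    for d in devices:
        findings.extend(check_device(d, today))
    for s in services:
        findings.extend(check_cloud_service(s))
    return {"auto_fail": any(x.auto_fail for x in findings), "findings": findings}

ASSESSMENT_DATE = date(2026, 5, 20)   # constructed
PATCH = date(2026, 5, 1)              # constructed release date of a critical update
SAMPLE_DEVICES = [  # constructed sample fleet
    Device("mac-01", "macOS", "15", True, True, True, True, 5, False, PATCH, date(2026, 5, 4)),
    Device("mac-02", "macOS", "15", True, False, True, True, 15, True, PATCH, None),
    Device("win-01", "Windows", "10", True, True, True, False, 10, False, PATCH, date(2026, 5, 18)),
    Device("mac-03", "macOS", "12", True, True, True, True, 5, False, PATCH, date(2026, 5, 2)),
]
SAMPLE_SERVICES = [  # constructed inventory; the accounting tool offers MFA only as a paid add-on
    CloudService("Microsoft 365", True, True, True),
    CloudService("CRM", True, True, False),
    CloudService("Accounting platform", True, True, False),
    CloudService("Marketing analytics", False, True, False),
]

if __name__ == "__main__":
    for x in readiness_report(SAMPLE_DEVICES, SAMPLE_SERVICES, ASSESSMENT_DATE)["findings"]:
        print("AUTO-FAIL" if x.auto_fail else "gap", x.subject, x.control, x.detail, sep=" | ")
```

On the sample fleet, mac-02 shows three non-fatal configuration gaps plus an outstanding critical patch, while win-01, mac-03, the CRM and the accounting platform each trigger an automatic failure.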

Cyber Essentials and ISO 27001: How They Fit Together

They are separate frameworks with different scopes and different purposes, but they are complementary rather than competing.

Cyber Essentials focuses on five specific technical controls and is assessed against a defined checklist. ISO 27001 is a broader information security management standard covering people, processes and technology across the entire organisation. It requires a documented information security management system, a formal risk assessment process and ongoing management review.

For most growing UK businesses, Cyber Essentials is the right first step. It is faster to achieve, has a lower cost of entry and satisfies most immediate client and contract requirements. ISO 27001 becomes the natural progression as the business matures, takes on larger enterprise clients or enters regulated markets that require a more comprehensive assurance framework.

nDuo implements both. We build Cyber Essentials alignment into every MDM engagement from day one, with the ISO 27001 progression in mind from the outset. The device security controls that satisfy Cyber Essentials are the same controls that form the endpoint security component of an ISO 27001 programme. Getting them right once means you are not rebuilding from scratch when your compliance requirements grow.

Why Apple-Specific Expertise Matters for Cyber Essentials

Most Cyber Essentials consultants come from a Windows background. They are comfortable with Group Policy, Intune and Windows Defender. For businesses running purely Windows estates, that expertise is sufficient. But for businesses running Apple fleets, whether Apple-only or mixed Apple and Windows, the gaps in Apple-specific knowledge frequently cause problems that a Windows-focused consultant will not anticipate.

The result is that Apple-first businesses frequently receive generic advice that does not map correctly to their actual environment. Controls are implemented in ways that satisfy a Windows-focused assessor but leave genuine gaps on the Mac side. Or MDM is configured correctly but the compliance reporting structure does not produce the evidence format the assessor expects.

nDuo holds Cyber Essentials certification ourselves. We are an Apple Premium Technical Partner with Apple MDM expertise across Jamf Pro, Iru (formerly Kandji) and Microsoft Intune. We have guided businesses including Revolut and Kroo through Cyber Essentials certification and we build compliance alignment into every MDM deployment from day one.

If your team runs Apple devices, whether as your primary platform or alongside Windows, the difference between generic IT advice and Apple-specific expertise is frequently the difference between passing first time and needing to remediate and resubmit.

Get a Free Cyber Essentials Readiness Review

If you are working toward Cyber Essentials certification, renewing under the new v3.3 requirements, or simply not sure where your current device estate stands against the standard, we offer a free readiness review.

We will assess your current MDM configuration, device compliance posture and cloud service scope against the five Cyber Essentials controls and the v3.3 changes, and give you a clear picture of what needs to change before you create your assessment account. Whether you run a pure Apple fleet, a mixed environment or a BYOD programme, we will give you a straight answer on where you stand.

No jargon. No obligation. Just an honest assessment from a team that has done this for Apple fleets and mixed environments across UK fintech, scale-ups and regulated businesses.

Explore our Cyber Essentials service or book a free readiness review with our team today.

Which Apple MDM Is Right for Your UK Business in 2026?

Jamf vs Intune vs Iru (Kandji) vs FleetDM vs Apple Business MDM: Which Is Right for Your UK Business in 2026?

Introduction

Picture this. Your IT Director sits down to do an Apple MDM comparison. She opens five browser tabs. One for Jamf. One for Intune. One for something called Iru that used to be called Kandji. One for FleetDM, which someone on the engineering team swears by. And one for Apple Business, which apparently now includes free MDM built in.

Three hours later, she is more confused than when she started.

Every vendor claims to be the best. Every comparison article was written by someone trying to sell you something. And nobody is being straight about what each platform actually cannot do.

This guide is different. We are a vendor-neutral Apple MDM specialist. We implement and manage all five platforms covered here for UK businesses on a regular basis. Our job is to put you on the right platform for your specific situation, not the one we prefer.

If you are new to MDM and want to understand the basics first, read our guide on what MDM is and how it works before coming back here.
If you are ready to compare, read on.

Apple MDM Comparison: The Five Platforms at a Glance

Feature | Apple Business | Jamf for Mac | Iru (Kandji) | MS Intune | FleetDM
Price | Free | From £10/device/mo | £3–£7/device/mo | Included in M365 or £6/user/mo | Free or £6/host/mo
Best for | Small teams, no IT resource | Large enterprise Apple fleets | Growing teams, compliance | Mixed Windows and Apple | Engineering-led, Linux included
Apple-first? | | | | |
Cross-platform? | | Limited | Expanding | |
Zero-touch | | | | |
Cyber Essentials | | | | |
Compliance reporting | | | | |
3rd party security | | CrowdStrike, SentinelOne | CrowdStrike, Okta, Vanta | Defender | Splunk, Elastic
Automated patching | Basic | Advanced (policy-based, CVE-triggered) | Advanced (300+ apps, Mac and Windows) | OS only. No native 3rd party patching | ~50 app catalog. Munki needed for enterprise
BYOD support | | | | |
Linux support | | | | |
Open source | | | | |
Setup complexity | Low | High | Low–medium | Medium–high | High
Support quality | Apple standard | Good | Excellent (<2 min chat) | Poor (widely reported) | Community + paid
Ideal fleet size | 1–25 devices | 50+ devices | 25–500+ devices | Any (mixed) | Any (technical)
Free trial | N/A | 14 days | 14 days | 30 days | Permanent free tier

Apple Business MDM: The Free Option That Launched in April 2026

What it is

Apple Business launched in the UK on 14 April 2026, replacing Apple Business Manager, Apple Business Essentials and Apple Business Connect. For the first time, Apple includes built-in device management natively, at no cost. Zero-touch deployment via Blueprints, app distribution, passcode enforcement and basic security policies are all included.

The real-life scenario where it works

You are a 12-person startup. Everyone uses a Mac. You have no dedicated IT person. You want devices enrolled and basic security policies in place before your first SOC 2 audit. Apple Business MDM gets you there for free, in an afternoon.

What it does well

Zero-touch deployment is genuinely impressive. A new Mac arrives, the employee unpacks it, it configures itself. App distribution works cleanly. Managed Apple Accounts keep work and personal data separate. For a business with a simple, Apple-only fleet and no complex compliance requirements, it covers the fundamentals competently.

Where it falls short

Apple designed this for businesses without dedicated IT resources. Once your compliance requirements mature, it hits clear limits fast.

There are no compliance reports for Cyber Essentials or ISO 27001. Third-party security integrations such as CrowdStrike or SentinelOne are not supported. Scripting and automation at scale are beyond its capabilities. Android, BYOD management and advanced patch management are simply not part of what Apple designed this platform to do. And the companion employee app requires iOS 26, iPadOS 26 and macOS 26, none of which have launched yet.

What real users complain about: The lack of granular reporting is the most common complaint from businesses that outgrow it. There is no audit trail that satisfies Cyber Essentials assessors.

The verdict

Apple Business MDM is the right starting point for early-stage businesses with simple Apple-only fleets and no regulated data. For anyone preparing for Cyber Essentials, ISO 27001, or managing a fleet of more than 25 devices with any complexity, it is the foundation, not the solution.

Jamf Pro: The Industry Standard for Apple. Now with a simpler entry point

What it is

Jamf has been the go-to Apple MDM platform for over two decades. In 2026 Jamf restructured its product offering significantly to address one of its biggest criticisms: complexity. The result is two important additions that change how businesses buy and use Jamf.

Jamf for Mac

Jamf for Mac is a new all-in-one bundle that combines Jamf Pro (device management), Jamf Connect (identity and access management) and Jamf Protect (endpoint security) into a single subscription at approximately £10 per Mac per month. Previously these three products had to be purchased and configured separately. The bundle removes that complexity and gives businesses a complete Mac management and security stack in one package.

Jamf Elevate

Jamf Elevate is a new unified management and security dashboard designed specifically for small and medium-sized businesses. Jamf offers it free of charge to qualifying SMBs. It is Jamf’s direct response to the criticism that Jamf Pro is too complex for smaller IT teams, providing a simplified interface on top of the same underlying platform.

The real-life scenario where it works

You are the IT Director at a 200-person fintech in London. You manage a global Apple fleet across three offices, you are working toward ISO 27001 certification and your security team has mandated CIS Level 1 benchmarks as the baseline across every endpoint, with CrowdStrike on every Mac. Your engineers run custom scripts to automate onboarding. Your auditor needs compliance reports that show exactly which devices are patched, encrypted and policy-compliant at any given moment.

This is the environment Jamf Pro was built for. But a Jamf deployment at this level is not something you configure in a weekend. Getting Smart Groups, policies, Jamf Protect and Jamf Connect working together correctly, integrated with your identity provider and mapped to your compliance framework, requires deep platform knowledge. Done well it is transformative. Done poorly it becomes the reason IT teams firefight all the time and then look for a new solution.

nDuo implements and manages Jamf Pro for clients at exactly this scale. We handle the configuration, the compliance mapping and the ongoing management so your IT team gets the power of Jamf without the overhead of becoming Jamf experts themselves.

What it does well

The depth of configuration is unmatched. Jamf Pro supports hundreds of granular configuration profiles, advanced patch management, full CIS benchmark enforcement and integrations with CrowdStrike, SentinelOne, Microsoft Defender and dozens of other security tools. Compliance reporting is detailed and audit-ready. Every new Apple OS feature lands in Jamf on day one.

Jamf Protect, included in the Jamf for Mac bundle, adds Mac-native endpoint detection and response, threat prevention, CVE-triggered automatic remediation and SIEM integration. For regulated industries this is a significant capability.

The Jamf for Mac bundle makes the full stack accessible at a predictable per-device price rather than requiring three separate negotiations.

Where it falls short

Cost remains the most consistent complaint even with the new bundle. At approximately £10 per Mac per month for the full bundle, a 100-device fleet costs around £1,000 per month before implementation or support costs. Volume discounts are negotiable but the 25-device minimum and annual billing commitment are fixed.

The underlying complexity of Jamf Pro has not gone away. Jamf Elevate simplifies the experience for SMBs but advanced configurations still require expertise. Some users consistently report that standard functions require scripting and workarounds that feel unnecessary compared to other MDM platforms. The learning curve for new administrators is steep.

Jamf does not have strong cross-platform support. Android support has been introduced recently but Apple remains the core focus.

The verdict

Jamf Pro remains the right choice for larger Apple fleets with complex compliance requirements and regulated industries. The Jamf for Mac bundle makes the full stack more accessible. Jamf Elevate is worth exploring for SMBs who want Jamf’s platform without the administrative overhead.

Iru (Formerly Kandji)

What it is

Iru was Kandji until October 2025. The rebrand reflects a broader ambition: Iru is expanding from Apple-focused MDM into a full AI-powered platform covering identity and access, endpoint security and compliance automation across Apple, Windows and Android. The MDM core remains Apple-first and mature, with Windows and Android support expanding rapidly.

The real-life scenario where it works

You are a 60-person business. You have Apple Business MDM in place but you are three weeks from your Cyber Essentials audit and you have just discovered personal devices are in scope, your compliance reporting is non-existent and your patch management cannot be evidenced to an assessor. Your IT team of two is already stretched. You need a platform that handles the heavy lifting, and a partner who can configure it correctly from day one.

Iru is the platform we commonly recommend in this situation. But the platform alone does not get you audit-ready. The configuration, policy design, compliance mapping and ongoing management is where nDuo’s involvement makes the difference between passing your assessment and failing it.

What it does well

The interface is where Iru consistently outperforms other MDMs in user reviews. Setup is smooth, the admin console is cleaner, and common tasks that require scripting in other platforms are handled natively in Iru. The Auto Apps library now covers over 300 Mac and Windows applications with automated patching that requires no manual package management. Zero-touch deployment works reliably out of the box most of the time.

Third-party security integrations have expanded significantly since the Iru rebrand. The platform now integrates with CrowdStrike, SentinelOne, Okta, Microsoft Entra ID, Google Workspace and major compliance frameworks including Vanta, Drata, Sprinto and Secureframe.

Customer support is consistently praised across hundreds of reviews, with live chat responses typically under two minutes. For IT teams without deep MDM expertise, this matters enormously.

Where it falls short

Pricing is not published and minimum contract tiers can make it expensive for very small teams. Some users report rigid pricing structures with no flexibility for SMEs. Windows and Android support is maturing but not yet at parity with Apple management. If you have a genuinely mixed fleet with heavy Windows requirements, Intune is probably still the safer choice.

The verdict

Iru is the right choice for Apple-first teams that want enterprise compliance and automation with simplicity. It is particularly well suited to smaller teams in regulated markets and tech that need Cyber Essentials or SOC 2 readiness without a large IT team. The platform handles the heavy lifting well. Getting the configuration, compliance mapping and policy design right from day one is where having the right implementation partner turns a good platform into a great outcome.

Microsoft Intune: Potentially the right answer if you are already in Microsoft

What it is

Microsoft Intune is a cloud-based endpoint management platform built for mixed environments. It manages Windows, macOS, iOS, iPadOS and Android from a single console. For businesses already running Microsoft 365, it is often already included in their licence at no extra cost.

The real-life scenario where it works

You are the IT Manager at a 150-person professional services firm. Half your team uses MacBooks, half uses Windows laptops, and everyone is in Microsoft 365 Business Premium. You already pay for Intune. Your Mac requirements are straightforward: devices enrolled, basic security policies applied, OS updates managed. No complex compliance framework, no CIS benchmarks, no scripting requirements. Using a second dedicated MDM platform purely for basic Mac management would double your complexity and cost for capabilities you do not yet need. For this specific situation, Intune gets the job done.

The moment your Mac requirements grow beyond the basics, however, Intune starts to show its limitations. No native third-party app patching, Apple features that lag behind dedicated platforms, and an interface that was built for Windows first. At that point a conversation about a dedicated Apple MDM platform becomes worthwhile.

What it does well

If your organisation is deeply embedded in the Microsoft ecosystem, Intune is the natural choice. Integration with Microsoft Entra ID for conditional access, Microsoft Defender for endpoint security and the broader Microsoft 365 suite is seamless. For mixed Apple and Windows environments, Intune reduces tool sprawl significantly.

The fact that Intune is included in Microsoft 365 Business Premium, E3 and E5 means many businesses are already paying for it. For OS update management on both Windows and macOS, Intune works, more or less, via Windows Update for Business and Apple MDM protocols respectively.

Where it falls short

Third-party app patching is the biggest gap. Intune has no native support for patching non-Microsoft third-party applications. Chrome, Slack, Zoom, Adobe and anything else outside the Microsoft Store requires manual packaging, custom scripts or a third-party tool like PatchMyPC. For businesses with a large and varied software estate, this is a significant operational burden.

Apple-specific features consistently lag behind dedicated Apple platforms. When Apple releases a new OS or management feature, other MDM platforms typically support it on day one. Intune often takes weeks or months to catch up.

Device action speed on Mac is a consistent complaint from Intune users. Sending a wipe, lock or any other command to a Mac through Intune can take hours, and in some cases over 24 hours, to execute. On top of that, commands frequently fail silently with no clear error. This is a fundamental limitation of how Intune communicates with Apple devices compared to dedicated Apple platforms, where the same actions are near-instant. For IT teams managing time-sensitive incidents, this is a significant operational risk.

Licensing is genuinely confusing. The base Plan 1 is £6 per user per month but many enterprise features require add-ons that push the cost to £12 to £16 per user per month.

The verdict

Intune is a reasonable choice if you are already in Microsoft 365, managing a mixed Windows and Apple environment, and your Mac requirements are straightforward. For basic enrolment, OS update management and simple policy enforcement on Macs, it works. The fact that it is already included in your Microsoft 365 licence makes it hard to argue against as a starting point.

But Intune was built for Windows first and it shows; as Mac requirements mature, it increasingly becomes a liability rather than an asset. Many businesses start with Intune for Macs and find themselves looking for a dedicated Apple MDM platform within 12 to 18 months as their requirements mature.

If your Mac estate is growing, your compliance requirements are increasing, or your IT team is spending meaningful time working around Intune’s Mac limitations, that conversation is worth having sooner rather than later.

FleetDM: The Open Source Option for Engineering-Led Teams

What it is

FleetDM is an open source, cross-platform device management platform built on osquery. It manages macOS, Windows, Linux, iOS, Android and ChromeOS from a single console. The self-hosted version has no device limits and no feature gates on core functionality.

The real-life scenario where it works

You are the IT lead at a 1000-person software company. Half your engineers use Apple and Linux. The other half use Windows. Your security team wants near-real-time visibility into every device. Your engineering team manages device policies as code, version-controlled in Git, reviewed in pull requests. No other platform on this list supports this natively.

What it does well

The osquery foundation delivers near real-time device reporting. Where most MDMs poll devices every few hours, FleetDM can return data in under 30 seconds. For security teams running incident response, this changes everything.

GitOps-native configuration management is a genuine differentiator. Policies are defined in YAML, version-controlled, peer-reviewed and deployed through CI/CD pipelines. For engineering-led organisations that manage everything else as code, this feels natural rather than bolted on.
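As an added illustration of what policy-as-code looks like in practice (an example written for this article, not a file from nDuo or the Fleet project): a Fleet GitOps policy file that encodes three Cyber Essentials-relevant macOS checks, full-disk encryption, the application firewall and Gatekeeper, as osquery SQL. The Fleet YAML layout and the osquery table and column names are assumptions to verify against the Fleet and osquery documentation for the versions you run.

```yaml
# policies/macos-cyber-essentials.yml (constructed path for this example)
#
# Added example, not Fleet's or nDuo's own file. Assumed: Fleet's GitOps
# layout (a top-level `policies:` list with name, platform, description,
# resolution and query) and the osquery tables disk_encryption, alf and
# gatekeeper as present on macOS. Each query returns a row when the host
# is compliant; no row means the policy fails for that host, which is what
# Fleet reports and what an assessor can be shown as evidence.
policies:
  # Cyber Essentials "secure configuration": laptops must be encrypted.
  - name: macOS - FileVault enabled
    platform: darwin
    description: The boot volume must be protected by FileVault full-disk encryption.
    resolution: Enable FileVault via the FileVault configuration profile delivered by MDM.
    query: >-
      SELECT 1 FROM disk_encryption
      WHERE user_uuid IS NOT '' AND filevault_status = 'on'
      LIMIT 1;

  # Cyber Essentials "firewalls": the host-based application firewall is on.
  - name: macOS - Application firewall enabled
    platform: darwin
    description: The macOS application firewall must be enabled (global_state 1 or 2).
    resolution: Turn the firewall on via a Firewall configuration profile.
    query: >-
      SELECT 1 FROM alf WHERE global_state >= 1;

  # Cyber Essentials "malware protection": Gatekeeper must assess downloads.
  - name: macOS - Gatekeeper enabled
    platform: darwin
    description: Gatekeeper must be enabled so only signed and notarised software runs.
    resolution: Enable Gatekeeper via the Security & Privacy configuration profile.
    query: >-
      SELECT 1 FROM gatekeeper WHERE assessments_enabled = 1;
```

Reviewed in a pull request like any other code, the file is then applied to the Fleet server from a CI job with Fleet's documented `fleetctl gitops -f <file>` command, so the policy history lives in Git rather than in a console.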

The open source model means no vendor lock-in. You own your data, your deployment and your infrastructure. For privacy-conscious organisations or those with data sovereignty requirements, this matters.

Where it falls short

Third-party app patching is a significant limitation for enterprise use. FleetDM’s built-in Fleet-maintained app catalog covers approximately 50 to 60 common applications. For organisations managing a large and varied software estate, this is not enough. Most IT teams running FleetDM at enterprise scale use Munki alongside it for comprehensive Mac third-party patch management. Munki is a free, open source tool but it requires additional infrastructure, configuration and ongoing maintenance. This means meaningful extra overhead compared to other MDM platforms where patching is largely native.

For custom packages outside the Fleet-maintained catalog, administrators must upload packages manually and configure policy automations to trigger installs. This works but requires considerably more effort.

FleetDM is not a SaaS product you sign up for and use in five minutes. Self-hosting requires Docker, MySQL, S3-compatible storage, TLS certificates and ongoing server maintenance. For non-technical IT teams, this overhead is prohibitive.

Pre-built compliance blueprints and automated patch management libraries are not as extensive as dedicated Apple platforms.

The verdict

FleetDM is the right choice for engineering-led organisations with Apple and mixed device environments, where GitOps workflows and real-time visibility matter more than a simple UI and turnkey patching. It is not the right choice for non-technical IT teams.

How to Choose: A Decision Framework

Fewer than 25 Apple devices, no IT team, no compliance requirements:
Start with Apple Business MDM. It is free and covers the fundamentals. Revisit when you grow.

Apple-only fleet, need Cyber Essentials or ISO 27001, want simplicity:
Iru (formerly Kandji) is a good choice. Faster to implement than other MDMs, 300+ app Auto Apps library, excellent support, strong compliance automation.

Large Apple fleet, regulated environment, ISO 27001, CIS benchmarks, complex scripting requirements:
Jamf Pro or Jamf for Mac bundle. The depth of configuration and compliance capability is unmatched at this level. The implementation complexity is real; having the right partner from day one determines whether Jamf becomes your strongest asset or your biggest headache.

Mixed Windows and Apple environment, already in Microsoft 365, straightforward Mac requirements:
Microsoft Intune. You may already be paying for it. Supplement with a third-party patching tool for non-Microsoft apps and plan for a dedicated Apple MDM conversation as your Mac requirements grow.

Engineering-led team, run Linux alongside Apple, want open source with real-time visibility and GitOps:
FleetDM. Real-time osquery visibility, GitOps-native policy management and no vendor lock-in make it a natural fit for technical teams. Pair it with Munki for comprehensive Mac patching and you have a powerful, fully open source device management stack that most commercial platforms cannot match for this specific use case.

Not sure which applies to you? Book a free call with our team and we will work it out together in 15 minutes. No jargon, no sales pitch, just a straight answer from someone who implements all five platforms for UK businesses every day.

Book your free Apple MDM assessment today.

Is Apple MDM Free? What UK Businesses Need to Know in 2026

Three weeks from now, Apple Business Manager will no longer exist.

On March 24 2026, Apple announced Apple Business, a new all-in-one platform that replaces Apple Business Manager, Apple Business Essentials, and Apple Business Connect in one move. It launches on April 14 2026, free of charge, in more than 200 countries including the UK.

If your company uses Apple Business Manager today, your account will automatically migrate. Nothing will break. But a lot will change.

And if you are an IT Director or CTO at a UK scale-up with an Apple fleet, there is a more important question to answer than what is changing. It is whether Apple’s built-in MDM is actually enough for your business, or whether you still need a dedicated MDM platform like Jamf or Mosyle alongside it.

The honest answer is nuanced. And that is exactly what this guide covers.

What Is Apple Business and What Replaced What?

Apple Business is Apple’s attempt to bring everything a business needs into one platform. It consolidates three previously separate products.

Apple Business Manager was the free portal that IT teams used to enrol devices, distribute apps, and create Managed Apple Accounts. It was the backbone of every enterprise Apple deployment but was not an MDM itself. It needed Jamf, Mosyle, Addigy or Intune to actually manage devices.

Apple Business Essentials was Apple’s own paid MDM service, available in the US since 2021 but never fully rolled out in the UK. It was designed for small businesses without IT teams and offered basic device management at around $2.99 per device per month.

Apple Business Connect was the tool businesses used to manage how their brand appeared across Apple Maps, Wallet and other Apple services.

All three are being retired on April 14 and replaced by Apple Business. One platform, free of charge.

What Apple Business Actually Does

Apple Business is built around four areas.

Built-in MDM

This is the headline feature and the one most relevant to IT teams. Apple Business includes device management natively, no separate subscription required. You can configure device settings, push apps, enforce security policies, and create Blueprints to enable zero-touch deployment.

Blueprints are preconfigured templates that define exactly how a device should be set up. Which apps are installed, which security policies are enforced, which settings are applied. When a new Mac or iPhone arrives, it checks Apple’s servers, picks up its Blueprint, and configures itself automatically. Your new employee unpacks their device and it is ready to use.

This zero-touch deployment capability was previously only available through Apple Business Manager combined with a third-party MDM. It is now built in.

Managed Apple Accounts

Managed Apple Accounts separate company data from personal data on the same device, using cryptographic separation enforced at the operating system level. Account creation can be automated through integration with Google Workspace, Microsoft Entra ID, and other identity providers.

Business Email, Calendar and Directory

Apple Business now includes business email and calendar services with custom domain support. This is genuinely new for UK businesses. Apple is positioning itself as a lightweight alternative to Google Workspace or Microsoft 365 for smaller companies.

Brand Management

Everything that was in Apple Business Connect now moves into Apple Business. This includes managing how your business appears in Apple Maps, Wallet, Mail and other Apple services, rich place cards, brand profiles, location insights, and showcases.

What Apple Business MDM Can Do: The Full Picture

For UK businesses evaluating whether Apple Business MDM is sufficient, here is a clear breakdown of capabilities.

Zero-touch deployment via Blueprints Devices purchased through Apple or authorised resellers can be automatically enrolled and configured without IT touching them. A new employee can unbox a Mac and be working within minutes.

App distribution Push apps to individual employees, teams or the whole organisation directly through the App Store. No Apple ID required on the device.

Device and security settings Configure passcode requirements, screen lock, encryption settings, and OS update policies across your fleet.

Managed Apple Accounts Cryptographic separation of work and personal data. Automated account provisioning through your identity provider.

Employee groups and role management Create groups by team or function. Assign specific apps and permissions to each group. Create custom roles for more granular access control.

Admin API Programmatic access to device, user, audit, and MDM data for larger deployments or automation workflows.

Companion employee app Employees can install work apps, view the company directory, and request IT support from a dedicated app. Important caveat: this requires iOS 26, iPadOS 26, or macOS 26, operating system versions that have not been released yet.

What Apple Business MDM Cannot Do: The Honest Assessment

This is where the conversation gets important for growing UK businesses.

Apple Business MDM is designed explicitly for small businesses without dedicated IT resources. Apple has been transparent about this positioning. For companies with a simple, non-regulated setup and no dedicated IT requirements, it is likely sufficient and the price is unbeatable.

But once your compliance requirements mature, your fleet grows in complexity, or your business becomes subject to regulatory scrutiny, Apple Business MDM hits clear limits.

No advanced configuration profiles

Jamf Pro and Mosyle offer hundreds of granular configuration options that go far beyond what Apple Business MDM supports. Custom security baselines, CIS benchmark enforcement, and bespoke workflow automation are simply not available.

No Cyber Essentials or ISO 27001 compliance reporting

If you are working toward Cyber Essentials certification or ISO 27001, you need to evidence your compliance posture to an auditor. Apple Business MDM does not generate the compliance reports your auditor needs. Jamf and Mosyle do.

No third-party security integrations

Jamf integrates with CrowdStrike, SentinelOne, Microsoft Defender and dozens of other security tools. Apple Business MDM does not. For regulated industries such as fintech, legal, and healthcare, this is a significant gap.

No Android or cross-platform management

Apple Business MDM manages Apple devices only. If your team uses Android phones or personal devices, you need a separate solution. Intune handles this, as does a properly configured BYOD programme with Jamf or Mosyle.

No advanced patch management automation

Keeping macOS and app versions up to date across a fleet requires more sophistication than Apple Business MDM offers. Jamf Pro’s patch management capabilities automate this at scale. Apple Business MDM requires more manual oversight.

No scripting or automation at scale

Running custom scripts across your fleet, whether for configuration, diagnostics, or automation, requires Jamf or a comparable platform. This is a critical capability for IT teams managing more complex environments.

Limited support for regulated environments

Companies in financial services, healthcare, and other regulated sectors need to demonstrate precise control over their device estate. Apple Business MDM is not designed for this level of governance.

Companion app requires OS versions not yet released

The Apple Business employee app and the email, calendar and directory features require iOS 26, iPadOS 26 and macOS 26. These operating systems have not launched yet. Businesses expecting full functionality from day one on April 14 will need to wait.

Who Apple Business MDM Is Right For

Apple Business MDM is a genuinely good solution for the right type of company. These are the businesses it was designed for.

It is designed for businesses with a small, straightforward Apple-only fleet of up to 25 devices, no dedicated IT team, no complex compliance requirements, and no regulated data. If you are an early-stage startup getting Apple management in place for the first time, Apple Business MDM is a solid, free starting point.

For these businesses, Apple Business MDM is a significant step forward from having no device management at all. It is free, it is built by Apple, and it handles the fundamentals competently.

Who Still Needs Jamf, Iru (Kandji), Mosyle or a Dedicated MDM

Businesses that need a dedicated MDM platform are those with a complex setup regardless of fleet size, whether that is 20 devices in a regulated fintech or 200 across multiple locations. This includes companies working toward Cyber Essentials certification or ISO 27001, operating in regulated industries such as fintech, legal, or healthcare, or running a mixed fleet with Android devices or BYOD. If your IT team manages scripts, automation and custom workflows, or you need compliance reporting for an auditor, third-party security integrations, or a platform that scales with rapid growth, Apple Business MDM will not cover your requirements.

For these businesses, which describes the majority of nDuo’s clients, Apple Business MDM is a starting point, not a destination. It handles enrolment and basic configuration well. It does not handle the security, compliance, and governance requirements of a business operating under scrutiny, regardless of size.

What Happens to Your Current Apple Business Manager Setup?

If you are currently using Apple Business Manager with a third-party MDM like Jamf, Mosyle or Addigy, the transition to Apple Business is largely transparent. Your existing device enrolments, app licences, and Managed Apple Accounts will migrate automatically. Your MDM integration will continue to work as before.

Apple Business is additive for existing ABM users. You get the new features without losing what you already have. The MDM relationship between Apple Business and your third-party MDM remains exactly as it was with Apple Business Manager.

The main change is that Apple Business Essentials customers in the US will no longer pay the monthly per-device fee after April 14 2026. The device management capability becomes free as part of Apple Business.

What nDuo Recommends for UK Businesses

Apple Business is a welcome development. Making device management accessible to every UK business regardless of size or IT budget is genuinely good for the ecosystem. Small businesses that previously had no device management at all now have a solid, free starting point built directly into Apple’s platform.

But for UK businesses with compliance obligations, regulated clients, or any complex MDM requirements regardless of fleet size, Apple Business MDM is the foundation, not the full solution. You still need a dedicated MDM platform to handle the depth of configuration, compliance reporting, and security integration that your business requires.

The best approach for most growing UK businesses is Apple Business for enrolment and identity management, combined with Jamf Pro or Mosyle for device management, security policies and compliance.

nDuo configures exactly this kind of setup for UK businesses every day. As an Apple Premium Technical Partner with 14 years of Apple experience, we can assess your current Apple fleet, recommend the right MDM platform for your requirements, and get everything configured and compliant including for Cyber Essentials certification.

Ready to Find Out If Apple Business MDM Is Right for Your Business?

Apple Business launches in the UK on April 14. Whether you are an existing Apple Business Manager user wondering what changes, a business considering MDM for the first time, or a growing company unsure whether Apple’s built-in MDM covers your needs, now is the right time to get clarity.

As an Apple Premium Technical Partner, nDuo offers a free assessment to help you understand whether Apple Business MDM is the right fit for your business or whether a dedicated MDM platform like Jamf or Mosyle is the better path.

If Apple Business MDM is right for you, we can guide you through the setup and deployment so you are ready from day one. If your business needs something more advanced, we will tell you honestly and help you build the right solution.

No obligation. No jargon. Just a straight conversation with an Apple specialist who knows this platform inside out.

Book your free Apple Business MDM assessment today.

BYOD Security and Policy Guide for UK Businesses

It is 9am on a Tuesday and you are three weeks away from your Cyber Essentials audit.

Your IT infrastructure is in good shape. Your Macs are enrolled in Jamf, your security policies are configured, your firewall is solid. You have done the work. You are ready.

Then your auditor sends over the pre-assessment questionnaire.

One question stops you cold.

“How many personal devices currently have access to your company email, Slack, or business applications?”

You stare at it. A new tab opens. Closes again. The honest answer is: you have no idea.

You think about your sales team. Three of them check Slack on their personal iPhones on the weekend. Your Head of Engineering accesses the company GitHub on his personal MacBook when he is travelling. Your CEO has had company email on her personal phone since the day she joined. Nobody ever set this up formally. It just happened, one device at a time, over years of rapid growth.

And now, three weeks before your Cyber Essentials audit, you are realising that your carefully managed Apple fleet is only part of the picture. The other part, the unmanaged, unseen, uncontrolled part, is sitting in people’s pockets right now.

This is the BYOD problem. And if you are reading this, there is a very good chance it is your problem too.

You Are Not Alone

A 2024 survey by Cisco found that over 70% of employees use personal devices to access company data at least occasionally. In fast-growing UK scale-ups, that number is almost certainly higher. When companies grow quickly, formal IT policies struggle to keep pace with the reality of how people actually work.

Personal devices creep into the workflow gradually. Someone checks their work email on their personal iPhone during a bank holiday. A developer pushes a hotfix from their home MacBook. A new starter connects to company Slack before their work laptop arrives. Each of these moments feels harmless. Collectively, they create a sprawling, invisible attack surface that your IT team has no visibility over and no control of.

The problem is not your people. The problem is the absence of a framework that allows personal device use to happen securely, with the right boundaries in place.

That framework is called BYOD. And getting it right is one of the most important things a growing UK business can do.

What BYOD Actually Is

BYOD stands for Bring Your Own Device. It describes any situation where employees use personally owned devices (iPhones, Android phones, personal MacBooks, iPads) to access company systems, data, or applications.

BYOD is not inherently risky. In fact, when managed correctly, it can reduce hardware costs, improve employee satisfaction, and give your team the flexibility to work the way they want to work. The problem is not BYOD itself. The problem is unmanaged BYOD: personal devices accessing company data with no security policy, no visibility, and no controls in place.

Managed BYOD means:

Your IT team knows which personal devices have access to company systems.
Security policies are applied to those devices without invasive monitoring of personal content.
Employees can use their personal devices freely for personal use, with company data kept separate and protected.
If a device is lost or stolen, company data can be remotely wiped without touching personal photos, messages or apps.
If an employee leaves, company access is revoked instantly, without affecting anything personal on the device.

This is the goal. A clear separation between work and personal, enforced by technology, understood by everyone.

Why BYOD Matters More Than Ever

Three forces have converged to make BYOD one of the most pressing IT challenges for UK scale-ups right now.

The first is hybrid working. Since 2020, the boundary between work devices and personal devices has blurred significantly. People work from home, from coffee shops, from airports. They switch between devices constantly. The idea that company data only lives on company-owned hardware is no longer realistic for most organisations.

The second is Cyber Essentials. The UK government’s Cyber Essentials certification scheme, which is increasingly required by enterprise clients, investors, and regulated industries, now explicitly includes personal devices in scope if those devices access company data. This is the question that stopped you cold in your audit questionnaire. If personal devices are accessing your systems and they are not enrolled in your MDM, you cannot certify. It is that simple.

The third is the talent market. Top candidates, particularly in tech and fintech, expect flexibility. A rigid “company devices only” policy is increasingly seen as a red flag. A well-designed BYOD programme lets you offer flexibility without compromising security.

When It Goes Wrong: The Story of a Leak That Changed Everything

In 2020, one of the most significant social media security breaches in history was traced back partly to compromised contractor devices. The attackers used social engineering to gain access to internal tools, eventually taking over high-profile accounts. The investigation revealed that the attack surface included personal and contractor devices that were not under centralised security control.

But you do not need to look at headline breaches to understand the risk. The more common story is quieter and closer to home.

Picture this. A sales manager at a London fintech resigns after three years. She has been a high performer, well-liked, no bad blood. Her company laptop is wiped and collected on her last day. Standard offboarding, done properly.

What nobody checks is her personal iPhone. For two years, she has had the company CRM accessible through a mobile app on her personal phone. She has company email in her native mail app. She has the shared Slack workspace. None of it was formally enrolled or managed because it was her personal device and nobody thought to include personal devices in the offboarding checklist.

Three months later, a competitor wins a pitch using detailed knowledge of your pricing structure, your client relationships, and your sales methodology. The information was accurate. It was recent.

You will never be able to prove what happened. But you know.

This is not a hypothetical. Variations of this story happen across UK businesses every week. The device that walks out the door on an employee’s last day is rarely their work laptop. It is the personal phone in their pocket that nobody ever enrolled, monitored, or offboarded.

The Privacy Question: What Can Your Company Actually See?

This is the question every employee asks when BYOD is mentioned. And it is a completely reasonable one.

The short answer is: when BYOD is set up correctly using MDM, your company cannot see your personal data. Full stop.

Here is what that means in practice when nDuo sets up BYOD MDM enrolment for personal devices using tools like Jamf, Intune, Kandji, FleetDM:

What your company CAN see and manage on a personal device enrolled in BYOD MDM: whether the device has a passcode set, whether the operating system is up to date, whether the device is encrypted, which work apps are installed, and the status of work-related security policies.

What your company CANNOT see: your personal photos, messages, emails, browsing history, personal apps, location outside of work hours, or any personal data on the device.

The MDM profile creates a managed container for work data. Everything outside that container is invisible to your IT team. Your personal life remains entirely private.

This separation is not just a policy choice; it is a technical reality built into how modern MDM platforms work on iOS and macOS. Apple’s architecture specifically prevents MDM from accessing personal data. It is enforced at the operating system level, not just through company promises.

When we roll out BYOD MDM to employees, we always walk through exactly what is and is not visible. Transparency builds trust. Employees who understand the privacy boundaries are far more likely to enrol their devices willingly and maintain compliance going forward.

BYOD and Cyber Essentials: What You Need to Know

If your business is working toward Cyber Essentials or Cyber Essentials Plus certification, BYOD is not optional; it is in scope.

The Cyber Essentials framework requires that all devices accessing company data meet a minimum security standard. This includes personal devices. If an employee’s personal iPhone has your company email configured on it, that device falls within the scope of your Cyber Essentials assessment.

The practical implications are significant. Employees’ personal devices must have a passcode or biometric lock enabled. The operating system must be up to date. The device must not be jailbroken or rooted. Access to company applications must be revocable by your IT team.

Without MDM enrolment, you cannot evidence any of this to your auditor. You are relying on self-reporting from employees, which is not sufficient for certification.

This is one of the most common reasons UK scale-ups fail their first Cyber Essentials assessment. Not because their core infrastructure is insecure, but because personal devices were overlooked when the assessment was scoped and nobody had visibility of them.

nDuo has helped companies including Revolut, Kroo and BOXPARK navigate this exact challenge. Getting personal devices into scope, enrolled, and compliant before an audit is one of the highest-value things we do.

GDPR and Personal Devices: The Legal Dimension

If your employees access personal data (customer records, employee information, financial data) on personal devices, you have a GDPR obligation to ensure that data is protected.

Under GDPR, your organisation is responsible for the security of personal data regardless of what device it sits on. If an employee’s unmanaged personal phone is lost or stolen and it contains customer data, you may have a reportable data breach on your hands. The ICO does not accept “it was on their personal phone” as a defence.

A proper BYOD policy with MDM enrolment gives you the ability to demonstrate to the ICO that appropriate technical measures were in place. Remote wipe capability, encryption requirements, and access controls are all things you can evidence with the right setup.

Without a BYOD policy and MDM enrolment, you cannot demonstrate any of this. And in the event of a breach, that absence will be noticed.

nDuo’s BYOD Discovery and Setup Process

When a new client comes to us with a BYOD challenge, here is exactly how we approach it.

Step 1: Discovery

We start by understanding the full picture. Which company systems can be accessed from personal devices? Which applications have mobile access? What does your current onboarding and offboarding process look like for personal devices? Are there any existing MDM policies in place? This discovery phase typically takes one to two days and involves conversations with IT, HR, and senior leadership.

Step 2: Risk Assessment

Once we know the landscape, we assess the risk. We identify which personal device access points represent the highest risk to your business, typically company email, messaging platforms like Slack, and any CRM or financial applications. We look at your Cyber Essentials and ISO 27001 requirements and map them against your current personal device posture.

Step 3: Policy Design

Before any technical implementation begins, we design your BYOD policy. This is a written document that sets out what personal device use is permitted, what security requirements apply, what employees consent to when they enroll, and what happens when they leave. Clear policy documentation is essential for Cyber Essentials certification and for employee trust.

Step 4: MDM Configuration

We configure your chosen MDM platform, such as Jamf, Intune, Kandji or FleetDM, to support BYOD enrolment. This involves creating a separate enrolment profile specifically for personal devices, configuring the managed container for work applications, setting security policies including passcode requirements and OS update enforcement, and testing the enrolment flow on both iOS and macOS.

Step 5: Employee Communication and Enrolment

This is the step most companies underestimate. How you communicate the BYOD rollout to employees determines how smoothly enrolment goes. We prepare clear communications that explain what enrolment involves, what privacy protections are in place, and why it matters. We run a short walkthrough session for employees and handle any questions about privacy directly. Typically we achieve enrolment rates of 90% or higher when communication is handled well.

Step 6: Offboarding Integration

We update your offboarding checklist to include personal device unenrolment as a standard step. This is the gap that causes the data leak scenarios described earlier. With MDM in place, unenrolling a personal device on an employee’s last day takes 30 seconds and ensures company data is removed completely.

Step 7: Ongoing Monitoring

Once BYOD MDM is live, your IT team has a dashboard showing all enrolled personal devices, their compliance status, and any security issues. You can see at a glance which devices are up to date, which have outstanding issues, and which have been unenrolled. The invisible attack surface becomes visible.
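To make the requirements above concrete, here is an added example (not nDuo’s tooling, and not an IASME or NCSC artefact) that evaluates constructed BYOD inventory records against the four device requirements the Cyber Essentials section lists: passcode set, OS up to date, not jailbroken, and access revocable (which in practice means MDM enrolment). The minimum OS versions and the sample devices are assumptions made up for the example.

```python
"""Check constructed personal-device inventory records against the
Cyber Essentials device requirements described on this page."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed minimum OS versions for this example only (not NCSC/IASME values).
MIN_OS = {"iOS": (17, 0, 0), "macOS": (14, 0, 0)}


@dataclass
class Device:
    name: str
    platform: str
    os_version: str
    passcode_set: bool
    jailbroken: bool
    mdm_enrolled: bool  # enrolment is what makes work access revocable


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '17.4' into (17, 4, 0) so versions compare numerically."""
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (3 - len(parts))


def check_device(d: Device) -> List[str]:
    """Return the requirements this device fails; an empty list is compliant."""
    failures: List[str] = []
    if not d.mdm_enrolled:
        failures.append("not enrolled: access cannot be revoked or evidenced")
    if not d.passcode_set:
        failures.append("no passcode or biometric lock")
    if parse_version(d.os_version) < MIN_OS.get(d.platform, (0, 0, 0)):
        failures.append(f"OS {d.os_version} below minimum")
    if d.jailbroken:
        failures.append("jailbroken or rooted")
    return failures


def compliance_report(devices: List[Device]) -> Dict[str, List[str]]:
    """Map each device name to its list of failures, as a dashboard would."""
    return {d.name: check_device(d) for d in devices}


# Constructed sample inventory, not real devices.
SAMPLE = [
    Device("sales-iphone-1", "iOS", "17.4", True, False, True),
    Device("eng-macbook", "macOS", "13.6.7", True, False, True),
    Device("ceo-iphone", "iOS", "17.2", False, False, False),
]
```

Running `compliance_report(SAMPLE)` flags the out-of-date MacBook and the unenrolled, unlocked phone while passing the first device.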

What Good BYOD Looks Like in Practice

A well-run BYOD programme is one that employees barely notice day to day. They enroll their device once, they use their work apps as normal, and they have complete confidence that their personal data is untouched.

For your IT team, it means the question “how many personal devices have access to our systems?” has an immediate, accurate answer at any point in time. Your Cyber Essentials audit goes smoothly because personal devices are in scope, enrolled, and compliant. GDPR posture is defensible. Offboarding is complete.

And when the next talented employee joins and wants to check Slack on their personal iPhone, the answer is not “we do not allow that”; it is “here is how to enrol in two minutes.”

Ready to Get Your BYOD Under Control?

If reading this has raised questions about your own personal device posture, you are not alone, and the good news is that getting control of BYOD is straightforward when you have the right partner.

nDuo offers a free BYOD readiness review for UK businesses. We will assess your current personal device posture, identify your key risk areas, and give you a clear picture of what a managed BYOD programme would look like for your organisation.

No obligation. No jargon. Just a clear, honest conversation about where you stand.

Book your free BYOD readiness review today.