Bringing Mac into Your Business: How Windows and Mac Work Together

For years, the assumption in business IT was straightforward: you standardise on Windows, you manage everything through Active Directory, and anything that does not fit gets left at the door.

That assumption no longer holds.

Across the UK, businesses are running Macs and Windows devices side by side. Developers prefer MacBooks. Designers have always used them. New hires arrive expecting the choice. Finance and operations teams stay on Windows. The result is a mixed fleet, and for many IT teams and business owners that feels like a problem waiting to happen.

It is not. With the right setup, Mac and Windows coexist without complexity, without doubling your IT overhead and without creating security gaps. This post explains how.

Why businesses end up with mixed fleets

Mixed environments rarely happen by design. They happen for practical reasons.

A fast-growing startup hires ten engineers who all request MacBooks. A creative agency has always run Mac. A fintech acquires a smaller company and inherits their Windows estate. A new operations director joins from a Windows-first business and their team follows.

Whatever the reason, the outcome is the same: two platforms, one IT team, one security posture to maintain.

The good news is that this is now one of the most common IT scenarios in UK businesses. The tools, the processes and the expertise to manage it well are mature and widely available.

The MacBook Neo is changing the conversation about cost

For years, the most common objection to introducing Macs in business was straightforward: they cost too much. A MacBook Air started at £999. Windows laptops at a similar spec could be had for £400 to £600. For finance teams managing device budgets across dozens of employees, that gap was hard to justify.

That changed in March 2026 when Apple launched the MacBook Neo – the company’s most affordable laptop ever, starting at $599. In the UK that lands at approximately £480, putting a genuine MacBook within reach of the same budget brackets that previously defaulted to Windows.

The Neo runs the full macOS operating system found across Apple’s entire laptop lineup, powered by the A18 Pro chip, the same family of silicon that powers the iPhone 16 Pro. Apple says it can run AI tasks up to three times faster than comparable PC laptops at the same price point.

The technology press has called it the “Mac for the masses” and a “near perfect starter Mac.” For businesses considering introducing Macs for the first time or expanding their Apple fleet to cover roles that previously defaulted to Windows out of budget constraints, the Neo removes the most cited barrier to doing so.

It is worth being clear about what the Neo is and what it is not. The base model comes with 8GB of unified memory and 256GB of storage, with no backlit keyboard. For knowledge workers running Microsoft 365, Google Workspace, Slack and browser-based tools day to day, that specification is more than sufficient. For developers running resource-intensive local environments or engineers with heavy computational needs, the MacBook Air M5 or MacBook Pro remains the right choice.

The practical implication for IT and business decision-makers is this: the cost argument against Mac has largely gone. A mixed fleet where developers and power users get MacBook Pros, general knowledge workers get MacBook Neos, and Windows-dependent roles stay on Windows is now financially viable in a way it was not twelve months ago.

Explore the MacBook Neo on Apple’s website

The myth that Mac and Windows cannot coexist

The idea that mixing Mac and Windows creates unmanageable complexity dates back to a time when Mac management genuinely was difficult. Active Directory did not support Macs natively. File sharing across platforms was unreliable. Security tooling was Windows-first and treated Macs as an afterthought.

None of that is true in 2026.

Modern cloud-first identity providers like Okta and Microsoft Entra ID manage users across both platforms from a single console. Microsoft 365 and Google Workspace run identically on Mac and Windows. Most business applications (CRM, HR, finance, collaboration tools) are browser-based or have native apps on both platforms.

The platforms are different under the hood. But from a user experience and IT management perspective, the gap between Mac and Windows has never been smaller.

What actually needs to be managed differently

Where Mac and Windows genuinely diverge is in device management. The two platforms use fundamentally different mechanisms, and understanding this is key to running a mixed environment well.

Windows relies on Active Directory and Group Policy, or Intune for cloud-managed devices, to push configurations, enforce policies and manage updates. Mac uses Apple Business Manager, configuration profiles and MDM to do the same job. The outcome is the same, IT control over the device, but the mechanism is different: there is no Group Policy on macOS, and a setting that is not delivered as an MDM profile is not enforced.

This means a business running a mixed fleet needs a management approach that handles both properly. The worst outcome is treating Mac as a secondary platform and applying Windows management logic to it. Generic IT providers often make this mistake, which is why Mac devices in mixed environments frequently end up under-managed, with gaps in security policy enforcement and update compliance.

How well-run businesses manage Mac and Windows together

The businesses that manage mixed fleets effectively share a few common characteristics:

1. They use a cloud identity provider as the single source of truth

Okta or Microsoft Entra ID sits at the centre, managing user identities across both platforms. When a new employee joins, their account is provisioned once and works on both Mac and Windows. When they leave, access is revoked everywhere simultaneously. The platform does not matter; the identity layer handles both. One caveat worth building into the leaver process: disabling the identity provider account stops new sign-ins, but the local account on the laptop and any cached sessions survive until the MDM locks or wipes the device, so offboarding should trigger both.

2. They use the right MDM tool for each platform

Rather than forcing one tool to do everything badly, they use Jamf Pro or Iru for Mac management and Microsoft Intune for Windows. Both platforms are managed with specialist tools. Policies, security configurations and compliance reporting flow from each tool into a unified view.

3. They treat compliance as platform-agnostic

Frameworks like Cyber Essentials or ISO 27001 do not differentiate between Mac and Windows. Under Cyber Essentials, all devices in scope must meet the same five controls: firewalls, secure configuration, user access control, malware protection and patch management. In a mixed fleet, both platforms need to be assessed and maintained against those controls. Businesses that do this well have a single compliance posture covering the whole fleet rather than two separate processes running in parallel.

4. They standardise on cloud-first applications

When the business runs on Microsoft 365 or Google Workspace, the operating system becomes largely irrelevant for day-to-day work. Documents, email, calendar and collaboration tools all work the same on Mac and Windows. This removes the most common source of cross-platform friction for employees.

The business case for embracing Mac alongside Windows

Beyond managing the complexity, there is a genuine business case for running Mac in a mixed environment rather than resisting it.

Talent is the most immediate argument. 72% of employees prefer Mac when given a choice in enterprise environments. For businesses competing for developers, designers and technical talent, restricting device choice is a recruitment disadvantage. Offering Mac as an option is increasingly table stakes in the UK tech sector.

Support costs are the second argument. Mac fleets generate 60% fewer support tickets per device annually compared to Windows, and IT teams can manage twice as many Macs per FTE as Windows devices. In a mixed fleet, every Mac added is a device that requires less reactive support.

Security is the third. Enterprises running well-managed Mac fleets see up to 65% fewer successful cyber attacks than poorly managed mixed environments, and Mac provisioning takes five minutes versus sixty minutes for Windows devices. With zero-touch deployment through Apple Business Manager (Automated Device Enrolment), new Macs enrol and configure themselves during Setup Assistant, so they are managed and compliant before the employee reaches the desktop.

The IBM story – what happened when a 400,000-person business went Mac

If you want to understand what introducing Macs into a large business actually looks like in practice, the most cited and best documented example is IBM.

In 2015, IBM launched its Mac@IBM programme – an employee choice initiative that let staff select a Mac instead of a Windows PC. IBM was deploying 1,900 Mac devices per week, supported by just 24 help desk staff members, one support person for every 5,400 Mac users. Only 5% of Mac users called the help desk for assistance, compared to 40% of PC users.

The numbers that followed are the ones that get cited most often in IT circles:
IBM found it could save between $265 and $535 per Mac versus a comparable PC over a four-year lifespan. With 90,000 Macs deployed and adding 1,300 more per month, that added up to more than $26 million in projected savings over four years.

By 2018, IBM was managing 277,000 Apple devices with just 78 IT staff members. Seven engineers supported 200,000 Macs, compared to 20 engineers required to support an equivalent number of Windows devices. That is a 186% increase in support engineering needed for Windows.

The compliance and security picture was similarly compelling. In 2015 alone, Windows 7 required 135 major critical patches versus 31 on Mac, so IBM's Mac estate needed 104 fewer security patch cycles that year.

Beyond the cost and IT overhead numbers, IBM's research revealed something that resonated across the business beyond IT: Mac-using employees were 22% more likely to exceed expectations in performance reviews compared to Windows users, and 17% less likely to leave IBM.

IBM’s CIO Fletcher Previn put it plainly: “When did it become acceptable to live like the Jetsons at home but the Flintstones at work?”

IBM is an extreme case; very few UK businesses are managing 290,000 devices. But the principles hold at any scale. Fewer support tickets per Mac, lower IT overhead per device, faster patching cycles and higher employee satisfaction are outcomes that show up consistently whether you are running 20 Macs or 20,000.

The question is not whether Macs can work in your business. IBM answered that definitively a decade ago. The question is how to introduce them well, with the right Apple MDM setup, the right compliance posture and the right support structure from day one.

The one thing that makes or breaks a mixed environment

Everything above works when one condition is met: your IT team or IT partner has genuine expertise in both platforms.

This is where most mixed environments fall down. A Windows-first IT provider will manage Mac as a secondary concern. Apple-specialist knowledge (how Apple Business Manager works, how to configure MDM profiles correctly, how to maintain Cyber Essentials compliance across an Apple fleet) does not come from general IT experience.

The businesses that run mixed Mac and Windows environments well typically either have an in-house IT team with dedicated Apple expertise, or they work with an Apple specialist who understands how to integrate with their existing Windows infrastructure.

Half-measures create the complexity that people mistakenly attribute to mixed fleets. The right setup removes it.

What to look for in an IT partner for a mixed environment

If you are considering introducing Macs alongside your existing Windows estate or if you already have a mixed fleet and it feels harder to manage than it should, here is what to look for in an IT partner:

Genuine Apple MDM experience, not just familiarity. Ask specifically about Apple Business Manager setup, zero-touch deployment and Cyber Essentials compliance across Apple fleets.

Windows integration capability. An Apple-only specialist who cannot integrate with your existing Intune or Active Directory environment will create a silo rather than a unified setup.

A clear approach to compliance across both platforms. Ask how they maintain Cyber Essentials controls on Mac and Windows simultaneously.

References from businesses running mixed environments. The practical challenges of managing both platforms are specific. An IT partner with relevant client experience will have solved them before.

Ready to bring Mac into your business?

Whether you are introducing your first Macs or trying to get better control of an existing mixed fleet, the starting point is a clear picture of your current setup and what needs to change.

We work with UK businesses running Mac and Windows together: managing Apple fleets, integrating with existing Windows infrastructure and keeping everything compliant. Book a free consultation with our team to talk through your environment and get practical recommendations.

Cyber Essentials Certification for UK Businesses in 2026: The Complete Guide – With a Focus on Apple Fleets

Introduction

Three weeks before your Cyber Essentials assessment, your IT Director gets a call from your assessor.

Microsoft 365 MFA works correctly. Your Macs are enrolled, patched and ready. Firewall policies are in place. You have done the work. You are confident.

Then the assessor asks about your project management tool. And your CRM. And the accounting platform your finance team has been using since 2023. Has your team enabled MFA controls on all of them?

You do not know. Nobody checked. Two of them offer MFA as a paid add-on and nobody ever switched it on. Under the rules that came into force on 27 April 2026, that is an automatic failure.

This is the new Cyber Essentials landscape. The five core controls have not changed. What has changed is how strictly assessors enforce them, how broadly the scheme defines scope, and where the new automatic failure points sit. Businesses that approach their 2026 renewal as a straightforward repeat of previous years will get a surprise.

This guide covers everything a UK business needs to know about Cyber Essentials in 2026. Whether you run a pure Apple fleet, a mixed Apple and Windows environment, or manage personal devices alongside company hardware, the same framework applies. We focus particularly on Apple fleets because that is where most generic Cyber Essentials advice falls short, but the principles here apply across your entire device estate.

What Is Cyber Essentials Certification?

Cyber Essentials is the UK government-backed certification scheme, owned by the NCSC and delivered by IASME, that verifies a business has implemented five technical controls defending against the most common cyber attacks. The scheme is not theoretical: it targets the attack methods that cause the majority of real-world incidents affecting UK businesses.

According to the NCSC’s 2025 Annual Review, 84% of UK cyber incidents affecting small and medium businesses involved at least one of three things: missing MFA, weak passwords or misconfigured cloud services. Cyber Essentials directly targets all three.

There are two levels of certification. Standard Cyber Essentials is a verified self-assessment. You complete a questionnaire confirming your controls are in place, an accredited assessor reviews it and IASME issues the certificate if you pass. Cyber Essentials Plus goes further. An independent assessor performs technical testing of your systems to verify the controls actually work as claimed, not just that you have documented them.

Both certifications last 12 months. You renew them annually.

Why Cyber Essentials Matters More Than Ever in 2026

Cyber Essentials certification has moved from a nice-to-have to a genuine business requirement for a growing number of UK organisations.

Government contracts and public sector frameworks require it as a minimum. An increasing number of enterprise supply chains now require suppliers to hold valid Cyber Essentials certification before procurement processes can progress. Cyber insurers are tightening underwriting requirements and many now require certification as a condition of cover or offer significantly better premiums to certified businesses. In fintech, legal, healthtech and other regulated sectors, clients and investors are asking for evidence of certification as part of due diligence.

UK organisations also experienced a 36% year-on-year increase in cyber attacks per week in 2025, compared to a global average of 9.8%. That context is not incidental. It is the reason the NCSC updated the standard.

The Five Core Controls: What They Require

The five controls have not changed in the April 2026 update. What has changed is the strictness of enforcement and the breadth of scope. Here is what each control requires, with specific guidance for Apple fleets and mixed environments.

Firewalls

Every device must have a properly configured firewall. On Apple, this means enforcing the macOS firewall through MDM configuration profiles rather than relying on users to enable it themselves. Devices connecting from home networks or public WiFi are in scope. The firewall must be active and configured correctly on every in-scope device, including remote and hybrid workers’ Macs.

On Windows, this means Windows Defender Firewall enforced via Group Policy or Intune. For mixed environments, you need to evidence both sets of controls — one policy covering Macs, a separate policy covering Windows devices. A single MDM platform like Microsoft Intune can manage both, though Apple-specific controls are less granular than on dedicated Apple MDM platforms.

Under v3.3, the scheme removes the terms “untrusted” and “user-initiated” as qualifiers for internet connections. Any device connected to the internet now falls in scope, regardless of how that connection starts. There is no longer a way to argue that a home-working Mac or Windows laptop falls outside the boundary.

Secure Configuration

Devices must be securely configured from day one. For Apple fleets this means enforcing FileVault encryption, screen lock timers, Gatekeeper settings so that only signed and notarised software can run, and removal of unnecessary applications and services. These controls are applied via MDM configuration profiles, not through guidance documents asking users to configure their own devices.

The NCSC’s macOS guidance is explicit: MDM is the mechanism for enforcing secure configuration at scale. A written policy is not a technical control. An MDM profile is.

On Windows, Intune or Group Policy with CIS or Microsoft Security Baseline templates handles secure configuration. For mixed environments the principle holds across both platforms: enforce configuration technically on every in-scope device rather than trusting users to do it themselves.
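To make "an MDM profile is a technical control" concrete, here is an added example (not code from the original post, and not Apple's or any MDM vendor's tooling) that builds an unsigned .mobileconfig covering the firewall control above and the FileVault, Gatekeeper and screen-lock settings in this section, then reads the parsed profile back and reports any setting that would not satisfy the control. The payload types and keys are Apple's documented configuration profile keys; the organisation name, the identifier prefix and the 10-minute idle time are placeholder assumptions.

```python
"""Build and re-check a macOS configuration profile for the firewall and
secure-configuration controls. Added example, not code from the original post
or from any MDM vendor. Payload types and keys are Apple's documented profile
keys; ORG and PREFIX are placeholder assumptions."""
import plistlib
import uuid

ORG = "Example Ltd"             # assumption: placeholder organisation name
PREFIX = "com.example.ce"       # assumption: placeholder reverse-DNS identifier
SCREEN_LOCK_MAX_SECONDS = 600   # 10 minutes, per the checklist later in this guide


def _payload(ptype: str, name: str, **keys) -> dict:
    """Wrap payload keys with the mandatory Payload* metadata keys."""
    return {
        "PayloadType": ptype,
        "PayloadIdentifier": f"{PREFIX}.{ptype}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": name,
        "PayloadOrganization": ORG,
        **keys,
    }


def build_ce_profile(screen_lock_minutes: int = 10) -> dict:
    """Return the profile as a plist-ready dict (system scope, non-removable)."""
    payloads = [
        # Firewall control: application firewall on, stealth mode on, signed
        # software allowed through rather than blocking every inbound service.
        _payload("com.apple.security.firewall", "Application Firewall",
                 EnableFirewall=True, BlockAllIncoming=False,
                 EnableStealthMode=True, AllowSigned=True, AllowSignedApp=True),
        # Secure configuration: FileVault turned on at next login, no bypass
        # allowed, personal recovery key used (the escrow payload is not shown).
        _payload("com.apple.MCX.FileVault2", "FileVault",
                 Enable="On", Defer=True, UseRecoveryKey=True,
                 ShowRecoveryKey=False, DeferForceAtUserLoginMaxBypassAttempts=0),
        # Secure configuration: Gatekeeper on, App Store and identified developers only.
        _payload("com.apple.systempolicy.control", "Gatekeeper",
                 EnableAssessment=True, AllowIdentifiedDevelopers=True),
        # Secure configuration: lock after the idle window, password required at once.
        _payload("com.apple.screensaver", "Screen Lock",
                 idleTime=screen_lock_minutes * 60, askForPassword=True,
                 askForPasswordDelay=0),
    ]
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{PREFIX}.baseline",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Cyber Essentials baseline",
        "PayloadOrganization": ORG,
        "PayloadScope": "System",
        "PayloadRemovalDisallowed": True,
        "PayloadContent": payloads,
    }


def profile_xml(screen_lock_minutes: int = 10) -> bytes:
    """Serialise to the XML plist that a .mobileconfig file contains."""
    return plistlib.dumps(build_ce_profile(screen_lock_minutes))


def parse_profile(xml: bytes) -> dict:
    """Parse a .mobileconfig back into a dict (what an assessor's evidence check does)."""
    return plistlib.loads(xml)


def check_profile(profile: dict) -> list:
    """Read the enforced values back and return CE findings (empty = clean)."""
    by_type = {p["PayloadType"]: p for p in profile.get("PayloadContent", [])}
    findings = []
    if not by_type.get("com.apple.security.firewall", {}).get("EnableFirewall"):
        findings.append("firewall not enforced")
    if by_type.get("com.apple.MCX.FileVault2", {}).get("Enable") != "On":
        findings.append("FileVault not enforced")
    if not by_type.get("com.apple.systempolicy.control", {}).get("EnableAssessment"):
        findings.append("Gatekeeper not enforced")
    lock = by_type.get("com.apple.screensaver", {})
    if not lock.get("askForPassword") or lock.get("idleTime", 10**9) > SCREEN_LOCK_MAX_SECONDS:
        findings.append("screen lock missing or idle time over 10 minutes")
    return findings


if __name__ == "__main__":
    xml = profile_xml()
    print(xml.decode())
    print("findings:", check_profile(parse_profile(xml)))
```

Deliver the profile through your MDM rather than by hand: since macOS 11 configuration profiles cannot be installed from the command line, and the FileVault payload in particular only takes effect when the profile arrives via a user-approved or automated MDM enrolment. The check_profile function is the shape of evidence an assessor wants: the profile is parsed, the enforced values are read back, and a deviation (a 30-minute screen lock, say) surfaces as a finding rather than being taken on trust.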

User Access Control

Only authorised users should access your systems and data. Under v3.3, this control now explicitly references passwordless authentication methods, including passkeys and FIDO2 security keys, as preferred alternatives to traditional passwords. For Apple fleets, this means Managed Apple Accounts configured correctly, admin rights restricted to those who genuinely need them, and identity provider integration (Okta, Microsoft Entra ID or Google Workspace) enforced via MDM.

Local administrator accounts on Macs are one of the most common reasons Apple-fleet businesses fail this control. A fleet where users run as local admins with no central oversight is not compliant. MDM-enforced standard user accounts, with controlled and logged escalation when admin rights are genuinely needed, are.

In mixed environments, identity provider integration becomes even more important. Okta or Microsoft Entra ID as a single identity layer across both Apple and Windows devices ensures MFA and access controls are applied consistently regardless of which device an employee uses. Fragmented identity management (one policy for Windows, a different approach for Macs) is a common failure point in mixed-fleet assessments.

Malware Protection

Apple devices need active malware protection configured and verified, not just installed. macOS includes XProtect and XProtect Remediator as built-in malware detection and removal layers, but Cyber Essentials requires active protection that is demonstrably up to date and configured to scan files automatically. Most MDM platforms report the installed XProtect definition version per device, which is the evidence that the built-in layer is current. For businesses pursuing Cyber Essentials Plus or operating in regulated sectors, a third-party endpoint detection and response solution such as CrowdStrike or SentinelOne provides deeper protection and better evidence for your assessor.

Windows 10 and 11 ship with Microsoft Defender, which meets the basic malware protection requirement when your team configures it correctly. For higher risk profiles or Cyber Essentials Plus, a more comprehensive EDR solution provides stronger assurance. For mixed environments, a unified EDR platform covering both Mac and Windows from a single console gives assessors the clearest evidence of consistent protection across the estate.

Patch Management

Keep all devices and software up to date at all times. Under v3.3, the 14-day patching requirement for high-risk and critical security updates has become an automatic failure point if not met. This is not new in principle; 14 days has been the standard for several versions. What is new is that failure to evidence it within 14 days now results in immediate failure rather than a warning with an opportunity to remediate.

For Apple fleets, this means OS updates and third-party application patches are enforced via MDM policies with documented enforcement timelines. Relying on users to update their own Macs is not evidenceable. MDM-enforced update policies with compliance reporting are.

On Windows, Intune handles OS patching well through Windows Update for Business but has no native third-party app patching — a gap that requires additional tooling such as PatchMyPC. On Mac, dedicated Apple MDM platforms like Jamf and Iru handle both OS and third-party app patching natively, making the 14-day patching requirement significantly easier to evidence on Apple than on Windows-heavy Intune deployments.
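One way to turn a "documented enforcement timeline" into something a Mac actually enforces, as an added example that is not from the original post and not a specific vendor's feature: the Declarative Device Management (DDM) software update enforcement declaration that an MDM serves to macOS 14 and later, with the enforcement date computed from the release date so it always lands inside the 14-day window. The declaration Type and the Payload keys TargetOSVersion and TargetLocalDateTime are Apple's; the identifier, the two-day safety margin and the 18:00 local cut-off are assumptions of this example, and the version string is whatever release you are enforcing.

```python
"""Build the Declarative Device Management (DDM) declaration that makes macOS
enforce an update by a deadline derived from its release date. Added example,
not from the original post and not any MDM vendor's code. The declaration
Type and Payload keys are Apple's; the identifier, the two-day safety margin
and the 18:00 local cut-off are assumptions of this example."""
import hashlib
import json
from datetime import date, datetime, time, timedelta

PATCH_WINDOW = timedelta(days=14)   # Cyber Essentials: critical updates within 14 days
SAFETY_MARGIN = timedelta(days=2)   # assumption: enforce before day 14, not on it
CUTOFF = time(18, 0)                # assumption: force the restart at 18:00 local time


def update_deadline(released_iso: str) -> datetime:
    """Local date/time at which the device will force the update."""
    released = date.fromisoformat(released_iso)
    return datetime.combine(released + PATCH_WINDOW - SAFETY_MARGIN, CUTOFF)


def enforcement_declaration(target_os: str, released_iso: str,
                            identifier: str = "com.example.ce.osupdate") -> dict:
    """Declaration telling Macs below target_os to install it by the deadline."""
    payload = {
        "TargetOSVersion": target_os,   # the release being enforced
        "TargetLocalDateTime": update_deadline(released_iso).strftime("%Y-%m-%dT%H:%M:%S"),
    }
    # ServerToken must change whenever the declaration content changes, so the
    # device re-syncs it; deriving it from the payload guarantees that.
    token = hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()[:16]
    return {
        "Type": "com.apple.configuration.softwareupdate.enforcement.specific",
        "Identifier": identifier,       # assumption: placeholder identifier
        "ServerToken": token,
        "Payload": payload,
    }


if __name__ == "__main__":
    # Constructed release date; "15.4" stands in for whichever release you are enforcing.
    print(json.dumps(enforcement_declaration("15.4", "2026-04-10"), indent=2))
```

The MDM publishes this declaration in its declaration manifest; the Mac then shows the user the deadline, lets them install early, and forces the install and restart at the cut-off. The safety margin is the practical part: an enforcement time of exactly day 14 leaves no room for a laptop that was closed in a drawer that evening, and the release date, not the date you noticed the update, is what the 14 days run from.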

What Changed in April 2026: The v3.3 Danzell Update

From 27 April 2026, all Cyber Essentials assessments use the new v3.3 requirements, known as the Danzell question set. Any assessment account your team creates on or after that date runs against these updated standards. Accounts created before the deadline continue under the previous version for up to six months.

The five core controls remain unchanged. What v3.3 changes is how strictly assessors enforce the controls, where the new automatic failure points sit and how broadly the scheme defines scope. These are the changes that matter most for UK businesses.

MFA Is Now an Automatic Failure Point

Under previous versions, if a cloud service offered MFA and you had not enabled it, you received a major non-compliance warning but could still pass. Under v3.3 that changes entirely. If any cloud service your business uses offers MFA, whether free, included in the subscription or available as a paid add-on, and you have not enabled it, your assessment fails automatically.

This applies to every cloud service your business uses: Microsoft 365, Google Workspace, your CRM, accounting platform, project management tool and so on. Any SaaS application that stores or processes company data and offers MFA as an option is in scope. Cost is not an acceptable justification for not enabling it.

For Apple fleets this means identity provider integration via MDM is no longer optional for Cyber Essentials purposes. Your team needs to enforce MFA through whichever identity provider you use (Okta, Microsoft Entra ID or Google Workspace) for all user accounts, not just administrator accounts. Note that single sign-on only covers the services that are actually federated to the identity provider; a CRM or accounting platform with its own local logins needs MFA switched on inside that service as well.

Cloud Services Cannot Be Excluded From Scope

Under previous versions, businesses could argue that certain cloud services sat outside scope because they had segregated them from the main environment. Under v3.3 that argument no longer holds. Businesses need clear justification and credible evidence of proper segregation to exclude anything and most cannot provide it.

Any cloud service that stores or processes business data is in scope. This includes productivity suites, CRM platforms, accounting systems, HR software, project management tools and file sharing services. If company data touches it, it is in scope. For many UK businesses this will significantly expand their certification footprint compared to previous years.

14-Day Patching Is Now an Auto-Fail

Two patching questions have moved to automatic failure status under v3.3. If high-risk or critical security updates are not applied across your entire device estate within 14 days of release, your assessment fails immediately. Previously this was a major non-compliance with the ability to remediate. Under v3.3 it is an outright failure.

For Apple fleets this means MDM-enforced OS update policies with documented enforcement timelines are essential, not just good practice. For Windows devices, Windows Update for Business must be configured with 14-day enforcement timelines and third-party app patching must be handled through a supplementary tool. Relying on users to update their own devices on either platform does not meet this requirement.

BYOD Controls Are Tighter

v3.3 tightens BYOD requirements significantly. If personal devices access organisational data, they must either meet the full Cyber Essentials technical controls or access must be limited to a managed, sandboxed environment such as a virtual desktop or managed mobile application container. Simply having a BYOD policy document is no longer sufficient. The technical controls must be demonstrable to your assessor.

For businesses with employees checking work email or Slack on personal iPhones, this is a significant change. MDM enrolment for personal devices through a proper BYOD programme is the correct technical response.

Remediation Must Now Be Estate-Wide

Under v3.3, if a vulnerability or control gap is identified during a Cyber Essentials Plus assessment, remediation must be applied across the entire device estate, not just the sampled devices that were tested. This closes a loophole where businesses would fix issues on the specific devices being assessed while leaving the same issues unaddressed elsewhere. For both Apple and Windows fleet managers this means MDM compliance reporting across every enrolled device is no longer optional; it is the evidence base your assessor will expect.

Where Most UK Businesses Fail, Especially Those Running Apple Fleets

We have helped businesses including Revolut and Kroo navigate their compliance and security challenges. These are the failure points we see most consistently.

Mixed fleet with inconsistent controls.
Windows devices managed through Intune and Group Policy, Macs treated as a separate and often less governed estate. Assessors look at every in-scope device. If your Mac controls do not match the rigour of your Windows controls, that gap is visible and will be challenged.

Personal devices that nobody mapped.
The most common reason UK scale-ups fail their first assessment. Employees have been checking work email on personal iPhones for two years. Nobody formally enrolled those devices or included them in scope. Under v3.3, personal devices accessing company data are in scope, with no exceptions.

Local administrator accounts on Macs.
Developers and power users running as local admins on their Macs with no central oversight. This fails the user access control requirement. MDM-enforced standard user accounts with controlled escalation is the fix.

MFA gaps on secondary cloud services.
Microsoft 365 MFA is enabled. But the CRM, the accounting platform and the project management tool were not audited. Under v3.3 each of those is an automatic failure point if MFA is not enabled.

Patch management that relies on users.
Macs configured to prompt users to update rather than enforce updates through MDM. Windows devices relying on manual patching or user-initiated updates. Assessors ask for evidence of patching within 14 days. Self-reported compliance from users is not evidence. MDM compliance reports are.

Outdated or unsupported OS versions.
Devices running macOS or Windows versions that are no longer receiving security patches. Fleet visibility via MDM is the only reliable way to identify and remediate these before assessment.

Scope defined too narrowly.
Attempting to exclude cloud services that are actively used by the business. Under v3.3 assessors are specifically looking for this and it is a straightforward route to failure.
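The failure points above, the patch management control and the v3.3 automatic failure rules (14-day patching, MFA on every cloud service that offers it) are all things you can check against your own MDM and identity-provider exports before the assessor does. What follows is an added example, not part of the original post and not the export format of Jamf, Intune, Okta or any other product: a pre-assessment script over a constructed inventory of two Macs, two Windows laptops and three cloud services, applying the same rules to both platforms and separating the v3.3 auto-fails from ordinary control gaps. Every field name, device name, date and update label in it is constructed.

```python
"""Pre-assessment check of a fleet export against the Cyber Essentials v3.3
rules discussed above. Added example, not from the original post; the JSON
shape is constructed and is not the export format of Jamf, Intune or Okta."""
import json
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)   # v3.3: high/critical updates within 14 days
SCREEN_LOCK_MAX = 600               # seconds; 10 minutes, per the checklist

# Constructed sample export: device names, dates and update labels are made up.
SAMPLE_EXPORT = json.dumps({
    "as_of": "2026-05-04",
    "devices": [
        {"name": "mac-dev-01", "platform": "macOS", "enrolled": True,
         "os_supported": True, "firewall": True, "encrypted": True,
         "screen_lock_seconds": 300, "local_admins": ["dev.user"],
         "critical_updates": [{"id": "crit-2026-04a", "released": "2026-04-10",
                               "installed": "2026-04-12"}]},
        {"name": "mac-ops-02", "platform": "macOS", "enrolled": True,
         "os_supported": True, "firewall": False, "encrypted": True,
         "screen_lock_seconds": 1200, "local_admins": [],
         "critical_updates": [{"id": "crit-2026-04a", "released": "2026-04-10",
                               "installed": None}]},
        {"name": "win-fin-03", "platform": "Windows", "enrolled": True,
         "os_supported": True, "firewall": True, "encrypted": True,
         "screen_lock_seconds": 600, "local_admins": [],
         "critical_updates": [{"id": "crit-2026-04b", "released": "2026-04-28",
                               "installed": None}]},
        {"name": "win-old-04", "platform": "Windows", "enrolled": False,
         "os_supported": False, "firewall": True, "encrypted": False,
         "screen_lock_seconds": 600, "local_admins": ["fin.user"],
         "critical_updates": []},
    ],
    "cloud_services": [
        {"name": "Microsoft 365", "offers_mfa": True, "mfa_all_users": True},
        {"name": "CRM", "offers_mfa": True, "mfa_all_users": False},
        {"name": "Legacy tool", "offers_mfa": False, "mfa_all_users": False},
    ],
})


def _day(iso: str) -> date:
    return date.fromisoformat(iso)


def check_device(dev: dict, as_of: date):
    """Return (auto_fail, findings) for one device; same rules on both platforms."""
    findings, auto_fail = [], False
    if not dev["enrolled"]:
        findings.append("not enrolled in MDM: no evidence for any control")
    if not dev["os_supported"]:
        findings.append("OS version no longer receives security patches")
    if not dev["firewall"]:
        findings.append("host firewall not enforced")
    if not dev["encrypted"]:
        findings.append("disk encryption (FileVault/BitLocker) not enforced")
    if dev["screen_lock_seconds"] > SCREEN_LOCK_MAX:
        findings.append("screen lock idle time exceeds 10 minutes")
    if dev["local_admins"]:
        findings.append("local administrator accounts: " + ", ".join(dev["local_admins"]))
    for upd in dev["critical_updates"]:
        deadline = _day(upd["released"]) + PATCH_WINDOW   # day 14 after release
        installed = upd["installed"]
        if installed is None and as_of > deadline:
            findings.append(f"AUTO-FAIL: {upd['id']} unpatched {(as_of - deadline).days} "
                            "days past the 14-day deadline")
            auto_fail = True
        elif installed is not None and _day(installed) > deadline:
            findings.append(f"AUTO-FAIL: {upd['id']} installed after the 14-day deadline")
            auto_fail = True
        elif installed is None:
            findings.append(f"{upd['id']} pending, {(deadline - as_of).days} days left")
    return auto_fail, findings


def check_cloud(svc: dict):
    """v3.3: a service that offers MFA (free or paid) and does not enforce it is an auto-fail."""
    if svc["offers_mfa"] and not svc["mfa_all_users"]:
        return True, ["AUTO-FAIL: MFA available but not enforced for all users"]
    if not svc["offers_mfa"]:
        return False, ["no MFA offered: record this in the scope justification"]
    return False, []


def assess(export_json: str) -> dict:
    """Evaluate every device and cloud service; auto_fail is True if any rule trips."""
    export = json.loads(export_json)
    as_of = _day(export["as_of"])
    report = {"auto_fail": False, "devices": {}, "cloud_services": {}}
    for dev in export["devices"]:
        fail, findings = check_device(dev, as_of)
        report["devices"][dev["name"]] = findings
        report["auto_fail"] = report["auto_fail"] or fail
    for svc in export["cloud_services"]:
        fail, findings = check_cloud(svc)
        report["cloud_services"][svc["name"]] = findings
        report["auto_fail"] = report["auto_fail"] or fail
    return report


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_EXPORT), indent=2))
```

Two design points carry over to a real export. The 14-day clock runs from the vendor's release date, not from when the update appeared in your MDM console, so the export needs the release date, not just the install date. And an unenrolled device produces no evidence at all, which is why the script records it as a gap on every control rather than trusting whatever the user says about it.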

How MDM Connects to Cyber Essentials on Apple and Windows

Cyber Essentials does not mandate MDM. But for any business managing more than a handful of devices, MDM is the only realistic way to evidence the controls your assessor requires.

On Windows, Microsoft Intune is the most common MDM platform and handles OS update management and configuration profiles well. However Intune has no native third-party app patching, and Mac-specific controls in Intune are less granular and slower to update than dedicated Apple MDM platforms. For businesses running a mixed fleet, many choose Intune for Windows management and a dedicated Apple MDM platform for Macs, accepting some tool overlap in exchange for stronger Apple coverage.

Here is how MDM maps directly to each of the five controls:

Firewalls – MDM configuration profiles enforce the macOS firewall and Windows Defender Firewall on every enrolled device. You can evidence this from your MDM compliance dashboard without asking individual users.

Secure Configuration – MDM profiles apply FileVault or BitLocker encryption, screen lock timers, Gatekeeper settings and restricted app installation across the fleet. CIS Level 1 benchmark templates in platforms like Jamf and Iru apply dozens of secure configuration controls in a single Apple profile. Microsoft Security Baseline templates do the same on Windows via Intune.

User Access Control – MDM integration with your identity provider enforces MFA, manages accounts and restricts local administrator access across both Mac and Windows. A unified identity layer via Okta or Microsoft Entra ID means access controls are enforced technically and consistently across your entire estate.

Malware Protection – MDM provides visibility into protection status across the fleet and enables deployment of third-party EDR solutions to every enrolled device regardless of platform.

Patch Management – MDM enforces OS update policies with defined timelines and generates compliance reports showing which devices are patched and which are not. On Mac, platforms like Jamf and Iru also handle third-party app patching natively. On Windows, a supplementary patching tool is required alongside Intune.

For the BYOD controls under v3.3, MDM enrolment for personal devices through a properly configured BYOD programme is the technical mechanism that allows you to evidence compliance on personal devices without accessing personal data.

Cyber Essentials vs Cyber Essentials Plus: Which Do You Need?

The right choice depends on your client requirements, sector and risk profile.

Standard Cyber Essentials is the minimum required for most government contracts and supply chain requirements. It is a self-assessment verified by an accredited assessor. The process is faster and the cost is lower, typically from around £300 for the assessment fee. For businesses working toward certification for the first time or renewing in a relatively stable environment, standard Cyber Essentials is usually the right starting point.

Cyber Essentials Plus requires an independent assessor to perform technical testing of your systems. It carries significantly more weight with regulated clients, enterprise procurement teams and cyber insurers. Under the v3.3 update, Plus assessors will now test MFA enforcement, endpoint configuration and vulnerability remediation more rigorously across both Apple and Windows devices. Assessment fees typically start from around £1,500 and vary by organisation size.

Increasingly, public sector contracts and larger enterprise supply chains require Cyber Essentials Plus rather than standard certification. If you are planning to bid for government frameworks or supply large enterprise clients in financial services, legal or healthcare, pursuing Plus from the outset avoids having to repeat the process at a later stage.

How to Prepare: A Practical Checklist

Work through this list before creating your assessment account.

MDM and device management – Apple:

  • Every Mac enrolled in MDM with active MDM profile
  • MDM configuration profiles applying CIS Level 1 baseline as a minimum
  • FileVault enforced on all enrolled Macs
  • Screen lock timer set to 10 minutes or less
  • Gatekeeper set to hard enforcement
  • All users running as standard accounts, not local admins
  • Admin access granted only to named individuals with documented justification

MDM and device management – Windows:

  • Windows devices enrolled in Intune or equivalent MDM
  • Windows Defender Firewall enforced via policy
  • BitLocker encryption enforced on all Windows laptops
  • CIS or Microsoft Security Baseline applied
  • Local administrator accounts restricted

Patch management:

  • OS update enforcement policies active via MDM on all devices
  • Documented process for applying critical patches within 14 days
  • MDM compliance report showing patch status across all enrolled devices
  • Third-party application patching in place on both Mac and Windows – not reliant on user action
  • No devices running unsupported OS versions on either platform

MFA and identity:

  • MFA enabled on Microsoft 365 or Google Workspace for all users
  • MFA enabled on every cloud service that offers it – CRM, accounting, HR, project management
  • Identity provider integrated with MDM for consistent enforcement across Mac and Windows
  • No MFA exceptions for any user account

Cloud services and scope:

  • Full audit of cloud services that store or process company data
  • All identified services included in certification scope
  • Shared responsibility understood for each cloud platform
  • No cloud services excluded without documented segregation evidence

BYOD and personal devices:

  • Personal devices accessing company data enrolled in MDM under BYOD programme
  • BYOD MDM profile applied covering passcode, encryption and OS update requirements
  • Personal devices included in certification scope
  • Offboarding process confirmed for personal device unenrolment

Malware protection:

  • Active malware protection deployed and verified on all devices
  • MDM providing visibility into protection status across the fleet
  • Third-party EDR solution deployed for businesses pursuing Plus or operating in regulated sectors
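A local spot-check that evidences the Apple items above (FileVault, screen lock timer, Gatekeeper, named administrators only) from the output of standard macOS commands, as an added example that is not code from nDuo or any MDM vendor; the outputs are parsed from constructed sample strings so the logic runs anywhere, and `itadmin` stands in for your own documented admin list. It complements, rather than replaces, the MDM compliance report the checklist calls for.

```shell
#!/bin/sh
# Each check_* function takes the raw output of the underlying macOS command as
# its argument, so the decision logic can be exercised with constructed strings
# on any system; collect_live() runs the real commands only on macOS.

# FileVault: `fdesetup status` prints "FileVault is On." when enabled.
check_filevault() {
  case "$1" in
    *"FileVault is On"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Gatekeeper: `spctl --status` prints "assessments enabled" under enforcement.
check_gatekeeper() {
  case "$1" in
    *"assessments enabled"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Screen lock: `defaults -currentHost read com.apple.screensaver idleTime`
# prints the idle timeout in seconds. Checklist: 10 minutes (600 s) or less.
# 0 means "never", and an unset key (empty output) is treated as unevidenced.
check_screenlock() {
  idle=$(printf '%s' "$1" | tr -cd '0-9')
  [ -n "$idle" ] || return 1
  [ "$idle" -gt 0 ] && [ "$idle" -le 600 ]
}

# Local admins: `dscl . -read /Groups/admin GroupMembership` prints
# "GroupMembership: root alice bob". Every member other than root must be in
# the space-separated allow-list ($2) of named, justified administrators.
# Prints the unexpected admins and returns 1 if there are any.
check_admins() {
  members=$(printf '%s' "$1" | sed -n 's/^GroupMembership: *//p')
  unexpected=""
  for m in $members; do
    [ "$m" = "root" ] && continue
    case " $2 " in
      *" $m "*) ;;
      *) unexpected="$unexpected $m" ;;
    esac
  done
  unexpected=$(printf '%s' "$unexpected" | sed 's/^ //')
  printf '%s' "$unexpected"
  [ -z "$unexpected" ]
}

# Prints one PASS/FAIL line per control in checklist order and returns the
# number of failing controls (0 means fully compliant on these four items).
# Arguments: fdesetup output, idleTime output, spctl output, dscl output, allow-list.
report() {
  fails=0
  check_filevault "$1" && echo "PASS FileVault enforced" \
    || { echo "FAIL FileVault not enabled"; fails=$((fails+1)); }
  check_screenlock "$2" && echo "PASS Screen lock timer 10 minutes or less" \
    || { echo "FAIL Screen lock timer"; fails=$((fails+1)); }
  check_gatekeeper "$3" && echo "PASS Gatekeeper enforcing" \
    || { echo "FAIL Gatekeeper disabled"; fails=$((fails+1)); }
  extra=$(check_admins "$4" "$5") && echo "PASS Only named local admins" \
    || { echo "FAIL Unjustified local admins: $extra"; fails=$((fails+1)); }
  return $fails
}

# On a Mac, gather live output and evaluate it; $1 is the admin allow-list
# (the default "itadmin" is a placeholder, not a real account).
collect_live() {
  [ "$(uname)" = "Darwin" ] || { echo "collect_live: macOS only"; return 2; }
  report "$(fdesetup status 2>/dev/null)" \
         "$(defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null)" \
         "$(spctl --status 2>/dev/null)" \
         "$(dscl . -read /Groups/admin GroupMembership 2>/dev/null)" \
         "${1:-itadmin}"
}

# Constructed sample outputs (not captured from a real device) so the script
# demonstrates a mixed result anywhere: FileVault and Gatekeeper pass, the
# 15-minute screen lock and the undocumented admin "jane" fail.
SAMPLE_FV="FileVault is On."
SAMPLE_IDLE="900"
SAMPLE_GK="assessments enabled"
SAMPLE_ADMINS="GroupMembership: root itadmin jane"
report "$SAMPLE_FV" "$SAMPLE_IDLE" "$SAMPLE_GK" "$SAMPLE_ADMINS" "itadmin" \
  || echo "Controls failing: $?"
```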

Cyber Essentials and ISO 27001: How They Fit Together

They are separate frameworks with different scopes and different purposes, but they are complementary rather than competing.

Cyber Essentials focuses on five specific technical controls and is assessed against a defined checklist. ISO 27001 is a broader information security management standard covering people, processes and technology across the entire organisation. It requires a documented information security management system, a formal risk assessment process and ongoing management review.

For most growing UK businesses, Cyber Essentials is the right first step. It is faster to achieve, has a lower cost of entry and satisfies most immediate client and contract requirements. ISO 27001 becomes the natural progression as the business matures, takes on larger enterprise clients or enters regulated markets that require a more comprehensive assurance framework.

nDuo implements both. We build Cyber Essentials alignment into every MDM engagement from day one, with the ISO 27001 progression in mind from the outset. The device security controls that satisfy Cyber Essentials are the same controls that form the endpoint security component of an ISO 27001 programme. Getting them right once means you are not rebuilding from scratch when your compliance requirements grow.

Why Apple-Specific Expertise Matters for Cyber Essentials

Most Cyber Essentials consultants come from a Windows background. They are comfortable with Group Policy, Intune and Windows Defender. For businesses running purely Windows estates, that expertise is sufficient. But for businesses running Apple fleets, whether Apple-only or mixed Apple and Windows, the gaps in Apple-specific knowledge frequently cause problems that a Windows-focused consultant will not anticipate.

The result is that Apple-first businesses frequently receive generic advice that does not map correctly to their actual environment. Controls are implemented in ways that satisfy a Windows-focused assessor but leave genuine gaps on the Mac side. Or MDM is configured correctly but the compliance reporting structure does not produce the evidence format the assessor expects.

nDuo holds Cyber Essentials certification ourselves. We are an Apple Premium Technical Partner with Apple MDM expertise across Jamf Pro, Iru (formerly Kandji) and Microsoft Intune. We have guided businesses including Revolut and Kroo through Cyber Essentials certification and we build compliance alignment into every MDM deployment from day one.

If your team runs Apple devices, whether as your primary platform or alongside Windows, the difference between generic IT advice and Apple-specific expertise is frequently the difference between passing first time and needing to remediate and resubmit.

Get a Free Cyber Essentials Readiness Review

If you are working toward Cyber Essentials certification, renewing under the new v3.3 requirements, or simply not sure where your current device estate stands against the standard, we offer a free readiness review.

We will assess your current MDM configuration, device compliance posture and cloud service scope against the five Cyber Essentials controls and the v3.3 changes, and give you a clear picture of what needs to change before you create your assessment account. Whether you run a pure Apple fleet, a mixed environment or a BYOD programme, we will give you a straight answer on where you stand.

No jargon. No obligation. Just an honest assessment from a team that has done this for Apple fleets and mixed environments across UK fintech, scale-ups and regulated businesses.

Explore our Cyber Essentials service or book a free readiness review with our team today.

Which Apple MDM Is Right for Your UK Business in 2026?

Jamf vs Intune vs Iru (Kandji) vs FleetDM vs Apple Business MDM: Which Is Right for Your UK Business in 2026?

Introduction

Picture this. Your IT Director sits down to do an Apple MDM comparison. She opens five browser tabs. One for Jamf. One for Intune. One for something called Iru that used to be called Kandji. One for FleetDM, which someone on the engineering team swears by. And one for Apple Business, which apparently now includes free MDM built in.

Three hours later, she is more confused than when she started.

Every vendor claims to be the best. Every comparison article was written by someone trying to sell you something. And nobody is being straight about what each platform actually cannot do.

This guide is different. We are a vendor-neutral Apple MDM specialist. We implement and manage all five platforms covered here for UK businesses on a regular basis. Our job is to put you on the right platform for your specific situation, not the one we prefer.

If you are new to MDM and want to understand the basics first, read our guide on what MDM is and how it works before coming back here.
If you are ready to compare, read on.

Apple MDM Comparison: The Five Platforms at a Glance

| Feature | Apple Business | Jamf for Mac | Iru (Kandji) | MS Intune | FleetDM |
|---|---|---|---|---|---|
| Price | Free | From £10/device/mo | £3–£7/device/mo | Included in M365 or £6/user/mo | Free or £6/host/mo |
| Best for | Small teams, no IT resource | Large enterprise Apple fleets | Growing teams, compliance | Mixed Windows and Apple | Engineering-led, Linux included |
| Apple-first? | | | | | |
| Cross-platform? | | Limited | Expanding | | |
| Zero-touch | | | | | |
| Cyber Essentials | | | | | |
| Compliance reporting | | | | | |
| 3rd party security | | CrowdStrike, SentinelOne | CrowdStrike, Okta, Vanta | Defender | Splunk, Elastic |
| Automated patching | Basic | Advanced (policy-based, CVE-triggered) | Advanced (300+ apps, Mac and Windows) | OS only. No native 3rd party patching | ~50 app catalog. Munki needed for enterprise |
| BYOD support | | | | | |
| Linux support | | | | | |
| Open source | | | | | |
| Setup complexity | Low | High | Low–medium | Medium–high | High |
| Support quality | Apple standard | Good | Excellent (<2 min chat) | Poor (widely reported) | Community + paid |
| Ideal fleet size | 1–25 devices | 50+ devices | 25–500+ devices | Any (mixed) | Any (technical) |
| Free trial | N/A | 14 days | 14 days | 30 days | Permanent free tier |

Rows shown without values (Apple-first?, Zero-touch, Cyber Essentials, Compliance reporting, BYOD support, Linux support, Open source) were yes/no indicators whose values are not preserved in this copy of the table.

Apple Business MDM: The Free Option That Launched in April 2026

What it is

Apple Business launched in the UK on 14 April 2026, replacing Apple Business Manager, Apple Business Essentials and Apple Business Connect. For the first time, Apple includes built-in device management natively, at no cost. Zero-touch deployment via Blueprints, app distribution, passcode enforcement and basic security policies are all included.

The real-life scenario where it works

You are a 12-person startup. Everyone uses a Mac. You have no dedicated IT person. You want devices enrolled and basic security policies in place before your first SOC 2 audit. Apple Business MDM gets you there for free, in an afternoon.

What it does well

Zero-touch deployment is genuinely impressive. A new Mac arrives, the employee unpacks it, it configures itself. App distribution works cleanly. Managed Apple Accounts keep work and personal data separate. For a business with a simple, Apple-only fleet and no complex compliance requirements, it covers the fundamentals competently.

Where it falls short

Apple designed this for businesses without dedicated IT resources. Once your compliance requirements mature, it hits clear limits fast.

There are no compliance reports for Cyber Essentials or ISO 27001. Third-party security integrations such as CrowdStrike or SentinelOne are not supported. Scripting and automation at scale are beyond its capabilities. Android, BYOD management and advanced patch management are simply not part of what Apple designed this platform to do. And the companion employee app requires iOS 26, iPadOS 26 and macOS 26, none of which have launched yet.

What real users complain about: The lack of granular reporting is the most common complaint from businesses that outgrow it. There is no audit trail that satisfies Cyber Essentials assessors.

The verdict

Apple Business MDM is the right starting point for early-stage businesses with simple Apple-only fleets and no regulated data. For anyone preparing for Cyber Essentials, ISO 27001, or managing a fleet of more than 25 devices with any complexity, it is the foundation, not the solution.

Jamf Pro: The Industry Standard for Apple. Now with a simpler entry point

What it is

Jamf has been the go-to Apple MDM platform for over two decades. In 2026 Jamf restructured its product offering significantly to address one of its biggest criticisms: complexity. The result is two important additions that change how businesses buy and use Jamf.

Jamf for Mac

Jamf for Mac is a new all-in-one bundle that combines Jamf Pro (device management), Jamf Connect (identity and access management) and Jamf Protect (endpoint security) into a single subscription at approximately £10 per Mac per month. Previously these three products had to be purchased and configured separately. The bundle removes that complexity and gives businesses a complete Mac management and security stack in one package.

Jamf Elevate

Jamf Elevate is a new unified management and security dashboard designed specifically for small and medium-sized businesses. Jamf offers it free of charge to qualifying SMBs. It is Jamf’s direct response to the criticism that Jamf Pro is too complex for smaller IT teams, providing a simplified interface on top of the same underlying platform.

The real-life scenario where it works

You are the IT Director at a 200-person fintech in London. You manage a global Apple fleet across three offices, you are working toward ISO 27001 certification and your security team has mandated CIS Level 1 benchmarks as the baseline across every endpoint, with CrowdStrike on every Mac. Your engineers run custom scripts to automate onboarding. Your auditor needs compliance reports that show exactly which devices are patched, encrypted and policy-compliant at any given moment.

This is the environment Jamf Pro was built for. But a Jamf deployment at this level is not something you configure in a weekend. Getting Smart Groups, policies, Jamf Protect and Jamf Connect working together correctly, integrated with your identity provider and mapped to your compliance framework, requires deep platform knowledge. Done well it is transformative. Done poorly it becomes the reason IT teams firefight all the time and then look for a new solution.

nDuo implements and manages Jamf Pro for clients at exactly this scale. We handle the configuration, the compliance mapping and the ongoing management so your IT team gets the power of Jamf without the overhead of becoming Jamf experts themselves.

What it does well

The depth of configuration is unmatched. Jamf Pro supports hundreds of granular configuration profiles, advanced patch management, full CIS benchmark enforcement and integrations with CrowdStrike, SentinelOne, Microsoft Defender and dozens of other security tools. Compliance reporting is detailed and audit-ready. Every new Apple OS feature lands in Jamf on day one.

Jamf Protect, included in the Jamf for Mac bundle, adds Mac-native endpoint detection and response, threat prevention, CVE-triggered automatic remediation and SIEM integration. For regulated industries this is a significant capability.

The Jamf for Mac bundle makes the full stack accessible at a predictable per-device price rather than requiring three separate negotiations.

Where it falls short

Cost remains the most consistent complaint even with the new bundle. At approximately £10 per Mac per month for the full bundle, a 100-device fleet costs around £1,000 per month before implementation or support costs. Volume discounts are negotiable but the 25-device minimum and annual billing commitment are fixed.

The underlying complexity of Jamf Pro has not gone away. Jamf Elevate simplifies the experience for SMBs but advanced configurations still require expertise. Some users consistently report that standard functions require scripting and workarounds that feel unnecessary compared to other MDM platforms. The learning curve for new administrators is steep.

Jamf does not have strong cross-platform support. Android support has been introduced lately but Apple remains the core focus.

The verdict

Jamf Pro remains the right choice for larger Apple fleets with complex compliance requirements and regulated industries. The Jamf for Mac bundle makes the full stack more accessible. Jamf Elevate is worth exploring for SMBs who want Jamf’s platform without the administrative overhead.

Iru (Formerly Kandji)

What it is

Iru was Kandji until October 2025. The rebrand reflects a broader ambition: Iru is expanding from Apple-focused MDM into a full AI-powered platform covering identity and access, endpoint security and compliance automation across Apple, Windows and Android. The MDM core remains Apple-first and mature, with Windows and Android support expanding rapidly.

The real-life scenario where it works

You are a 60-person business. You have Apple Business MDM in place but you are three weeks from your Cyber Essentials audit and you have just discovered personal devices are in scope, your compliance reporting is non-existent and your patch management cannot be evidenced to an assessor. Your IT team of two is already stretched. You need a platform that handles the heavy lifting, and a partner who can configure it correctly from day one.

Iru is the platform we commonly recommend in this situation. But the platform alone does not get you audit-ready. The configuration, policy design, compliance mapping and ongoing management is where nDuo’s involvement makes the difference between passing your assessment and failing it.

What it does well

The interface is where Iru consistently outperforms other MDMs in user reviews. Setup is smooth, the admin console is cleaner, and common tasks that require scripting in other platforms are handled natively in Iru. The Auto Apps library now covers over 300 Mac and Windows applications with automated patching that requires no manual package management. Zero-touch deployment works reliably out of the box most of the time.

Third-party security integrations have expanded significantly since the Iru rebrand. The platform now integrates with CrowdStrike, SentinelOne, Okta, Microsoft Entra ID, Google Workspace and major compliance frameworks including Vanta, Drata, Sprinto and Secureframe.

Customer support is consistently praised across hundreds of reviews, with live chat responses typically under two minutes. For IT teams without deep MDM expertise, this matters enormously.

Where it falls short

Pricing is not published and minimum contract tiers can make it expensive for very small teams. Some users report rigid pricing structures with no flexibility for SMEs. Windows and Android support is maturing but not yet at parity with Apple management. If you have a genuinely mixed fleet with heavy Windows requirements, Intune is probably still the safer choice.

The verdict

Iru is the right choice for Apple-first teams that want enterprise compliance and automation with simplicity. It is particularly well suited to smaller teams in regulated markets and tech that need Cyber Essentials or SOC 2 readiness without a large IT team. The platform handles the heavy lifting well. Getting the configuration, compliance mapping and policy design right from day one is where having the right implementation partner turns a good platform into a great outcome.

Microsoft Intune: Potentially the right answer if you are already in Microsoft

What it is

Microsoft Intune is a cloud-based endpoint management platform built for mixed environments. It manages Windows, macOS, iOS, iPadOS and Android from a single console. For businesses already running Microsoft 365, it is often already included in their licence at no extra cost.

The real-life scenario where it works

You are the IT Manager at a 150-person professional services firm. Half your team uses MacBooks, half uses Windows laptops, and everyone is in Microsoft 365 Business Premium. You already pay for Intune. Your Mac requirements are straightforward: devices enrolled, basic security policies applied, OS updates managed. No complex compliance framework, no CIS benchmarks, no scripting requirements. Using a second dedicated MDM platform purely for basic Mac management would double your complexity and cost for capabilities you do not yet need. For this specific situation, Intune gets the job done.

The moment your Mac requirements grow beyond the basics, however, Intune starts to show its limitations. No native third-party app patching, Apple features that lag behind dedicated platforms, and an interface that was built for Windows first. At that point a conversation about a dedicated Apple MDM platform becomes worthwhile.

What it does well

If your organisation is deeply embedded in the Microsoft ecosystem, Intune is the natural choice. Integration with Microsoft Entra ID for conditional access, Microsoft Defender for endpoint security and the broader Microsoft 365 suite is seamless. For mixed Apple and Windows environments, Intune reduces tool sprawl significantly.

The fact that Intune is included in Microsoft 365 Business Premium, E3 and E5 means many businesses are already paying for it. For OS update management on both Windows and macOS, Intune kind of works, via Windows Update for Business and the Apple MDM protocol respectively.

Where it falls short

Third-party app patching is the biggest gap. Intune has no native support for patching non-Microsoft third-party applications. Chrome, Slack, Zoom, Adobe, anything outside the Microsoft Store requires manual packaging, custom scripts, or a third-party tool like PatchMyPC. For businesses with a large and varied software estate, this is a significant operational burden.

Apple-specific features consistently lag behind dedicated Apple platforms. When Apple releases a new OS or management feature, other MDM platforms typically support it on day one. Intune often takes weeks or months to catch up.

Device action speed on Mac is a consistent complaint from Intune users. Sending a wipe, lock or any other command to a Mac through Intune can take hours, and in some cases over 24 hours, to execute. On top of that, commands frequently fail silently with no clear error. This is a fundamental limitation of how Intune communicates with Apple devices compared to dedicated Apple platforms, where the same actions are near-instant. For IT teams managing time-sensitive incidents, this is a significant operational risk.

Licensing is genuinely confusing. The base Plan 1 is £6 per user per month but many enterprise features require add-ons that push the cost to £12 to £16 per user per month.

The verdict

Intune is a reasonable choice if you are already in Microsoft 365, managing a mixed Windows and Apple environment, and your Mac requirements are straightforward. For basic enrolment, OS update management and simple policy enforcement on Macs, it works. The fact that it is already included in your Microsoft 365 licence makes it hard to argue against as a starting point.

But Intune was built for Windows first and it shows; as requirements mature, it increasingly becomes a liability rather than an asset. Many businesses start with Intune for Macs and find themselves looking for a dedicated Apple MDM platform within 12 to 18 months as their requirements mature.

If your Mac estate is growing, your compliance requirements are increasing, or your IT team is spending meaningful time working around Intune’s Mac limitations, that conversation is worth having sooner rather than later.

FleetDM: The Open Source Option for Engineering-Led Teams

What it is

FleetDM is an open source, cross-platform device management platform built on osquery. It manages macOS, Windows, Linux, iOS, Android and ChromeOS from a single console. The self-hosted version has no device limits and no feature gates on core functionality.

The real-life scenario where it works

You are the IT lead at a 1000-person software company. Half your engineers use Apple and Linux. The other half use Windows. Your security team wants near-real-time visibility into every device. Your engineering team manages device policies as code, version-controlled in Git, reviewed in pull requests. No other platform on this list supports this natively.

What it does well

The osquery foundation delivers near real-time device reporting. Where most MDMs poll devices every few hours, FleetDM can return data in under 30 seconds. For security teams running incident response, this changes everything.

GitOps-native configuration management is a genuine differentiator. Policies are defined in YAML, version-controlled, peer-reviewed and deployed through CI/CD pipelines. For engineering-led organisations that manage everything else as code, this feels natural rather than bolted on.

The open source model means no vendor lock-in. You own your data, your deployment and your infrastructure. For privacy-conscious organisations or those with data sovereignty requirements, this matters.

Where it falls short

Third-party app patching is a significant limitation for enterprise use. FleetDM’s built-in Fleet-maintained app catalog covers approximately 50 to 60 common applications. For organisations managing a large and varied software estate, this is not enough. Most IT teams running FleetDM at enterprise scale use Munki alongside it for comprehensive Mac third-party patch management. Munki is a free, open source tool but it requires additional infrastructure, configuration and ongoing maintenance. This means meaningful extra overhead compared to other MDM platforms where patching is largely native.

For custom packages outside the Fleet-maintained catalog, administrators must upload packages manually and configure policy automations to trigger installs. This works but requires considerably more effort.

FleetDM is not a SaaS product you sign up for and use in five minutes. Self-hosting requires Docker, MySQL, S3-compatible storage, TLS certificates and ongoing server maintenance. For non-technical IT teams, this overhead is prohibitive.

Pre-built compliance blueprints and automated patch management libraries are not as extensive as dedicated Apple platforms.

The verdict

FleetDM is the right choice for engineering-led organisations with Apple and mixed device environments, where GitOps workflows and real-time visibility matter more than a simple UI and turnkey patching. It is not the right choice for non-technical IT teams.

How to Choose: A Decision Framework

Fewer than 25 Apple devices, no IT team, no compliance requirements:
Start with Apple Business MDM. It is free and covers the fundamentals. Revisit when you grow.

Apple-only fleet, need Cyber Essentials or ISO 27001, want simplicity:
Iru (formerly Kandji) is the right choice. Faster to implement than other MDMs, 300+ app Auto Apps library, excellent support, strong compliance automation.

Large Apple fleet, regulated environment, ISO 27001, CIS benchmarks, complex scripting requirements:
Jamf Pro or the Jamf for Mac bundle. The depth of configuration and compliance capability is unmatched at this level. The implementation complexity is real; having the right partner from day one determines whether Jamf becomes your strongest asset or your biggest headache.

Mixed Windows and Apple environment, already in Microsoft 365, straightforward Mac requirements:
Microsoft Intune. You may already be paying for it. Supplement with a third-party patching tool for non-Microsoft apps and plan for a dedicated Apple MDM conversation as your Mac requirements grow.

Engineering-led team, run Linux alongside Apple, want open source with real-time visibility and GitOps:
FleetDM. Real-time osquery visibility, GitOps-native policy management and no vendor lock-in make it a natural fit for technical teams. Pair it with Munki for comprehensive Mac patching and you have a powerful, fully open source device management stack that most commercial platforms cannot match for this specific use case.

Not sure which applies to you? Book a free call with our team and we will work it out together in 15 minutes. No jargon, no sales pitch, just a straight answer from someone who implements all five platforms for UK businesses every day.

Book your free Apple MDM assessment today.

Is Apple MDM Free? What UK Businesses Need to Know in 2026

Three weeks from now, Apple Business Manager will no longer exist.

On March 24 2026, Apple announced Apple Business, a new all-in-one platform that replaces Apple Business Manager, Apple Business Essentials, and Apple Business Connect in one move. It launches on April 14 2026, free of charge, in more than 200 countries including the UK.

If your company uses Apple Business Manager today, your account will automatically migrate. Nothing will break. But a lot will change.

And if you are an IT Director or CTO at a UK scale-up with an Apple fleet, there is a more important question to answer than what is changing. It is whether Apple’s built-in MDM is actually enough for your business, or whether you still need a dedicated MDM platform like Jamf or Mosyle alongside it.

The honest answer is nuanced. And that is exactly what this guide covers.

What Is Apple Business and What Replaced What?

Apple Business is Apple’s attempt to bring everything a business needs into one platform. It consolidates three previously separate products.

Apple Business Manager was the free portal that IT teams used to enrol devices, distribute apps, and create Managed Apple Accounts. It was the backbone of every enterprise Apple deployment but was not an MDM itself. It needed Jamf, Mosyle, Addigy or Intune to actually manage devices.

Apple Business Essentials was Apple’s own paid MDM service, available in the US since 2021 but never fully rolled out in the UK. It was designed for small businesses without IT teams and offered basic device management at around $2.99 per device per month.

Apple Business Connect was the tool businesses used to manage how their brand appeared across Apple Maps, Wallet and other Apple services.

All three are being retired on April 14 and replaced by Apple Business. One platform, free of charge.

What Apple Business Actually Does

Apple Business is built around four areas.

Built-in MDM

This is the headline feature and the one most relevant to IT teams. Apple Business includes device management natively, no separate subscription required. You can configure device settings, push apps, enforce security policies, and create Blueprints to enable zero-touch deployment.

Blueprints are preconfigured templates that define exactly how a device should be set up. Which apps are installed, which security policies are enforced, which settings are applied. When a new Mac or iPhone arrives, it checks Apple’s servers, picks up its Blueprint, and configures itself automatically. Your new employee unpacks their device and it is ready to use.

This zero-touch deployment capability was previously only available through Apple Business Manager combined with a third-party MDM. It is now built in.

Managed Apple Accounts

Managed Apple Accounts separate company data from personal data on the same device, using cryptographic separation enforced at the operating system level. Account creation can be automated through integration with Google Workspace, Microsoft Entra ID, and other identity providers.

Business Email, Calendar and Directory

Apple Business now includes business email and calendar services with custom domain support. This is genuinely new for UK businesses. Apple is positioning itself as a lightweight alternative to Google Workspace or Microsoft 365 for smaller companies.

Brand Management

Everything that was in Apple Business Connect now moves into Apple Business. This includes managing how your business appears in Apple Maps, Wallet, Mail and other Apple services, rich place cards, brand profiles, location insights, and showcases.

What Apple Business MDM Can Do: The Full Picture

For UK businesses evaluating whether Apple Business MDM is sufficient, here is a clear breakdown of capabilities.

Zero-touch deployment via Blueprints – Devices purchased through Apple or authorised resellers can be automatically enrolled and configured without IT touching them. A new employee can unbox a Mac and be working within minutes.

App distribution – Push apps to individual employees, teams or the whole organisation directly through the App Store. No Apple ID required on the device.

Device and security settings – Configure passcode requirements, screen lock, encryption settings, and OS update policies across your fleet.

Managed Apple Accounts – Cryptographic separation of work and personal data. Automated account provisioning through your identity provider.

Employee groups and role management – Create groups by team or function. Assign specific apps and permissions to each group. Create custom roles for more granular access control.

Admin API – Programmatic access to device, user, audit, and MDM data for larger deployments or automation workflows.

Companion employee app – Employees can install work apps, view the company directory, and request IT support from a dedicated app. Important caveat: this requires iOS 26, iPadOS 26, or macOS 26, operating system versions that have not been released yet.

What Apple Business MDM Cannot Do: The Honest Assessment

This is where the conversation gets important for growing UK businesses.

Apple Business MDM is designed explicitly for small businesses without dedicated IT resources. Apple has been transparent about this positioning. For companies with a simple, non-regulated setup and no dedicated IT requirements, it is likely sufficient and the price is unbeatable.

But once your compliance requirements mature, your fleet grows in complexity, or your business becomes subject to regulatory scrutiny, Apple Business MDM hits clear limits.

No advanced configuration profiles

Jamf Pro and Mosyle offer hundreds of granular configuration options that go far beyond what Apple Business MDM supports. Custom security baselines, CIS benchmark enforcement, and bespoke workflow automation are simply not available.

No Cyber Essentials or ISO 27001 compliance reporting

If you are working toward Cyber Essentials certification or ISO 27001, you need to evidence your compliance posture to an auditor. Apple Business MDM does not generate the compliance reports your auditor needs. Jamf and Mosyle do.

No third-party security integrations

Jamf integrates with CrowdStrike, SentinelOne, Microsoft Defender and dozens of other security tools. Apple Business MDM does not. For regulated industries such as fintech, legal, and healthcare, this is a significant gap.

No Android or cross-platform management

Apple Business MDM manages Apple devices only. If your team uses Android phones or personal devices, you need a separate solution. Intune handles this, as does a properly configured BYOD programme with Jamf or Mosyle.

No advanced patch management automation

Keeping macOS and app versions up to date across a fleet requires more sophistication than Apple Business MDM offers. Jamf Pro’s patch management capabilities automate this at scale. Apple Business MDM requires more manual oversight.

No scripting or automation at scale

Running custom scripts across your fleet, whether for configuration, diagnostics, or automation, requires Jamf or a comparable platform. This is a critical capability for IT teams managing more complex environments.

Limited support for regulated environments

Companies in financial services, healthcare, and other regulated sectors need to demonstrate precise control over their device estate. Apple Business MDM is not designed for this level of governance.

Companion app requires OS versions not yet released

The Apple Business employee app and the email, calendar and directory features require iOS 26, iPadOS 26 and macOS 26. These operating systems have not launched yet. Businesses expecting full functionality from day one on April 14 will need to wait.

Who Apple Business MDM Is Right For

Apple Business MDM is a genuinely good solution for the right type of company. These are the businesses it was designed for.

It is designed for businesses with a small, straightforward Apple-only fleet of up to 25 devices, no dedicated IT team, no complex compliance requirements, and no regulated data. If you are an early-stage startup getting Apple management in place for the first time, Apple Business MDM is a solid, free starting point.

For these businesses, Apple Business MDM is a significant step forward from having no device management at all. It is free, it is built by Apple, and it handles the fundamentals competently.

Who Still Needs Jamf, Iru (Kandji), Mosyle or a Dedicated MDM

Businesses that need a dedicated MDM platform are those with a complex setup regardless of fleet size, whether that is 20 devices in a regulated fintech or 200 across multiple locations. This includes companies working toward Cyber Essentials certification or ISO 27001, operating in regulated industries such as fintech, legal, or healthcare, or running a mixed fleet with Android devices or BYOD. If your IT team manages scripts, automation and custom workflows, or you need compliance reporting for an auditor, third-party security integrations, or a platform that scales with rapid growth, Apple Business MDM will not cover your requirements.

For these businesses, which describes the majority of nDuo’s clients, Apple Business MDM is a starting point, not a destination. It handles enrolment and basic configuration well. It does not handle the security, compliance, and governance requirements of a business operating under scrutiny, regardless of size.

What Happens to Your Current Apple Business Manager Setup?

If you are currently using Apple Business Manager with a third-party MDM like Jamf, Mosyle or Addigy, the transition to Apple Business is largely transparent. Your existing device enrolments, app licences, and Managed Apple Accounts will migrate automatically. Your MDM integration will continue to work as before.

Apple Business is additive for existing ABM users. You get the new features without losing what you already have. The MDM relationship between Apple Business and your third-party MDM remains exactly as it was with Apple Business Manager.

The main change is that Apple Business Essentials customers in the US will no longer pay the monthly per-device fee after April 14 2026. The device management capability becomes free as part of Apple Business.

What nDuo Recommends for UK Businesses

Apple Business is a welcome development. Making device management accessible to every UK business regardless of size or IT budget is genuinely good for the ecosystem. Small businesses that previously had no device management at all now have a solid, free starting point built directly into Apple’s platform.

But for UK businesses with compliance obligations, regulated clients, or any complex MDM requirements regardless of fleet size, Apple Business MDM is the foundation, not the full solution. You still need a dedicated MDM platform to handle the depth of configuration, compliance reporting, and security integration that your business requires.

The best approach for most growing UK businesses is Apple Business for enrolment and identity management, combined with Jamf Pro or Mosyle for device management, security policies and compliance.

nDuo configures exactly this kind of setup for UK businesses every day. As an Apple Premium Technical Partner with 14 years of Apple experience, we can assess your current Apple fleet, recommend the right MDM platform for your requirements, and get everything configured and compliant including for Cyber Essentials certification.

Ready to Find Out If Apple Business MDM Is Right for Your Business?

Apple Business launches in the UK on April 14. Whether you are an existing Apple Business Manager user wondering what changes, a business considering MDM for the first time, or a growing company unsure whether Apple’s built-in MDM covers your needs, now is the right time to get clarity.

As an Apple Premium Technical Partner, nDuo offers a free assessment to help you understand whether Apple Business MDM is the right fit for your business or whether a dedicated MDM platform like Jamf or Mosyle is the better path.

If Apple Business MDM is right for you, we can guide you through the setup and deployment so you are ready from day one. If your business needs something more advanced, we will tell you honestly and help you build the right solution.

No obligation. No jargon. Just a straight conversation with an Apple specialist who knows this platform inside out.

Book your free Apple Business MDM assessment today.

BYOD Security and Policy Guide for UK Businesses

It is 9am on a Tuesday and you are three weeks away from your Cyber Essentials audit.

Your IT infrastructure is in good shape. Your Macs are enrolled in Jamf, your security policies are configured, your firewall is solid. You have done the work. You are ready.

Then your auditor sends over the pre-assessment questionnaire.

One question stops you cold.

“How many personal devices currently have access to your company email, Slack, or business applications?”

You stare at it. A new tab opens. Closes again. The honest answer is: you have no idea.

You think about your sales team. Three of them check Slack on their personal iPhones on the weekend. Your Head of Engineering accesses the company GitHub on his personal MacBook when he is travelling. Your CEO has had company email on her personal phone since the day she joined. Nobody ever set this up formally. It just happened, one device at a time, over years of rapid growth.

And now, three weeks before your Cyber Essentials audit, you are realising that your carefully managed Apple fleet is only part of the picture. The other part, the unmanaged, unseen, uncontrolled part, is sitting in people’s pockets right now.

This is the BYOD problem. And if you are reading this, there is a very good chance it is your problem too.

You Are Not Alone

A 2024 survey by Cisco found that over 70% of employees use personal devices to access company data at least occasionally. In fast-growing UK scale-ups, that number is almost certainly higher. When companies grow quickly, formal IT policies struggle to keep pace with the reality of how people actually work.

Personal devices creep into the workflow gradually. Someone checks their work email on their personal iPhone during a bank holiday. A developer pushes a hotfix from their home MacBook. A new starter connects to company Slack before their work laptop arrives. Each of these moments feels harmless. Collectively, they create a sprawling, invisible attack surface that your IT team has no visibility over and no control of.

The problem is not your people. The problem is the absence of a framework that allows personal device use to happen securely, with the right boundaries in place.

That framework is called BYOD. And getting it right is one of the most important things a growing UK business can do.

What BYOD Actually Is

BYOD stands for Bring Your Own Device. It describes any situation where employees use personally owned devices (iPhones, Android phones, personal MacBooks, iPads) to access company systems, data, or applications.

BYOD is not inherently risky. In fact, when managed correctly, it can reduce hardware costs, improve employee satisfaction, and give your team the flexibility to work the way they want to work. The problem is not BYOD itself. The problem is unmanaged BYOD: personal devices accessing company data with no security policy, no visibility, and no controls in place.

Managed BYOD means:

  • Your IT team knows which personal devices have access to company systems.
  • Security policies are applied to those devices without invasive monitoring of personal content.
  • Employees can use their personal devices freely for personal use, with company data kept separate and protected.
  • If a device is lost or stolen, company data can be remotely wiped without touching personal photos, messages or apps.
  • If an employee leaves, company access is revoked instantly, without affecting anything personal on the device.

This is the goal. A clear separation between work and personal, enforced by technology, understood by everyone.

Why BYOD Matters More Than Ever

Three forces have converged to make BYOD one of the most pressing IT challenges for UK scale-ups right now.

The first is hybrid working. Since 2020, the boundary between work devices and personal devices has blurred significantly. People work from home, from coffee shops, from airports. They switch between devices constantly. The idea that company data only lives on company-owned hardware is no longer realistic for most organisations.

The second is Cyber Essentials. The UK government’s Cyber Essentials certification scheme, which is increasingly required by enterprise clients, investors, and regulated industries, now explicitly includes personal devices in scope if those devices access company data. This is the question that stopped you cold in your audit questionnaire. If personal devices are accessing your systems and they are not enrolled in your MDM, you cannot certify. It is that simple.

The third is the talent market. Top candidates, particularly in tech and fintech, expect flexibility. A rigid “company devices only” policy is increasingly seen as a red flag. A well-designed BYOD programme lets you offer flexibility without compromising security.

When It Goes Wrong: The Story of a Leak That Changed Everything

In 2020, one of the most significant social media security breaches in history was traced back partly to compromised contractor devices. The attackers used social engineering to gain access to internal tools, eventually taking over high-profile accounts. The investigation revealed that the attack surface included personal and contractor devices that were not under centralised security control.

But you do not need to look at headline breaches to understand the risk. The more common story is quieter and closer to home.

Picture this. A sales manager at a London fintech resigns after three years. She has been a high performer, well-liked, no bad blood. Her company laptop is wiped and collected on her last day. Standard offboarding, done properly.

What nobody checks is her personal iPhone. For two years, she has had the company CRM accessible through a mobile app on her personal phone. She has company email in her native mail app. She has the shared Slack workspace. None of it was formally enrolled or managed because it was her personal device and nobody thought to include personal devices in the offboarding checklist.

Three months later, a competitor wins a pitch using detailed knowledge of your pricing structure, your client relationships, and your sales methodology. The information was accurate. It was recent.

You will never be able to prove what happened. But you know.

This is not a hypothetical. Variations of this story happen across UK businesses every week. The device that walks out the door on an employee’s last day is rarely their work laptop. It is the personal phone in their pocket that nobody ever enrolled, monitored, or offboarded.

The Privacy Question: What Can Your Company Actually See?

This is the question every employee asks when BYOD is mentioned. And it is a completely reasonable one.

The short answer is: when BYOD is set up correctly using MDM, your company cannot see your personal data. Full stop.

Here is what that means in practice when nDuo sets up BYOD MDM enrolment for personal devices using tools like Jamf, Intune, Kandji, FleetDM:

What your company CAN see and manage on a personal device enrolled in BYOD MDM: whether the device has a passcode set, whether the operating system is up to date, whether the device is encrypted, which work apps are installed, and the status of work-related security policies.

What your company CANNOT see: your personal photos, messages, emails, browsing history, personal apps, location outside of work hours, or any personal data on the device.

The MDM profile creates a managed container for work data. Everything outside that container is invisible to your IT team. Your personal life remains entirely private.

This separation is not just a policy choice, it is a technical reality built into how modern MDM platforms work on iOS and macOS. Apple’s architecture specifically prevents MDM from accessing personal data. It is enforced at the operating system level, not just through company promises.

When we roll out BYOD MDM to employees, we always walk through exactly what is and is not visible. Transparency builds trust. Employees who understand the privacy boundaries are far more likely to enrol their devices willingly and maintain compliance going forward.

BYOD and Cyber Essentials: What You Need to Know

If your business is working toward Cyber Essentials or Cyber Essentials Plus certification, BYOD is not optional, it is in scope.

The Cyber Essentials framework requires that all devices accessing company data meet a minimum security standard. This includes personal devices. If an employee’s personal iPhone has your company email configured on it, that device falls within the scope of your Cyber Essentials assessment.

The practical implications are significant. Your personal devices must have a passcode or biometric lock enabled. The operating system must be up to date. The device must not be jailbroken or rooted. Access to company applications must be revocable by your IT team.

Without MDM enrolment, you cannot evidence any of this to your auditor. You are relying on self-reporting from employees, which is not sufficient for certification.

This is one of the most common reasons UK scale-ups fail their first Cyber Essentials assessment. Not because their core infrastructure is insecure, but because personal devices were not in scope and nobody had visibility of them.

nDuo has helped companies including Revolut, Kroo and BOXPARK navigate this exact challenge. Getting personal devices into scope, enrolled, and compliant before an audit is one of the highest-value things we do.

GDPR and Personal Devices: The Legal Dimension

If your employees access personal data (customer records, employee information, financial data) on personal devices, you have a GDPR obligation to ensure that data is protected.

Under GDPR, your organisation is responsible for the security of personal data regardless of what device it sits on. If an employee’s unmanaged personal phone is lost or stolen and it contains customer data, you may have a reportable data breach on your hands. The ICO does not accept “it was on their personal phone” as a defence.

A proper BYOD policy with MDM enrolment gives you the ability to demonstrate to the ICO that appropriate technical measures were in place. Remote wipe capability, encryption requirements, and access controls are all things you can evidence with the right setup.

Without a BYOD policy and MDM enrolment, you cannot demonstrate any of this. And in the event of a breach, that absence will be noticed.

nDuo’s BYOD Discovery and Setup Process

When a new client comes to us with a BYOD challenge, here is exactly how we approach it.

Step 1: Discovery

We start by understanding the full picture. Which company systems can be accessed from personal devices? Which applications have mobile access? What does your current onboarding and offboarding process look like for personal devices? Are there any existing MDM policies in place? This discovery phase typically takes one to two days and involves conversations with IT, HR, and senior leadership.

Step 2: Risk Assessment

Once we know the landscape, we assess the risk. We identify which personal device access points represent the highest risk to your business, typically company email, messaging platforms like Slack, and any CRM or financial applications. We look at your Cyber Essentials and ISO 27001 requirements and map them against your current personal device posture.

Step 3: Policy Design

Before any technical implementation begins, we design your BYOD policy. This is a written document that sets out what personal device use is permitted, what security requirements apply, what employees consent to when they enroll, and what happens when they leave. Clear policy documentation is essential for Cyber Essentials certification and for employee trust.

Step 4: MDM Configuration

We configure your chosen MDM platform (Jamf, Intune, Kandji, FleetDM or another) to support BYOD enrolment. This involves creating a separate enrolment profile specifically for personal devices, configuring the managed container for work applications, setting security policies including passcode requirements and OS update enforcement, and testing the enrolment flow on both iOS and macOS.

Step 5: Employee Communication and Enrolment

This is the step most companies underestimate. How you communicate the BYOD rollout to employees determines how smoothly enrolment goes. We prepare clear communications that explain what enrolment involves, what privacy protections are in place, and why it matters. We run a short walkthrough session for employees and handle any questions about privacy directly. Typically we achieve enrolment rates of 90% or higher when communication is handled well.

Step 6: Offboarding Integration

We update your offboarding checklist to include personal device unenrolment as a standard step. This is the gap that causes the data leak scenarios described earlier. With MDM in place, unenrolling a personal device on an employee’s last day takes 30 seconds and ensures company data is removed completely.

Step 7: Ongoing Monitoring

Once BYOD MDM is live, your IT team has a dashboard showing all enrolled personal devices, their compliance status, and any security issues. You can see at a glance which devices are up to date, which have outstanding issues, and which have been unenrolled. The invisible attack surface becomes visible.

What Good BYOD Looks Like in Practice

A well-run BYOD programme is one that employees barely notice day to day. They enroll their device once, they use their work apps as normal, and they have complete confidence that their personal data is untouched.

For your IT team, it means the question “how many personal devices have access to our systems?” has an immediate, accurate answer at any point in time. Your Cyber Essentials audit goes smoothly because personal devices are in scope, enrolled, and compliant. GDPR posture is defensible. Offboarding is complete.

And when the next talented employee joins and wants to check Slack on their personal iPhone, the answer is not “we do not allow that”; it is “here is how to enrol in two minutes.”

Ready to Get Your BYOD Under Control?

If reading this has raised questions about your own personal device posture, you are not alone, and the good news is that getting control of BYOD is straightforward when you have the right partner.

nDuo offers a free BYOD readiness review for UK businesses. We will assess your current personal device posture, identify your key risk areas, and give you a clear picture of what a managed BYOD programme would look like for your organisation.

No obligation. No jargon. Just a clear, honest conversation about where you stand.

Book your free BYOD readiness review today.


What is MDM and DDM? Apple Device Management Explained

If you run a business on Apple devices and have started looking into how to manage them properly, you have probably come across the terms MDM and DDM. They sound similar, they are related, but they work in fundamentally different ways.

This guide starts from the beginning with no assumed knowledge and builds up to the real differences between the two, what they mean for your Apple fleet today, and where device management is heading.

What is MDM?

MDM stands for Mobile Device Management. Despite the name, it is not just for mobile phones. MDM is the technology that allows businesses to manage, configure and secure all their Apple devices including Macs, iPhones and iPads from a central platform.

Think of MDM as the control layer between your IT team and every device in your organisation. Without it, every device is essentially independent. With it, you can push settings, enforce security policies, install apps, wipe devices remotely and much more, all without touching the device physically.

MDM was introduced by Apple in 2010 and has become the standard approach to managing Apple fleets in business environments. Every major Apple device management platform, including Jamf, Kandji, FleetDM, Intune and others, is built on top of the Apple MDM Framework.

How does MDM work?

When a device is enrolled in MDM, it establishes a persistent connection with your MDM server. The server can then send commands to the device, and the device reports back its status and compliance.

Here is a simplified version of how that works in practice:

Step 1: Enrolment

A device is enrolled in your MDM platform either during initial setup or manually. The most effective way to enrol devices at scale is through Apple Business Manager.

What is Apple Business Manager?

Apple Business Manager is a free web-based portal provided by Apple for organisations. It acts as the central hub that links your Apple devices to your MDM platform automatically.

When you purchase Apple devices through an authorised reseller or directly from Apple, those devices can be added to your Apple Business Manager account before they even leave the warehouse. The moment a new employee turns on their device for the first time, it automatically connects to your MDM platform and begins configuring itself with the right settings, apps and security policies.

This is called Zero Touch Deployment. The device arrives at the employee’s desk, they turn it on, and within minutes it is fully configured and compliant, without an IT engineer needing to touch it.

Apple Business Manager also manages Apple IDs for your organisation, app purchases through Volume Purchase Programme, and content distribution across your fleet.

Once a device is enrolled through Apple Business Manager it trusts the MDM server to send it instructions and cannot easily be removed from management, which is important for security and compliance.

Step 2: Profiles and policies

Your IT team creates configuration profiles, which are sets of rules and settings, and pushes them to devices. These might include password requirements, firewall settings, Wi-Fi configurations, app restrictions and more.

Step 3: Commands

The MDM server can send commands to devices such as install this app, update the OS, lock the screen or wipe this device. The device receives the command and carries it out.

Step 4: Reporting

Devices regularly report back to the MDM server with their current state including what OS version they are running, whether policies are applied and whether they are compliant. This gives IT teams visibility across the entire fleet.

What can MDM do?

MDM gives IT teams a significant amount of control over Apple devices. Common capabilities include:

  • Enforcing passcodes, screen lock and encryption
  • Pushing and removing applications silently without user interaction
  • Configuring Wi-Fi, VPN and email settings automatically
  • Restricting access to certain features or applications
  • Enforcing OS and security updates
  • Remotely locking or wiping lost or stolen devices
  • Monitoring device compliance against security policies
  • Automating onboarding so new starters receive a fully configured device from day one

For businesses working toward Cyber Essentials, ISO 27001 or similar frameworks, MDM is the primary tool for enforcing and evidencing the required controls across an Apple fleet.

The limitations of MDM

MDM is powerful but it has a fundamental architectural limitation in that it is command-based and server-dependent.

Every action in traditional MDM follows this pattern: the server sends a command, the device waits to receive it, the device executes it and reports back. This works well in most situations, but it creates some real-world problems.

Latency: If a device is offline or has a poor connection, commands queue up and are not executed until the device reconnects. A security policy change might not reach a remote worker’s device for hours.

Scalability: As fleets grow, the volume of commands the server needs to send and track grows with it. Large organisations can experience delays and performance issues at scale.

Reliability: If a command fails silently, the IT team may not know a policy is not applied until they actively check. Compliance drift can happen gradually without anyone noticing.

Complexity: Managing thousands of devices with overlapping profiles and commands can become difficult to audit and troubleshoot.

These are not dealbreakers. MDM has been the industry standard for over a decade and continues to work well for the majority of businesses. But they are the problems that Apple’s newer approach, DDM, was designed to solve.

What is DDM?

DDM stands for Declarative Device Management. Apple introduced it in 2021 as a fundamentally different approach to how devices are managed.

The key difference is this: with MDM, the server tells the device what to do. With DDM, the server tells the device what state it should be in, and the device figures out how to get there itself.

This might sound like a subtle difference but the implications are significant.

How does DDM work?

Instead of sending commands, DDM sends declarations. A declaration is a description of the desired state of the device, not an instruction but a definition.

For example, instead of sending a command that says “install this security profile now”, DDM sends a declaration that says “this device should always have this security profile applied.” The device receives the declaration, understands what it needs to look like, and autonomously works to achieve and maintain that state even when it is offline.

The device also monitors itself continuously. If something changes such as a setting drifting, a profile being removed or an OS update changing a configuration, the device detects the discrepancy and corrects it without waiting for the server to notice and send a new command.

This is the core of what makes DDM different: intelligence moves from the server to the device.
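To make the contrast between the two models concrete, here is an added toy simulation in Python. It is not nDuo’s code and not Apple’s protocol: the `Device` class, the setting names, the message shapes and the two scenarios are constructed assumptions (the real protocol exchanges signed property lists over push notifications). It plays out the two situations described above: a policy pushed to a remote worker’s offline device, and a setting that drifts after the policy was applied. Under the command model the device only catches up when it reconnects and nobody notices the drift until the server re-checks; under the declarative model the device keeps the declared state locally and corrects the drift itself, server or no server.

```python
"""Toy model of command-based MDM versus declarative DDM.

Added illustration only; not code from nDuo or from Apple's MDM/DDM protocol.
Class and setting names below are constructed for the example.
"""
from dataclasses import dataclass, field

# Desired security state an IT team wants on every device (constructed).
REQUIRED = {"filevault": "on", "screen_lock": "on"}


@dataclass
class Device:
    name: str
    online: bool = True
    settings: dict = field(default_factory=dict)      # what the device currently looks like
    inbox: list = field(default_factory=list)         # MDM: commands queued by the server
    declarations: dict = field(default_factory=dict)  # DDM: desired state held on the device

    # --- Command model (MDM): the server says "do this now" ---------------------
    def deliver_command(self, key, value):
        """Server pushes an imperative command; an offline device only queues it."""
        self.inbox.append((key, value))
        if self.online:
            self.apply_queue()

    def apply_queue(self):
        """Execute queued commands in order (runs when the device is reachable)."""
        while self.inbox:
            key, value = self.inbox.pop(0)
            self.settings[key] = value

    # --- Declarative model (DDM): the server says "this is what you should be" --
    def receive_declaration(self, declaration):
        """Store the desired state locally and reconcile immediately."""
        self.declarations.update(declaration)
        self.reconcile()

    def reconcile(self):
        """Compare current settings with the declared state and fix any drift.
        Needs no server round trip, so it works while offline. Returns fixed keys."""
        fixed = []
        for key, wanted in self.declarations.items():
            if self.settings.get(key) != wanted:
                self.settings[key] = wanted
                fixed.append(key)
        return fixed

    def compliant(self, desired):
        return all(self.settings.get(k) == v for k, v in desired.items())


def mdm_scenario():
    """Offline remote worker receives a policy change, then a setting drifts."""
    dev = Device("mdm-mac", online=False)
    for key, value in REQUIRED.items():
        dev.deliver_command(key, value)
    while_offline = dev.compliant(REQUIRED)   # False: commands are still queued
    dev.online = True
    dev.apply_queue()                         # catches up only on reconnect
    after_reconnect = dev.compliant(REQUIRED)  # True
    dev.settings["screen_lock"] = "off"       # user (or an update) changes the setting
    after_drift = dev.compliant(REQUIRED)     # False until the server notices and resends
    return while_offline, after_reconnect, after_drift


def ddm_scenario():
    """Same device, but managed by declaration; drift happens while offline."""
    dev = Device("ddm-mac", online=True)
    dev.receive_declaration(REQUIRED)
    initial = dev.compliant(REQUIRED)         # True
    dev.online = False
    dev.settings["screen_lock"] = "off"       # drift with no server connection
    fixed = dev.reconcile()                   # device notices and corrects on its own
    return initial, fixed, dev.compliant(REQUIRED)


if __name__ == "__main__":
    print("MDM (offline, reconnected, after drift):", mdm_scenario())
    print("DDM (initial, keys fixed locally, after drift):", ddm_scenario())
```

The `online` flag matters only to the command path: `deliver_command` cannot act until the queue is drained, whereas `reconcile` never consults it. That asymmetry is the whole point of moving the desired state onto the device.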

MDM vs DDM: the key differences

|                    | MDM                                    | DDM                                                                  |
|--------------------|----------------------------------------|----------------------------------------------------------------------|
| How it works       | Server sends commands to device        | Server sends declarations, device self-manages                       |
| Offline behaviour  | Commands queue until device reconnects | Device maintains desired state autonomously                          |
| Compliance         | Server checks and enforces             | Device self-monitors and self-corrects                               |
| Speed              | Depends on server response             | Near-instant, device acts independently                              |
| Scalability        | Can struggle at large scale            | Built for scale                                                      |
| Current status     | Established standard                   | Current standard for updates, rapidly expanding across all workflows |

Do MDM and DDM replace each other?

No, and this is an important point. DDM does not replace MDM. It works alongside it.

Apple designed DDM as an extension of the existing MDM protocol. Devices that support DDM can use both simultaneously. MDM handles the commands and interactions that DDM does not yet cover, while DDM takes over the configuration and compliance management that it does better.

Think of it as MDM handling the conversations between server and device, and DDM handling the device’s own internal understanding of what it should look like.

The transition is already well underway. Apple deprecated legacy MDM software update commands in 2025 and will remove them entirely in 2026. DDM is no longer a future consideration for software updates; it is the current requirement. For other device management workflows, DDM adoption is expanding rapidly with each OS release.

Which platforms support DDM?

All major Apple MDM platforms now support DDM including Jamf Pro, Kandji, FleetDM and Microsoft Intune. Apple deprecated legacy MDM software update commands in 2025, meaning DDM is now the required method for managing software updates across all platforms, with full removal of legacy commands due in 2026.

To take advantage of DDM your devices need to be running recent versions of macOS, iOS and iPadOS. Older devices or older OS versions fall back to traditional MDM automatically, so there is no disruption during a transition.

What does this mean for your Apple fleet?

If you are setting up or reviewing your Apple fleet management today, here is the practical takeaway.

MDM is the foundation. You need it, it works and every reputable MDM platform supports it well. If you are not yet using MDM to manage your Apple devices, getting that in place is the first priority.

DDM is already the standard for software update management following Apple’s deprecation of legacy MDM update commands in 2025, and is rapidly becoming the standard for all other device management workflows too.

When evaluating MDM platforms, it is worth asking how deeply each platform has integrated DDM support, not just whether they support it, but how much of their compliance and configuration workflow runs through DDM declarations versus legacy MDM commands.

Summary

MDM has been the standard for Apple device management for over a decade. It gives IT teams centralised control over configuration, security and compliance across an entire fleet.

DDM is Apple’s next step, a smarter and more autonomous approach where devices understand what state they should be in and maintain it themselves, with or without a server connection.

For most UK businesses today, MDM is the foundation and DDM is the direction of travel. Getting MDM right now puts you in the best position to take advantage of DDM as it matures.

nDuo manages Apple fleets for UK scale-ups using both MDM and DDM, across Jamf Pro, FleetDM, Kandji and Intune. If you are reviewing your Apple device management setup, we offer a free consultation to assess your current environment and recommend the right approach.

Book a free consultation

Apple IT Support Checklist for UK Businesses

If your business relies on Macs, iPhones and iPads, good Apple IT support is not just about fixing issues when they happen.

It is about giving your team a reliable, secure and well-managed Apple environment that works properly every day.

For most businesses, problems start when Apple devices are treated as an exception. A few Macs get added over time, iPhones are configured differently across teams, and support becomes reactive. Devices work, but only until something breaks, a new joiner starts, or the business needs tighter security and compliance.

This checklist is designed to help UK businesses review whether their Apple environment is properly set up to support growth.

1. Do you have visibility across all Apple devices?

You should be able to answer basic questions quickly:

  • How many Macs, iPhones and iPads are in use?
  • Who is using each device?
  • Which devices are encrypted, compliant and up to date?
  • Which devices are missing apps, policies or security controls?

If you cannot answer those questions easily, your Apple estate is harder to support than it should be.

A strong Apple support setup starts with clear visibility across devices, users and configurations.

2. Is Apple Business Manager set up correctly?

Apple Business Manager should be part of the foundation of your Apple environment.

It helps you bring devices under business control from the start, assign them properly, and make enrolment more consistent for new hardware. Without it, device setup is often manual, slower and more prone to inconsistency.

If your business is growing, Apple Business Manager should not be an afterthought. It should be part of your onboarding and lifecycle process.

3. Are your devices enrolled in Apple MDM?

For most businesses, MDM is what turns Apple support from reactive to proactive.

Without MDM, your team is left managing devices one by one. That usually means:

  • inconsistent settings
  • slow onboarding
  • weak update control
  • limited security enforcement
  • poor visibility when issues occur

With the right MDM setup, you can standardise policies, deploy apps, manage settings, support users more efficiently and reduce repeat issues.

If your Apple devices are not properly enrolled and maintained, support becomes harder, slower and less secure.

4. Is device setup consistent for every new starter?

A new employee should not need a long manual setup every time they receive a Mac or iPhone.

A good Apple IT support process should make sure new users receive devices that are already prepared with:

  • the right apps
  • the right access
  • the right security settings
  • the right restrictions
  • the right support process from day one

If onboarding depends on tribal knowledge or last-minute manual work, it is worth fixing.

5. Do you have a clear joiner, mover and leaver process?

Apple support is not only about devices. It is also about users, access and change.

When people join, change roles or leave, you need a repeatable process that covers the device, the user account and the access that goes with them.

Weak lifecycle management creates unnecessary risk and makes support more difficult over time.

6. Are updates and patching under control?

Apple devices are generally straightforward to maintain, but only if patching is managed properly.

You should know:

  • whether devices are updating on time
  • which versions of macOS and iOS are in use
  • whether critical updates are being delayed
  • how exceptions are handled

If updates depend on end users remembering to do them, your environment will drift and support issues will build up over time.

7. Are security settings applied consistently?

Security should not vary from one device to another.

Your Apple environment should have a defined baseline covering areas such as:

  • FileVault and encryption
  • password and authentication settings
  • screen lock policies
  • app permissions
  • device restrictions
  • lost device procedures
  • access control

Consistency matters. The more variation you have across devices, the more support becomes reactive and the harder it is to maintain a secure environment.
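Sections 1, 6 and 7 come down to one operation: take the inventory your MDM exports and check every device against a written baseline. The following is an added example (not code from the post or from any MDM vendor) of that check in Python. The inventory rows, serials and users are constructed for the example and follow no real vendor schema; the baseline values are assumptions chosen to illustrate the logic, not recommendations from the post.

```python
from datetime import date

# Baseline values are assumptions for this example, not figures from the post.
BASELINE = {
    "min_macos": "15.3",             # oldest macOS version still acceptable
    "filevault_required": True,      # full-disk encryption must be on
    "max_screen_lock_seconds": 600,  # screen must lock within 10 minutes
    "max_checkin_age_days": 7,       # older inventory is treated as unknown state
}

# Constructed inventory in the shape an MDM export might take. Serials, users
# and values are made up; no real vendor schema is implied.
INVENTORY = [
    {"serial": "EXAMPLE001", "user": "a.jones", "os_version": "15.3.2",
     "filevault": True, "screen_lock_seconds": 300, "last_checkin": "2026-03-20"},
    {"serial": "EXAMPLE002", "user": "b.khan", "os_version": "14.7.4",
     "filevault": True, "screen_lock_seconds": 300, "last_checkin": "2026-03-21"},
    {"serial": "EXAMPLE003", "user": "c.lee", "os_version": "15.3.2",
     "filevault": False, "screen_lock_seconds": 1800, "last_checkin": "2026-03-21"},
    {"serial": "EXAMPLE004", "user": "d.okafor", "os_version": "15.3.2",
     "filevault": True, "screen_lock_seconds": 600, "last_checkin": "2026-02-01"},
    # Device that never reported its encryption state and has no assigned user.
    {"serial": "EXAMPLE005", "user": None, "os_version": "15.10",
     "screen_lock_seconds": 300, "last_checkin": "2026-03-21"},
]


def parse_version(text):
    """'15.3.2' -> (15, 3, 2). Tuples compare numerically, so 15.10 > 15.3,
    which a plain string comparison would get wrong."""
    return tuple(int(part) for part in text.split("."))


def evaluate_device(device, baseline, today):
    """Return a list of findings for one device; an empty list means compliant."""
    findings = []

    age = (today - date.fromisoformat(device["last_checkin"])).days
    if age > baseline["max_checkin_age_days"]:
        # Stale inventory is not evidence of compliance; flag it first.
        findings.append(f"no check-in for {age} days; reported state is unreliable")

    if device.get("user") is None:
        findings.append("no assigned user")

    if parse_version(device["os_version"]) < parse_version(baseline["min_macos"]):
        findings.append(f"macOS {device['os_version']} below minimum {baseline['min_macos']}")

    if baseline["filevault_required"] and device.get("filevault") is not True:
        # A missing value is a failure: unknown encryption is not encryption.
        findings.append("FileVault not confirmed enabled")

    lock = device.get("screen_lock_seconds")
    if lock is None or lock > baseline["max_screen_lock_seconds"]:
        findings.append("screen lock exceeds baseline or is unset")

    return findings


def fleet_report(inventory, baseline, today):
    """Split the fleet into compliant serials and a map of serial -> findings."""
    report = {"compliant": [], "non_compliant": {}}
    for device in inventory:
        findings = evaluate_device(device, baseline, today)
        if findings:
            report["non_compliant"][device["serial"]] = findings
        else:
            report["compliant"].append(device["serial"])
    return report


if __name__ == "__main__":
    result = fleet_report(INVENTORY, BASELINE, date(2026, 3, 21))
    print("Compliant:", ", ".join(result["compliant"]) or "none")
    for serial, findings in result["non_compliant"].items():
        print(serial)
        for finding in findings:
            print("  -", finding)
```

Two details matter more than the rest. A device that has not checked in recently is reported before anything else, because its "compliant" fields are only as fresh as its last contact. And a field that is simply missing from the export, such as the unreported FileVault state on the last constructed device, is treated as a failure rather than skipped; the questions in section 1 are only answered when every device has a positive answer on record.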

8. Can users get help quickly when something goes wrong?

Even in a well-managed environment, users still need support.

The question is whether support is structured properly.

Think about:

  • how users request help
  • how quickly issues are triaged
  • whether Apple-specific issues are understood first time
  • whether recurring problems are identified and reduced
  • whether MDM, access and device issues are handled together

If support is slow, unclear or split across too many teams, productivity suffers.

9. Are you supporting mixed Apple and Windows environments properly?

Many UK businesses do not run Apple alone.

If your organisation uses both Apple and Windows, your support model needs to reflect that reality. Apple devices should not be treated as edge cases inside a Windows-first process.

The goal should be a support setup where Apple devices are managed properly, users get the same quality of experience, and security standards remain consistent across the business.

10. Are you reviewing and improving the environment regularly?

Good Apple IT support is not a one-off project.

Your setup should be reviewed regularly to identify:

  • support bottlenecks
  • repeat device issues
  • outdated policies
  • gaps in onboarding
  • compliance risks
  • opportunities to simplify management

The best Apple environments are maintained over time, not left untouched after the initial setup.

Signs your Apple IT support needs improvement

If any of the following sound familiar, your current setup may need attention:

  • Devices are configured differently across teams
  • New starters take too long to set up
  • Support tickets keep repeating
  • Apple devices are harder to manage than they should be
  • Security settings are inconsistent
  • Your team lacks visibility across the fleet
  • Apple support depends on one person internally
  • Your business has outgrown its original setup

Final checklist

Before you scale further, ask yourself:

  • Are our Apple devices fully visible and properly managed?
  • Is Apple Business Manager set up and being used correctly?
  • Is MDM supporting the environment properly?
  • Are onboarding and offboarding processes consistent?
  • Are updates, apps and policies under control?
  • Can users get fast, specialist support when needed?
  • Is our Apple environment secure, stable and easy to support?

If the answer to several of those questions is no, it is usually a sign that the business needs a more structured Apple support model.

Need help reviewing your Apple environment?

If you want a clearer picture of how well your current setup is working, explore our Apple IT Support service page to see how we help UK businesses support Macs, iPhones and iPads more effectively.

You can also review your wider device management approach through our Apple MDM services if MDM setup and maintenance is one of the gaps.

Book a free meeting