Jamf vs Intune vs Iru (Kandji) vs FleetDM vs Apple Business MDM: Which Is Right for Your UK Business in 2026?
Introduction
Picture this. Your IT Director sits down to do an Apple MDM comparison. She opens five browser tabs. One for Jamf. One for Intune. One for something called Iru that used to be called Kandji. One for FleetDM, which someone on the engineering team swears by. And one for Apple Business, which apparently now includes free MDM built in.
Three hours later, she is more confused than when she started.
Every vendor claims to be the best. Every comparison article was written by someone trying to sell you something. And nobody is being straight about what each platform actually cannot do.
This guide is different. We are a vendor-neutral Apple MDM specialist. We implement and manage all five platforms covered here for UK businesses on a regular basis. Our job is to put you on the right platform for your specific situation, not the one we prefer.
If you are new to MDM and want to understand the basics first, read our guide on what MDM is and how it works before coming back here.
If you are ready to compare, read on.
Apple MDM Comparison: The Five Platforms at a Glance
| Feature | Apple Business | Jamf for Mac | Iru (Kandji) | MS Intune | FleetDM |
|---|---|---|---|---|---|
| Price | Free | From £10/device/mo | £3–£7/device/mo | Included in M365 or £6/user/mo | Free or £6/host/mo |
| Best for | Small teams, no IT resource | Large enterprise Apple fleets | Growing teams, compliance | Mixed Windows and Apple | Engineering-led, Linux included |
| Apple-first? | ✓ | ✓ | ✓ | ✗ | ✗ |
| Cross-platform? | ✗ | Limited | Expanding | ✓ | ✓ |
| Zero-touch | ✓ | ✓ | ✓ | ✓ | ✓ |
| Cyber Essentials | ✗ | ✓ | ✓ | ✓ | ✓ |
| Compliance reporting | ✗ | ✓ | ✓ | ✓ | ✓ |
| 3rd party security | ✗ | ✓ CrowdStrike, SentinelOne | ✓ CrowdStrike, Okta, Vanta | ✓ Defender | ✓ Splunk, Elastic |
| Automated patching | Basic | Advanced (policy-based, CVE-triggered) | Advanced (300+ apps, Mac and Windows) | OS only. No native 3rd party patching | ~50 app catalog. Munki needed for enterprise |
| BYOD support | ✗ | ✓ | ✓ | ✓ | ✓ |
| Linux support | ✗ | ✗ | ✗ | ✗ | ✓ |
| Open source | ✗ | ✗ | ✗ | ✗ | ✓ |
| Setup complexity | Low | High | Low–medium | Medium–high | High |
| Support quality | Apple standard | Good | Excellent (<2 min chat) | Poor (widely reported) | Community + paid |
| Ideal fleet size | 1–25 devices | 50+ devices | 25–500+ devices | Any (mixed) | Any (technical) |
| Free trial | N/A | 14 days | 14 days | 30 days | Permanent free tier |
Apple Business MDM: The Free Option That Launched in April 2026
What it is
Apple Business launched in the UK on 14 April 2026, replacing Apple Business Manager, Apple Business Essentials and Apple Business Connect. For the first time, Apple includes built-in device management natively, at no cost. Zero-touch deployment via Blueprints, app distribution, passcode enforcement and basic security policies are all included.
The real-life scenario where it works
You are a 12-person startup. Everyone uses a Mac. You have no dedicated IT person. You want devices enrolled and basic security policies in place before your first SOC 2 audit. Apple Business MDM gets you there for free, in an afternoon.
What it does well
Zero-touch deployment is genuinely impressive. A new Mac arrives, the employee unpacks it, it configures itself. App distribution works cleanly. Managed Apple Accounts keep work and personal data separate. For a business with a simple, Apple-only fleet and no complex compliance requirements, it covers the fundamentals competently.
Where it falls short
Apple designed this for businesses without dedicated IT resources. Once your compliance requirements mature, it hits clear limits fast.
There are no compliance reports for Cyber Essentials or ISO 27001. Third-party security integrations such as CrowdStrike or SentinelOne are not supported. Scripting and automation at scale are beyond its capabilities. Android, BYOD management and advanced patch management are simply not part of what Apple designed this platform to do. And the companion employee app requires iOS 26, iPadOS 26 and macOS 26, none of which have launched yet.
What real users complain about: The lack of granular reporting is the most common complaint from businesses that outgrow it. There is no audit trail that satisfies Cyber Essentials assessors.
The verdict
Apple Business MDM is the right starting point for early-stage businesses with simple Apple-only fleets and no regulated data. For anyone preparing for Cyber Essentials, ISO 27001, or managing a fleet of more than 25 devices with any complexity, it is the foundation, not the solution.
Jamf Pro: The Industry Standard for Apple. Now with a simpler entry point
What it is
Jamf has been the go-to Apple MDM platform for over two decades. In 2026 Jamf restructured its product offering significantly to address one of its biggest criticisms: complexity. The result is two important additions that change how businesses buy and use Jamf.
Jamf for Mac
Jamf for Mac is a new all-in-one bundle that combines Jamf Pro (device management), Jamf Connect (identity and access management) and Jamf Protect (endpoint security) into a single subscription at approximately £10 per Mac per month. Previously these three products had to be purchased and configured separately. The bundle removes that complexity and gives businesses a complete Mac management and security stack in one package.
Jamf Elevate
Jamf Elevate is a new unified management and security dashboard designed specifically for small and medium-sized businesses. Jamf offers it free of charge to qualifying SMBs. It is Jamf’s direct response to the criticism that Jamf Pro is too complex for smaller IT teams, providing a simplified interface on top of the same underlying platform.
The real-life scenario where it works
You are the IT Director at a 200-person fintech in London. You manage a global Apple fleet across three offices, you are working toward ISO 27001 certification and your security team has mandated CIS Level 1 benchmarks as the baseline across every endpoint, with CrowdStrike on every Mac. Your engineers run custom scripts to automate onboarding. Your auditor needs compliance reports that show exactly which devices are patched, encrypted and policy-compliant at any given moment.
This is the environment Jamf Pro was built for. But a Jamf deployment at this level is not something you configure in a weekend. Getting Smart Groups, policies, Jamf Protect and Jamf Connect working together correctly, integrated with your identity provider and mapped to your compliance framework, requires deep platform knowledge. Done well it is transformative. Done poorly it becomes the reason IT teams firefight all the time and then look for a new solution.
nDuo implements and manages Jamf Pro for clients at exactly this scale. We handle the configuration, the compliance mapping and the ongoing management so your IT team gets the power of Jamf without the overhead of becoming Jamf experts themselves.
What it does well
The depth of configuration is unmatched. Jamf Pro supports hundreds of granular configuration profiles, advanced patch management, full CIS benchmark enforcement and integrations with CrowdStrike, SentinelOne, Microsoft Defender and dozens of other security tools. Compliance reporting is detailed and audit-ready. Every new Apple OS feature lands in Jamf on day one.
Jamf Protect, included in the Jamf for Mac bundle, adds Mac-native endpoint detection and response, threat prevention, CVE-triggered automatic remediation and SIEM integration. For regulated industries this is a significant capability.
The Jamf for Mac bundle makes the full stack accessible at a predictable per-device price rather than requiring three separate negotiations.
Where it falls short
Cost remains the most consistent complaint even with the new bundle. At approximately £10 per Mac per month for the full bundle, a 100-device fleet costs around £1,000 per month before implementation or support costs. Volume discounts are negotiable but the 25-device minimum and annual billing commitment are fixed.
The underlying complexity of Jamf Pro has not gone away. Jamf Elevate simplifies the experience for SMBs but advanced configurations still require expertise. Some users consistently report that standard functions require scripting and workarounds that feel unnecessary compared to other MDM platforms. The learning curve for new administrators is steep.
Jamf does not have strong cross-platform support. Android support has been introduced recently but Apple remains the core focus.
The verdict
Jamf Pro remains the right choice for larger Apple fleets with complex compliance requirements and regulated industries. The Jamf for Mac bundle makes the full stack more accessible. Jamf Elevate is worth exploring for SMBs who want Jamf’s platform without the administrative overhead.
Iru (Formerly Kandji)
What it is
Iru was Kandji until October 2025. The rebrand reflects a broader ambition: Iru is expanding from Apple-focused MDM into a full AI-powered platform covering identity and access, endpoint security and compliance automation across Apple, Windows and Android. The MDM core remains Apple-first and mature, with Windows and Android support expanding rapidly.
The real-life scenario where it works
You are a 60-person business. You have Apple Business MDM in place but you are three weeks from your Cyber Essentials audit and you have just discovered personal devices are in scope, your compliance reporting is non-existent and your patch management cannot be evidenced to an assessor. Your IT team of two is already stretched. You need a platform that handles the heavy lifting, and a partner who can configure it correctly from day one.
Iru is the platform we commonly recommend in this situation. But the platform alone does not get you audit-ready. The configuration, policy design, compliance mapping and ongoing management is where nDuo’s involvement makes the difference between passing your assessment and failing it.
What it does well
The interface is where Iru consistently outperforms other MDMs in user reviews. Setup is smooth, the admin console is cleaner, and common tasks that require scripting in other platforms are handled natively in Iru. The Auto Apps library now covers over 300 Mac and Windows applications with automated patching that requires no manual package management. Zero-touch deployment works reliably out of the box most of the time.
Third-party security integrations have expanded significantly since the Iru rebrand. The platform now integrates with CrowdStrike, SentinelOne, Okta, Microsoft Entra ID, Google Workspace and major compliance frameworks including Vanta, Drata, Sprinto and Secureframe.
Customer support is consistently praised across hundreds of reviews, with live chat responses typically under two minutes. For IT teams without deep MDM expertise, this matters enormously.
Where it falls short
Pricing is not published and minimum contract tiers can make it expensive for very small teams. Some users report rigid pricing structures with no flexibility for SMEs. Windows and Android support is maturing but not yet at parity with Apple management. If you have a genuinely mixed fleet with heavy Windows requirements, Intune is probably still the safer choice.
The verdict
Iru is the right choice for Apple-first teams that want enterprise compliance and automation with simplicity. It is particularly well suited to smaller teams in regulated markets and tech that need Cyber Essentials or SOC 2 readiness without a large IT team. The platform handles the heavy lifting well. Getting the configuration, compliance mapping and policy design right from day one is where having the right implementation partner turns a good platform into a great outcome.
Microsoft Intune: Potentially the right answer if you are already in Microsoft
What it is
Microsoft Intune is a cloud-based endpoint management platform built for mixed environments. It manages Windows, macOS, iOS, iPadOS and Android from a single console. For businesses already running Microsoft 365, it is often already included in their licence at no extra cost.
The real-life scenario where it works
You are the IT Manager at a 150-person professional services firm. Half your team uses MacBooks, half uses Windows laptops, and everyone is in Microsoft 365 Business Premium. You already pay for Intune. Your Mac requirements are straightforward: devices enrolled, basic security policies applied, OS updates managed. No complex compliance framework, no CIS benchmarks, no scripting requirements. Using a second dedicated MDM platform purely for basic Mac management would double your complexity and cost for capabilities you do not yet need. For this specific situation, Intune gets the job done.
The moment your Mac requirements grow beyond the basics, however, Intune starts to show its limitations. No native third-party app patching, Apple features that lag behind dedicated platforms, and an interface that was built for Windows first. At that point a conversation about a dedicated Apple MDM platform becomes worthwhile.
What it does well
If your organisation is deeply embedded in the Microsoft ecosystem, Intune is the natural choice. Integration with Microsoft Entra ID for conditional access, Microsoft Defender for endpoint security and the broader Microsoft 365 suite is seamless. For mixed Apple and Windows environments, Intune reduces tool sprawl significantly.
The fact that Intune is included in Microsoft 365 Business Premium, E3 and E5 means many businesses are already paying for it. For OS update management on both Windows and macOS, Intune kind of works, via Windows Update for Business and Apple MDM protocols respectively.
Where it falls short
Third-party app patching is the biggest gap. Intune has no native support for patching non-Microsoft third-party applications. Chrome, Slack, Zoom, Adobe and anything else outside the Microsoft Store require manual packaging, custom scripts, or a third-party tool like PatchMyPC. For businesses with a large and varied software estate, this is a significant operational burden.
Apple-specific features consistently lag behind dedicated Apple platforms. When Apple releases a new OS or management feature, other MDM platforms typically support it on day one. Intune often takes weeks or months to catch up.
Device action speed on Mac is a consistent complaint from Intune users. Sending a wipe, lock or any other command to a Mac through Intune can take hours, and in some cases over 24 hours, to execute. On top of that, commands frequently fail silently with no clear error. This is a fundamental limitation of how Intune communicates with Apple devices compared to dedicated Apple platforms, where the same actions are near-instant. For IT teams managing time-sensitive incidents, this is a significant operational risk.
Licensing is genuinely confusing. The base Plan 1 is £6 per user per month but many enterprise features require add-ons that push the cost to £12 to £16 per user per month.
The verdict
Intune is a reasonable choice if you are already in Microsoft 365, managing a mixed Windows and Apple environment, and your Mac requirements are straightforward. For basic enrolment, OS update management and simple policy enforcement on Macs, it works. The fact that it is already included in your Microsoft 365 licence makes it hard to argue against as a starting point.
But Intune was built for Windows first and it shows. As Mac requirements mature, it increasingly becomes a liability rather than an asset. Many businesses start with Intune for Macs and find themselves looking for a dedicated Apple MDM platform within 12 to 18 months as their requirements mature.
If your Mac estate is growing, your compliance requirements are increasing, or your IT team is spending meaningful time working around Intune’s Mac limitations, that conversation is worth having sooner rather than later.
FleetDM: The Open Source Option for Engineering-Led Teams
What it is
FleetDM is an open source, cross-platform device management platform built on osquery. It manages macOS, Windows, Linux, iOS, Android and ChromeOS from a single console. The self-hosted version has no device limits and no feature gates on core functionality.
The real-life scenario where it works
You are the IT lead at a 1000-person software company. Half your engineers use Apple and Linux. The other half use Windows. Your security team wants near-real-time visibility into every device. Your engineering team manages device policies as code, version-controlled in Git, reviewed in pull requests. No other platform on this list supports this natively.
What it does well
The osquery foundation delivers near real-time device reporting. Where most MDMs poll devices every few hours, FleetDM can return data in under 30 seconds. For security teams running incident response, this changes everything.
GitOps-native configuration management is a genuine differentiator. Policies are defined in YAML, version-controlled, peer-reviewed and deployed through CI/CD pipelines. For engineering-led organisations that manage everything else as code, this feels natural rather than bolted on.
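What a reviewer would see in such a pull request, as an added example that is not taken from this article or from Fleet's own repository: a policy file in which each compliance check is an osquery SQL query. The file name, the policy set and the OS version threshold are constructed, and the field names assume Fleet's policy YAML format, so check them against the Fleet documentation for your version.

```yaml
# Hypothetical file: lib/baseline.policies.yml, applied to Fleet by a CI job on merge.
# Assumption: a host passes a policy when its query returns at least one row.

- name: macOS - FileVault enabled
  platform: darwin
  critical: true
  description: The startup disk must be encrypted so a lost Mac does not expose data.
  resolution: Turn on FileVault in System Settings > Privacy & Security.
  query: >-
    SELECT 1 FROM disk_encryption
    WHERE user_uuid IS NOT '' AND filevault_status = 'on' LIMIT 1;

- name: macOS - Application firewall on
  platform: darwin
  critical: false
  description: The built-in firewall must be enabled on every Mac.
  resolution: Enable the firewall in System Settings > Network > Firewall.
  query: SELECT 1 FROM alf WHERE global_state >= 1;

# The major version below is a constructed sample threshold, not a recommendation.
- name: macOS - Supported major version
  platform: darwin
  critical: false
  description: Macs must run a major OS release that still receives security updates.
  resolution: Install the latest macOS release from Software Update.
  query: SELECT 1 FROM os_version WHERE major >= 15;

- name: Linux - Root filesystem encrypted
  platform: linux
  critical: true
  description: The volume mounted at / must sit on an encrypted block device.
  resolution: Reinstall with full-disk encryption (LUKS) enabled.
  query: >-
    SELECT 1 FROM mounts m, disk_encryption d
    WHERE m.device_alias = d.name AND d.encrypted = 1 AND m.path = '/';
```

Because each check is a plain SQL query, a reviewer can run it with osquery on a test machine before approving the change.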
The open source model means no vendor lock-in. You own your data, your deployment and your infrastructure. For privacy-conscious organisations or those with data sovereignty requirements, this matters.
Where it falls short
Third-party app patching is a significant limitation for enterprise use. FleetDM’s built-in Fleet-maintained app catalog covers approximately 50 to 60 common applications. For organisations managing a large and varied software estate, this is not enough. Most IT teams running FleetDM at enterprise scale use Munki alongside it for comprehensive Mac third-party patch management. Munki is a free, open source tool but it requires additional infrastructure, configuration and ongoing maintenance. This means meaningful extra overhead compared to other MDM platforms where patching is largely native.
For custom packages outside the Fleet-maintained catalog, administrators must upload packages manually and configure policy automations to trigger installs. This works but requires considerably more effort.
FleetDM is not a SaaS product you sign up for and use in five minutes. Self-hosting requires Docker, MySQL, S3-compatible storage, TLS certificates and ongoing server maintenance. For non-technical IT teams, this overhead is prohibitive.
Pre-built compliance blueprints and automated patch management libraries are not as extensive as dedicated Apple platforms.
The verdict
FleetDM is the right choice for engineering-led organisations with Apple and mixed device environments, where GitOps workflows and real-time visibility matter more than a simple UI and turnkey patching. It is not the right choice for non-technical IT teams.
How to Choose: A Decision Framework
Fewer than 25 Apple devices, no IT team, no compliance requirements:
Start with Apple Business MDM. It is free and covers the fundamentals. Revisit when you grow.
Apple-only fleet, need Cyber Essentials or ISO 27001, want simplicity:
Iru (formerly Kandji) is a good choice. Faster to implement than other MDMs, 300+ app Auto Apps library, excellent support, strong compliance automation.
Large Apple fleet, regulated environment, ISO 27001, CIS benchmarks, complex scripting requirements:
Jamf Pro or the Jamf for Mac bundle. The depth of configuration and compliance capability is unmatched at this level. The implementation complexity is real; having the right partner from day one determines whether Jamf becomes your strongest asset or your biggest headache.
Mixed Windows and Apple environment, already in Microsoft 365, straightforward Mac requirements:
Microsoft Intune. You may already be paying for it. Supplement with a third-party patching tool for non-Microsoft apps and plan for a dedicated Apple MDM conversation as your Mac requirements grow.
Engineering-led team, run Linux alongside Apple, want open source with real-time visibility and GitOps:
FleetDM. Real-time osquery visibility, GitOps-native policy management and no vendor lock-in make it a natural fit for technical teams. Pair it with Munki for comprehensive Mac patching and you have a powerful, fully open source device management stack that most commercial platforms cannot match for this specific use case.
Not sure which applies to you? Book a free call with our team and we will work it out together in 15 minutes. No jargon, no sales pitch, just a straight answer from someone who implements all five platforms for UK businesses every day.