
Mobile Device Management (MDM) for Enterprise: Locking Down the Endpoints You Can't See

Last year, a Fortune 500 company suffered a data breach because a single unmanaged iPad—synced to a VP's corporate email—was left unlocked in an airport lounge. The device had no encryption policy, no remote wipe capability, and no conditional access rules. It was invisible to the security team. If that scenario keeps you up at night, this post is for you.



Why MDM Is a Security Control, Not Just an IT Convenience

Mobile Device Management has evolved far beyond its early days of distributing email profiles. In a modern enterprise, MDM is a critical enforcement layer in your zero-trust architecture. It answers a fundamental question before granting access: Is this device trustworthy right now?

A mature MDM deployment gives your security operations team the ability to:

  • Enforce encryption, OS version minimums, and passcode complexity at scale
  • Feed device compliance into conditional access decisions (Microsoft Entra ID, formerly Azure AD; Okta)
  • Remotely wipe a lost or stolen device, or selectively wipe only the corporate data from a personal one
  • Deploy certificates and VPN configurations without user intervention
  • Maintain a near-real-time inventory (devices check in periodically, not continuously) of every endpoint touching corporate resources

Without MDM, your identity provider is making access decisions with incomplete information. You're authenticating the user but not the device.


Choosing an Enrollment Strategy

Your enrollment model determines your level of control. The three primary approaches are:

Strategy                                Ownership   Control Level         Use Case
DEP/ADE (Automated Device Enrollment)   Corporate   Full (supervised)     Company-issued iPhones, iPads
Android Enterprise (fully managed)      Corporate   Full                  Company-issued Android devices
BYOD (work profile / MAM)               Employee    Partial (app-level)   Personal devices accessing corporate data

For corporate-owned devices, always use supervised (Apple) or fully managed (Android) enrollment. On Apple devices, supervision comes from Automated Device Enrollment: the device is registered in Apple Business Manager and assigned to your MDM server, so it enrolls during setup before the user can skip anything. A device enrolled by the user through a downloaded profile is not supervised, and you cannot switch supervision on afterwards without erasing it. Supervised mode unlocks controls that are otherwise unavailable: silent app installation, preventing the user from removing the MDM profile or VPN configuration, and blocking AirDrop and iMessage so they cannot be used to move corporate data off the device.


Practical Configuration: Enforcing Compliance with Microsoft Intune

Here's a real-world example. Suppose you want to block non-compliant devices from accessing Exchange Online. First, define a compliance policy via the Microsoft Graph API:

# Create a compliance policy requiring a passcode, a minimum OS version and no jailbreak.
# Two things the Graph schema enforces that are easy to miss:
#  - iosCompliancePolicy has no storageRequireEncryption property (that setting exists
#    on the Android, macOS and Windows policy types); on iOS, data protection follows
#    from requiring a passcode.
#  - scheduledActionsForRule is mandatory on create, otherwise the POST is rejected.
#    gracePeriodHours = 0 marks a failing device non-compliant immediately.
curl -X POST https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "@odata.type": "#microsoft.graph.iosCompliancePolicy",
    "displayName": "iOS Security Baseline",
    "osMinimumVersion": "17.0",
    "securityBlockJailbrokenDevices": true,
    "passcodeRequired": true,
    "passcodeBlockSimple": true,
    "passcodeMinimumLength": 6,
    "scheduledActionsForRule": [{
      "ruleName": "PasswordRequired",
      "scheduledActionConfigurations": [{
        "actionType": "block",
        "gracePeriodHours": 0,
        "notificationTemplateId": "",
        "notificationMessageCCList": []
      }]
    }]
  }'

The policy does nothing until it is assigned to a group (POST to the policy's /assign action with a groupAssignmentTarget). Then pair it with a Conditional Access policy in Microsoft Entra ID (formerly Azure AD) that uses "Require device to be marked as compliant" as a grant control. Devices that fail are not quarantined in the network sense: Conditional Access refuses to issue the token, and the user lands on a remediation page explaining what to fix instead of in their inbox. Create the Conditional Access policy in report-only mode first and read the sign-in logs for a few days before enforcing it; enforcing on day one blocks every unenrolled device at once.
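The three steps above (create the compliance policy, assign it, create the Conditional Access policy) as one scripted rollout over Microsoft Graph. This is an added example and not code from the original article or from Microsoft; it uses only the Python standard library. It assumes a bearer token in GRAPH_TOKEN with the DeviceManagementConfiguration.ReadWrite.All and Policy.ReadWrite.ConditionalAccess permissions, and an Entra group id in MDM_GROUP_ID for the users whose devices are in scope. Both variable names are placeholders chosen for this example; the Exchange Online application id is the well-known one for the Office 365 Exchange Online service principal.

```python
# Added example: scripted rollout of compliance policy -> assignment -> Conditional Access.
# Assumptions (placeholders for this example): GRAPH_TOKEN and MDM_GROUP_ID environment variables.
import json
import os
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Well-known appId of the Office 365 Exchange Online service principal.
EXCHANGE_ONLINE_APP_ID = "00000002-0000-0ff1-ce00-000000000000"


def compliance_policy(min_ios: str = "17.0") -> dict:
    """iOS baseline. iOS has no storageRequireEncryption property (data protection
    follows from requiring a passcode). scheduledActionsForRule is mandatory on
    create; gracePeriodHours=0 makes a failing device non-compliant at once."""
    return {
        "@odata.type": "#microsoft.graph.iosCompliancePolicy",
        "displayName": "iOS Security Baseline",
        "osMinimumVersion": min_ios,
        "securityBlockJailbrokenDevices": True,
        "passcodeRequired": True,
        "passcodeBlockSimple": True,
        "passcodeMinimumLength": 6,
        "passcodeMinutesOfInactivityBeforeLock": 5,
        "scheduledActionsForRule": [{
            "ruleName": "PasswordRequired",
            "scheduledActionConfigurations": [{
                "actionType": "block",
                "gracePeriodHours": 0,
                "notificationTemplateId": "",
                "notificationMessageCCList": [],
            }],
        }],
    }


def assignment(group_id: str) -> dict:
    """Body for POST .../deviceCompliancePolicies/{id}/assign."""
    return {"assignments": [{"target": {
        "@odata.type": "#microsoft.graph.groupAssignmentTarget",
        "groupId": group_id}}]}


def conditional_access_policy(group_id: str, enforce: bool = False) -> dict:
    """Require a compliant device for Exchange Online. Starts in report-only;
    pass enforce=True once the sign-in logs show no legitimate users caught."""
    return {
        "displayName": "Require compliant device for Exchange Online",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeGroups": [group_id]},
            "applications": {"includeApplications": [EXCHANGE_ONLINE_APP_ID]},
            "platforms": {"includePlatforms": ["iOS", "android"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    }


def graph_post(path: str, body: dict, token: str) -> dict:
    """Minimal JSON POST to Graph; the /assign action returns an empty body."""
    req = urllib.request.Request(
        GRAPH + path, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def rollout(group_id: str, token: str, post=graph_post) -> list:
    """Run the three calls in order and return (path, response) pairs.
    'post' is injectable so the sequence can be exercised without a tenant."""
    created = post("/deviceManagement/deviceCompliancePolicies", compliance_policy(), token)
    steps = [("/deviceManagement/deviceCompliancePolicies", created)]
    assign_path = f"/deviceManagement/deviceCompliancePolicies/{created['id']}/assign"
    steps.append((assign_path, post(assign_path, assignment(group_id), token)))
    ca = post("/identity/conditionalAccess/policies",
              conditional_access_policy(group_id), token)
    steps.append(("/identity/conditionalAccess/policies", ca))
    return steps


if __name__ == "__main__":
    for path, resp in rollout(os.environ["MDM_GROUP_ID"], os.environ["GRAPH_TOKEN"]):
        print(path, resp.get("id", "ok"))
```

The order matters: the assignment needs the id returned by the first call, and the Conditional Access policy is harmless in report-only state until you flip enforce, which is the moment unenrolled devices lose mailbox access.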

For quick device audits from the command line, pull non-compliant devices from the same Graph endpoint. Intune managed devices are not exposed through Azure Resource Graph, so az graph query cannot see them; the managedDevices collection with an OData filter is the right tool. Large tenants get the result in pages, so follow @odata.nextLink if you need the whole fleet.

# List devices marked non-compliant
curl -s -G "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices" \
  -H "Authorization: Bearer $TOKEN" \
  --data-urlencode "\$filter=complianceState eq 'noncompliant'" \
  --data-urlencode "\$select=deviceName,userPrincipalName,operatingSystem,osVersion,lastSyncDateTime" \
  | jq -r '.value[] | [.deviceName, .userPrincipalName, .operatingSystem, .osVersion, .lastSyncDateTime] | @tsv'
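A one-off query answers "who is non-compliant right now", but the audit a SOC actually wants also catches devices Intune still calls compliant: jailbroken ones, devices below the OS floor, and devices that simply stopped checking in. The script below is an added example, not code from the original article or from Microsoft: it walks the managedDevices collection page by page, classifies each record, and emits JSON Lines ready for a log forwarder (the "integrate device signals into your SIEM" step from later in this post). The OS floors, the 30-day staleness threshold and SAMPLE_PAGE are constructed for this example; the field names are Graph's managedDevice properties, and jailBroken really is a string ("True", "False", "Unknown") in that schema.

```python
# Added example: paged inventory pull plus triage into SIEM-ready findings.
# Assumptions: GRAPH_TOKEN (placeholder) holds a token with DeviceManagementManagedDevices.Read.All;
# MIN_OS, the 30-day stale threshold and SAMPLE_PAGE are constructed for this example.
import json
import os
import urllib.request
from datetime import datetime, timedelta, timezone

GRAPH = "https://graph.microsoft.com/v1.0"
SELECT = ("id,deviceName,userPrincipalName,operatingSystem,osVersion,"
          "complianceState,jailBroken,lastSyncDateTime")


def fetch_devices(token: str):
    """Yield every managedDevice, following @odata.nextLink until the last page."""
    url = f"{GRAPH}/deviceManagement/managedDevices?$select={SELECT}"
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def version_tuple(v: str) -> tuple:
    """'17.5.1' -> (17, 5, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def triage(devices, min_os: dict, now: datetime, stale_days: int = 30) -> list:
    """One finding per problem; a single device may produce several."""
    findings = []

    def flag(d, text):
        findings.append({"device": d.get("deviceName") or d.get("id"),
                         "user": d.get("userPrincipalName", ""),
                         "finding": text})

    for d in devices:
        state = d.get("complianceState")
        if state != "compliant":
            flag(d, f"complianceState={state}")
        if d.get("jailBroken") == "True":           # Graph reports this as a string
            flag(d, "jailbroken/rooted")
        floor = min_os.get(d.get("operatingSystem", ""))
        if floor and version_tuple(d.get("osVersion", "0")) < version_tuple(floor):
            flag(d, f"osVersion {d.get('osVersion')} below floor {floor}")
        last = d.get("lastSyncDateTime")
        if last:
            seen = datetime.fromisoformat(last.replace("Z", "+00:00"))
            if now - seen > timedelta(days=stale_days):
                flag(d, f"no check-in for {(now - seen).days} days")
    return findings


def to_siem_lines(findings) -> list:
    """JSON Lines, one event per finding, tagged with the source system."""
    return [json.dumps({"source": "intune", **f}, sort_keys=True) for f in findings]


MIN_OS = {"iOS": "17.0", "Android": "13.0"}      # assumed fleet baselines
NOW = datetime(2024, 6, 12, tzinfo=timezone.utc)  # fixed clock for the sample
SAMPLE_PAGE = {"value": [                         # constructed sample page
    {"id": "1", "deviceName": "vp-ipad", "userPrincipalName": "vp@example.com",
     "operatingSystem": "iOS", "osVersion": "16.7.8", "complianceState": "noncompliant",
     "jailBroken": "False", "lastSyncDateTime": "2024-05-01T08:00:00Z"},
    {"id": "2", "deviceName": "eng-pixel", "userPrincipalName": "eng@example.com",
     "operatingSystem": "Android", "osVersion": "14.0", "complianceState": "compliant",
     "jailBroken": "True", "lastSyncDateTime": "2024-06-10T08:00:00Z"},
    {"id": "3", "deviceName": "ok-iphone", "userPrincipalName": "ok@example.com",
     "operatingSystem": "iOS", "osVersion": "17.5.1", "complianceState": "compliant",
     "jailBroken": "False", "lastSyncDateTime": "2024-06-11T08:00:00Z"},
]}


if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")
    if token:
        devices, now = list(fetch_devices(token)), datetime.now(timezone.utc)
    else:
        devices, now = SAMPLE_PAGE["value"], NOW   # offline run on the sample
    for line in to_siem_lines(triage(devices, MIN_OS, now)):
        print(line)
```

Run against the sample, the VP's iPad produces three findings (non-compliant, below the iOS floor, 42 days without a check-in) while the Pixel, which Intune still reports as compliant, is flagged only for being rooted; that second case is exactly the device a compliance-only query would miss.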

Operational Hardening Checklist

Beyond basic enrollment, harden your MDM deployment with these often-overlooked controls:

  • Certificate-based authentication: Replace passwords for Wi-Fi and VPN (EAP-TLS, IKEv2 with client certificates) with SCEP or PKCS certificates issued through MDM. There is nothing for a user to type into a phishing page, and with SCEP the private key is generated on the device and never leaves it. Certificates do not rotate by themselves: set a renewal threshold in the certificate profile so MDM reissues before expiry, and alert on devices whose certificate has lapsed.
  • Location and network signals: MDM compliance policies do not evaluate where a device connects from; that decision belongs to the identity provider. Use Conditional Access named locations (or your IdP's equivalent network zones) to block or step up sign-ins from unexpected countries or networks, in the same policy that requires device compliance.
  • Jailbreak/root detection: Both Apple and Android enterprise platforms report a tampered OS state to the MDM. Treat a jailbroken or rooted device as compromised: mark it non-compliant immediately, which cuts off access through Conditional Access, and schedule a retire action (Intune's selective wipe) so corporate data is removed if the device does not return to a clean state.
  • App protection policies (MAM): For BYOD, enforce cut/copy/paste restrictions, require app-level PINs, and prevent "Save As" to personal cloud storage, all without managing the device itself. Pair this with a Conditional Access grant control that requires an approved client app or app protection policy, or users can bypass it with an unmanaged mail client.

Final Thoughts

MDM is not a "set and forget" deployment. Treat it like any other security control: audit policies quarterly, review compliance reports weekly, and integrate device signals into your SIEM. The device your CEO carries in their pocket has access to the same data as the hardened workstation in your SOC. It deserves the same rigor.

The endpoint you can't see is the one that will hurt you.


Have questions about Mobile Device Management (MDM) for enterprise? I'm always happy to talk shop — reach out or connect with me on LinkedIn.
