Mobile Device Management (MDM)
[TBD]
Outcome
- MDM is installed by default on all devices provided to employees
- The MDM is configured with secure defaults and restrictions according to the organization's needs
- Enable disk encryption
- Standard applications per role are defined if needed
- Enforce updates
- Force device lock when inactive
- SSH keys are password protected
- Enforce EDR
- Disable remote logins
- User has no admin permissions
- There's a defined process to quarantine devices
- Alerts are monitored and acted upon
- There's a self-serve way for users to gain admin access to their devices so they can manage them as needed
- There's a way for users to install applications for their needs, based on a pre-approved list
Metrics
- Number/Percentage of devices under MDM
- Number of detected occurrences
- Percentage of False Positives
- Number of confirmed occurrences
- Devices not compliant with defined policies
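An added example, not part of the original playbook: one way to compute the metrics above from an MDM inventory export and an alert list. The field names, the 300-second lock threshold and the sample records are assumptions constructed for illustration; the false-positive percentage is taken over triaged alerts only.

```python
MAX_IDLE_LOCK_S = 300  # assumed threshold; set it to your own policy

# One check per control in the Outcome list. Field names are hypothetical.
CHECKS = {
    "disk_encryption": lambda d: d["disk_encrypted"],
    "updates_enforced": lambda d: d["os_up_to_date"],
    "idle_lock": lambda d: 0 < d["lock_after_s"] <= MAX_IDLE_LOCK_S,
    "edr_enforced": lambda d: d["edr_running"],
    "remote_login_disabled": lambda d: not d["remote_login"],
    "no_admin_user": lambda d: not d["user_is_admin"],
}

def failed_checks(device):
    """Controls a managed device fails; a missing or malformed field is a failure."""
    failed = []
    for name, check in CHECKS.items():
        try:
            ok = bool(check(device))
        except (KeyError, TypeError):
            ok = False
        if not ok:
            failed.append(name)
    return failed

def mdm_metrics(devices, alerts):
    managed = [d for d in devices if d.get("enrolled")]
    failures = {d["id"]: failed_checks(d) for d in managed}
    confirmed = sum(a["status"] == "confirmed" for a in alerts)
    false_pos = sum(a["status"] == "false_positive" for a in alerts)
    triaged = confirmed + false_pos  # alerts still open are excluded from the rate
    return {
        "pct_under_mdm": round(100 * len(managed) / len(devices), 1) if devices else 0.0,
        "unmanaged": [d["id"] for d in devices if not d.get("enrolled")],
        "non_compliant": {i: f for i, f in failures.items() if f},
        "detected": len(alerts),
        "confirmed": confirmed,
        "pct_false_positive": round(100 * false_pos / triaged, 1) if triaged else None,
    }

# Constructed sample data: a compliant baseline and three deviations from it.
GOOD = {"enrolled": True, "disk_encrypted": True, "os_up_to_date": True,
        "lock_after_s": 300, "edr_running": True, "remote_login": False,
        "user_is_admin": False}
DEVICES = [
    {"id": "lt-001", **GOOD},
    {"id": "lt-002", **GOOD, "disk_encrypted": False, "lock_after_s": 0},
    {"id": "lt-003", **GOOD, "user_is_admin": True},
    {"id": "lt-004", "enrolled": False},  # never enrolled, so no posture data
]
ALERTS = [{"status": s} for s in ("confirmed", "false_positive", "false_positive", "open")]
```

Unenrolled devices are reported separately from non-compliant ones because they have no posture data to evaluate.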
Tools & Resources
- Kandji (Paid)
- Jamf (Paid)
- JumpCloud (Paid)
- ScaleFusion (Paid)
- iMazing Profile Editor - GUI tool to help generate macOS profiles (Free)
- Santa - A tool to manage binary and file access for macOS (Free)
- Munki - A tool to manage software installation and updates for macOS (Free)
- Gorilla - Similar to Munki, for Windows (Free)
- NanoMDM - Open source MDM server for Apple devices (Free)
- Elevate24 - Tool to request temporary admin access on macOS (Free/Paid)