Mobile Device Management (MDM)

[TBD]

Outcome

  • MDM is installed by default on all devices provided to employees
  • The MDM is configured with secure defaults and restrictions according to the organization's needs
  • Enable disk encryption
  • Standard applications per role are defined if needed
  • Enforce updates
  • Force device lock when inactive
  • SSH keys are password protected
  • Enforce EDR
  • Disable remote logins
  • User has no admin permissions
  • There's a defined process to quarantine devices
  • Alerts are monitored and acted upon
  • There's a self-service way for users to gain admin access to their devices so they can manage them as needed
  • There's a way for users to install applications for their needs, based on a pre-approved list

Metrics

  • Number/Percentage of devices under MDM
  • Number of detected occurrences
  • Percentage of False Positives
  • Number of confirmed occurrences
  • Devices not compliant with defined policies

Tools & Resources

  • Kandji (Paid)
  • Jamf (Paid)
  • JumpCloud (Paid)
  • ScaleFusion (Paid)
  • iMazing Profile Editor - GUI tool to help generate macOS profiles (Free)
  • Santa - A tool to manage binary and file access for macOS (Free)
  • Munki - A tool to manage software installation and updates for macOS (Free)
  • Gorilla - Similar to Munki, for Windows (Free)
  • NanoMDM - Open source MDM server for Apple devices (Free)
  • Elevate24 - Tool to require temporary admin access for macOS (Free/Paid)

Further Reading