It was 10 PM on a Tuesday. An employee sent a message: "I lost my laptop. Somewhere in the city. I have no idea where it is."
Inside that laptop: access to work tools, internal conversations, probably cached authentication tokens. Potentially a way into systems that had nothing to do with the device itself.
We locked it remotely in a few minutes. No panic. No emergency calls. No incident post-mortem the next morning.
And then we just went to sleep.
That's what MDM actually is — not technology for technology's sake, but the ability to not turn a bad moment into a crisis. The difference between "we handled it" and "we need to talk about what happened."
Prevention Is Invisible. That's the Point.
Most of the work MDM does is boring. It runs in the background, silently, and you never notice it — which is exactly the goal.
Encrypted disks on every device. Not because something happened. Because something could. Full-disk encryption means a lost laptop is an inconvenience, not a breach.
OS updates that actually happen. Not "we sent a Slack message asking people to update by Friday." The system enforces it. The update happens. The vulnerability window closes.
Password policies enforced automatically. Minimum length, complexity, rotation — configured once, applied everywhere. No more chasing people down to change a password they've had since 2019.
App deployment without user involvement. Required tools appear on new machines. Unauthorized software gets blocked. No ticket, no wait, no "can you install this for me."
When everything is quiet — the system is working.
The problem with invisible work is that it's easy to undervalue. You don't see the incidents that didn't happen. You don't measure the breaches that never occurred. MDM is infrastructure, and infrastructure only gets attention when it fails.
How We Got Here: From JumpCloud to a Split Setup
We didn't start with Jamf and Intune. We started where a lot of growing teams start — with a single, universal solution that handled the basics.
JumpCloud was that solution for us. Cross-platform, straightforward to configure, good enough when the fleet was small and the requirements were simple. It worked. We don't regret starting there.
But "universal" comes with trade-offs. A tool designed to handle everything across every platform ends up optimized for none of them. As the device count grew and requirements got more specific, the gaps became visible.
Mac management is genuinely hard. Apple's device management stack — profiles, MDM commands, APNS, declarative management — is powerful, but it rewards tools built specifically around it. Generic cross-platform solutions handle the basics. Jamf handles everything.
Windows and Android have their own ecosystem. Microsoft Intune is native to it. The integration with Microsoft 365, Azure AD, Conditional Access — it's not something you replicate with a third-party tool. It's already there.
So we made a deliberate choice: split responsibilities.
Two Tools, One Strategy
🍎 Jamf Pro — Everything Apple
Jamf was built for Apple devices. Not adapted for them — built for them. The depth of Mac management it provides isn't something you find elsewhere.
What that means in practice:
Zero-touch deployment via Apple Business Manager. A new Mac arrives, the employee turns it on, and it configures itself. Correct profile, correct apps, correct settings — without IT touching the machine.
Configuration profiles that go beyond basic MDM: screen time policies, kernel extension management, system preferences lockdown, privacy controls.
Patch management with granular control over what gets pushed, when, and to which machines.
Jamf Pro Self Service — a curated app catalog where users can install approved tools themselves, without filing a ticket.
Compliance and inventory in real time. Device health, OS version, encryption status, last check-in — visible at a glance.
The tradeoff: Jamf is Apple-only. It does one ecosystem, and it does it exceptionally well. If your fleet is mixed, you need something else for the rest.
🪟 Microsoft Intune — Windows and Android
Intune is Microsoft's endpoint management platform, and its strongest argument is integration. If your organization runs Microsoft 365, Intune is already in the picture.
Key capabilities:
Conditional Access — device compliance is a condition of accessing Microsoft services. A non-compliant device can't reach Exchange, SharePoint, or Teams, regardless of whether credentials are valid.
Windows Autopilot — the Windows equivalent of zero-touch enrollment. New devices configure themselves from first boot.
App protection policies — you can enforce MDM-like controls on corporate data inside apps (Outlook, Teams, OneDrive) without fully enrolling personal devices. Useful for BYOD situations.
Android Enterprise — work profile separation that keeps personal and corporate data isolated on the same device.
Deep M365 integration — compliance status feeds into Azure AD, which feeds into Conditional Access, which feeds into every Microsoft service the organization uses. It's a coherent system.
Why Two Tools?
The honest answer: because the alternative is worse.
A universal MDM that covers Apple, Windows, and Android in a single pane of glass sounds appealing. In practice, it means accepting mediocre support for each platform instead of excellent support for any of them.
Mac-specific features get implemented late or not at all. Windows integration is through workarounds rather than native APIs. Edge cases — and there are always edge cases — require more effort to resolve.
Running two tools means slightly more complexity in day-to-day operations. It means two admin consoles, two billing relationships, two sets of documentation to maintain. That's a real cost.
It's a cost we consciously accepted because the alternative — one tool that does everything adequately — creates different costs. More troubleshooting. More workarounds. More moments where the tool doesn't quite do what you need it to do.
Better a tool built for the job than a universal one that does everything but nothing particularly well.
What MDM Actually Gives You
To put it plainly:
🔒 Security baselines, enforced. Encryption, screen lock, password policies — applied to every device automatically, without relying on users to configure them.
📦 Software management without helpdesk tickets. Apps deployed remotely, updates pushed on schedule, unauthorized software blocked or flagged.
👁️ Visibility. At any moment, you can see every managed device: OS version, compliance status, last check-in, installed applications. Not a spreadsheet someone manually updates — live data.
🔄 Zero-touch enrollment. New devices configure themselves. IT doesn't need to touch a machine before it's ready for use.
🚨 Lost or compromised device response. Lock or wipe remotely within minutes. Contain the incident before it becomes a breach.
The lost laptop story from the beginning isn't rare. Devices get left in taxis, forgotten in cafes, stolen from bags. Without MDM, each of those events starts a chain of manual steps: who has the credentials to revoke access, which systems were accessible, is there any sensitive data on disk, how long has it been since we noticed.
With MDM, it's: find the device in the console, send a lock or wipe command, confirm execution. Done in minutes rather than hours.
What Does It Actually Cost?
This is where people sometimes get surprised — in either direction.
| Solution | Approximate Cost |
|---|---|
| Jamf Now (basic Apple MDM) | ~$4/device/month |
| Jamf Pro (full Apple management) | $3.67–$7.89/device/month |
| Microsoft Intune (standalone) | ~$8/user/month |
| Intune via M365 Business Premium | Already included |
That last line is worth emphasizing: if your organization is on Microsoft 365 Business Premium, you already have Intune. It's part of the license. Not an add-on, not an upgrade — included.
A significant number of organizations are paying for Business Premium, have Intune available, and have never turned it on. The capability is there. The protection is not.
The cost of MDM is known and predictable. The cost of an incident — a data breach, a compliance violation, a lost device with unencrypted data — is neither.
Practical Considerations for Getting Started
If you're evaluating MDM for the first time, or reconsidering your current setup, a few things worth thinking through:
Start with what you have. If you're on M365 Business Premium, enable Intune before you evaluate anything else. You're already paying for it.
Define your compliance baseline first. Before deploying MDM, decide what "compliant" means for your organization. Encryption required? OS version minimum? Screen lock timeout? Getting this right upfront makes configuration much cleaner.
Enrollment experience matters. Zero-touch enrollment isn't just convenient — it ensures devices are enrolled correctly from day one, rather than relying on users to complete setup steps that may or may not happen.
Personal devices are a different conversation. BYOD (bring your own device) requires a different approach than corporate-owned devices. Intune's app protection policies are specifically designed for this — protecting corporate data in apps without full device enrollment.
MDM is not a substitute for identity. Device management and identity management (who can access what) work together. MDM can enforce that a device is healthy; your identity provider enforces that the right person is using it. Both matter.
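To make the "define your compliance baseline first" advice concrete, here is an added Python example (not code from the original post, and not Jamf's or Microsoft's own tooling) that evaluates device inventory records against a baseline of the kind described above: encryption required, a per-platform minimum OS version, a screen-lock timeout, and a check-in freshness limit. It also shows the Conditional Access style decision mentioned earlier in the post, where valid credentials are necessary but not sufficient. The record field names, the baseline values and the four inventory entries are constructed for the illustration; real Jamf Pro or Intune inventory exports use their own schemas, so the `INVENTORY` layout is an assumption.

```python
"""Compliance baseline evaluator (constructed example, not a vendor API)."""
import re
from dataclasses import dataclass, field


@dataclass
class Baseline:
    """What 'compliant' means for this fleet. Values are illustrative."""
    require_encryption: bool = True
    # Minimum OS version per platform; keys match the 'platform' field below.
    min_os: dict = field(default_factory=lambda: {
        "macOS": "14.0",
        "Windows": "10.0.19045",
        "Android": "13",
    })
    max_screen_lock_seconds: int = 300      # lock after at most 5 minutes idle
    max_hours_since_checkin: int = 24       # a device that stops reporting is unknown, not healthy


def parse_version(v: str) -> tuple:
    """'14.4.1' -> (14, 4, 1). Trailing build tags such as '14.2 (23C64)' are ignored."""
    nums = []
    for piece in v.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums)


def version_at_least(actual: str, minimum: str) -> bool:
    """Component-wise comparison, padding shorter versions with zeros."""
    a, b = parse_version(actual), parse_version(minimum)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a >= b


def evaluate(device: dict, baseline: Baseline) -> list:
    """Return the list of baseline violations for one device; empty means compliant."""
    issues = []
    if baseline.require_encryption and not device.get("disk_encrypted", False):
        issues.append("full-disk encryption is off")
    min_os = baseline.min_os.get(device["platform"])
    if min_os and not version_at_least(device["os_version"], min_os):
        issues.append(f"OS {device['os_version']} is below minimum {min_os}")
    lock = device.get("screen_lock_seconds")
    if lock is None or lock > baseline.max_screen_lock_seconds:
        issues.append("screen lock timeout missing or longer than "
                      f"{baseline.max_screen_lock_seconds}s")
    if device.get("hours_since_checkin", 0) > baseline.max_hours_since_checkin:
        issues.append(f"no check-in for {device['hours_since_checkin']}h")
    return issues


def access_decision(credentials_valid: bool, issues: list) -> str:
    """Conditional Access style gate: both identity and device health must pass."""
    if not credentials_valid:
        return "deny: invalid credentials"
    if issues:
        return "deny: device non-compliant (" + "; ".join(issues) + ")"
    return "allow"


# Constructed inventory records; field names are this example's own, not a vendor export.
INVENTORY = [
    {"name": "mac-01", "platform": "macOS", "os_version": "14.4.1",
     "disk_encrypted": True, "screen_lock_seconds": 120, "hours_since_checkin": 2},
    {"name": "win-07", "platform": "Windows", "os_version": "10.0.19044",
     "disk_encrypted": True, "screen_lock_seconds": 600, "hours_since_checkin": 5},
    {"name": "and-03", "platform": "Android", "os_version": "14",
     "disk_encrypted": False, "screen_lock_seconds": 60, "hours_since_checkin": 1},
    {"name": "mac-09", "platform": "macOS", "os_version": "14.4.1",
     "disk_encrypted": True, "screen_lock_seconds": 120, "hours_since_checkin": 72},
]


def report(inventory: list, baseline: Baseline) -> dict:
    """Map device name -> list of violations, the view an admin console would surface."""
    return {d["name"]: evaluate(d, baseline) for d in inventory}


if __name__ == "__main__":
    for name, issues in report(INVENTORY, Baseline()).items():
        status = "compliant" if not issues else "NON-COMPLIANT: " + "; ".join(issues)
        print(f"{name:8} {status}")
        print(f"{'':8} access with valid credentials -> {access_decision(True, issues)}")
```

The point of writing the baseline down as data before rolling anything out is visible in the `Baseline` class: every threshold lives in one place, so when the minimum OS moves or the lock timeout changes, the policy changes once and the evaluation follows. The `hours_since_checkin` rule is an addition beyond the post's three examples; a device that has gone silent should be treated as unknown rather than assumed healthy.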
Closing Thought
The 10 PM message about the lost laptop could have been a bad night. Instead, it was a fifteen-minute exercise — find the device, send the command, confirm it's locked, go back to sleep.
That's the actual value of MDM. Not the feature list. Not the admin console. The ability to respond to something going wrong without it turning into something worse.
Most of the time, nothing goes wrong. The encryption is there, the updates are applied, the policies are enforced, and none of it requires anyone's attention. That's the system working.
When something does go wrong, the system is still working.
What are you using for device management? One tool or several? Drop a comment — curious what setups people are running and what's actually working.
#MDM #ITSecurity #Jamf #MicrosoftIntune #EndpointManagement #ZeroTrust #ITOperations #CyberSecurity #ITManagement