
How to Set Up MDM for a Small Business

A step-by-step guide to choosing and deploying mobile device management for your small business. Kandji vs Jamf vs Intune compared.

MDM stands for mobile device management, but the name undersells it. It's really about controlling, securing, and monitoring every laptop and device your company owns. And if you're a small business without it, you're flying blind.

Here's the practical guide to choosing a platform, setting it up, and rolling it out without your employees revolting.

What MDM actually does

In plain terms, MDM lets you do three things:

See what's out there. How many devices does your company have? What OS versions are they running? Is encryption turned on? Without MDM, the honest answer is usually "I don't know."

Enforce security policies remotely. You can require disk encryption, force OS updates, set passcode requirements, and restrict certain apps or settings. All without touching the physical device.

Respond when things go wrong. Laptop stolen? Lock it and wipe it remotely. Employee leaves? Revoke access and remove company data. Device out of compliance? Get notified automatically.

If your company has more than 10 devices out in the wild, you need MDM. It's not a "nice to have."

When you need it

The short answer: before you think you do.

The trigger for most companies is one of these scenarios:

A laptop gets lost or stolen and you realize you have no way to wipe it. An employee leaves and you discover they still have company data on a personal device. A customer sends a security questionnaire asking about your device management policies and you don't have an answer.

If any of that sounds familiar, you needed MDM six months ago.

For most small businesses, the sweet spot is somewhere between 10 and 25 employees. Before that, you can get by with manual checks. After that, manual checks don't scale.

Choosing a platform: Kandji vs Jamf vs Intune

There are plenty of MDM options, but for small businesses, three platforms cover 90% of use cases.

Kandji

Best for: Mac-first teams under 200 people.

Kandji was built specifically for Apple devices and it shows. The setup experience is clean, the pre-built security templates are excellent, and it's significantly easier to learn than Jamf.

Kandji includes over 150 pre-built automations for common policies. It also has a solid auto-patching feature for third-party apps (Chrome, Zoom, Slack, etc.), which saves you from chasing updates manually.

Cost: Starts around $6-8 per device per month depending on the plan.

Downsides: Apple only. If you have Windows or Linux devices in the mix, you'll need a second solution for those.

Jamf

Best for: Larger Mac-first environments or companies with complex requirements.

Jamf is the industry standard for Apple device management. It's incredibly powerful but comes with a steeper learning curve. For a small team without a dedicated IT person, Jamf can feel like overkill.

That said, if you're in a regulated industry or have specific compliance requirements, Jamf's depth of configuration options is unmatched.

Cost: Starts around $8-12 per device per month.

Downsides: More complex to set up and manage. The admin interface assumes familiarity with enterprise IT concepts.

Microsoft Intune

Best for: Mixed Mac/Windows environments or Microsoft-heavy shops.

If your team runs on Microsoft 365 and has a mix of Mac and Windows devices, Intune is the logical choice. It's included with certain Microsoft 365 Business Premium and Enterprise plans, which can make it effectively free if you're already paying for those licenses.

Intune's Mac management has improved significantly in recent years, but it's still not as polished as Kandji or Jamf on the Apple side. Where it shines is managing Windows devices and integrating tightly with Entra ID and the Microsoft ecosystem.

Cost: Included with M365 Business Premium ($22/user/month) or as a standalone add-on starting around $8/user/month.

Downsides: The admin console can be confusing. Mac management is serviceable but not native-feeling.

My recommendation

If you're a Mac-first small business, start with Kandji. It's the fastest to set up, easiest to manage, and purpose-built for your use case.

If you have a mixed environment, Intune is probably the most cost-effective choice, especially if you're already on Microsoft 365.

Save Jamf for when your requirements outgrow what Kandji can handle, or when you need advanced Apple features specific to regulated industries.

Step-by-step setup

This walkthrough uses Kandji as the example, but the concepts apply to any platform.

Step 1: Create your account and connect your identity provider

Sign up for a Kandji account and connect it to your identity provider (Google Workspace, Okta, or Entra ID). This lets employees authenticate with their existing company credentials when enrolling their devices.

Step 2: Configure your security policies

Start with the essentials. Don't try to lock everything down on day one.

Disk encryption. Require FileVault (Mac) or BitLocker (Windows). This encrypts the entire drive so if a device is lost, the data is unreadable. This is non-negotiable.

OS updates. Set a policy that requires the latest major OS version within 30 days of release, and security patches within 14 days. Be reasonable with timelines. Giving people two weeks to update is better than forcing a reboot during a customer call.

Passcode requirements. Require a device passcode of at least 8 characters. Don't go crazy with complexity requirements. Length matters more than special characters.

Screen lock. Set auto-lock to 5 minutes of inactivity. This prevents someone from walking past an unlocked laptop and accessing everything.

Firewall. Enable the built-in firewall on all devices. On Mac, this is a simple toggle in Kandji.

Step 3: Set up app management

Use Kandji's auto-app feature to deploy and keep common applications up to date. At minimum, include your browser (Chrome or Firefox), communication tool (Slack or Teams), password manager (1Password), and any other company-standard apps.

This saves new hires from spending their first morning downloading and installing software.

Step 4: Create an enrollment workflow

You have two options:

Automated Device Enrollment (ADE). If you purchase devices through Apple Business Manager, they can be automatically enrolled in Kandji the first time they're powered on. This is the gold standard and what you should aim for with new device purchases.

Manual enrollment. For existing devices, employees will need to install an enrollment profile. Kandji makes this straightforward with a self-service enrollment URL. The employee visits the URL, authenticates with their company credentials, and follows the prompts.

Step 5: Test on a small group

Before rolling out to the entire company, test with 3-5 people. Ideally, pick employees who are tech-comfortable and can give you honest feedback. Watch for:

  • Does the enrollment process work smoothly?
  • Do any policies cause unexpected issues?
  • Are the OS update timelines reasonable?
  • Does any critical software break?

Fix issues before going company-wide.

How to roll it out without employees freaking out

This is where most companies mess up. You can have the perfect MDM configuration and still fail if you roll it out badly.

Communicate early and clearly. Send an all-hands message or email at least a week before enrollment explaining what's happening and why. Be specific about what MDM can and cannot see.

Address the privacy concern directly. Employees will worry that you're monitoring their personal activity. Be transparent. In most MDM configurations, you can see device name, OS version, installed apps, and compliance status. You cannot see browsing history, personal messages, photos, or files. Say this explicitly.

Make it about protecting them. Frame it correctly. MDM means that if their laptop is stolen, their data is protected. If they lose a device, it can be locked instantly. This isn't surveillance. It's security.

Give people a reasonable deadline. Don't demand same-day enrollment. Give the team a week. Send a reminder at the halfway point. Follow up individually with anyone who hasn't enrolled by the deadline.

Offer help. Some employees will have questions or run into issues. Have someone available (even just in a Slack channel) to help during the rollout window.

Common mistakes

Being too aggressive with policies on day one. If you enable every restriction simultaneously, you'll get pushback. Start with the essentials (encryption, passcode, OS updates) and add restrictions gradually based on actual needs.

Not testing first. Always test with a small group. There's always something you didn't expect.

Forgetting about BYOD. If employees use personal devices for work, you need a separate policy. Most MDM platforms support a "managed profile" that separates company data from personal data without controlling the entire device. Don't try to fully manage a personal device. That's a fast way to lose trust.

Ignoring the rollout communication. Technical setup is half the job. The other half is making sure your team understands what's happening and why. Skip this and you'll be dealing with complaints and conspiracy theories for weeks.

Not maintaining it. MDM isn't set-and-forget. You need to review compliance reports regularly, update policies as your needs change, and make sure new devices are enrolled.
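The "review compliance reports regularly" part is easier when the Step 2 thresholds (encryption on, passcode of at least 8, 5-minute auto-lock, firewall on, major OS within 30 days and patches within 14) are written down as a check you can re-run on every export. The script below is an added example, not Kandji's code or its export format: it assumes you have exported the device list to a CSV with the column names shown, and every row, the review date and the 7-day "stopped reporting" cut-off are constructed for the example rather than taken from the guide.

```python
"""Compliance review of an MDM inventory export against the Step 2 policies.

Added example, not Kandji's code or export format. Assumes you have exported
the device list to CSV; the column names and every row below are constructed
for this example.
"""
import csv
import io
from datetime import date, datetime

# Thresholds from Step 2 of the guide.
MIN_PASSCODE_LENGTH = 8
MAX_AUTOLOCK_SECONDS = 5 * 60
MAJOR_RELEASE_DEADLINE_DAYS = 30
SECURITY_PATCH_DEADLINE_DAYS = 14
# Not stated in the guide: an assumed cut-off for "this device has stopped
# reporting in", which usually means it is unenrolled, lost or powered off.
STALE_CHECKIN_DAYS = 7

# Constructed export; the review date is fixed so the results are stable.
REVIEW_DATE = date(2024, 4, 21)
SAMPLE_EXPORT = """\
device_name,user,os_version,latest_os_version,latest_os_release_date,disk_encrypted,passcode_min_length,autolock_seconds,firewall_enabled,last_checkin
mbp-alice,alice@example.com,14.4.1,14.4.1,2024-04-01,true,8,300,true,2024-04-20
mbp-bob,bob@example.com,14.3.0,14.4.1,2024-04-01,false,6,600,true,2024-04-19
mbp-carol,carol@example.com,13.6.6,14.4.1,2024-04-01,true,12,120,false,2024-03-01
"""


def parse_version(text):
    """'14.4.1' -> (14, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def parse_date(text):
    return datetime.strptime(text, "%Y-%m-%d").date()


def check_device(row, today=REVIEW_DATE):
    """Return a list of 'tag: detail' findings; an empty list means compliant."""
    findings = []
    if row["disk_encrypted"].lower() != "true":
        findings.append("encryption: full-disk encryption is off")
    if int(row["passcode_min_length"]) < MIN_PASSCODE_LENGTH:
        findings.append(
            f"passcode: minimum length {row['passcode_min_length']} "
            f"is below {MIN_PASSCODE_LENGTH}"
        )
    if int(row["autolock_seconds"]) > MAX_AUTOLOCK_SECONDS:
        findings.append(
            f"autolock: {row['autolock_seconds']}s exceeds {MAX_AUTOLOCK_SECONDS}s"
        )
    if row["firewall_enabled"].lower() != "true":
        findings.append("firewall: built-in firewall is off")

    # OS updates: a new major release gets 30 days, a patch on the current
    # major gets 14 days, both counted from the release date.
    installed = parse_version(row["os_version"])
    latest = parse_version(row["latest_os_version"])
    if installed < latest:
        age = (today - parse_date(row["latest_os_release_date"])).days
        if installed[0] < latest[0]:
            deadline = MAJOR_RELEASE_DEADLINE_DAYS
        else:
            deadline = SECURITY_PATCH_DEADLINE_DAYS
        if age > deadline:
            findings.append(
                f"os-update: {row['os_version']} is behind {row['latest_os_version']} "
                f"released {age} days ago (limit {deadline})"
            )

    silent_days = (today - parse_date(row["last_checkin"])).days
    if silent_days > STALE_CHECKIN_DAYS:
        findings.append(f"stale-checkin: last seen {silent_days} days ago")
    return findings


def review(csv_text, today=REVIEW_DATE):
    """Map each device name to its findings, so the result is easy to act on."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["device_name"]: check_device(row, today) for row in reader}


if __name__ == "__main__":
    for device, findings in review(SAMPLE_EXPORT).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{device}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

On the sample rows, mbp-alice comes back clean, mbp-bob is flagged for encryption, passcode, auto-lock and a patch that is 20 days overdue, and mbp-carol is flagged for the firewall and for not checking in for 51 days but not for the OS: it is a major version behind, and the guide's 30-day window for major releases has not yet run out. That two-tier OS rule is the piece people most often get wrong when they eyeball the report by hand. The same check is what you would run against the 3-5 pilot devices in Step 5 before going company-wide.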

What comes next

Once MDM is in place, you've got the foundation for real device security. The next steps are usually:

  1. Connecting MDM to your SSO and MFA setup so device compliance is part of your access policy
  2. Setting up endpoint security for threat detection
  3. Building MDM enrollment into your onboarding and offboarding processes

If you'd rather have someone handle all of this for you, that's exactly what I do for remote teams. I set up MDM, configure the policies, manage the rollout, and maintain it going forward on a flat monthly retainer. Book a call if you want to talk through your setup.
