Mobile Device Management (MDM): Managing smartphones and tablets securely
Mobile Device Management (MDM) enables the centralized management of smartphones, tablets, and laptops. This article explains MDM architectures, enrollment methods (DEP/Apple Business Manager, Android Enterprise Zero-Touch), compliance policies, app management (MAM), BYOD vs. company-owned devices, and a product comparison (Intune, Jamf, VMware Workspace ONE).
Mobile devices are the most commonly overlooked aspect of IT security. Laptops are meticulously managed—yet a sales representative’s iPhone has full access to Exchange and SharePoint, with no password, no encryption, and no remote wipe capability. MDM closes this gap.
MDM Architecture and Protocols
Basic MDM Principle:
Enrollment:
Device → MDM enrollment URL → MDM profile installed
→ MDM profile installs Certificate Authority for secure communication
→ MDM now has a management channel to the device
MDM Protocols:
Apple (iOS/macOS): APNs (Apple Push Notification Service)
Android: Firebase Cloud Messaging (FCM)
Windows: Windows Push Notification Services (WNS) + OMA-DM
What MDM Can Manage:
Configuration:
→ Wi-Fi profiles (automatically configure corporate Wi-Fi)
→ Email profiles (automatic Exchange configuration)
→ VPN profiles (VPN client automatically configured)
→ Certificates: Client certificates for WPA2-Enterprise, VPN
Security policies:
→ Passcode/PIN: Required, minimum length, complexity
→ Device encryption: Enforced
→ Screen Lock: Timeout after X minutes
→ Biometrics: Face ID/Fingerprint allowed/prohibited
Remote Actions:
→ Remote Lock: Lock device immediately
→ Remote Wipe: Reset device to factory settings
→ Lost Mode (iOS): Enable GPS tracking, display message
→ Selective Wipe (MAM): Delete only company data
App Management:
→ Deploy apps: Silent install without user interaction
→ App blacklist/whitelist
→ VPP (Volume Purchase Program): Centralized app licensing
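The management channel described above works the same way for every platform: the push service (APNs, FCM, WNS) only wakes the device, and the device then connects to the MDM server itself to fetch and acknowledge commands such as InstallProfile, DeviceLock or EraseDevice. The following Python model is an added example (not AWARE7's code or any vendor's implementation) that plays both sides of that exchange in-process. The plist keys (Status, CommandUUID, RequestType, UDID, the `mdm`/PushMagic push payload) follow Apple's MDM protocol; the server, the device class, the UDID, the PushMagic value and the profile identifier are constructed for the demo, and InstallProfile is simplified to carry an identifier instead of the signed .mobileconfig payload.

```python
import plistlib
import uuid
from collections import deque


class MdmServer:
    """Minimal MDM server: per-device command queues plus a log of acknowledged results."""

    def __init__(self):
        self.push_magic = {}   # UDID -> PushMagic token learned at enrollment
        self.queues = {}       # UDID -> deque of pending command plists
        self.results = []      # (UDID, CommandUUID, Status) reported back by devices

    def enroll(self, udid, push_magic):
        # In the real protocol the device reports UDID, Token and PushMagic in
        # its TokenUpdate check-in; here they are handed over directly (constructed).
        self.push_magic[udid] = push_magic
        self.queues[udid] = deque()

    def queue_command(self, udid, request_type, **params):
        cmd = {"CommandUUID": str(uuid.uuid4()),
               "Command": {"RequestType": request_type, **params}}
        self.queues[udid].append(cmd)
        return cmd["CommandUUID"]

    def push_payload(self, udid):
        # The APNs payload carries only the PushMagic token: it wakes the device
        # and never transports the command itself.
        return {"mdm": self.push_magic[udid]}

    def connect(self, udid, report_bytes):
        """Handle one device PUT to ServerURL; return the next command or an empty body."""
        report = plistlib.loads(report_bytes)
        if report["Status"] != "Idle":
            self.results.append((udid, report["CommandUUID"], report["Status"]))
        queue = self.queues[udid]
        if queue:
            return plistlib.dumps(queue.popleft())
        return b""   # nothing pending: the device closes the connection


class Device:
    """Managed device; its state changes only through commands it pulls itself."""

    def __init__(self, udid):
        self.udid = udid
        self.locked = False
        self.wiped = False
        self.profiles = set()

    def handle_push(self, server):
        # A push makes the device connect and report Idle; it keeps polling
        # until the server answers with an empty body.
        body = plistlib.dumps({"Status": "Idle", "UDID": self.udid})
        while True:
            response = server.connect(self.udid, body)
            if not response:
                return
            cmd = plistlib.loads(response)
            status = self.execute(cmd["Command"])
            body = plistlib.dumps({"Status": status, "UDID": self.udid,
                                   "CommandUUID": cmd["CommandUUID"]})

    def execute(self, command):
        request_type = command["RequestType"]
        if request_type == "DeviceLock":
            self.locked = True
        elif request_type == "InstallProfile":
            # Real InstallProfile carries the signed .mobileconfig as Payload data;
            # this constructed example records only a profile identifier.
            self.profiles.add(command["Identifier"])
        elif request_type == "EraseDevice":
            self.wiped = True
        else:
            return "Error"   # an unsupported RequestType is reported, not silently dropped
        return "Acknowledged"


def run_demo():
    """Constructed scenario: enroll one device, queue three commands, push, collect results."""
    server = MdmServer()
    server.enroll("UDID-CONSTRUCTED-1", "PUSHMAGIC-CONSTRUCTED")
    device = Device("UDID-CONSTRUCTED-1")
    server.queue_command(device.udid, "InstallProfile", Identifier="com.example.wifi")
    server.queue_command(device.udid, "DeviceLock")
    server.queue_command(device.udid, "Unsupported")
    device.handle_push(server)
    return server, device


if __name__ == "__main__":
    srv, dev = run_demo()
    print(dev.locked, dev.profiles, [r[2] for r in srv.results])
```

The design point worth noticing is that a lost or throttled push only delays a command; it is never the path by which a command leaks or is spoofed, because the device fetches commands over its own authenticated TLS session to the server URL in the enrollment profile.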
Enrollment Methods
Apple devices (iOS/macOS):
Apple Business Manager (ABM) + DEP:
Automated Device Enrollment (ADE/DEP):
→ Device is ordered from an Apple reseller (delivery note IMEI)
→ Device automatically appears in the ABM portal
→ First power-on: Automatic enrollment with MDM
→ Zero-touch for end users: No manual setup!
Process:
1. Order device from Apple reseller (linked DEP account)
2. Apple Business Manager: Assign device to MDM profile
3. Send device to employee (or ZTP: directly to user)
4. Employee powers on device → automatic enrollment
5. Corporate apps are automatically installed
Supervised Mode (recommended for company-owned devices):
→ Greater management control
→ Silent app installation without user confirmation
→ Kiosk mode, AirDrop restrictions
→ USB Restrict Mode configurable
---
Android (Android Enterprise):
Android Enterprise Zero-Touch Enrollment:
→ Equivalent to Apple DEP
→ Reseller must be a Zero-Touch partner (Google list)
→ Device appears in Zero-Touch portal
→ QR code OR NFC for fast enrollment
Android Management Profiles:
Fully Managed Device (Company-Owned):
→ Full IT control over device
→ Separate work area (Work Profile)
→ Kiosk mode possible
Work Profile (BYOD):
→ Separate container for work data
→ IT manages ONLY the work container
→ Private area: completely untouched (GDPR!)
→ User can delete the work profile themselves (which removes all company data from the device)
---
Windows (Intune + Autopilot):
Windows Autopilot:
→ Register device hash in Intune (OEM/reseller or manually)
→ Employee receives new device directly at home
→ Power on → Azure AD Join → automatic Intune enrollment
→ Corporate apps are installed, policies are applied
→ User is productive after 30–60 minutes
Autopilot Profile (PowerShell):
# Request body for a Windows Autopilot deployment profile, as a hashtable
# that is serialized to JSON for the Microsoft Graph API.
$AutopilotProfile = @{
    "@odata.type"         = "#microsoft.graph.windowsAutopilotDeploymentProfile"
    "displayName"         = "AWARE7-Autopilot-Profile"
    "description"         = "Standard User Enrollment"
    "extractHardwareHash" = $false
    "deviceNameTemplate"  = "A7-%RAND:5%"   # device name = A7- plus 5 random characters
    "deviceType"          = "windowsPc"
    "enableWhiteGlove"    = $true           # allow pre-provisioning (white glove) by IT/reseller
}
# Create the profile in Intune. Requires a prior Connect-MgGraph with a scope
# that can write device management service configuration.
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeploymentProfiles" `
    -Body ($AutopilotProfile | ConvertTo-Json -Depth 5)
Compliance Policies and Conditional Access
Define device compliance (Microsoft Intune example):
iOS Compliance Policy:
→ Minimum OS Version: iOS 17.0
→ Jailbreak detection: Block jailbroken devices
→ Passcode required: YES
→ Minimum passcode length: 6
→ Device encryption: Required
→ Max minutes of inactivity before passcode: 5
Windows Compliance Policy:
→ Minimum OS Build: 22621 (Windows 11 22H2)
→ BitLocker: Required
→ Antivirus: Required and up to date
→ Firewall: Required
→ Defender enabled: Required
→ Machine Risk Score: LOW (Defender Risk Score)
Non-Compliance Actions:
→ Immediately: Mark as non-compliant
→ 1 day: Send notification to user
→ 3 days: Block access (Conditional Access)
→ 15 days: Remotely wipe device
Conditional Access with Device Compliance:
Policy: "All Apps - Require Compliant Device"
Assignments: All Users
Target Apps: All Cloud Apps
Grant Access: Require compliant device + Require MFA
Result:
→ Non-compliant device: Access to Exchange, SharePoint, etc. blocked
→ User sees: "Your device does not meet security requirements"
→ User can make device compliant (install update, etc.)
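The three pieces above (compliance rules, the graded non-compliance actions, and the Conditional Access grant) are easiest to understand when run together over a handful of devices. The following Python code is an added example, not AWARE7's code and not Intune's implementation: the policy dictionaries mirror the iOS and Windows rules listed above, the device records are constructed, and the access decision assumes Intune's grace-period behaviour, where a device that has failed a rule is still granted access until the "block access" action becomes due (day 3 in the schedule above).

```python
from dataclasses import dataclass

# Constructed policies mirroring the iOS / Windows compliance rules above.
IOS_POLICY = {"min_os": (17, 0), "block_jailbroken": True, "min_passcode_len": 6,
              "encryption_required": True, "max_inactivity_min": 5}
WINDOWS_POLICY = {"min_build": 22621, "bitlocker": True, "antivirus": True,
                  "firewall": True, "defender": True, "max_risk": "low"}

# Grace-period schedule: (days since the first non-compliant evaluation, action).
NONCOMPLIANCE_SCHEDULE = [(0, "mark_noncompliant"), (1, "notify_user"),
                          (3, "block_access"), (15, "wipe")]
RISK_ORDER = {"low": 0, "medium": 1, "high": 2}


@dataclass
class DeviceRecord:
    name: str
    platform: str            # "ios" or "windows"
    os_version: tuple        # iOS: (major, minor); Windows: (10, 0, build)
    jailbroken: bool = False
    passcode_len: int = 0
    encrypted: bool = False
    inactivity_min: int = 0
    bitlocker: bool = False
    antivirus_current: bool = False
    firewall: bool = False
    defender: bool = False
    risk_score: str = "low"
    mfa_done: bool = False
    days_noncompliant: int = 0


def evaluate(dev):
    """Return the names of failed rules; an empty list means compliant."""
    failures = []
    if dev.platform == "ios":
        p = IOS_POLICY
        if dev.os_version < p["min_os"]:
            failures.append("os_version")
        if p["block_jailbroken"] and dev.jailbroken:
            failures.append("jailbroken")
        if dev.passcode_len == 0:
            failures.append("passcode_missing")
        elif dev.passcode_len < p["min_passcode_len"]:
            failures.append("passcode_too_short")
        if p["encryption_required"] and not dev.encrypted:
            failures.append("encryption")
        if dev.inactivity_min > p["max_inactivity_min"]:
            failures.append("inactivity_timeout")
    elif dev.platform == "windows":
        p = WINDOWS_POLICY
        if dev.os_version[2] < p["min_build"]:
            failures.append("os_build")
        for rule, ok in (("bitlocker", dev.bitlocker), ("antivirus", dev.antivirus_current),
                         ("firewall", dev.firewall), ("defender", dev.defender)):
            if p[rule] and not ok:
                failures.append(rule)
        if RISK_ORDER[dev.risk_score] > RISK_ORDER[p["max_risk"]]:
            failures.append("risk_score")
    else:
        failures.append("unsupported_platform")   # unknown platforms never pass
    return failures


def due_actions(days_noncompliant):
    """All scheduled actions whose grace period has elapsed, in schedule order."""
    return [action for days, action in NONCOMPLIANCE_SCHEDULE if days_noncompliant >= days]


def conditional_access(dev):
    """Grant decision for the policy 'Require compliant device + Require MFA'.

    A device inside its grace period is still treated as compliant; access is
    cut once the block action is due. MFA is required in every case."""
    failures = evaluate(dev)
    if failures and "block_access" in due_actions(dev.days_noncompliant):
        return "deny", "device not compliant: " + ", ".join(failures)
    if not dev.mfa_done:
        return "deny", "MFA required"
    return "allow", ("in grace period" if failures else "compliant device + MFA")


SAMPLE_DEVICES = [   # constructed inventory, not real devices
    DeviceRecord("sales-iphone", "ios", (17, 2), passcode_len=6, encrypted=True,
                 inactivity_min=5, mfa_done=True),
    DeviceRecord("jailbroken-iphone", "ios", (16, 7), jailbroken=True, passcode_len=4,
                 encrypted=True, mfa_done=True, days_noncompliant=4),
    DeviceRecord("field-laptop", "windows", (10, 0, 22621), bitlocker=True, firewall=True,
                 defender=True, antivirus_current=False, mfa_done=True, days_noncompliant=1),
]


def report(devices=SAMPLE_DEVICES):
    """Map device name -> (failed rules, due actions, access decision)."""
    out = {}
    for dev in devices:
        failures = evaluate(dev)
        actions = due_actions(dev.days_noncompliant) if failures else []
        out[dev.name] = (failures, actions, conditional_access(dev)[0])
    return out


if __name__ == "__main__":
    for name, row in report().items():
        print(name, row)
```

Running it shows the practical consequence of the grace period: the laptop with stale antivirus signatures is already flagged and its user notified, but it keeps working for two more days, whereas the jailbroken phone on day 4 is blocked regardless of MFA.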
BYOD vs. Company-Owned Devices
Decision Matrix:
                    Company-Owned Device        BYOD with MDM (MAM)
─────────────────────────────────────────────────────────────────
Control             Full                        Work container only
Privacy risk        IT sees everything          IT sees nothing private
Compliance          Simple                      More complex
Costs               High (device purchase)      Low
User satisfaction   Second device               One device only
Remote wipe         Full                        Selective (work only)
Suitability         Security-conscious          Field Sales, Remote Workers
BYOD Implementation (Apple):
Step 1: MDM Enrollment (User-Initiated):
→ User: goes to company portal URL
→ Installs MDM profile
→ MDM sets up work profile (on iOS: Managed Apps)
→ Private area: no IT control
Step 2: MAM (Mobile Application Management) without MDM:
→ Outlook, Teams, OneDrive: as MAM-managed apps
→ PIN protection only for managed apps
→ No copy-paste from managed to unmanaged apps
→ IT can remotely delete managed app data (without wiping the device!)
Intune App Protection Policy:
→ Target: Selected Apps (Outlook, Teams, SharePoint)
→ Require PIN: YES
→ Encrypt app data: YES
→ Block: Cut/Copy/Paste to unmanaged apps
→ Require approved client app: YES
→ Block screen capture: YES (Android)
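The App Protection Policy settings above, and the selective wipe from Step 2, are a data-level control rather than a device-level one, which is what makes them acceptable on a private phone. The Python model below is an added example (not AWARE7's code and not Intune's implementation) that applies those settings to a constructed BYOD Android phone with two managed and two personal apps. The policy dictionary, app and device classes, and sample data are all constructed; the one assumption beyond the page is that pasting from a personal app into a managed app remains allowed (only the managed-to-unmanaged direction, the leak path, is blocked).

```python
from dataclasses import dataclass, field

# Constructed App Protection Policy mirroring the settings listed above.
APP_PROTECTION_POLICY = {
    "require_pin": True,
    "encrypt_app_data": True,
    "block_clipboard_to_unmanaged": True,   # managed -> unmanaged paste is the leak path
    "allow_paste_in": True,                 # assumed: unmanaged -> managed paste stays allowed
    "require_approved_client_app": True,
    "block_screen_capture_android": True,
}


@dataclass
class App:
    name: str
    managed: bool                  # covered by the App Protection Policy
    data: dict = field(default_factory=dict)
    pin_set: bool = False


@dataclass
class PersonalDevice:
    platform: str                                # "ios" or "android"
    apps: dict = field(default_factory=dict)     # name -> App; the device itself is not MDM-enrolled


def clipboard_transfer(src, dst, policy=APP_PROTECTION_POLICY):
    """True if the policy lets clipboard content move from src to dst."""
    if src.managed and not dst.managed:
        return not policy["block_clipboard_to_unmanaged"]
    if not src.managed and dst.managed:
        return policy["allow_paste_in"]
    return True      # managed -> managed and personal -> personal are not restricted


def work_data_access(app, policy=APP_PROTECTION_POLICY):
    """Decision and reason for an app that asks for company data (mail, files)."""
    if policy["require_approved_client_app"] and not app.managed:
        return False, "not an approved (managed) client app"
    if policy["require_pin"] and not app.pin_set:
        return False, "app PIN not set"
    return True, "ok"


def screen_capture_allowed(device, app, policy=APP_PROTECTION_POLICY):
    """Screen capture is blocked only inside managed apps, and only on Android."""
    return not (device.platform == "android" and app.managed
                and policy["block_screen_capture_android"])


def selective_wipe(device):
    """MAM selective wipe: clear managed app data only. The device and the
    personal apps are untouched (contrast with an MDM factory reset)."""
    wiped = []
    for app in device.apps.values():
        if app.managed and app.data:
            app.data.clear()
            wiped.append(app.name)
    return wiped


def build_sample_device():
    """Constructed BYOD Android phone with two managed and two personal apps."""
    apps = [App("Outlook", True, {"inbox": ["quote-2024.pdf"]}, pin_set=True),
            App("Teams", True, {"chats": ["sales channel"]}, pin_set=True),
            App("Photos", False, {"camera roll": ["family.jpg"]}),
            App("Native Mail", False)]
    return PersonalDevice("android", {a.name: a for a in apps})


if __name__ == "__main__":
    dev = build_sample_device()
    print(clipboard_transfer(dev.apps["Outlook"], dev.apps["Photos"]))   # blocked
    print(work_data_access(dev.apps["Native Mail"]))                     # denied
    print(selective_wipe(dev), dev.apps["Photos"].data)                  # photos survive
```

The selective wipe result is the point to show a works council or data protection officer: after the wipe the managed mailbox and chat caches are empty while the camera roll is exactly as it was, which is the behaviour the BYOD policy has to describe.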
Privacy Notice (GDPR):
→ MDM enrollment process must obtain explicit consent
→ Document: what IT sees and what it does not
→ Right to Object: User must be able to decline enrollment (in which case, no BYOD access to company systems)
→ Selective Wipe: must be described in the Terms of Service/BYOD policy
MDM Solutions Compared
Microsoft Intune (recommended for M365 environments):
Price: Included in M365 Business Premium, EMS E3/E5
Strengths: Deepest M365 integration, Autopilot, RBAC
Co-management with SCCM, true enterprise features
Devices: Windows, iOS, Android, macOS, Linux (Preview)
Suitable for: Any company size using M365
Apple Jamf (Premium for the Apple ecosystem):
Price: approx. $5–10/device/month
Strengths: Deepest Apple integration, DEP, VPP, macOS focus
Faster Apple feature adoption than Intune
Devices: Apple only (iOS, macOS, tvOS)
Suitable for: Apple-first companies (agencies, creative firms, biotech)
VMware Workspace ONE (UEM):
Price: approx. $4–10/device/month
Strengths: Platform-agnostic, strong integration
DEX (Digital Employee Experience) analytics
Devices: Windows, iOS, Android, macOS, Linux, ChromeOS, rugged
Suitable for: Enterprises with a heterogeneous device landscape
Google Android Enterprise + Endpoint Management:
Price: Included in Google Workspace
Strengths: Native for Android, direct Google integration
Chromebook management included
Devices: Android, ChromeOS
Suitable for: Google Workspace environments, Education
Mobileiron / Ivanti Neurons for MDM:
Price: approx. $5–12/device/month
Strengths: Zero Trust Mobile Access, robust compliance features
FIPS 140-2 certified (Public Sector)
Suitable for: High-security requirements, Government
---
Minimal solution for SMBs (< 50 devices):
Apple School Manager / Business Manager: free
+ Intune (in M365 Business Premium): included
→ Zero-cost MDM for Apple + Windows
→ BYOD via Intune MAM: free
→ Meets ISO 27001 A.6.7 (Mobile Devices) and NIS2 requirements
About the Author
Managing partner of AWARE7 GmbH with many years of expertise in information security, penetration testing and IT risk management. Graduate of the Master's programme in Internet Security at the Westfälische Hochschule (if(is), Prof. Norbert Pohlmann). Bestselling author with Wiley-VCH and lecturer at the ASW-Akademie. His assessments on cybersecurity and digital sovereignty have appeared in Welt am Sonntag, WDR, Deutschlandfunk and Handelsblatt, among others.
10 Publications
- Use of Electronic Encryption - Obstacles for Businesses (2018)
- Compass IT Encryption - Guidance for SMEs (2018)
- IT Security Day 2025 - Live Hacking: AI in Cybersecurity (2025)
- Live Hacking - Credential Stuffing: Financial Risks Beyond Ransomware (2025)
- Keynote: Live Hacking Show - A Look into the World of Cybercrime (2025)
- Analysis of Attack Surfaces at Shared Hosting Providers (2024)
- Goosebumps Guaranteed: The Scariest Findings from the Life of a Pentester (2022)
- IT Security Certifications - CISSP, T.I.S.P. & Co (Live Webinar) (2023)
- Online Banking Security Forum - Live Hacking (2021)
- Nipsters Online and the End of the Chalk Age (2017)