How Mobile Device Management (MDM) Software Works

What is a Mobile Device Management system?

A Mobile Device Management system (MDM for short) is a software solution that is installed on an organization’s devices, which it can then administer remotely.

Many companies use MDM systems to monitor how employees use company devices, remotely lock, unlock or wipe them, and more.

MDM systems might also be called endpoint management solutions. In business jargon, an “endpoint” is a device that connects to a company’s servers, cloud storage system, database, or any other such software.

There are many MDM solutions available today; some of the most popular ones include Microsoft Intune, ManageEngine and AppTec360.

It’s important to note that an MDM only provides the software to manage a company’s devices, but not the actual devices. The company must either purchase or rent the devices themselves.

How does an MDM system work?

To implement an MDM, a company first needs an actual person who can act as the administrator of the MDM. Typically this is the system administrator (sysadmin) or the IT department.

In smaller companies, the MDM administrator might even be the CEO or a high-ranking manager.

In most MDM tools, the administrator will then create configuration profiles that govern what a device can or cannot do.


These configuration profiles are then applied to certain types of employees, depending on their role within the organization.

For example, a configuration profile for managers might allow unrestricted use of the device, whereas a configuration profile for junior employees might restrict access to certain websites and applications, enforce password requirements, and so on.

Thus, an organization will first set up the MDM dashboard and/or server. The next step is to install and configure the MDM on the employees’ devices.

Depending on the MDM software, this can be done one-by-one or in bulk.

The entire installation process is greatly simplified by enrolment programs such as Apple Business Manager, Android Zero-touch enrolment, etc.

Some MDM tools, such as Intune, allow users to set up an MDM on their device through a company portal.

By this point, the setup process of the MDM and its installation on user devices is more or less complete. The next step is for the MDM administrator to continually monitor the devices.


How much control does an MDM program have over a device?

An MDM typically has near-complete control over enrolled devices. Organizations can enforce strict policies, manage all aspects of device configuration, and perform full wipes.


Here are just a few examples of how much control an MDM tool has over a device:

App Updates and Removal: Most MDMs can manage app updates and remotely uninstall applications from managed devices.

Connectivity: Configuring Wi-Fi networks (including pre-shared keys, certificates), VPN settings (various protocols, connection rules), and cellular settings (eSIM profiles).  

Security: Enforcing password complexity and length, setting screen lock timeouts, managing encryption (e.g., BitLocker on Windows, FileVault on macOS), configuring firewall rules, and managing certificates for authentication.  

Device Functionality: Controlling features like Bluetooth, camera access, location services, screen capture, and factory reset capabilities.  

Email and Calendars: Configuring native email clients with server details, authentication methods, and synchronization settings.  

Browser Settings: Managing settings for browsers like Microsoft Edge and Safari, including allowed/blocked websites, default search engines, and security settings.  

Endpoint Protection: Configuring Microsoft Defender Antivirus settings on Windows and managing security settings on other platforms.  

Certificates: Deploying and managing digital certificates for authentication to Wi-Fi, VPN, and other resources.

App Protection Policies (APP): Primarily for BYOD scenarios, APP policies manage and protect corporate data within apps without requiring full device management. This includes restricting actions like cut, copy, paste, and save as between managed and unmanaged apps.

Remote Lock: Locks the device so that even a user who knows the password can no longer access it.

Wipe: Erases all data from the device (selective wipe for corporate data on personally owned Android and iOS/iPadOS devices).

Restart: Remotely restarts the device.  

Sync: Forces the device to immediately check in with the MDM tool.  

Locate Device: For lost or stolen devices, administrators can attempt to locate them (user permission may be required).  

Retire/Remove: Unenrolls the device from the MDM system, removing policies and corporate data.


On-premise vs cloud MDM

Companies that want to set up an MDM system to manage their devices will have to choose where to host it: on-premise or in the cloud.

On-Premise: The MDM software is installed and runs on servers physically located within your organization’s own data center or server room. You own and manage all the necessary hardware (servers, storage, networking).

Cloud: The MDM software is hosted and managed by the MDM vendor on their infrastructure (or a public cloud provider like AWS, Azure, Google Cloud). You access the MDM console through a web browser over the internet. You don’t need to purchase or maintain any server hardware for the MDM system itself.

Choosing where to host the MDM has multiple ramifications:

Cost Structure: For on-premise, the company must purchase the actual hardware and have specialized staff to manage it, or contract an outsourcing service. For cloud, this is handled by the MDM provider.

Maintenance & Updates: With on-premise, the company must do the maintenance itself, including backups, software updates for the MDM itself and disaster prevention. For cloud, the MDM provider handles this.

Control & Customization: On-premise offers maximum control over network configuration, security settings, data storage and integrations with other tools. Cloud usually locks you into the MDM provider’s way of doing things.

Security & Data Residency: With on-premise, your company keeps all its data in its own data centers. With cloud systems, the data is kept in databases shared with the vendor’s other clients.

Choose On-Premise if you need maximum control, have strict data residency requirements keeping data in-house, already have significant infrastructure investment and skilled IT staff, and prefer CapEx spending.  

Choose Cloud if you prioritize faster deployment, easier scalability, predictable OpEx costs, reduced infrastructure management burden, and are comfortable with the vendor’s security and data handling practices.

Can you install an MDM system on an employee’s personal device?

Normally, MDM systems are installed on company-owned devices, which are then given to employees.

However, there are cases where an MDM system is installed on an employee’s personal device, and this raises serious privacy and legal concerns.

Privacy is the most important aspect. Depending on how the MDM system is configured, it can access and “see” almost everything that happens on the device.

This means internet search history, messages, phone calls, files, passwords etc.

Another problematic aspect is that the administrator of the MDM can remotely lock or even completely wipe the data on the employee’s personal device.

In theory, the company can configure the MDM system in such a way that it only has access to a “portion” of the device, without access to personal information, or the ability to control the device remotely.

However, an employee doesn’t know how much control an MDM has over their device, because most MDMs do not communicate this.

Because of this, an employee should not install an MDM on their personal device without a legal document that clearly indicates what information the MDM system has access to.

The second important aspect is a legal one. If an employee’s company has legal problems, it is possible for the employee’s own device to be seized as evidence by law enforcement authorities.

In the worst-case scenario, an MDM might even incriminate the employee, since an MDM installed on a personal device blurs the line between “work time” and “personal time”.
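On Apple platforms, how much control an MDM has is visible in the enrollment profile itself: the com.apple.mdm payload carries an AccessRights bitmask (lock, erase, app management, etc.), and companion payloads hold the passcode policy and restrictions described above. The following example, added here and not taken from the page or any vendor, decodes a constructed .mobileconfig so a user or auditor can see what the profile grants before installing it; the server URL and identifiers are made-up placeholders.

```python
import plistlib

# AccessRights bit flags of the com.apple.mdm payload (Apple MDM protocol).
ACCESS_RIGHTS = {
    1: "inspect configuration profiles",
    2: "install/remove configuration profiles",
    4: "lock device and clear passcode",
    8: "erase device",
    16: "query device information",
    32: "query network information",
    64: "inspect provisioning profiles",
    128: "install/remove provisioning profiles",
    256: "list installed apps",
    512: "query restrictions",
    1024: "query security settings",
    2048: "change settings",
    4096: "manage apps",
}

# Constructed sample enrollment profile (placeholder values, no real vendor).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>PayloadType</key><string>Configuration</string>
<key>PayloadIdentifier</key><string>com.example.enrollment</string>
<key>PayloadContent</key><array>
<dict><key>PayloadType</key><string>com.apple.mdm</string>
<key>ServerURL</key><string>https://mdm.example.invalid/mdm</string>
<key>AccessRights</key><integer>8191</integer></dict>
<dict><key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
<key>minLength</key><integer>8</integer><key>maxFailedAttempts</key><integer>10</integer></dict>
<dict><key>PayloadType</key><string>com.apple.applicationaccess</string>
<key>allowCamera</key><false/><key>allowScreenShot</key><false/></dict>
</array></dict></plist>"""

def summarize(profile_bytes):
    """Return what the profile lets the MDM do: rights, passcode rules, disabled features."""
    profile = plistlib.loads(profile_bytes)
    report = {"mdm_rights": [], "passcode": {}, "restricted": []}
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype == "com.apple.mdm":  # decode the bitmask into readable rights
            bits = payload.get("AccessRights", 0)
            report["mdm_rights"] = [n for b, n in ACCESS_RIGHTS.items() if bits & b]
        elif ptype == "com.apple.mobiledevice.passwordpolicy":
            report["passcode"] = {k: v for k, v in payload.items() if k != "PayloadType"}
        elif ptype == "com.apple.applicationaccess":  # "allowX: false" = feature disabled
            report["restricted"] = sorted(k for k, v in payload.items() if v is False)
    return report

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_PROFILE).items():
        print(f"{key}: {value}")
```

AccessRights 8191 sets all thirteen bits, i.e. the full control the article describes; a profile that omits "erase device" or "lock device and clear passcode" would show up as missing entries here.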

MDM vs MAM systems

A common misconception is confusing Mobile Device Management (MDM) with Mobile Application Management (MAM).

These two types of software have many similarities but are also very different from one another in key aspects.

In principle, an MDM controls the entire device, while a MAM system has far less control, since it only manages individual applications on a user’s device and not the device as a whole.

Feature | MDM | MAM
Management Focus | Entire device (hardware, OS, apps) | Individual applications (primarily corporate)
Control Level | Device-wide, broad control | Application-specific, granular control
Primary Use Case | Corporate-owned devices (strong control) | BYOD (protecting corporate data)
Privacy Impact | Can raise privacy concerns on BYOD | Less intrusive on personal devices
Wipe Capability | Full device wipe (selective on some) | Selective wipe of corporate app data
Policy Scope | Device-level settings and restrictions | Application-level settings and restrictions
App Management | Basic deployment, updates, removal | Advanced configuration, protection, lifecycle

Top 5 MDM Systems

Microsoft Intune

Unique Features/Strengths: Intune’s primary strength lies in its seamless integration with the broader Microsoft 365 and Azure ecosystem.

It offers robust management capabilities for Windows devices alongside iOS, macOS, and Android.

Key unique aspects include deep integration with Azure Active Directory (Entra ID) for identity-driven security, Conditional Access policies (controlling access based on device compliance), and integrated endpoint security features within the Microsoft Defender suite.

It’s particularly strong for organizations already invested in Microsoft services.

Pricing: Intune is typically licensed on a per-user, per-month basis. It’s included in many Microsoft 365 enterprise bundles or can be purchased standalone.

Standalone pricing often starts around $4-$10 per user/month, with more advanced plans (like the Intune Suite) adding features at a higher cost.

Jamf Pro

Unique Features/Strengths: Jamf Pro is widely considered the gold standard for managing Apple devices (macOS, iOS, iPadOS, tvOS).

Its unique strength is its deep integration with Apple’s frameworks and services like Apple Business Manager/Apple School Manager for zero-touch deployment (devices configure themselves automatically out of the box).

It offers extensive policy customization, powerful scripting capabilities for macOS, and a Self Service app catalog empowering users while maintaining IT control.

If your organization primarily uses Apple devices, Jamf offers unparalleled depth.

Pricing System: Jamf Pro typically uses a per-device, per-month model, usually billed annually.

Pricing often starts at $5.75 per device for iPhones/iPads and $10 per device for Macs, but exact costs can vary based on volume and specific support needs.

AppTec 360

Unique Features/Strengths: This MDM’s strengths are in flexibility, device compatibility and data security.

It can manage a wide range of operating systems including Android, iOS, macOS, and Windows.

AppTec 360 offers significant deployment flexibility, being available as a cloud service, an on-premise installation, or a hybrid model.

In addition, it emphasizes high security standards with features like containerization (Android Enterprise, Samsung Knox, iOS), separation of corporate/personal data (BYOD/COPE support), certificate management, compliance checks, remote lock/wipe, and optional integrated Anti-Virus for Android.

Pricing System: Offers a free full version for on-premises deployment for managing up to 25 devices.

When exceeding 25 devices, AppTec 360 offers a variety of pricing plans, ranging from 0.49 to 2.79 euro per device.

ManageEngine

Unique Features/Strengths: ManageEngine is often highlighted for offering a comprehensive set of endpoint management features at a competitive price point, making it appealing to SMBs as well as larger enterprises.

Unique aspects include strong capabilities for managing diverse device types (including Windows, macOS, iOS, Android, ChromeOS), robust app management, remote control/troubleshooting features, and features focused on separating corporate and personal data on BYOD devices.

Endpoint Central (which includes MDM) also offers traditional desktop management features like OS imaging and patch management. They offer both cloud and on-premises versions.

Pricing System: ManageEngine’s pricing is fairly complex, but in general it depends on 1) the number of enrolled devices, 2) whether the MDM is hosted in the cloud or on-premise, and 3) which MDM package is chosen.

For companies with up to 50 devices, the monthly price can be as low as $0.17 per device or as high as $2.83 per device.

JumpCloud

Unique Features/Strengths: JumpCloud takes a unique approach by integrating MDM tightly with its core cloud directory platform (Directory-as-a-Service).

Its distinguishing feature is combining user identity management (like SSO, MFA, user lifecycle management) with device management (macOS, Windows, Linux, iOS, Android) under one roof.

This allows for policies based on both user identity and device posture, aligning well with Zero Trust security principles.

It’s excellent for organizations looking for a unified identity and device management solution, especially in heterogeneous OS environments.

Pricing System: JumpCloud offers a free tier for up to 10 users and 10 devices. Paid plans are typically per-user, per-month, often billed annually.

Core directory plans start around $9 per user/month (billed annually), with add-on bundles for features like MDM, SSO, PAM, etc., increasing the cost based on selected modules.