Everything your Phoenix business needs to deploy and manage Macs properly


Apple Products

This guide is for Phoenix business owners, IT administrators, and operations managers responsible for Mac deployments. It covers the foundational setup steps for Apple Business Manager, MDM enrollment, and the security baseline every managed Mac fleet should have.


Section 1: Apple Business Manager Fundamentals

What Is Apple Business Manager?

Apple Business Manager (ABM) is Apple's free web-based portal for organizations. It's the foundation for enterprise Mac, iPhone, and iPad management. If your business uses Apple devices without ABM enrollment, you're operating without the foundation that makes everything else easier.

ABM provides:

| Feature | What It Does | Business Impact |
|---|---|---|
| Automated Device Enrollment (ADE) | Enrolls devices in MDM automatically at first boot | Zero-touch provisioning: new Macs configure themselves |
| Device supervision | Allows deeper MDM management and user restrictions | More policy control; users can't bypass MDM enrollment |
| Managed Apple IDs | Org-controlled Apple IDs for iCloud, App Store, collaboration | Corporate identity; survives employee departure |
| Volume Purchase Program (VPP) | Centrally purchase and distribute apps and books | App licenses assigned to devices; reclaimed on departure |
| Content Caching | Local Apple update server for faster OS and app updates | Reduces bandwidth; faster device updates across fleet |

 

Setting Up Apple Business Manager

PREREQUISITES

☐ A domain name you control (your company's email domain).

☐ A D-U-N-S number for your organization (free from Dun & Bradstreet; used by Apple to verify your organization).

☐ An Apple ID that is NOT currently associated with personal iCloud content (create a new one or use an IT-specific account).

ENROLLMENT STEPS

1. Go to business.apple.com and click 'Get Started.'

2. Enter your organization details, D-U-N-S number, and verification contact information.

3. Apple verifies your organization (typically 2–3 business days).

4. Once approved, sign in with your enrollment Apple ID.

5. Set up your organization's Administrator account with a dedicated IT email address.

6. Add your MDM server: Settings → MDM Servers → Add MDM Server. Enter the server name and upload your MDM's ABM certificate.

7. Configure Automated Device Enrollment in MDM → Device Enrollment → Assign to your MDM server.

8. Purchase or add devices: newly purchased Apple devices from Apple or Apple Authorized Resellers can be linked to your ABM account automatically by providing your ABM Customer ID at purchase.

POST-SETUP VERIFICATION

☐ MDM server is listed in ABM and shows an active connection.

☐ Test device (a new or factory-reset Mac) auto-enrolls in MDM at first boot.

☐ Device appears in both the ABM and MDM console after enrollment.

☐ Managed Apple ID creation is configured for your domain.

Section 2: MDM Configuration Baseline

Once ABM is set up and connected to your MDM, these are the policies that should be in place before any Mac reaches an employee's hands.

Required Configuration Profiles

SECURITY POLICIES — APPLY TO ALL DEVICES

☐ FileVault 2 enabled: full-disk encryption enforced, recovery key escrowed to MDM (not just the user's Apple ID).

☐ Screen lock: maximum 10 minutes of inactivity before lock; password required to unlock.

☐ Firewall: enabled, with stealth mode on.

☐ Gatekeeper: set to 'App Store and identified developers' — no unidentified apps.

☐ System Integrity Protection (SIP): enabled. MDM should alert if disabled.

☐ Automatic updates: OS and app updates managed through MDM policy. Security updates applied automatically.

SOFTWARE DEPLOYMENT — APPLY TO ALL DEVICES

☐ Required business applications deployed silently via MDM at enrollment.

☐ EDR/security agent deployed at enrollment, before the device is given to the user.

☐ MDM management profile is supervised and cannot be removed by the user.

☐ Company-approved browser extensions deployed where applicable.

NETWORK AND CONNECTIVITY — APPLY AS APPROPRIATE

☐ Corporate Wi-Fi credentials deployed via MDM — no manual password entry required.

☐ VPN configuration deployed for remote access if used.

☐ Certificate deployed for corporate network authentication if required.

MDM Compliance Policies

Compliance policies define what a 'compliant' device looks like and can block non-compliant devices from accessing corporate resources when integrated with Google Workspace or Microsoft 365 Conditional Access.

| Compliance Rule | Threshold | Action on Non-Compliance |
|---|---|---|
| OS version | No more than 1 major version behind current release | Flag in console; notify IT; block after 14 days if not updated |
| FileVault status | Must be enabled | Block corporate resource access immediately |
| Screen lock | Required | Flag and notify IT |
| EDR agent | Must be installed and active | Block corporate resource access immediately |
| Last MDM check-in | Within 7 days | Flag; investigate if >14 days |
| Free disk space | Minimum 20% free | Warning at 10%; flag at 5% |
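As an added example (not part of the article or of any MDM vendor's product), here is a POSIX shell evaluator that applies the thresholds in the table above to a constructed inventory export, returning the most severe action per device; the current macOS major version, the 14-day grace period and the CSV layout are assumptions.

```shell
#!/bin/sh
# Added example: score a constructed MDM inventory export against the
# compliance thresholds above. Action precedence: block > flag > warn > ok.
CURRENT_MAJOR=15   # assumed current macOS major release; adjust for your fleet
GRACE_DAYS=14      # days an out-of-date OS is tolerated before access is blocked

# escalate ACTION REASON: raise the device's action only in the severe direction.
escalate() {
  case "$action:$1" in ok:*|warn:flag|warn:block|flag:block) action=$1 ;; esac
  reasons="$reasons $2;"
}

# evaluate_device NAME OS_MAJOR FILEVAULT(on|off) EDR(active|missing) DAYS_SINCE_CHECKIN PCT_FREE
# Prints "name,action,reasons" on one line.
evaluate_device() {
  action=ok; reasons=""
  [ "$3" = on ]     || escalate block "FileVault disabled"
  [ "$4" = active ] || escalate block "EDR agent not active"
  lag=$((CURRENT_MAJOR - $2))
  [ "$lag" -le 1 ]  || escalate flag "OS $lag majors behind, block after ${GRACE_DAYS}d"
  if   [ "$5" -gt 14 ]; then escalate flag "no MDM check-in for $5 days, investigate"
  elif [ "$5" -gt 7 ];  then escalate flag "no MDM check-in for $5 days"; fi
  if   [ "$6" -lt 5 ];  then escalate flag "only $6% disk free"
  elif [ "$6" -lt 10 ]; then escalate warn "only $6% disk free"; fi
  printf '%s,%s,%s\n' "$1" "$action" "${reasons# }"
}

# Constructed inventory: name,os_major,filevault,edr,days_since_checkin,pct_free
INVENTORY='mac-ops-01,15,on,active,2,41
mac-sales-07,13,on,active,9,18
mac-eng-03,15,off,missing,1,60
mac-fin-02,14,on,active,16,4'

printf '%s\n' "$INVENTORY" | while IFS=, read -r n o f e d p; do
  evaluate_device "$n" "$o" "$f" "$e" "$d" "$p"
done
```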

 

Section 3: Apple Device Security Hardening Checklist

Run this checklist for every Mac added to the fleet and annually for the full fleet.

IDENTITY AND AUTHENTICATION

☐ Local admin account is NOT the primary user account. User accounts have standard (non-admin) privileges for daily work.

☐ Local admin password is unique, complex, and stored in the IT password manager — not shared with the user.

☐ Managed Apple ID is assigned to the device — not a personal Apple ID.

☐ iCloud Drive sync to personal iCloud is disabled for managed devices if business data is involved.

ENCRYPTION AND DATA PROTECTION

☐ FileVault is enabled and verified in System Settings → Privacy & Security → FileVault.

☐ FileVault recovery key is escrowed in MDM — can be retrieved by IT without the user's help.

☐ Time Machine backup (if used) is to an encrypted backup target.

☐ 'Lock screen on sleep' is enabled in System Settings → Lock Screen.

NETWORK SECURITY

☐ Firewall is ON in System Settings → Network → Firewall.

☐ Firewall stealth mode is enabled.

☐ Location Services are reviewed — limited to applications that require them.

☐ Bluetooth is disabled when not needed (or managed via MDM policy).

☐ VPN connects automatically when not on the trusted corporate network (if applicable).

APPLICATION SECURITY

☐ Gatekeeper is enforced — cannot run unsigned or unidentified applications.

☐ EDR is installed and showing as active in the IT management console.

☐ Browser extensions are reviewed and limited to the IT-approved list.

☐ Software Update shows no pending security updates.

☐ Xcode and developer tools are not installed unless required for the role.

REMOTE MANAGEMENT

☐ MDM enrollment is verified in System Settings → Privacy & Security → Profiles.

☐ Remote Management (Apple Remote Desktop) is enabled for IT support if used.

☐ Screen Sharing is disabled unless specifically required.

☐ SSH remote login is disabled unless specifically required.
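As an added example (not part of the article or of any vendor's tooling), here is a POSIX shell audit that checks a Mac against the items above by parsing the output of Apple's own command-line tools; the parsers are kept separate from the live commands so they can be exercised without a Mac, and the output strings of `fdesetup`, `socketfilterfw`, `spctl`, `csrutil`, `profiles` and `systemsetup` are assumed from current macOS releases.

```shell
#!/bin/sh
# Added example: audit one Mac against the hardening checklist above.
# Each *_ok parser takes the raw output of the named macOS tool and returns
# 0 (pass) or 1 (fail); audit_mac wires them to the live commands.

filevault_ok()  { printf '%s\n' "$1" | grep -q  '^FileVault is On\.'; }          # fdesetup status
firewall_ok()   { printf '%s\n' "$1" | grep -qi 'Firewall is enabled'; }         # socketfilterfw --getglobalstate
stealth_ok()    { printf '%s\n' "$1" | grep -qi '^Stealth mode enabled'; }       # socketfilterfw --getstealthmode
gatekeeper_ok() { printf '%s\n' "$1" | grep -q  '^assessments enabled'; }        # spctl --status
sip_ok()        { printf '%s\n' "$1" | grep -q  'Protection status: enabled'; }  # csrutil status
mdm_ok()        { printf '%s\n' "$1" | grep -q  '^MDM enrollment: Yes'; }        # profiles status -type enrollment
ssh_off()       { printf '%s\n' "$1" | grep -q  '^Remote Login: Off'; }          # systemsetup -getremotelogin

# report LABEL PARSER OUTPUT: prints PASS/FAIL and returns the parser's status.
report() {
  if "$2" "$3"; then printf 'PASS  %s\n' "$1"; else printf 'FAIL  %s\n' "$1"; return 1; fi
}

# Runs the live commands on macOS. systemsetup needs root; the rest run as a
# standard user. Exit status is the number of failed checks.
audit_mac() {
  fw=/usr/libexec/ApplicationFirewall/socketfilterfw
  fails=0
  report "FileVault enabled"        filevault_ok  "$(fdesetup status)"                  || fails=$((fails+1))
  report "Firewall enabled"         firewall_ok   "$($fw --getglobalstate)"             || fails=$((fails+1))
  report "Firewall stealth mode"    stealth_ok    "$($fw --getstealthmode)"             || fails=$((fails+1))
  report "Gatekeeper enforced"      gatekeeper_ok "$(spctl --status)"                   || fails=$((fails+1))
  report "SIP enabled"              sip_ok        "$(csrutil status)"                   || fails=$((fails+1))
  report "MDM enrolled"             mdm_ok        "$(profiles status -type enrollment)" || fails=$((fails+1))
  report "SSH remote login off"     ssh_off       "$(systemsetup -getremotelogin 2>/dev/null)" || fails=$((fails+1))
  printf '%d check(s) failed\n' "$fails"
  return "$fails"
}

# Only run the live audit on macOS; elsewhere the parsers are still usable.
if [ "$(uname)" = Darwin ]; then audit_mac; fi
```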

Section 4: When an Employee Leaves

Mac offboarding is more complex than Windows offboarding. These steps apply when any employee with a managed Mac departs.

1. Revoke the Managed Apple ID in Apple Business Manager immediately on the departure date.

2. Initiate a remote wipe from the MDM console if the device will be repurposed or if there is any doubt about its return.

3. Disable the user's account in your identity provider (Google Workspace or Microsoft 365).

4. Revoke all OAuth tokens for the departed user — sessions may persist after the account is disabled.

5. Retrieve the physical device and verify it has been wiped before reissuing.

6. Re-enroll the factory-reset device in MDM before assigning it to a new user.

7. Audit iCloud data: ensure no business data was synced to personal iCloud. If it was, legal guidance may be needed.

8. Rotate any local admin passwords on the device after the factory reset.

 


AEGITz is Apple-certified and manages Mac fleets for Phoenix businesses using Apple Business Manager, Jamf, and Microsoft Intune. If your Mac fleet needs proper ABM enrollment or MDM configuration, contact us at aegitz.com.
