What proper Mac fleet management looks like, and what questions to ask to verify that your IT provider actually knows what they're doing.
The Foundation: Apple Business Manager
Apple Business Manager (ABM) is Apple's free web portal for organizations. If your Mac fleet isn't enrolled in Apple Business Manager, the first conversation with your IT provider should be about why not.
ABM is the foundation for everything else in enterprise Mac management:
• Device enrollment: Macs enrolled in ABM can be automatically enrolled in your MDM when they're turned on for the first time. Zero-touch provisioning means a new Mac ships directly to the employee, they turn it on, and it's configured with your policies automatically. No IT hands-on time required.
• Supervision: ABM-enrolled and supervised devices allow deeper MDM management — more policy controls, the ability to silently install apps, and restrictions that can't be bypassed by the user.
• Managed Apple IDs: Apple IDs tied to your organization's domain, provisioned by IT, that separate corporate activity from personal and survive employee departure.
• App and book licensing: Volume-purchased apps managed centrally, assigned to devices or users, reclaimed when someone leaves.
Deploying a Mac fleet without ABM enrollment is technically functional but operationally painful. Every management task takes more steps, supervision features are unavailable, and zero-touch provisioning is impossible.
MDM: The Management Layer
Mobile Device Management (MDM) is the system that enforces policies, deploys applications, manages compliance, and provides remote management capability across your Mac fleet. The leading MDM platforms for Mac in the Phoenix business market:
| Platform | Strengths | Best For |
| --- | --- | --- |
| Jamf Pro / Jamf Now | The gold standard for Mac-only or Mac-primary environments; deepest macOS feature support | Organizations with 20+ Macs and dedicated IT management; Jamf Now for SMBs |
| Microsoft Intune | Strong for mixed Mac/Windows fleets managed in Microsoft 365; improving macOS support | Organizations running Microsoft 365 Business Premium; mixed environments |
| Mosyle | Strong SMB-focused Mac MDM with security features built in; excellent Apple Silicon support | SMBs wanting purpose-built Mac management without Jamf complexity |
| Kandji | Modern Mac MDM with compliance automation and excellent UI | Fast-growing teams wanting simplicity with depth |
| Addigy | Good for MSPs managing multiple Mac environments | Managed service providers serving multiple clients |
The right MDM depends on your fleet size, your Windows environment, and your IT provider's expertise. An IT provider recommending Jamf for a 5-Mac fleet or Intune for a Mac-only environment may be optimizing for their own familiarity rather than your actual needs.
What MDM Should Be Doing for Your Mac Fleet
Enrollment and provisioning
• Every Mac is enrolled in MDM before or at first use — not as an afterthought.
• Zero-touch provisioning is configured via ABM — new devices auto-enroll without IT intervention.
• MDM enrollment is supervised — users cannot unenroll without IT authorization.
Security policy enforcement
• FileVault 2 (full-disk encryption) is enforced via MDM policy and enabled on every device. Encryption keys are escrowed to MDM — not just to the user's Apple ID.
• Screen lock is enforced: maximum 15 minutes before lock, password required to unlock.
• Firewall is enabled on all devices.
• System Integrity Protection (SIP) is enabled — MDM policy should alert if it's disabled.
• Gatekeeper is set to allow apps from App Store and identified developers only.
• Automatic OS and app updates are managed — not left to individual user discretion.
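The checklist above can be turned into a per-device spot check that an IT provider (or the customer) can run to confirm that MDM policy is actually landing on the Mac. The script below is an added example written for this article, not code from the original post or from any MDM vendor. Each check_* function parses the text that the named built-in macOS command prints (fdesetup, socketfilterfw, csrutil, spctl, profiles, defaults) and returns 0 for compliant or 1 for non-compliant, so the decision logic can be exercised against constructed sample output on any POSIX shell; only audit_live_mac runs the real commands and is meaningful on macOS. The 15-minute screen-lock threshold is the one stated in the checklist; the control names printed by posture_failures are this example's own labels.

```shell
#!/bin/sh
# Added example: baseline posture audit for a managed Mac, mirroring the
# security-policy checklist above. Not from the original post or any vendor.
# Each check_* function takes the output of one macOS command as $1 and
# returns 0 (compliant) or 1 (non-compliant).

check_filevault() {        # input: output of `fdesetup status`
  case "$1" in *"FileVault is On"*) return 0 ;; *) return 1 ;; esac
}

check_firewall() {         # input: output of `/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate`
  case "$1" in *"Firewall is enabled"*) return 0 ;; *) return 1 ;; esac
}

check_sip() {              # input: output of `csrutil status`
  case "$1" in *"System Integrity Protection status: enabled"*) return 0 ;; *) return 1 ;; esac
}

check_gatekeeper() {       # input: output of `spctl --status`
  case "$1" in *"assessments enabled"*) return 0 ;; *) return 1 ;; esac
}

check_mdm() {              # input: output of `profiles status -type enrollment`
  # Require a user-approved MDM enrollment (ABM/DEP enrollments report this
  # too); an unenrolled or unapproved device cannot receive the deeper
  # policy controls that supervision provides.
  case "$1" in *"MDM enrollment: Yes (User Approved)"*) return 0 ;; *) return 1 ;; esac
}

check_screen_lock() {      # input: idle seconds from `defaults -currentHost read com.apple.screensaver idleTime`
  # Policy from the checklist: screen locks within 15 minutes (900 s).
  # 0 or a non-numeric value means "never locks", which fails the check.
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 900 ]
}

# Evaluate all six controls and print the names of the ones that failed
# (space separated, empty string when fully compliant).
posture_failures() {
  fails=""
  check_filevault   "$1" || fails="$fails filevault"
  check_firewall    "$2" || fails="$fails firewall"
  check_sip         "$3" || fails="$fails sip"
  check_gatekeeper  "$4" || fails="$fails gatekeeper"
  check_mdm         "$5" || fails="$fails mdm"
  check_screen_lock "$6" || fails="$fails screen_lock"
  echo "${fails# }"
}

# macOS only: gather the real command output and report on this machine.
audit_live_mac() {
  posture_failures \
    "$(fdesetup status 2>/dev/null)" \
    "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null)" \
    "$(csrutil status 2>/dev/null)" \
    "$(spctl --status 2>/dev/null)" \
    "$(profiles status -type enrollment 2>/dev/null)" \
    "$(defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null)"
}

# Constructed sample output standing in for a laptop that is encrypted and
# enrolled but has the application firewall off and a 30-minute screen lock.
SAMPLE_FAILS=$(posture_failures \
  "FileVault is On." \
  "Firewall is disabled. (State = 0)" \
  "System Integrity Protection status: enabled." \
  "assessments enabled" \
  "MDM enrollment: Yes (User Approved)" \
  1800)

# Stand-alone run reports the constructed sample; on a Mac, call audit_live_mac.
echo "non-compliant controls: ${SAMPLE_FAILS:-none}"
```

Run it on a managed Mac with `sh audit.sh` and then `audit_live_mac` after sourcing; an empty result means every control in the checklist is in the state MDM should have put it in. The value of the script is the disagreement it surfaces: a device that the MDM console reports as compliant but that prints firewall or screen_lock here is a device where the policy is configured but not actually applied, which is exactly the gap the "what policies are enforced?" question below is meant to expose.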
Application management
• Required business applications are deployed silently via MDM — no employee action needed.
• Prohibited applications can be blocked via MDM policy.
• Apps purchased through ABM volume licensing are assigned and managed centrally.
• macOS Software Update is managed through MDM — OS currency is tracked and enforced.
Compliance and reporting
• MDM provides real-time inventory: every enrolled device, OS version, last check-in, compliance status.
• Non-compliant devices (missing encryption, outdated OS, prohibited software) are flagged automatically.
• For Microsoft 365 / Google Workspace environments: MDM compliance status is connected to conditional access — non-compliant devices are blocked from accessing corporate resources.
Remote management
• Remote wipe capability is configured and tested — if a Mac is lost or stolen, IT can wipe it remotely.
• Remote lock is available for immediate device lockout.
• Remote screen access for helpdesk support is configured with appropriate employee notice.
EDR on Mac: Non-Negotiable
macOS malware exists, is increasing, and is specifically designed to evade the detection techniques that caught older Mac threats. Information stealers targeting Mac users — harvesting credentials, browser data, and cryptocurrency wallets — are a documented and growing threat category.
Every Mac in your fleet needs EDR. The leading options with strong macOS support:
• Microsoft Defender for Endpoint (included in Microsoft 365 Business Premium): Good native macOS support; integrates with Intune compliance.
• CrowdStrike Falcon: Industry-leading EDR with excellent macOS agent; used in enterprise and large SMB environments.
• SentinelOne: Strong macOS support; good for Jamf-managed environments.
• Malwarebytes for Teams: SMB-accessible option with reasonable macOS coverage; not full EDR depth.
'Macs don't get viruses' is not a security posture. It's a 2010 myth that has not aged well. Your cyber insurance carrier does not accept it as a compensating control. Your EDR requirement applies to every endpoint — including Macs.
The Test Questions for Your IT Provider
If your current IT provider manages your Mac fleet, ask these:
1. Are our Macs enrolled in Apple Business Manager? Can you show me the ABM portal?
2. What MDM platform do you use for our Macs? What policies are enforced?
3. Is FileVault enabled on every Mac? Where are the recovery keys escrowed?
4. What EDR is running on our Macs? Is it actively monitored?
5. If one of our MacBooks was stolen right now, how would you remote-wipe it and how long would it take?
The answers to these questions will tell you quickly whether your Mac fleet is actually managed or just owned.
AEGITz is Apple-certified and manages Mac fleets using Apple Business Manager, Jamf, and Intune for Phoenix businesses. If your Macs aren't properly enrolled and managed, let's fix that. aegitz.com
