
Apple Device Management in 2026: Scalable MDM Strategies for Enterprises

June 25, 2026 · 14 min read · By Thomas A. Anderson

Apple Device Management in 2026: MDM Strategies That Actually Scale

When Kandji raised another $100 million in July 2024 at an $850 million valuation while Jamf’s growth rate decelerated through 2025, the Apple device management market signaled something that IT directors already knew: the old playbook stopped working. The question is which approach survives the next three years of Apple’s tightening platform control, and whether your current vendor’s pricing model will still make sense when you double your device count.

Apple’s enterprise footprint keeps expanding. But managing those devices at scale has become a different discipline than it was even two years ago. Apple Business Manager enrollment, identity-based auth with Platform SSO, and Declarative Device Management have shifted the ground under every MDM vendor. Some adapted. Some are still selling the same architecture they shipped in 2019.

Key Takeaways:

  • The MDM market is consolidating around vendors that have rebuilt for Declarative Device Management, not just bolted it onto legacy polling architectures
  • Apple Business Manager is non-negotiable for any fleet above a handful of devices; manual enrollment creates technical debt that compounds monthly
  • Platform SSO with Microsoft Entra ID, Okta, or Google Workspace eliminates the separate MDM password problem that plagued earlier deployments
  • Per-device pricing models diverge sharply at scale; a mid-size fleet can see meaningful cost spreads between vendors for equivalent functionality
  • Automated Device Enrollment with zero-touch provisioning is mature enough in 2026 that IT should never physically touch a Mac before handing it to an employee

The MDM Market Shakeup Nobody Planned For

The Apple MDM landscape in mid-2026 looks different from what most analysts projected three years ago. Jamf remains the largest pure-play Apple device management company by revenue, but its growth rate decelerated meaningfully through 2025.

Kandji’s trajectory tells a different story. The company raised $100 million in July 2024 at a valuation of $850 million, with half the round as equity and half as debt from General Catalyst. Kandji has positioned itself as a modern alternative, built after Declarative Device Management was announced, rather than retrofitting it. According to multiple review sources, its pricing starts around $399 per month for up to 100 devices on the core plan, which includes a vulnerability management module that Jamf sells as a separate add-on.

Then there is Mosyle, which has carved out a distinct niche in education and SMB. Mosyle Auth, its identity product, bundles single sign-on with MDM at no additional cost, a pricing move that forced competitors to justify their per-user identity surcharges. Mosyle’s business plan starts at $1.00 per device per month for core MDM (with education pricing at $0.46 per device per month), making it the most aggressive on price among established players.

Microsoft Intune deserves mention not because it is the best Apple MDM (it is not) but because organizations already paying for Microsoft 365 E5 licenses often try it first. Intune’s Apple management capabilities improved substantially in 2025 with Declarative Device Management support and Platform SSO integration, but it still lacks the macOS-specific policy granularity that dedicated Apple MDM vendors offer. For Windows-heavy shops with a small Mac fleet, Intune may be sufficient. For organizations where Macs are the primary endpoint, a dedicated Apple MDM pays for itself in reduced support tickets within the first year.

Apple Business Manager: The Foundation You Cannot Skip

Every conversation about Apple device management at scale starts and ends with Apple Business Manager. ABM is a free portal from Apple that ties device serial numbers to your organization, enabling Automated Device Enrollment, the mechanism that forces a device into your MDM during setup, before the user ever sees the desktop. Without ABM, you are doing manual enrollment. Manual enrollment means trusting users to follow instructions. That trust gets expensive fast.

The workflow that mature IT organizations use in 2026 looks like this: devices are purchased through an Apple authorized reseller that submits serial numbers to Apple Business Manager (or purchased directly from Apple, which does this automatically). When the device powers on and connects to the internet, it checks in with Apple’s activation servers, discovers it belongs to the organization, and redirects to an MDM enrollment URL. The user authenticates (ideally through Platform SSO, so their single corporate identity provisions the device) and the MDM pushes configuration profiles, installs required apps, and enforces security policies. The user never creates a local account separate from their identity provider credentials.

This workflow requires several pieces to be in place before it works. Apple Business Manager must be configured with your organization’s D-U-N-S number and verified by Apple, a process that can take several business days and occasionally stalls if your organization’s legal name does not match exactly what D&B has on file. You need at least one MDM server token linked in ABM. And you need a plan for what happens when a device is lost or an employee leaves: ABM’s device release and reassignment capabilities matter as much as initial enrollment.

Organizations that skip ABM and rely on user-initiated enrollment typically discover within months that a meaningful portion of their fleet is unmanaged or partially managed. Devices get set up with personal Apple IDs, Find My gets locked to personal accounts, and the IT team spends hours on the phone with Apple Support trying to remove activation locks. The per-device cost of retroactively fixing these issues (factoring in IT time, employee downtime, and sometimes device replacement) runs well above the cost of doing ABM correctly from day one.

Third-Party MDM in 2026: A Real Comparison

Choosing an MDM vendor in 2026 means weighing factors that did not exist when most comparison guides were written. Declarative Device Management support is the dividing line. The older MDM protocol (where the server polls devices and devices report status on a schedule) still works, but Apple has made clear that DDM is the future. Devices running macOS 14 Sonoma or later and iOS 17 or later handle policy updates through declarative status reporting, which means the device tells the server when something changes rather than waiting for the next poll interval. This reduces latency between configuration drift and its detection from potentially hours to seconds. For a deeper look at how these technologies compare, see our analysis of Mac Fleet Management in 2026: Apple Business Manager vs. Third-Party MDM for 30-50 Devices.

| Capability | Jamf Pro | Kandji (Iru) | Mosyle Fuse | Intune |
|---|---|---|---|---|
| DDM Support | Full (macOS 14+) | Full (macOS 14+) | Full (macOS 14+) | Partial (expanding) |
| Platform SSO | Entra ID, Okta | Entra ID, Okta, Google | Entra ID, Okta, Google, Mosyle Auth | Entra ID (native) |
| Starting Price (per device/month) | $3.33 (iOS/tvOS), $7.17 (Mac) | ~$3.99 (100-device plan) | $1.00 (business), $0.46 (education) | Included with M365 E3/E5 |
| Vulnerability Management | Add-on ($) | Included (core plan) | Included | Via Defender add-on |
| Compliance Benchmarks | CIS, NIST, DISA STIG | CIS, NIST, custom | CIS, NIST | Microsoft Secure Score |
| Self Service Catalog | Yes (Jamf Self Service) | Yes (Kandji Self Service) | Yes (Mosyle Self Service) | Via Company Portal |

The pricing figures above are based on publicly listed rates as of mid-2026. Jamf Pro costs $3.33 per month per iOS or tvOS device and $7.17 per month per Mac device. Jamf’s per-device pricing drops at higher volumes; organizations with 1,000 or more devices should negotiate directly. Kandji’s $399 per month entry point for up to 100 devices translates to roughly $3.99 per device per month, but per-device economics improve at scale. Mosyle’s $1.00 per device per month is the published rate for the business tier; education pricing runs lower at $0.46.

Jamf Pro’s advantage remains its depth. If you need to manage kernel extensions, system extensions, and PPPC (Privacy Preferences Policy Control) payloads with surgical precision across dozens of app bundles, Jamf gives you that control. Kandji takes the opposite approach: it ships pre-built compliance templates mapped to CIS benchmarks and assumes most organizations want guardrails, not infinite configuration knobs. Mosyle splits the difference: it is deep enough for most enterprise needs, especially with its Auth product bundling identity, but without Jamf’s extension-level granularity.

Declarative Device Management and Why It Changes Everything

The shift from the original MDM protocol to Declarative Device Management is the most consequential architectural change in Apple device management since the MDM protocol itself was introduced in 2010. Under the old model, the MDM server sends a command (install this profile, report your disk encryption status, list installed apps) and the device responds. This polling model works fine at small scale but creates two problems as fleets grow: the server becomes a bottleneck, and status reporting is only as current as the last poll interval.

DDM inverts this relationship. The server sends declarations (statements of desired state) and the device autonomously works to reach and maintain that state. The device also pushes status updates to the server when something changes, rather than waiting to be asked. If a user disables FileVault, the server knows within seconds, not at the next scheduled inventory update. If an app version falls below the required minimum, the device can trigger its own remediation without waiting for a server-side schedule.

The practical impact for IT administrators is substantial. Compliance monitoring that previously required running inventory updates on a schedule (and then reconciling results) now happens continuously. Software update enforcement, which was always a pain point with the old protocol, becomes more reliable because the device itself tracks whether it meets the declared minimum OS version and prompts the user or enforces the update based on the MDM’s settings.

The catch is that DDM requires macOS 14 Sonoma or later on Macs and iOS 17 or later on iPhones and iPads. Organizations with older hardware in their fleet will run a hybrid model: DDM for newer devices, legacy MDM protocol for everything else. This split management surface is the primary reason some IT teams have delayed adopting DDM features: they do not want to maintain two sets of policies. But as of mid-2026, Apple’s hardware support window has made this less of an issue. Any Mac that can run macOS 14 was released in 2017 or later, and most enterprise fleets have cycled out hardware older than that.
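To size that hybrid split before committing to DDM policies, the following added example (not from any MDM vendor or from this article's sources) sorts an inventory export into DDM-eligible and legacy devices using the OS thresholds above, and flags devices that were not enrolled through Automated Device Enrollment. The CSV column names and the sample rows are constructed assumptions, not a real vendor export format.

```python
import csv
import io

# Minimum OS major version for Declarative Device Management, as stated in the article.
DDM_MIN_MAJOR = {"macOS": 14, "iOS": 17, "iPadOS": 17}

# Constructed sample inventory; column names are hypothetical, not any vendor's export format.
SAMPLE_INVENTORY = """serial,platform,os_version,enrollment
C02EXAMPLE01,macOS,14.5,ade
C02EXAMPLE02,macOS,13.6.7,ade
C02EXAMPLE03,macOS,15.1,user_initiated
F17EXAMPLE04,iOS,17.4.1,ade
F17EXAMPLE05,iPadOS,16.7,user_initiated
C02EXAMPLE06,macOS,,ade
"""

def major_version(os_version):
    """Return the major version as an int, or None if missing or unparseable."""
    head = os_version.strip().split(".")[0]
    return int(head) if head.isdigit() else None

def classify(row):
    """Return (management_channel, findings) for one inventory row."""
    findings = []
    minimum = DDM_MIN_MAJOR.get(row["platform"])
    major = major_version(row["os_version"])
    if minimum is None or major is None:
        channel = "unknown"
        findings.append("platform or OS version not reported; verify check-in")
    elif major >= minimum:
        channel = "ddm"
    else:
        channel = "legacy"
        findings.append(f"below {row['platform']} {minimum}; needs legacy MDM policy set")
    if row["enrollment"] != "ade":
        findings.append("not enrolled via Automated Device Enrollment")
    return channel, findings

def audit(inventory_csv):
    """Group serials by management channel and collect per-device findings."""
    report = {"ddm": [], "legacy": [], "unknown": [], "findings": {}}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        channel, findings = classify(row)
        report[channel].append(row["serial"])
        if findings:
            report["findings"][row["serial"]] = findings
    return report

if __name__ == "__main__":
    result = audit(SAMPLE_INVENTORY)
    for key in ("ddm", "legacy", "unknown"):
        print(key, result[key])
    for serial, notes in result["findings"].items():
        print(serial, "->", "; ".join(notes))
```

Devices that land in the "unknown" bucket are worth investigating first, since a device that reports no OS version is one the policy engine cannot reason about under either protocol.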

Automation and Zero-Touch Deployment That Actually Works

Zero-touch deployment is the promise that a new Mac, shipped directly from Apple or a reseller to an employee’s home, can be fully provisioned without IT ever opening the box. In 2026, this is no longer aspirational; it is the standard deployment model for distributed organizations. But it requires more than just ABM and MDM. The stack that makes it work includes several layers.

The first layer is Automated Device Enrollment through ABM, which forces the device into MDM during Setup Assistant. The second is Platform SSO, which ties the local macOS account to the organization’s identity provider (typically Microsoft Entra ID, Okta, or Google Workspace) so the user authenticates once with their corporate credentials and the device registers to them automatically. As Bradley Chambers wrote for 9to5Mac, Platform SSO is “the most critical enterprise technology Apple has shipped since the foundation of device management.” The third layer is the MDM’s app deployment engine, which should install required software (VPN client, endpoint security agent, office suite, communication tools) based on the user’s role or group membership, not a one-size-fits-all package.

Kandji’s assignment maps and Jamf’s Smart Groups both handle this role-based targeting, though with different philosophies. Kandji uses blueprint-style assignment maps where a device inherits policies, apps, and configurations based on which blueprint it belongs to. Jamf uses Smart Groups (dynamic collections based on criteria like department, building, or hardware model) and scopes policies and configurations to those groups. Both approaches work; the difference is operational. Blueprints are easier to reason about for smaller teams. Smart Groups offer more flexibility for complex environments with overlapping policy requirements. For broader perspective on managing these workflows in diverse regions, read our guide on Apple Fleet Management 2026: Strategies for Asia-Pacific Organizations.

The automation layer that many organizations overlook is the offboarding workflow. When an employee leaves, the MDM should be able to issue a remote wipe command, remove the device from ABM (or retain it for reassignment), and revoke the user’s access to corporate resources. Jamf Pro integrates with HRIS systems like Workday and BambooHR through its API, and Kandji offers similar integrations. Mosyle’s approach is more manual but functional for smaller teams. Automating offboarding is not a nice-to-have; it is the difference between recovering a MacBook Pro for the next hire and losing it to an activation-locked paperweight.

The Real Cost of Apple MDM at Scale

MDM pricing is the line item that gets approved in the budget. The real cost includes everything the budget does not capture: the time IT spends managing the MDM itself, productivity lost when a device is misconfigured, security exposure when a policy fails to apply, and the cost of identity provider integration if it is not already in place.

For a fleet of several hundred devices, annual MDM licensing cost ranges from roughly $6,000 (Mosyle business at $1.00 per device per month, scaled to 500 devices) to approximately $20,000 to $43,000 (Jamf Pro, depending on the mix of Mac versus iOS devices, at $7.17 and $3.33 per device per month respectively). Kandji’s pricing for a mid-size fleet would vary based on negotiated volume discounts, but at the published 100-device plan rate of $399 per month, linear extrapolation would be around $24,000 annually, though larger plans reduce the per-device cost. These differences are real but not budget-breaking for a mid-market organization. The larger cost differential comes from what each platform automates versus what requires manual intervention.

If the MDM requires an administrator to manually approve every OS update, build every app package, and troubleshoot every enrollment failure, the fully loaded cost per device (including IT labor) can easily triple the licensing cost. A platform that automates OS update enforcement through DDM, deploys apps through a curated catalog rather than manual packaging, and handles enrollment failures through self-healing workflows will reduce the support burden measurably. Organizations that have tracked this report meaningful reductions in per-device support tickets after moving from a legacy MDM to a DDM-native platform, though these figures are self-reported and vary by organization size and complexity.

The identity layer deserves its own line item. Platform SSO requires an identity provider that supports the protocol; Microsoft Entra ID, Okta, and Google Workspace all do as of 2026, according to Apple’s deployment documentation. Organizations already paying for one of these platforms incur no additional cost. Organizations that are not may need to factor in identity provider licensing, which can range from roughly $6 to $15 per user per month depending on tier and vendor. Mosyle’s decision to bundle Mosyle Auth at no additional cost is specifically aimed at organizations that want SSO but do not have an existing identity provider, a legitimate use case in education and SMB, though less common in mid-market and enterprise.

The biggest cost variable, however, is not the MDM or identity provider. It is the hardware refresh cycle. Apple devices running current operating systems are dramatically easier to manage than devices running two or three versions behind. DDM requires macOS 14 or later. Platform SSO requires macOS 14 or later. The security features that make Macs defensible (System Integrity Protection, signed system volumes, T2 or Apple silicon Secure Enclave) are present on any Mac released in the last five to six years. Organizations that stretch hardware refresh cycles to seven or eight years end up paying for it in management complexity. The math is straightforward: a MacBook Air replaced every four years costs a fraction of its purchase price per year. The IT labor to manage an unsupported Mac running an obsolete OS can easily exceed that figure if it generates even two additional support tickets per month. The hardware budget and MDM budget are the same conversation.

The Apple device management market in 2026 is mature enough that the technology works, but fragmented enough that vendor selection still matters enormously. Organizations that invest in ABM, deploy a DDM-native MDM, integrate Platform SSO from day one, and automate both provisioning and offboarding will find that managing a Mac fleet is no longer the operational headache it was five years ago. Organizations that treat MDM as a checkbox (buy licenses, configure basics, move on) will discover that the gap between managed and well-managed widens every time Apple ships a new OS. And Apple ships a new OS every year.
