Apple Device Management in 2026: MDM Pricing, ADE Setup, and the Hidden Costs That Catch IT Teams
Apple shipped over 30 million Macs to businesses and schools in 2025. Most of those devices will never see an IT technician’s hands. They arrive in a box, the employee opens it, connects to Wi-Fi, and within minutes has a fully configured machine with email, VPN, security policies, and the exact software stack their role requires. That experience is the result of a device management strategy stitched together from three layers: Apple Business Manager, a third-party MDM platform, and an identity provider. Get the layers right and you barely notice them. Get one wrong and your help desk tickets triple.
This article walks through what each layer costs, where the trade-offs live, and which decisions produce the most support tickets versus the fewest. Every price and capability mentioned comes from vendor documentation or public pricing pages as of mid-2026.
Key Takeaways:
- Apple Business Manager is free and non-negotiable; if you are not using it, you are doing manual setup for no reason
- MDM pricing runs $2 to $15 per device per month depending on features; the cheapest option is often the most expensive after factoring in support time
- Automated Device Enrollment cuts provisioning from hours to minutes but requires specific Apple reseller relationships
- The biggest hidden cost is not license fees; it is the identity and compliance stack you bolt onto the MDM after deployment
What MDM Actually Costs in 2026
Mobile device management pricing has compressed over the past three years. What was once a premium feature reserved for enterprises with dedicated IT staff now starts at roughly $2 per device per month. But the sticker price hides more than it reveals.
Third-Party MDM: Where the Real Comparison Happens
Jamf Pro, the largest Apple-specific MDM vendor by market share, charges $3.33 per device per month for its core plan when billed annually for Mac. iOS and iPadOS devices run $2.50 per device per month on the same plan. Jamf’s business plan, which adds single sign-on, identity integration, and content filtering, jumps to $6.58 per device per month. The enterprise tier, at $9.75 per device per month, includes Okta integration, SIEM connectors, and premium support. These are list prices as of mid-2026 and volume discounts apply above 500 seats.
Kandji, the fastest-growing competitor in the space, takes a different approach. Instead of per-device pricing, it charges per-seat: $399 per month for up to 100 seats on its standard plan. That works out to roughly $4 per device per month at full use, but the math changes at different scales. A team of 50 people pays $8 per device per month. A team of 200 pays $2 per device per month, though plan tiers shift at that volume. Kandji’s pitch is that per-seat pricing eliminates the surprise of device-count overages, which matters for companies with contractors or seasonal hiring.
Mosyle and Addigy round out the major Apple-specific players. Mosyle’s business plan starts at $3.00 per device per month and includes identity management, endpoint security, and app management in a single SKU. Addigy targets MSPs and charges per-device rates that vary by partner tier, typically landing between $2 and $5 per device per month depending on volume.
The cross-platform options like Microsoft Intune and VMware Workspace ONE come with different economics. Intune is bundled into Microsoft 365 E3 and E5 licenses, which means many organizations already own it without realizing it. If you are paying for M365 E3 at $36 per user per month, Intune is included. But Intune’s macOS management capabilities have historically lagged behind Apple-specific tools, particularly around software patching and configuration profiles. VMware Workspace ONE, now under Broadcom, starts around $3.78 per device per month for the standard tier, with the enterprise tier reaching $7.50 per device per month.

Apple Business Manager: The Free Foundation Most Teams Underuse
Apple Business Manager (ABM) costs nothing. Zero dollars. It is Apple’s portal for device enrollment, app distribution, and Managed Apple ID creation. Despite being free and available to any organization with a DUNS number, a surprising number of small and mid-size IT teams either skip it or set it up incorrectly.
ABM does three things that no MDM can do on its own. First, it links devices to your organization at the serial number level before they ever leave Apple’s supply chain. When a device appears in ABM, it is permanently associated with your organization until you release it. This is what makes zero-touch deployment possible: the device phones home to Apple during setup, Apple checks the serial number against ABM, and if there is a match, Apple redirects the device to your MDM server for configuration.
Second, ABM handles volume purchasing. You buy app licenses through ABM and assign them to devices or users through your MDM. The licenses are device-based for macOS and user-based for iOS, which matters for compliance. If an employee leaves and you revoke their Managed Apple ID, app licenses follow the device, not the person.
Third, ABM provides Managed Apple IDs. These are work-specific Apple accounts that cannot make App Store purchases, cannot use iMessage with personal contacts, and are fully controlled by the organization. They solve the problem of employees mixing personal and work Apple IDs, which is the number one source of data leakage on Apple fleets according to Apple’s own enterprise support data.
The setup process takes about 30 minutes if you have your DUNS number ready. Apple verifies your organization, you link your MDM server by uploading a public key, and you configure your default enrollment settings. The most common mistake is skipping the reseller integration step: if you buy Macs from a reseller that is not enrolled in Apple’s authorized reseller program, those devices will not appear in ABM automatically. You will need to add them manually using Apple Configurator on an iPhone, which works but eliminates the zero-touch benefit.
Third-Party MDM: Where the Real Comparison Happens
Once ABM is set up, the next decision is which MDM platform to connect it to. The choice is not just about price; it is about which problems you want to solve and which you are willing to live with.
Jamf Pro remains the reference implementation for Apple device management. It supports every MDM command Apple exposes through its management framework, including some that competitors skip because they are difficult to implement correctly. Its patch management covers over 200 third-party apps. Its smart groups feature lets you create dynamic device collections based on any attribute: “all Macs running macOS 15 with less than 20GB free disk space and FileVault not enabled.” That kind of targeting matters when you need to push a critical update to a specific subset of your fleet.
The trade-off with Jamf is complexity. The interface is powerful but not intuitive. New administrators typically need two to four weeks to become productive. Jamf’s own training courses run four days and cost $2,500 per person. For organizations with dedicated Apple administrators, this is a reasonable investment. For a generalist IT team managing Windows, macOS, and Linux, the learning curve is real friction.
Kandji competes directly on ease of use. Its interface is built around “blueprints” (templates that define complete device configuration) rather than individual profiles and policies. A blueprint includes everything: security settings, installed apps, configuration profiles, and compliance checks. Assign a blueprint to a device group and Kandji enforces it continuously, reverting any changes that drift from the template. This model reduces the number of decisions an administrator needs to make, which reduces misconfiguration. Kandji claims customers deploy their first device within one day of signing up, which is plausible for small teams but optimistic for enterprises with complex compliance requirements.
Mosyle positions itself as an all-in-one option. Its business plan bundles MDM, endpoint security, identity management, app management, and patch management into a single product at $3 per device per month. The endpoint security piece includes a full antivirus engine and DNS-based content filtering, which would cost an additional $2 to $5 per device per month if purchased separately from vendors like CrowdStrike or Cisco Umbrella. The trade-off is that Mosyle’s security features are not as deep as dedicated security tools, and organizations with advanced threat detection requirements will still need a separate endpoint detection and response (EDR) product.
Microsoft Intune deserves mention because it is already in many organizations’ licensing bundles. For Windows-heavy shops that happen to have a few Macs, Intune is the obvious choice: it is already paid for and it integrates with the Microsoft identity and compliance stack. For Mac-heavy shops, Intune is less compelling. Its macOS management capabilities have improved substantially since 2023, but it still lags on software patching automation and does not support all configuration profiles that Apple-specific tools do.
| Vendor | Starting Price (per device/month) | Best For | Key Limitation |
|---|---|---|---|
| Jamf Pro | $3.33 (Mac) / $2.50 (iOS) | Dedicated Apple IT teams | Steep learning curve; training costs add $2,500/person |
| Mosyle | $3.00 | All-in-one MDM + security | Security features are shallower than dedicated EDR |
| Microsoft Intune | Included in M365 E3/E5 | Windows-first orgs with some Macs | macOS management lags Apple-specific tools |
Automated Device Enrollment: Zero-Touch That Actually Works
Automated Device Enrollment (ADE) is the feature that makes the whole stack worthwhile. It is Apple’s term for the process where a device, fresh out of the box, automatically enrolls in your MDM during Setup Assistant without any human intervention beyond connecting to Wi-Fi.
ADE requires three things: the device must appear in your ABM account, your MDM server must be linked to ABM, and you must have configured an enrollment profile that maps devices to the correct configuration. The enrollment profile specifies whether the user can skip certain Setup Assistant steps (Location Services, Siri, Apple ID sign-in), whether the device requires the user to authenticate with your identity provider, and what MDM configuration the device receives after enrollment.
The most impactful decision in ADE configuration is authentication. You can set enrollment to require user authentication (the employee must sign in with their work credentials before the device finishes setup) or to skip it entirely. Requiring authentication means the device is linked to a specific user from the moment it is configured, which enables user-specific policies and app assignments. Skipping authentication means the device is ready faster but is only device-assigned, not user-assigned, which limits what you can do with user-targeted policies.
For shared devices (loaner laptops, lab machines, point-of-sale iPads), skip authentication and use device-assigned configuration. For personally assigned devices, require authentication. The extra 90 seconds of sign-in time during setup saves hours of policy troubleshooting later.
The reseller piece is where ADE setups most often break. Apple maintains a network of authorized resellers who can add devices to your ABM account at the point of sale. If you buy from an authorized reseller and provide your ABM organization ID, devices appear in ABM automatically within 24 hours of purchase. If you buy from an unauthorized reseller, from a retail store, or second-hand, you must add devices manually using Apple Configurator on an iPhone. Apple Configurator requires physical proximity to the device and an iPhone running iOS 17 or later. For a fleet of 10 devices, this is annoying. For 500, it is a logistics problem that consumes days of technician time.
When MDM Isn’t Enough: The Identity and Endpoint Stack
MDM handles device configuration. It does not handle user authentication, zero-trust access, or threat detection. Those require additional tools, and the integration between MDM and those tools is where most IT teams spend the majority of their troubleshooting time.
The minimum viable stack for a regulated or security-conscious organization looks like this: ABM for device enrollment and app licensing, MDM for configuration and compliance enforcement, an identity provider (IdP) for user authentication, and EDR for threat detection. The MDM and IdP must talk to each other so that device compliance status feeds into access decisions. If a device falls out of compliance (FileVault is disabled, the OS is outdated, a required security profile is missing), the IdP should block access to corporate resources until the MDM remediates the issue.
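The compliance gate described above can be sketched as a small evaluator over MDM inventory records. This is an added example, not code from any MDM or IdP vendor; the record fields, policy thresholds, profile identifier and serials are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Policy values are assumptions for this example, not vendor defaults.
MIN_OS = (15, 0, 0)
REQUIRED_PROFILES = {"com.example.security.baseline"}  # hypothetical identifier
MAX_CHECKIN_AGE_HOURS = 24


@dataclass
class Device:
    serial: str
    os_version: str
    filevault_enabled: bool
    profiles: set = field(default_factory=set)
    hours_since_checkin: float = 0.0


def parse_version(text):
    """'15.3' -> (15, 3, 0). Padding keeps '15' from comparing below (15, 0, 0)."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def compliance_failures(dev):
    failures = []
    if not dev.filevault_enabled:
        failures.append("filevault_disabled")
    try:
        if parse_version(dev.os_version) < MIN_OS:
            failures.append("os_outdated")
    except ValueError:
        failures.append("os_version_unparseable")  # fail closed on bad inventory
    missing = REQUIRED_PROFILES - dev.profiles
    if missing:
        failures.append("missing_profile:" + ",".join(sorted(missing)))
    if dev.hours_since_checkin > MAX_CHECKIN_AGE_HOURS:
        failures.append("stale_inventory")  # last known state may no longer hold
    return failures


def access_decision(dev):
    """What the IdP would consume: allow only when no check failed."""
    failures = compliance_failures(dev)
    return {"serial": dev.serial, "allow": not failures, "reasons": failures}


# Constructed inventory records (serials are placeholders).
BASELINE = {"com.example.security.baseline"}
FLEET = [
    Device("SERIAL-0001", "15.3.1", True, BASELINE, 2),
    Device("SERIAL-0002", "14.7.2", True, BASELINE, 1),
    Device("SERIAL-0003", "15.10", False, set(), 1),
    Device("SERIAL-0004", "15", True, BASELINE, 72),
]

if __name__ == "__main__":
    for device in FLEET:
        print(access_decision(device))
```

Versions are compared as integer tuples because a string comparison would rank "15.10" below "15.9", and a device that has not checked in recently is denied because its last reported state cannot be trusted.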
Jamf Connect and Kandji Passport are the two main tools that bridge MDM and IdP on macOS. Both replace the macOS login window with one that authenticates against your IdP (Okta, Entra ID, Google Workspace) and synchronizes the local account password with the IdP password. This eliminates the problem of employees having separate passwords for their Mac and their cloud apps, which is the most common source of account lockout tickets. Jamf Connect costs $2.75 per device per month as an add-on to Jamf Pro. Kandji Passport is included in Kandji’s standard plan.
On the EDR side, integration is less standardized. Most EDR vendors (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint) offer macOS agents, but quality varies. CrowdStrike’s macOS agent has historically been more resource-intensive than its Windows counterpart, though the 2025 Falcon sensor update reduced CPU usage by roughly 30% according to CrowdStrike’s release notes. SentinelOne’s macOS agent is lighter but has occasionally missed macOS-specific malware that targets LaunchAgents and LaunchDaemons, which are the primary persistence mechanisms on macOS.
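Because LaunchAgents and LaunchDaemons are plain property lists, a fleet audit can review them independently of the EDR agent. The following is an added example, not any vendor's detection logic; the heuristics, labels and paths are assumptions, and the sample plists are constructed inline.

```python
import plistlib
from pathlib import PurePosixPath

# Heuristics are assumptions for illustration; tune them against a known-good baseline.
WRITABLE_DIRS = ("/tmp", "/private/tmp", "/var/tmp", "/Users/Shared")
SHELLS = {"sh", "bash", "zsh"}


def audit_launchd_plist(plist_path, data):
    """Return review findings for one launchd job definition (raw plist bytes)."""
    try:
        job = plistlib.loads(data)
    except Exception:
        return ["unparseable_plist"]
    if not isinstance(job, dict):
        return ["unparseable_plist"]
    args = [a for a in job.get("ProgramArguments") or [] if isinstance(a, str)]
    program = job.get("Program") or (args[0] if args else "")
    if not program:
        return ["no_program"]
    tokens = [program] + args
    findings = []
    # Executable or argument located where any local user can write.
    if any(t == d or t.startswith(d + "/") for t in tokens for d in WRITABLE_DIRS):
        findings.append("path_in_writable_dir")
    # Dot-prefixed directory or file name anywhere in the command line.
    if any(p.startswith(".") and p != ".."
           for t in tokens for p in PurePosixPath(t).parts):
        findings.append("hidden_path_component")
    # Shell used as a launcher hides the real payload from path-based rules.
    if PurePosixPath(program).name in SHELLS and "-c" in args[1:]:
        findings.append("inline_shell_command")
    # By convention the file is named <Label>.plist.
    if job.get("Label") != PurePosixPath(plist_path).stem:
        findings.append("label_filename_mismatch")
    return findings


# Constructed samples: one ordinary daemon, two that warrant review, one corrupt file.
SAMPLES = {
    "/Library/LaunchDaemons/com.example.agent.plist": plistlib.dumps(
        {"Label": "com.example.agent", "RunAtLoad": True,
         "ProgramArguments": ["/Library/Application Support/Example/agent", "--daemon"]}),
    "/Users/alice/Library/LaunchAgents/com.example.updater.plist": plistlib.dumps(
        {"Label": "com.updater.helper", "RunAtLoad": True, "KeepAlive": True,
         "ProgramArguments": ["/bin/sh", "-c", "/Users/Shared/.cache/update"]}),
    "/Library/LaunchDaemons/com.example.sync.plist": plistlib.dumps(
        {"Label": "com.example.sync", "Program": "/private/tmp/sync"}),
    "/Library/LaunchAgents/com.example.broken.plist": b"not a plist",
}

if __name__ == "__main__":
    for path, raw in SAMPLES.items():
        print(path, audit_launchd_plist(path, raw))
```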
The practical consequence is that many organizations run two security tools on macOS: the MDM’s built-in compliance engine for configuration enforcement and a dedicated EDR for threat detection. This doubles the agent footprint and increases the surface area for conflicts. The most common conflict is two agents competing for full disk access, which on macOS requires explicit user approval through System Settings. When two security tools both demand full disk access, the user sees two permission prompts during setup, and one of them inevitably gets denied.
Hidden Costs That Blow Up Your Budget
The license fees are the easy part. The costs that surprise teams are training, migration, and compliance tools that MDM vendors do not include in their base plans.
Training is the biggest line item nobody budgets for. Jamf’s $2,500 per-person training course is the most visible example, but even tools marketed as intuitive require onboarding. A 2024 survey by the Mac Admins Foundation found that organizations spend an average of 40 hours of administrator time during the first month of MDM deployment, regardless of which platform they choose. At a fully loaded cost of $75 per hour for an IT administrator, that is $3,000 in labor before the first device is fully configured.
Migration costs are even higher. Moving from one MDM to another (Jamf to Kandji, Workspace ONE to Mosyle) requires unenrolling every device from the old platform and re-enrolling it in the new one. On macOS, this usually means the user must approve the MDM profile installation, which is a manual step. For a fleet of 200 Macs, migration typically takes four to six weeks and requires direct communication with every employee. Some vendors offer migration tools that streamline the process, but none eliminate the manual approval step entirely because Apple’s security model requires it.
Then there is the compliance stack. If your organization needs SOC 2, ISO 27001, or HIPAA compliance, your MDM alone will not satisfy auditors. You will need a compliance automation platform like Drata or Vanta, which costs $10,000 to $25,000 per year depending on headcount and frameworks. You will need EDR, which costs $5 to $15 per device per month. You may need a mobile threat defense tool like Lookout or Zimperium if your fleet includes iOS devices that access sensitive data. Each of these tools must be integrated with your MDM, and each integration is a potential failure point.
The total cost of managing an Apple device in a regulated environment typically runs $15 to $30 per device per month when you include MDM, EDR, IdP, and compliance automation. That is three to five times the MDM license fee alone. Teams that budget only for the MDM sticker price discover this gap during their first audit, which is the worst possible time.
The most cost-effective strategy is to minimize the number of tools in your stack. Every additional agent on a Mac is another process consuming memory, another permission prompt for users to dismiss, and another integration to debug when something breaks. For organizations looking to reduce total cost of ownership, “Apple Fleet Management 2026: Strategies to Lower Total Cost of Ownership” provides a deeper look at consolidation tactics. Mosyle’s all-in-one approach, Kandji’s blueprint model, and Jamf’s deep integration with Apple’s management framework are all attempts to reduce tool count. Pick the approach that eliminates the most separate products from your stack, even if the per-device price is higher. The license savings on tools you do not buy will more than cover the difference.
Thomas A. Anderson
Mass-produced in late 2022, upgraded frequently. Has opinions about Kubernetes that he formed in roughly 0.3 seconds. Occasionally flops, but don't we all? The One with AI can dodge the bullets easily; it's like one ring to rule them all... sort of...
