Endpoint Management · November 3, 2025 · Serdar · 4 min read

Mobile Device Management with MDM: A Starter for SMEs

Summary: MDM (Intune, Jamf, Kandji) enforces password requirements, remote wipe, app control, and compliance rules on devices. The fastest SME start: the Intune + Conditional Access + MFA trio can go live within 1-2 weeks.

Mobile devices are at the center of work life; many applications, from email to CRM, are used on the phone. But running personal or company phones without management creates security and compliance risk. MDM (Mobile Device Management) solutions manage these devices under a central policy. This guide explains MDM deployment at SME scale.

Why Does MDM Matter?

Losing control of a device after loss, theft, or staff departure is a major security gap. Without MDM, SMEs typically see:

  • Work email on a lost phone cannot be wiped
  • Customer data remains on a departing employee's phone
  • Devices are out of date and running with known vulnerabilities
  • The PIN/lock requirement cannot be audited
  • Personal and work data mix on the same phone
  • It is unclear which apps are on which devices
  • Company apps are installed manually, one device at a time

MDM solves these with central management.

Core MDM Functions

1. Enrollment

The employee enrolls their device in the company MDM. Corporate-owned and BYOD flows are configured differently.

2. Security Policies

Policies like PIN requirement, encryption, screen-lock duration, and root/jailbreak block are applied centrally.

3. App Management

Company apps are installed and updated automatically. Certain apps are blocked. App-based access control is enabled.

4. Container / Work Profile

Personal data and company data are kept separate. The company wipe command does not touch personal data.

5. Remote Wipe

A lost or stolen device is wiped remotely. In BYOD only the work container is wiped; on a corporate device, the entire device.

6. Compliance Check

If a device does not meet policy, access is restricted automatically. For example, a phone with pending updates cannot reach email.

7. Conditional Access Integration

MDM integrates with the identity service (Azure AD, Okta), so device health feeds directly into the access policy.

MDM Options Suitable for SMEs

Solution                 Target
Microsoft Intune         Windows, iOS, Android; the M365 ecosystem
Jamf                     Mac and iOS focused
Kandji                   Apple device management, modern UX
Google Workspace MDM     Built-in for Workspace users
Scalefusion / Hexnode    SME-friendly, multi-platform

For SMEs already on M365, Intune is usually included in the Business Premium bundle at no additional license cost.

Deployment Steps

  1. Device inventory: How many devices, corporate or personal, on iOS/Android/Windows?
  2. Policy design: Security policies + app list
  3. Pilot enrollment: Trial on 3-5 devices
  4. User documentation: How to enroll, what changes
  5. Full rollout: Phased across all devices
  6. Conditional Access: Integration with identity service
  7. Continuous monitoring: Compliance status, update rate

Sample Policy Set

Policy            Value
PIN               Minimum 6 digits
Lock duration     5 minutes
Encryption        Required
Root/Jailbreak    Blocked
Minimum OS        iOS 15, Android 11
Work apps         Automatic install
VPN               Automatic configuration
Loss or theft     Remote wipe active
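As an added example (not code from the article or from any MDM vendor), the following Python checks a constructed device inventory against the sample policy set above and derives the Conditional Access outcome described under Compliance Check. The device record fields are this example's assumptions, not a real MDM export schema.

```python
from dataclasses import dataclass
# Thresholds taken from the article's sample policy table.
MIN_PIN_LENGTH = 6
MAX_LOCK_MINUTES = 5
MIN_OS = {"iOS": (15,), "Android": (11,)}

@dataclass
class Device:
    # Posture fields an MDM inventory might report; the names are this example's assumption.
    name: str
    platform: str      # "iOS" or "Android"
    os_version: str    # e.g. "15.2" or "10"
    pin_length: int    # 0 means no PIN set
    lock_minutes: int  # screen-lock timeout
    encrypted: bool
    rooted: bool       # rooted / jailbroken

def parse_version(text: str) -> tuple:
    # '14.8.1' -> (14, 8, 1). Compare numerically: as strings '9' > '11', so an
    # Android 9 device would wrongly pass an Android 11 floor.
    return tuple(int(part) for part in text.split("."))

def evaluate(device: Device) -> list:
    """Return the policy rules the device violates; an empty list means compliant."""
    violations = []
    if device.pin_length < MIN_PIN_LENGTH:
        violations.append("pin")
    if device.lock_minutes > MAX_LOCK_MINUTES:
        violations.append("lock_duration")
    if not device.encrypted:
        violations.append("encryption")
    if device.rooted:
        violations.append("root_jailbreak")
    floor = MIN_OS.get(device.platform)
    if floor is None or parse_version(device.os_version) < floor:
        violations.append("minimum_os")  # unknown platform fails closed
    return violations

def access_decision(device: Device) -> str:
    """Conditional Access style outcome: a non-compliant device loses mail access."""
    return "allow" if not evaluate(device) else "block"

FLEET = [  # constructed sample inventory, not real data
    Device("sales-01", "iOS", "17.1", 6, 5, True, False),
    Device("sales-02", "iOS", "14.8", 6, 5, True, False),   # below the iOS 15 floor
    Device("ops-07", "Android", "9", 6, 2, True, False),    # passes only a string compare
    Device("ops-08", "Android", "13", 4, 5, True, False),   # 4-digit PIN
    Device("ops-09", "Android", "12", 6, 15, False, True),  # several violations
]
```

Run `access_decision(d)` over each device in `FLEET` to see which phones would be cut off from email until they remediate.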

Common Mistakes

  • Deploying MDM to production without testing the policies first
  • Claiming the right to wipe an entire BYOD device (legal exposure)
  • Not blocking access from devices on outdated OS versions
  • Leaving app-version management manual
  • Skipping Conditional Access integration
  • Weak user training
  • Forgetting the device-wipe step during offboarding

Real-World Examples

Example 1: Lost Phone at an Accounting Firm

At an accounting firm, an employee's phone was stolen. A remote wipe was triggered from the MDM console; the phone was reset the moment the device attempted to sign in. Data access was blocked.

Example 2: App Rollout at a Manufacturing Site

At a manufacturing site, a new ERP mobile app was about to be installed manually on every device. With Intune, distribution took one click: 60 devices in 1 hour.

Example 3: Compliance at a Consulting Office

A consulting office restricted email access on devices below iOS 15 via Conditional Access. Users were encouraged to update; within a week, all devices were current.

How Does Yamanlar Bilişim Support This Process?

Yamanlar Bilişim selects and deploys the MDM solution based on your needs and existing ecosystem, and designs policies so the BYOD and corporate-device approaches work side by side.

Main areas where Yamanlar Bilişim can support:

  • Device inventory and MDM needs analysis
  • Intune, Jamf, or alternative selection
  • Designing security and app policies
  • Pilot and phased rollout
  • BYOD container configuration
  • User enrollment process and documentation
  • Conditional Access integration
  • Regular compliance reports

Frequently Asked Questions

Does MDM see personal data?

In the BYOD container model, no; only the work area is managed. On a corporate device, all of it can be managed.

Is mobile-device security possible without MDM?

At a basic level yes (MFA, strong passwords), but without central oversight, consistency cannot be ensured.

Which platforms does it support?

Most modern MDMs support iOS, Android, Windows, and macOS. Scope should be confirmed before selection.

Can the user remove MDM?

On a corporate device, no; in BYOD, if removed, work access ends. The policy must communicate this in writing.

Does MDM add cost?

Either an M365 Business Premium license (which includes Intune) or a separate MDM license is required. A few dollars per endpoint per month is typical.

Last updated: May 1, 2026

Author

Serdar

Yamanlar Bilişim Expert

Writes content on IT infrastructure, cybersecurity, and digital transformation at Yamanlar Bilişim. Get in touch for any questions.
