Apple MDM Software: Vendor Comparison, Pricing, and Setup Guide

The complete buyer's guide to managing Mac, iPhone, and iPad fleets with MDM.

Written by Sofia Nguyen · Reviewed Mar 12, 2026 · Published Mar 12, 2026


If your organization runs Apple devices — MacBooks for engineers, iPads for field teams, iPhones for sales — you need an MDM solution built for Apple's ecosystem. Not one that treats Apple as an afterthought bolted onto a Windows-first platform.

Apple has its own management framework, its own enrollment infrastructure (Apple Business Manager), and its own set of restrictions and capabilities that differ meaningfully from Android or Windows management. Choosing the wrong MDM vendor means fighting the platform instead of working with it.

This guide covers what Apple MDM actually does across macOS, iOS, iPadOS, and tvOS, how Apple Business Manager and zero-touch enrollment work, the supervised vs unsupervised distinction that trips up most buyers, and a vendor-by-vendor comparison with real pricing. If you already know you need MDM and want to browse vendors, head straight to the MDM software category on ITOpsClub at /categories/mdm-software.

What is Apple MDM software?

Apple MDM software is a mobile device management platform that uses Apple's built-in MDM framework to enroll, configure, secure, and manage Apple devices — Mac computers, iPhones, iPads, and Apple TVs — over the air. It communicates with devices through Apple Push Notification Service (APNs) and enforces policies via configuration profiles and MDM commands defined by Apple's protocol.

Apple does not sell its own MDM product. Instead, Apple publishes the MDM protocol specification and provides infrastructure (Apple Business Manager, APNs, Automated Device Enrollment) that third-party MDM vendors integrate with. Vendors like Jamf Pro, Kandji, Mosyle, Hexnode, and Microsoft Intune build their products on top of this framework.

This means every Apple MDM vendor has access to the same underlying commands — install a profile, lock a device, wipe a device, query installed apps. The differences come down to how the vendor wraps those commands: the UI, the automation workflows, the compliance reporting, the depth of macOS-specific features, and the quality of Apple Business Manager integration.

What Apple MDM covers: macOS, iOS, iPadOS, and tvOS

Apple's MDM framework is not a single monolithic protocol. The available management commands and restrictions differ by operating system. Understanding what you can and cannot control on each platform prevents frustration during deployment.

macOS management

macOS MDM gives you the deepest control surface. You can enforce FileVault disk encryption, manage system extensions and kernel extensions, deploy and remove applications silently, configure Wi-Fi and VPN profiles, set firewall rules, manage user accounts, and push software updates. With supervised Macs enrolled through Apple Business Manager, you can also prevent the user from removing the MDM profile — a critical capability for corporate-owned hardware.

macOS also supports custom scripts and agent-based management that goes beyond what the MDM protocol alone provides. Vendors like Jamf Pro and Kandji use a companion agent on macOS to run shell scripts, collect detailed inventory, and enforce compliance baselines that the native MDM protocol does not cover.

iOS and iPadOS management

iOS and iPadOS management focuses on policy enforcement and app lifecycle. You can restrict which apps users install, push managed apps silently, configure email and Wi-Fi accounts, enforce passcode requirements, enable Lost Mode to locate missing devices, and remotely wipe a device or just the corporate data container. Supervised iOS devices unlock additional restrictions — disabling AirDrop, preventing App Store access, blocking screenshots, and enabling Single App Mode (kiosk mode).

iPad management is especially important for education, retail, healthcare, and field service. Shared iPad mode lets multiple users sign into the same device with separate data partitions. This is managed entirely through MDM and requires supervision.

tvOS management

Apple TV management is a niche but real use case. Conference rooms, digital signage, and education environments use managed Apple TVs. MDM can push a specific app to Single App Mode, configure Wi-Fi credentials, restrict AirPlay sources, and deploy content. Most Apple MDM vendors support tvOS, but the depth varies — Jamf Pro and Mosyle have the strongest tvOS support.

Apple Business Manager explained

Apple Business Manager (ABM) is the free web portal Apple provides to organizations for managing Apple device deployment, app purchasing, and Managed Apple IDs. It is not an MDM itself — it is the infrastructure layer that makes MDM work properly at scale.

ABM serves three critical functions that every Apple MDM deployment depends on.

  • Automated Device Enrollment — link purchased devices to your MDM server so they auto-enroll during setup, with no IT hands-on required
  • Volume purchasing (formerly VPP) — buy and distribute apps and books in bulk, assigning licenses to devices or users without requiring personal Apple IDs
  • Managed Apple IDs — create organization-owned Apple IDs (federated with your identity provider) for iCloud Drive, Shared iPad, and Apple services without commingling personal and corporate data

You connect ABM to your MDM vendor through a server token. Once linked, any device purchased through Apple or an authorized reseller shows up in ABM automatically and gets assigned to your MDM. This is the foundation of zero-touch enrollment.

ABM is free. There is no per-device cost from Apple. You need a D-U-N-S number to register, which can take a few days if your organization does not already have one. Set up ABM before you evaluate MDM vendors — your MDM choice depends on how well it integrates with ABM, and you will want to test enrollment during your vendor trial.

Zero-touch enrollment and Automated Device Enrollment

Zero-touch enrollment is the single most important Apple MDM capability for organizations deploying more than a few dozen devices. It eliminates the need for IT to physically touch each device before handing it to a user.

How Automated Device Enrollment works

Automated Device Enrollment (ADE, formerly DEP) is Apple's implementation of zero-touch. When you purchase a Mac, iPhone, or iPad through Apple or an authorized reseller, the device serial number is registered in Apple Business Manager. You assign that serial to an MDM server.

When the user powers on the device for the first time and connects to the internet, it contacts Apple's servers, discovers it has an MDM assignment, and automatically enrolls. The MDM pushes configuration profiles, app installs, and security policies — all before the user finishes the Setup Assistant. The user gets a fully configured device out of the box, and IT never touches it.

This is transformative for remote and distributed workforces. Ship a sealed MacBook to a new hire's home. They open it, connect to Wi-Fi, and the machine configures itself with your company's MDM profiles, disk encryption, VPN, approved apps, and wallpaper. No imaging, no USB drives, no on-site IT.

What zero-touch enrollment requires

  • An Apple Business Manager account linked to your MDM vendor
  • Devices purchased through Apple directly, Apple Business, or an Apple Authorized Reseller (existing devices can be added manually via Apple Configurator)
  • An MDM server configured with enrollment profiles that define which setup steps the user sees and which policies apply automatically
  • Network connectivity during initial device setup — the device must reach Apple's servers and your MDM vendor

One detail that catches buyers off guard: devices purchased before you set up ABM are not automatically included. You can retroactively add them using Apple Configurator on a Mac, but it requires physical proximity to the device. Plan to register with ABM before your next hardware purchase cycle.

Supervised vs unsupervised: why it matters for MDM

Supervision is the concept that trips up more Apple MDM buyers than any other. It determines the ceiling of what your MDM can actually do on each device.

A supervised Apple device gives your MDM access to a much larger set of management commands and restrictions than an unsupervised one. On supervised iOS devices, you can prevent users from removing the MDM profile, block specific apps, disable AirDrop, restrict Safari, enable Lost Mode, silently install apps without user approval, and configure Single App Mode. None of those are available on unsupervised devices.

On macOS, supervision through Automated Device Enrollment prevents users from removing the MDM profile and unlocks additional restrictions around kernel extension management, system extension control, and software update deferral.

How devices become supervised

  • Automated Device Enrollment through Apple Business Manager — devices are supervised automatically when they enroll. This is the preferred method for corporate-owned hardware
  • Apple Configurator — physically connect the device to a Mac running Apple Configurator, wipe it, and re-enroll it as supervised. Useful for existing inventory not originally purchased through ABM
  • BYOD devices cannot be supervised — supervision requires a full device wipe, which is not acceptable for employee-owned hardware. BYOD devices are always unsupervised

The practical implication: if you are buying new corporate devices and enrolling them through ABM, they will be supervised and you will have full MDM control. If you are trying to manage employee-owned iPhones (BYOD), you are limited to unsupervised management — which still lets you push Wi-Fi profiles, email configs, and enforce passcode policies, but you cannot prevent users from removing the MDM profile.
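As an added example (not part of the original guide or of any vendor's tooling), the Python script below sorts Macs by enrollment type from the text that macOS prints for `profiles status -type enrollment`, which is where the ADE-versus-manual distinction described above shows up on a device. The hostnames, server URL and sample output are constructed, and the category names are this example's own.

```python
import re

# Constructed sample: hostname -> output of `profiles status -type enrollment`
# as collected from each Mac. Hostnames and the server URL are made up.
SAMPLE_REPORTS = {
    "mac-eng-01": "Enrolled via DEP: Yes\nMDM enrollment: Yes (User Approved)\n"
                  "MDM server: https://mdm.example.com/mdm\n",
    "mac-sales-07": "Enrolled via DEP: No\nMDM enrollment: Yes (User Approved)\n"
                    "MDM server: https://mdm.example.com/mdm\n",
    "mac-byod-03": "Enrolled via DEP: No\nMDM enrollment: Yes\n",
    "mac-lab-11": "Enrolled via DEP: No\nMDM enrollment: No\n",
    "mac-old-02": "",  # collection failed or output was truncated
}

_ADE = re.compile(r"^Enrolled via DEP:\s*(Yes|No)\b", re.M | re.I)
_MDM = re.compile(r"^MDM enrollment:\s*(Yes|No)\b(?:\s*\(([^)]*)\))?", re.M | re.I)


def parse_status(text):
    """Return the enrollment facts in one report, or None if it is unreadable."""
    ade = _ADE.search(text)
    mdm = _MDM.search(text)
    if not ade or not mdm:
        return None
    return {
        "ade": ade.group(1).lower() == "yes",
        "mdm": mdm.group(1).lower() == "yes",
        "user_approved": (mdm.group(2) or "").lower() == "user approved",
    }


def classify(text):
    """Map one report to a category (names are this example's own)."""
    status = parse_status(text)
    if status is None:
        return "unknown"            # do not guess; re-collect from the device
    if not status["mdm"]:
        return "unmanaged"          # no MDM enrollment at all
    if status["ade"]:
        return "ade-enrolled"       # enrolled through Automated Device Enrollment
    return "removable-by-user"      # enrolled, but not through ADE


def audit(reports):
    """Group hostnames by category so the gaps are easy to review."""
    result = {}
    for host, text in reports.items():
        result.setdefault(classify(text), []).append(host)
    return {category: sorted(hosts) for category, hosts in result.items()}


if __name__ == "__main__":
    for category, hosts in sorted(audit(SAMPLE_REPORTS).items()):
        print(f"{category}: {', '.join(hosts)}")
```

Corporate-owned Macs that land in `removable-by-user` are the ones to move to ADE enrollment; `unknown` means the report should be collected again rather than assumed compliant.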

Does Apple have an MDM?

Apple does not sell an MDM product. Apple provides the MDM protocol, the Apple Push Notification Service (APNs) infrastructure, and Apple Business Manager — but the actual management console that IT teams use daily comes from third-party vendors. Apple's role is to define what management commands are available and to provide the enrollment infrastructure. Vendors like Jamf, Kandji, Mosyle, and others build the product experience on top of Apple's framework.

Apple does offer Apple Configurator, a free macOS app that can configure and supervise devices via USB. But Apple Configurator is a provisioning tool, not a management platform. It has no remote management, no over-the-air policy enforcement, no dashboards, and no compliance reporting. It is useful for initial device setup and for adding existing devices to ABM, but it is not a replacement for MDM.

Does Apple MDM cost money?

Apple's infrastructure is free. Apple Business Manager costs nothing. The Apple Push Notification Service costs nothing. Apple Configurator is a free download. There is no per-device fee from Apple for using MDM. What costs money is the third-party MDM vendor you choose to actually manage the devices.

Vendor pricing ranges from $1/device/month (Mosyle's base tier) to $8/user/month (Microsoft Intune standalone). For a 200-device fleet, expect to spend between $2,400 and $19,200 per year depending on your vendor and tier. The pricing table below has specific numbers for every major Apple MDM vendor.

Choosing an Apple MDM vendor

There are over a dozen MDM vendors that support Apple devices. But support is not the same as specialization. Some vendors build for Apple first and treat Windows or Android as secondary. Others build for multi-platform and their Apple management is competent but not deep.

The vendor comparison below covers the seven vendors most commonly evaluated by Apple-centric IT teams. If you want to browse the full list, visit /categories/mdm-software.

Jamf Pro

Jamf is the original Apple MDM vendor and the most widely deployed in Apple-heavy enterprises. Jamf Pro supports macOS, iOS, iPadOS, and tvOS with the deepest feature set of any Apple-focused vendor. It includes Self Service (an internal app catalog for end users), advanced macOS management through the Jamf agent, compliance baselines, and extensive Apple Business Manager integration.

Jamf Pro pricing ranges from $3.67/device/month to $7.89/device/month depending on volume and tier. Jamf also offers Jamf Business Plan which bundles Jamf Pro with Jamf Connect (identity), Jamf Protect (endpoint security), and Jamf Compliance Editor. Enterprise buyers should evaluate the bundle — purchasing Jamf Pro standalone and adding security later often costs more than starting with the business plan.

Kandji

Kandji is an Apple-only MDM platform that has gained significant traction since 2020. Its differentiator is the pre-built library of security compliance templates (CIS, NIST, SOC 2) that map MDM policies to specific compliance controls. Kandji also includes auto-patching for common macOS apps, a built-in endpoint detection agent (Kandji EDR), and a Blueprint system for layering configuration profiles.

Kandji pricing starts around $3.20/device/month for macOS and varies by device count and feature tier. Kandji does not publish pricing on its website — you need to request a quote. Budget approximately $3.20-$6.50/device/month for planning purposes. Kandji is a strong choice if compliance automation is a priority and your fleet is exclusively Apple.

Mosyle

Mosyle is an Apple-only unified platform that bundles MDM with identity management, endpoint security, encrypted DNS, and app management into a single product. It is the most cost-effective Apple MDM vendor by a wide margin. Mosyle started in education and has expanded aggressively into business.

Mosyle pricing is $1-$1.50/device/month for its business MDM tier and $2.50-$4/device/month for the full Mosyle Business platform that includes security and identity features. For organizations that want an all-in-one Apple management stack without paying Jamf prices, Mosyle is the most compelling option. The tradeoff is that Mosyle's enterprise features and reporting are less mature than Jamf Pro.

Hexnode

Hexnode is a multi-platform UEM that supports Apple, Android, Windows, and Fire OS. It is not Apple-only, but its Apple management is solid — supporting ABM integration, zero-touch enrollment, supervised device management, kiosk mode, and app deployment. Hexnode's strength is breadth: if you manage Apple devices alongside Android or Windows, you get one console for everything.

Hexnode pricing starts at $2.20/device/month on the Standard plan and scales to $5.40/device/month for the UEM tier. Hexnode is a good fit for mixed-device environments where Apple is a significant portion of the fleet but not the entirety. Compare Hexnode with other Apple MDM options at /categories/mdm-software.

Microsoft Intune

Microsoft Intune supports Apple device management through ABM integration, app deployment, compliance policies, and conditional access. Its Apple support is functional — you can enroll Macs and iPhones, push profiles, enforce policies, and manage apps. But Intune was designed for a Microsoft-first world. The macOS management experience is not as polished as Jamf or Kandji, and advanced macOS features often lag behind Apple-native vendors.

Intune costs $8/user/month as a standalone license, but it is included in Microsoft 365 E3 and E5 plans. If your organization already has M365 E3, you own Intune. For organizations with a mixed Apple/Windows fleet that are already in the Microsoft ecosystem, Intune can manage both platforms from one console — even if the Apple side is not best-in-class. The cost savings of using an already-licensed tool often outweigh the feature gap.

SimpleMDM

SimpleMDM is an Apple-focused MDM that prioritizes ease of use over feature depth. It supports macOS, iOS, iPadOS, and tvOS with a clean interface that non-expert IT administrators can learn quickly. SimpleMDM is often chosen by smaller companies deploying their first MDM or by development teams managing test devices.

SimpleMDM pricing starts at $3.99/device/month with no minimum device count, making it accessible for small deployments. Volume pricing brings the per-device cost down. It lacks the advanced compliance automation of Kandji or the enterprise depth of Jamf Pro, but for straightforward Apple device management without complexity, it delivers.

Addigy

Addigy is an Apple-focused MDM platform built with MSPs in mind. It offers multi-tenant management, live device monitoring, remote terminal access, and automated remediation — capabilities that overlap with RMM territory. This makes Addigy a strong fit for MSPs managing Apple-heavy client environments where they need both MDM policy enforcement and operational management depth.

Addigy pricing is quote-based and varies by tier. Expect approximately $4-$8/device/month for business plans. The MSP-oriented architecture sets it apart from Jamf and Kandji, which are primarily designed for single-organization use.

Apple MDM vendor comparison

This table compares the seven most commonly evaluated Apple MDM vendors across the features that matter most for Apple-centric deployments.

Apple MDM vendor feature comparison across macOS, iOS, iPadOS, and tvOS management capabilities.

Feature | Jamf Pro | Kandji | Mosyle | Hexnode | Intune | SimpleMDM | Addigy
--- | --- | --- | --- | --- | --- | --- | ---
Apple-only platform | Yes | Yes | Yes | No (multi-platform) | No (multi-platform) | Yes | Yes
macOS management | Deep — agent + MDM | Deep — agent + MDM | Strong | Solid | Functional | Basic-to-moderate | Deep — agent + MDM
iOS/iPadOS management | Full | Full | Full | Full | Full | Full | Full
tvOS management | Yes | Yes | Yes | Limited | Limited | Yes | Limited
Zero-touch enrollment (ADE) | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Self Service app catalog | Yes | Yes | Yes | No | Company Portal | No | Yes
Compliance automation | Jamf Compliance Editor | Built-in CIS/NIST/SOC 2 | Basic | Basic | Conditional Access | No | Basic
Built-in endpoint security | Jamf Protect (add-on) | Kandji EDR (built-in) | Built-in | No | Defender integration | No | Basic
Multi-tenant / MSP support | Limited | No | Yes | Yes | No | No | Yes — built for MSPs
Custom scripting (macOS) | Yes — policies + scripts | Yes — custom scripts | Yes | Limited | Limited — shell scripts | Yes — custom profiles | Yes — live terminal
Identity provider integration | Jamf Connect | Yes | Built-in | Yes | Azure AD native | No | Yes

Apple MDM pricing comparison

Pricing is where Apple MDM choices get real. Here are actual per-device costs for the major vendors as of early 2026. All prices are monthly, billed annually.

Apple MDM vendor pricing comparison as of early 2026. Prices are approximate for annual billing; contact vendors for exact quotes.

Vendor | Starting Price | Mid-Tier Price | Pricing Model | Free Tier / Trial
--- | --- | --- | --- | ---
Jamf Pro | $3.67/device/mo | $7.89/device/mo | Per device, annual contract | 14-day free trial
Kandji | ~$3.20/device/mo | ~$6.50/device/mo | Per device (macOS), quote-based | 14-day free trial
Mosyle | $1.00/device/mo | $2.50-$4.00/device/mo | Per device, annual contract | 30-day free trial
Hexnode | $2.20/device/mo | $5.40/device/mo (UEM) | Per device, annual contract | 14-day free trial
Microsoft Intune | $8.00/user/mo | Included in M365 E3/E5 | Per user (standalone) or bundled | Free with M365 E3+
SimpleMDM | $3.99/device/mo | Volume discounts available | Per device, monthly or annual | Free plan (limited devices)
Addigy | ~$4.00/device/mo | ~$8.00/device/mo | Per device, quote-based | 14-day free trial

For a 200-device Apple fleet, annual costs range from $2,400 (Mosyle) to $19,200 (Intune standalone at $8/user). Mosyle offers the best price-to-feature ratio for Apple-only environments. Jamf Pro costs more but delivers the deepest macOS management. Intune is effectively free if you already have Microsoft 365 E3 or higher — check your existing licenses before assuming you need a new line item.

For detailed pricing breakdowns on individual vendors, visit their product pages on ITOpsClub at /categories/mdm-software.

How to choose the right Apple MDM vendor

The vendor choice depends on four variables: fleet composition, compliance requirements, budget, and existing tooling. Here is how to match your situation to a vendor.

Choose Jamf Pro if

  • Your fleet is primarily or entirely Apple and you need enterprise-grade depth
  • You require advanced macOS management: custom policies, scripts, patch management, and Self Service
  • Compliance and security are top priorities and you want Jamf Protect and Jamf Connect as part of a unified Apple management stack
  • You have the budget to pay a premium for the most mature Apple MDM on the market

Choose Kandji if

  • Your fleet is 100% Apple and compliance automation matters (SOC 2, CIS, NIST)
  • You want built-in endpoint detection without adding a separate security tool
  • You prefer a modern UI with a Blueprint-based approach to device configuration
  • You want auto-patching for common macOS applications out of the box

Choose Mosyle if

  • Budget is a constraint and you need the lowest per-device cost for Apple MDM
  • You want MDM, identity, endpoint security, and encrypted DNS bundled into one platform
  • Your fleet is Apple-only and you do not need Windows or Android management
  • You are coming from education and expanding into business use cases

Choose Hexnode if

  • Your fleet includes Apple devices alongside Android, Windows, or Fire OS devices
  • You need one console for all platforms rather than an Apple-only tool plus something else for Windows
  • Kiosk mode and digital signage management are important use cases
  • You want solid Apple management at a lower price than Jamf without going Apple-only

Choose Intune if

  • Your organization is already on Microsoft 365 E3 or E5 and Intune is included in your license
  • You manage a mixed fleet of Windows and Apple devices and want one tool for both
  • Azure AD conditional access integration is a hard requirement for your security posture
  • Apple management depth is acceptable at 'good enough' rather than 'best in class' — and budget savings matter more

Can MDM be removed permanently?

It depends on whether the device is supervised. On an unsupervised device, the user can remove the MDM profile at any time through Settings — the MDM cannot prevent its own removal. On a supervised device enrolled through Apple Business Manager, the MDM profile cannot be removed by the user. The only way to fully remove MDM from a supervised device is to factory reset (wipe) the device, which erases all data.

Even after a factory reset, if the device is still registered in Apple Business Manager, it will re-enroll into MDM the next time it connects to the internet during setup. To permanently remove MDM from a supervised device, an administrator must also release the device from ABM. This is by design — it prevents stolen or lost corporate devices from being used without authorization.

For BYOD scenarios, users always retain the ability to remove MDM. This is why BYOD MDM strategies focus on managed containers: even if the user removes the profile, corporate data (email, apps, files) is wiped from the device while personal data remains untouched.

Deployment best practices for Apple MDM

Getting the vendor and ABM setup right is only half the battle. These deployment practices prevent the most common implementation failures.

  • Set up Apple Business Manager first — before evaluating MDM vendors. You need ABM operational to test zero-touch enrollment during vendor trials
  • Order your APNs certificate under a shared service account, not an individual's Apple ID. If that person leaves and the certificate expires, every enrolled device loses management
  • Start with a pilot group of 10-20 devices before rolling out to the full fleet. Test enrollment, profile delivery, app deployment, and edge cases like VPN and printer configuration
  • Document your configuration profile stack. Layering too many profiles causes conflicts — especially with Wi-Fi, VPN, and restrictions. Keep profiles modular and well-labeled
  • Plan your app deployment strategy: decide which apps are pushed automatically vs available through Self Service, and test silent installs on supervised devices
  • Define your compliance baselines before configuring policies. Map specific controls to compliance requirements (SOC 2, HIPAA, CIS) so you can prove coverage during audits
  • Set up a device lifecycle workflow: enrollment, configuration, ongoing management, device reassignment, and decommissioning. MDM is not just day-one setup — it is ongoing operations
  • Test the end-user experience. Have someone outside IT go through the enrollment and setup flow. If it is confusing or takes more than 15 minutes, simplify it
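The profile-stack advice in the list above can be checked mechanically. The following is an added example, not code from the original guide or from any MDM vendor: it loads a set of unsigned .mobileconfig files with Python's `plistlib` and reports settings that two profiles set to different values. The profile names, the `com.example` identifiers and the sample stack are constructed; treating a Wi-Fi payload's `SSID_STR` as its scope is this example's assumption.

```python
import plistlib
import uuid
from collections import defaultdict
from xml.parsers.expat import ExpatError

# Keys that describe a payload rather than a setting it enforces.
META_KEYS = {"PayloadType", "PayloadVersion", "PayloadIdentifier", "PayloadUUID",
             "PayloadDisplayName", "PayloadDescription", "PayloadOrganization"}
WIFI = "com.apple.wifi.managed"
RESTRICTIONS = "com.apple.applicationaccess"


def make_profile(name, payloads):
    """Build a constructed, unsigned configuration profile as bytes (sample input)."""
    content = []
    for i, settings in enumerate(payloads):
        payload = dict(settings)
        payload.update({"PayloadVersion": 1,
                        "PayloadIdentifier": f"com.example.{name}.{i}",
                        "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_DNS, f"{name}.{i}"))})
        content.append(payload)
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadDisplayName": name,
                           "PayloadIdentifier": f"com.example.{name}",
                           "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_DNS, name)),
                           "PayloadContent": content})


def find_conflicts(profiles):
    """Return (conflicts, unreadable) for a {profile name: raw bytes} stack.

    A conflict is the same key in the same payload type (and, for Wi-Fi, the
    same SSID) set to different values by different profiles.
    """
    seen = defaultdict(dict)   # (payload type, scope, key) -> {profile: value}
    unreadable = []
    for name, raw in profiles.items():
        try:
            doc = plistlib.loads(raw)
        except (ValueError, ExpatError):
            unreadable.append(name)   # e.g. a signed profile; unwrap it first
            continue
        for payload in doc.get("PayloadContent", []):
            ptype = payload.get("PayloadType", "?")
            scope = payload.get("SSID_STR", "") if ptype == WIFI else ""
            for key, value in payload.items():
                if key in META_KEYS or (ptype == WIFI and key == "SSID_STR"):
                    continue
                seen[(ptype, scope, key)][name] = value
    conflicts = [(ptype, scope, key, by_profile)
                 for (ptype, scope, key), by_profile in sorted(seen.items())
                 if len({repr(v) for v in by_profile.values()}) > 1]
    return conflicts, sorted(unreadable)


# Constructed sample stack: two restriction profiles, two Wi-Fi profiles,
# and one blob standing in for a signed profile that plistlib cannot read.
SAMPLE_STACK = {
    "baseline-restrictions": make_profile("baseline-restrictions", [
        {"PayloadType": RESTRICTIONS, "allowAirDrop": False, "allowScreenShot": False}]),
    "sales-ipad": make_profile("sales-ipad", [
        {"PayloadType": RESTRICTIONS, "allowAirDrop": True, "allowAppInstallation": False}]),
    "office-wifi": make_profile("office-wifi", [
        {"PayloadType": WIFI, "SSID_STR": "CorpNet", "AutoJoin": True,
         "EncryptionType": "WPA2"}]),
    "legacy-wifi": make_profile("legacy-wifi", [
        {"PayloadType": WIFI, "SSID_STR": "CorpNet", "AutoJoin": False,
         "EncryptionType": "WPA2"},
        {"PayloadType": WIFI, "SSID_STR": "Guest", "AutoJoin": False}]),
    "signed-vpn": b"\x30\x80\x06\x09 constructed non-plist bytes",
}

if __name__ == "__main__":
    found, skipped = find_conflicts(SAMPLE_STACK)
    for ptype, scope, key, by_profile in found:
        print(f"{ptype} {scope or '-'} {key}: {by_profile}")
    print("unreadable:", skipped)
```

The script only flags disagreements; which value a device ends up applying is not something it tries to predict, so each reported key should be settled in one profile.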

For a deeper dive on MDM implementation, read our guide on MDM best practices at /blog/mdm-best-practices.

FAQ

Does Apple have an MDM?

No. Apple provides the MDM framework, Apple Push Notification Service, and Apple Business Manager, but it does not sell an MDM product. Third-party vendors like Jamf Pro, Kandji, Mosyle, Hexnode, and Microsoft Intune build management consoles on top of Apple's protocol. Apple Configurator is a free provisioning tool but does not provide remote management capabilities.

What is Apple MDM software?

Apple MDM software is a third-party management platform that uses Apple's built-in MDM protocol to enroll, configure, secure, and manage Mac computers, iPhones, iPads, and Apple TVs over the air. It communicates through Apple Push Notification Service and enforces policies via configuration profiles. Examples include Jamf Pro, Kandji, and Mosyle.

Does Apple MDM cost money?

Apple's MDM infrastructure — Apple Business Manager, Apple Push Notification Service, and Apple Configurator — is completely free. The cost comes from the third-party MDM vendor. Pricing ranges from $1/device/month (Mosyle) to $8/user/month (Microsoft Intune standalone). Many organizations already have Intune included in their Microsoft 365 E3 or E5 license.

Can MDM be removed permanently?

On unsupervised devices, users can remove MDM at any time. On supervised devices enrolled through Apple Business Manager, the MDM profile cannot be removed without a factory reset — and even after reset, the device will re-enroll automatically unless an administrator releases it from ABM. Permanent removal requires both a device wipe and ABM release.

What is the difference between supervised and unsupervised Apple devices?

Supervised devices give MDM access to a larger set of management commands: preventing MDM removal, blocking apps, enabling kiosk mode, restricting AirDrop, and silently installing apps. Unsupervised devices support basic policy enforcement but the user can remove the MDM profile. Devices become supervised through Automated Device Enrollment (ABM) or Apple Configurator.

What is Apple Business Manager and do I need it?

Apple Business Manager (ABM) is a free web portal from Apple for managing device enrollment, app purchasing, and Managed Apple IDs. You need ABM for zero-touch enrollment, volume app purchasing, and supervised device management. Any organization deploying more than a handful of Apple devices should set up ABM — it is the foundation of scalable Apple MDM.

Can I manage Windows and Apple devices with the same MDM?

Yes, but with tradeoffs. Multi-platform MDM vendors like Microsoft Intune and Hexnode manage both Apple and Windows from one console. Apple-only vendors like Jamf Pro and Kandji offer deeper macOS and iOS management but do not cover Windows. If Apple is your primary platform, an Apple-only vendor is usually the better choice. If you have a significant Windows fleet, a multi-platform vendor simplifies operations.

Is Jamf Pro worth the price compared to cheaper alternatives?

Jamf Pro is the premium option at $3.67-$7.89/device/month, compared to Mosyle at $1-$1.50/device. Jamf Pro justifies the premium through deeper macOS management, the Self Service app catalog, extensive compliance tooling (Jamf Compliance Editor), endpoint security (Jamf Protect), and the largest Apple MDM customer community. For enterprises with complex compliance requirements, Jamf Pro's maturity reduces implementation risk.

Can I use Apple MDM for BYOD?

Yes, but with limitations. BYOD devices cannot be supervised, which means users can remove the MDM profile at any time and you lose access to advanced restrictions. BYOD MDM works best with a managed container approach — corporate email, apps, and data live in a separate partition that IT can wipe without touching personal data. User enrollment (a lightweight Apple enrollment type) is designed specifically for BYOD.

How long does it take to deploy Apple MDM across an organization?

For a new deployment of 100-500 devices, expect 2-4 weeks for ABM setup, MDM configuration, pilot testing, and initial rollout. Zero-touch enrollment for new devices is nearly instant once configured. Migrating existing unmanaged devices takes longer because each device may need Apple Configurator or manual enrollment. Budget 4-8 weeks for a full migration including testing and documentation.
