"We already make everyone use a passcode" is the answer most small business owners give when asked how they manage devices, and for personal phones checking company email, that's often genuinely enough, as we covered in our BYOD policy post. But somewhere between the first company-issued laptop and the tenth, or the first device holding patient records or CAD drawings, a passcode requirement stops covering the actual risk. That's the point where a business needs mobile device management, not because the phone got more dangerous, but because the business now owns it outright and owns everything that happens to it.
What MDM actually does that conditional access doesn't
Conditional access, the approach behind a lightweight BYOD policy, checks a device before letting it in: does it have a passcode, is MFA satisfied, is the OS reasonably current. It's a gatekeeper. MDM is different because it manages the device itself, continuously, whether or not the employee is logging into anything at that moment.
- Enforced encryption and configuration that's set once and can't be turned off by the person holding the device, instead of a setting IT hopes is on.
- Zero-touch enrollment so a new laptop or phone configures itself, apps and all, the moment it's turned on, instead of a technician walking through setup by hand.
- App allowlisting and kiosk mode, useful for a front-desk tablet, a delivery driver's phone, or a warehouse scanner that should only ever run one or two apps.
- A full remote wipe, not a selective one, appropriate because the business owns the whole device and everything on it, not just a slice of company data living alongside someone's personal photos.
- Compliance reporting that can prove, on demand, which devices are encrypted, patched, and enrolled — something an auditor for HIPAA, CMMC, or a cyber insurance renewal will eventually ask for.
The signs you've outgrown BYOD-lite
Most five- to fifteen-person businesses genuinely don't need this yet. A handful of signs mean it's time to look at it seriously rather than add another exception to a BYOD policy that was never built for this.
- The business, not the employee, bought the device. A company-owned laptop or phone is a business asset, and the business is on the hook for what happens to the data on it, not just the account behind it.
- A compliance framework requires it. HIPAA, CMMC, and most cyber insurance applications now ask for proof of device encryption and the ability to remotely wipe a lost device, not just a policy that says you do it.
- Devices are shared, not personal. A shop-floor tablet, a hotel front-desk iPad, or a POS terminal needs to be locked to its job, not left open to whatever app anyone installs on it.
- Field or driver devices carry more than email. Dispatch software, delivery routes, or scanning apps on a phone that leaves the building daily is a different risk than a phone checking Outlook at a desk.
- You're managing more than five or six company-owned devices by hand. Past that point, configuring each one manually stops scaling and starts creating drift, where devices quietly fall out of compliance because nobody's tracking them individually anymore.
Rolling out MDM without over-buying
The good news is that for most small businesses, MDM isn't a new purchase, it's a feature already sitting inside a plan they're paying for.
- Microsoft Intune is included with Microsoft 365 Business Premium at no extra license cost, and it manages Windows, iOS, and Android devices from one console.
- Google Workspace includes basic Android and iOS device management on every plan, with advanced management (app allowlisting, stronger compliance policies) on Business Plus and up.
- Apple Business Manager is free and pairs with Intune or Google's tools to automatically enroll and supervise company-owned iPhones, iPads, and Macs the moment they're unboxed.
- Start with company-owned devices only. Enroll every laptop and phone the business bought before touching personal devices, which stay under the lighter BYOD policy.
- Build one baseline policy first — encryption on, screen lock required, OS updates enforced — before adding kiosk mode or app restrictions for specific roles.
None of this requires ripping out the BYOD approach that's already working for personal devices. It's a second, narrower policy for the devices the business actually owns, and it's usually cheaper to turn on than most owners expect, since the license is often already paid for.
Where this fits
- The BYOD policy post, for the lighter approach that covers personal devices.
- The identity hardening post, for the account-level controls MDM builds on top of.
- The employee offboarding checklist, for wiping a company-owned device the same day someone leaves.
- The HIPAA-compliant IT post, for where device management fits into a compliance requirement.
- The cybersecurity page, for where device management sits in a full defense.
FAQs about MDM for small business
What's the actual difference between BYOD and MDM?
BYOD, as we cover it in our BYOD policy post, is a light-touch approach built on conditional access: it requires a passcode and MFA before a personal device can reach company email or files, and it can selectively wipe company data off that device. MDM goes further because the business, not the employee, owns the device. It can enforce full-disk encryption, push configuration profiles and apps automatically, lock a device into a single app (kiosk mode), block the camera or app store, and wipe the entire device, not just the company data on it. The line between the two is ownership: conditional access is right for a phone the employee owns, MDM is right for a phone or laptop the business bought.
We already require passcodes and MFA. Do we still need full MDM?
Not necessarily. If every device that touches company data is personally owned, and your risk is limited to a lost phone or a departing employee, conditional access and selective wipe usually cover it, and that's what most five- to fifteen-person businesses should run. MDM earns its cost when the business itself owns the devices, when a compliance framework (HIPAA, CMMC, PCI) requires proof of device configuration and encryption, when field or shared devices need to be locked to specific apps, or when losing a device means losing something more sensitive than an email inbox, like patient records, CAD files, or a POS terminal.
What does MDM cost for a small business?
For most small businesses, it's already included in a plan you're paying for or can be added cheaply. Microsoft Intune ships with Microsoft 365 Business Premium at no extra cost, Google Workspace includes basic Android and iOS management on every plan and advanced management on Business Plus and up, and Apple Business Manager is free for enrolling and supervising company-owned iPhones, iPads, and Macs. The real cost isn't the license, it's the setup time: building enrollment profiles, app policies, and compliance rules correctly the first time so devices configure themselves instead of needing a technician to walk each one through setup by hand.
Not sure whether you've outgrown BYOD?
30 minutes with a DoD-cleared engineer. We'll look at what's company-owned versus personal, whether your compliance obligations already require MDM, and build a rollout that uses the license you're probably already paying for.
Book your free security assessment