MDM for Startups: Why We Built a Security-First Solution
We built an MDM that gives startups real device security (encryption, remote wipe, inventory) without enterprise bloat, reducing risk, simplifying compliance, and avoiding yet another vendor.
A laptop gets stolen. An employee leaves. A security questionnaire asks: "Is disk encryption enforced on all devices?"
For many startups, that's where things get uncomfortable. Without MDM in place, enforcing, or even confidently answering, basic security controls becomes difficult. And when they look at what's available, enterprise pricing and feature bloat make it hard to justify.
At Bastion, we kept seeing this gap. So we built our own MDM, one designed for startups, with security as the priority and compliance as the natural byproduct.
We're a security company first. Our mission is to help organizations actually improve their security posture, not just check boxes for compliance audits. When compliance becomes the goal in itself, there's a high risk of ending up with security theatre: policies that look good on paper but don't protect anyone.
What is MDM, exactly?
Mobile Device Management (MDM) is a management protocol built into Apple's and Microsoft's operating systems that lets an organization remotely configure, secure, and inventory its device fleet: laptops, desktops, tablets, and phones. Despite the name, it's not just for phones.
When a device is enrolled with an MDM server, the organization gains a specific, well-defined set of capabilities over that device, and only that set: the operating system, not the MDM vendor, decides which commands a device will accept.
MDM Capabilities: What It Can and Can't Do
The core MDM protocol supports:
- ✅ Remotely wipe or lock a device
- ✅ Enforce disk encryption (FileVault on macOS, BitLocker on Windows) and escrow the recovery key so a locked-out user doesn't mean lost data
- ✅ Require a lock screen password
- ✅ Query device information (OS version, serial number, encryption status)
- ✅ Install configuration profiles and certificates
- ✅ Enforce security policies through configuration profiles (password complexity, screen-lock timeout, Gatekeeper, firewall, and similar OS-level settings)
What the MDM protocol doesn't do by itself:
- ❌ Read your emails
- ❌ Monitor your keystrokes
- ❌ Access your browsing history
- ❌ Take screenshots or record your screen
These capabilities are predefined by the operating system vendor (Apple and Microsoft), not by MDM providers. One caveat a practitioner should keep in mind: the protocol can install software (Apple's InstallApplication and InstallEnterpriseApplication commands, the Windows app-management CSPs), and an installed agent can do anything software on the machine can do. So "what MDM can't do" is a statement about the protocol; when evaluating an MDM product, ask whether it also ships an agent and what that agent has access to.
For those who'd like more details
We were initially skeptical too. The idea of remote device management sounds invasive at first glance.
But after studying the Apple and Microsoft MDM protocols in depth, we came away impressed by how thoughtfully they were designed.
Here's how it actually works: the MDM server sends commands to the device, but those commands are limited to a strict set defined by Apple or Microsoft.
- On macOS, the MDM protocol supports commands like `DeviceLock`, `EraseDevice`, and `InstallProfile`. There is no general "run this script" command in Apple's protocol. The closest thing is `InstallEnterpriseApplication` (alongside `InstallApplication`), which lets the server push a signed installer package to a supervised or user-approved enrollment (supervised typically meaning a corporate-owned device enrolled through Apple Business Manager). A package's install scripts run as root, so this is how MDM vendors bootstrap agents that do run scripts.
- On Windows, Microsoft's MDM protocol (OMA-DM, exchanging SyncML messages over HTTPS) exposes Configuration Service Providers (CSPs) that define what can be configured or queried. The base protocol also has no script command, but it can install applications (for example through the EnterpriseDesktopAppManagement CSP), and Microsoft Intune extends it with the Intune Management Extension, an agent that can deploy PowerShell scripts.
On the device side, users maintain visibility and control:
- On macOS, you can see exactly which profiles are installed under System Settings > General > Device Management (macOS Sonoma and later; on Ventura it's Privacy & Security > Profiles). Each profile lists the payloads it installs and the settings they control. From Terminal, `profiles status -type enrollment` shows whether the Mac is enrolled and supervised, and `profiles list` (with `sudo` for device-level profiles) shows what is installed.
- On Windows, you can view MDM enrollment details in Settings > Accounts > Access work or school; selecting the account and then Info shows which policy areas are managed, and `dsregcmd /status` from a command prompt reports the enrollment and management-server state. There's no hidden access: everything is declared.
Why Startups Need MDM (But Often Skip It)
As we worked with our customers on security assessments, a pattern emerged: many of them had no device management at all. From a security standpoint, this was a significant gap.
Without MDM:
- There's no way to remotely wipe a laptop when it's stolen, and laptops do get stolen.
- There's no way to remotely lock a device.
- There's no reliable way to enforce disk encryption across the fleet. Encryption is the control that still protects the data when a stolen laptop never comes back online to receive the wipe command.
- And there's no single source of truth for device inventory, which makes compliance audits harder than they need to be.
We kept recommending that our customers adopt an MDM solution. But when we looked at what was available, we weren't fully satisfied.
MDM and Compliance: SOC 2 and ISO 27001
Beyond the direct security benefits, MDM has become a requirement for doing business with enterprise customers.
Enterprise security questionnaires
Enterprise security questionnaires routinely ask about device management: Do you have MDM? Can you remotely wipe devices? How do you enforce encryption? Without MDM, you're stuck answering "no" to these questions, often a deal-breaker for security-conscious customers.
How MDM Maps to Compliance Frameworks
MDM directly supports key controls in both SOC 2 and ISO 27001. Here's how:
| Framework | Control | How MDM Helps |
|---|---|---|
| SOC 2 | CC6.7 (Restricting transmission, movement, and removal of information; protecting mobile devices) | Enforce disk encryption on portable devices and remotely wipe lost or stolen ones |
| SOC 2 | CC6.8 (Preventing or detecting unauthorized or malicious software) | Enforce Gatekeeper and software-installation restrictions through configuration profiles |
| SOC 2 | CC6.1 (Logical access security; inventory of information assets) | Require screen locks and passwords; automatic device inventory, no manual spreadsheets that go stale |
| ISO 27001 | A.8.1 (User endpoint devices) | Enforce encryption, screen locks, and security policies across your fleet |
| ISO 27001 | A.7.9 (Security of assets off-premises) | Remote wipe capability for devices outside the office |
| ISO 27001 | A.5.9 (Inventory of information and other associated assets) | Always-up-to-date device inventory, automatically maintained |
Sources: AICPA Trust Services Criteria, ISO 27001:2022 Annex A
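What "evidence of encryption enforcement" looks like in practice is a set of per-device protocol replies turned into a report the auditor can read. The block below is an added example, not Bastion's code: it classifies stored Apple MDM SecurityInfo replies for macOS. The reply keys it reads (FDE_Enabled, FDE_HasPersonalRecoveryKey, FDE_HasInstitutionalRecoveryKey) are Apple's; the seven-day staleness window, the report layout, and the sample replies are this example's own assumptions. It goes slightly beyond the table by also flagging encrypted devices with no escrowed recovery key and devices whose last reply is too old to count.

```python
"""Fleet encryption evidence from Apple MDM SecurityInfo replies (added example)."""
import plistlib
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=7)  # evidence older than this is treated as stale (assumption)


def evaluate(raw, received_at, now):
    """Classify one stored SecurityInfo reply.

    Returns udid, a state in {compliant, unencrypted, key_not_escrowed, stale,
    unknown}, and a reason, so the auditor sees why a device counts the way it
    does rather than a bare pass/fail.
    """
    reply = plistlib.loads(raw)
    udid = reply.get("UDID", "<no udid>")
    if now - received_at > MAX_AGE:
        return {"udid": udid, "state": "stale",
                "reason": f"last reply {received_at.date()} is older than {MAX_AGE.days} days"}
    if reply.get("Status") != "Acknowledged":
        return {"udid": udid, "state": "unknown",
                "reason": f"device answered {reply.get('Status')}"}
    info = reply.get("SecurityInfo", {})
    if not info.get("FDE_Enabled", False):
        return {"udid": udid, "state": "unencrypted", "reason": "FileVault is off"}
    escrowed = (info.get("FDE_HasPersonalRecoveryKey", False)
                or info.get("FDE_HasInstitutionalRecoveryKey", False))
    if not escrowed:
        # Encryption without an escrowed recovery key: a locked-out user loses the
        # data, and you cannot show an auditor that recovery is possible.
        return {"udid": udid, "state": "key_not_escrowed",
                "reason": "FileVault on, no recovery key escrowed"}
    return {"udid": udid, "state": "compliant",
            "reason": "FileVault on, recovery key escrowed"}


def fleet_report(records, now):
    """Aggregate (raw_reply, received_at) pairs into an audit-ready summary."""
    results = [evaluate(raw, ts, now) for raw, ts in records]
    counts = {}
    for r in results:
        counts[r["state"]] = counts.get(r["state"], 0) + 1
    total = len(results)
    return {
        "total": total,
        "counts": counts,
        "coverage_pct": round(100 * counts.get("compliant", 0) / total, 1) if total else 0.0,
        "exceptions": [r for r in results if r["state"] != "compliant"],
    }


def sample_reply(udid, status="Acknowledged", **security_info):
    """Build a constructed SecurityInfo reply plist (not captured from a real device)."""
    reply = {"CommandUUID": f"cmd-{udid}", "Status": status, "UDID": udid}
    if status == "Acknowledged":
        reply["SecurityInfo"] = security_info
    return plistlib.dumps(reply)


# Constructed fleet: one good device and four different kinds of exception.
NOW = datetime(2025, 9, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    (sample_reply("udid-a", FDE_Enabled=True, FDE_HasPersonalRecoveryKey=True), NOW - timedelta(days=1)),
    (sample_reply("udid-b", FDE_Enabled=True, FDE_HasPersonalRecoveryKey=False), NOW - timedelta(days=2)),
    (sample_reply("udid-c", FDE_Enabled=False), NOW - timedelta(hours=3)),
    (sample_reply("udid-d", FDE_Enabled=True, FDE_HasInstitutionalRecoveryKey=True), NOW - timedelta(days=30)),
    (sample_reply("udid-e", status="NotNow"), NOW),
]

if __name__ == "__main__":
    import json
    print(json.dumps(fleet_report(SAMPLE_RECORDS, NOW), indent=2, default=str))
```

The point of the per-device reason strings is that an auditor asks "why is this one non-compliant?" far more often than "what is the percentage?"; a report that only carries the percentage sends you back to the raw data.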
Why this matters for Bastion customers
Many of our customers are going through SOC 2 or ISO 27001 certification for the first time. They're already juggling multiple new tools: vulnerability scanners, security awareness training, policy management, and more.
Having MDM built directly into Bastion means:
- One less vendor to manage: No separate MDM contract, no additional onboarding, no extra integrations to maintain.
- Seamless evidence collection: When your auditor asks for device encryption status or asset inventory, it's already in Bastion. No exporting from one tool and importing to another.
- Unified security posture: Your device security data lives alongside your other security controls, giving you a complete picture in one place.
Getting ready for SOC 2 or ISO 27001? See how Bastion helps →
MDM for Startups and Scaleups: Why We Built Instead of Bought
We seriously considered existing products. Some are excellent, and for many organizations, they're the right choice.
But for Bastion, we saw a few issues:
- Roadmap alignment: the MDM market is mature, and the major players have their own priorities. We had specific ideas about how MDM should integrate with security posture management, our core product, and we couldn't rely on another vendor's roadmap to get us there.
- Data ownership: some solutions offer self-hosting, but most don't. For a security company, there's something uncomfortable about asking customers to trust us with their security data, while we delegate our own device data to a third party. Building our own solution means we own the data end-to-end.
- Depth of understanding: by building MDM ourselves, we gained deep expertise in how these protocols actually work. That knowledge feeds back into our security assessments and our product. We're not just integrating with a black box: we understand the system from the ground up.
- Pricing and bundling: the MDM market is designed for larger enterprises. Pricing reflects that, and features come bundled together in ways that can't be unbundled. For startups and scaleups that just need core MDM functionality (device inventory, encryption enforcement, remote wipe), paying enterprise prices for features you'll never use is hard to justify.
After studying the Apple and Microsoft MDM protocols in detail, we had a clear picture of what needed to be built. So we built it.
Security by design: A minimal attack surface
Some MDM products support remote script execution. Microsoft Intune offers it through the Intune Management Extension, and on Apple platforms vendors build it on top of the protocol's ability to push signed installer packages (`InstallEnterpriseApplication`), which install a persistent agent that then runs scripts.
So why doesn't Bastion include it? Because for most small and mid-sized companies, it creates more risk than it solves.
Script execution turns your MDM server into the highest-value target in the company. If the server is compromised, an administrator's credentials are phished, or an insider goes rogue, the attacker can execute arbitrary code on every enrolled device, instantly and as root.
Large enterprises with dedicated IT security teams and 24/7 monitoring can manage this risk. But for a 50-person startup? The attack surface is simply too large for the benefit.
At Bastion, we made a deliberate architectural decision: we will never build script execution into our MDM. Not exposing the feature removes it from the paths an attacker is most likely to take: a phished console login, an abused API token, an insider at the keyboard. It does not change what the protocol itself allows, so an attacker with full control of the server and its push credentials could still craft any command the operating system accepts; the server's own hardening, access control, and audit trail still matter. What a compromise of the features we do expose buys an attacker is lock, wipe, and profile installation. Lock and wipe are disruptive but recoverable. Profiles deserve the same scrutiny as a wipe, because a profile can carry certificates and network settings. What a compromise does not buy is a ready-made deployment mechanism for malware.
With great power comes great responsibility, and sometimes the most responsible choice is to not take that power in the first place.
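The two ideas above, a command set fixed by the OS vendor and a server that deliberately exposes only part of it, fit in a few dozen lines. The block below is an added example, not Bastion's code. What is Apple's protocol: a command is an XML property list with a CommandUUID and a Command dict whose RequestType names the operation, and the device answers with a plist carrying the same CommandUUID and a Status (Acknowledged, Error, NotNow, CommandFormatError), with an ErrorChain on failure. What is this example's own: the allowlist, the two-approver rule for destructive commands, the helper names, and the sample replies.

```python
"""Minimal Apple MDM command builder with an explicit request-type allowlist (added example)."""
import plistlib
import uuid

# The only request types this server will ever emit. Anything else, notably
# InstallApplication and InstallEnterpriseApplication (a pushed package's install
# scripts run as root), is refused before it reaches the command queue.
ALLOWED_REQUEST_TYPES = frozenset({
    "DeviceInformation", "SecurityInfo", "ProfileList",
    "InstallProfile", "RemoveProfile", "DeviceLock", "EraseDevice",
})

# Irreversible or user-locking commands need two distinct approvers (example policy).
DESTRUCTIVE = frozenset({"DeviceLock", "EraseDevice"})


class PolicyViolation(Exception):
    """Raised when a requested command falls outside this server's policy."""


def build_command(request_type, approvers=(), **params):
    """Return the command as a dict, or raise PolicyViolation.

    macOS requires a six-digit PIN for DeviceLock and EraseDevice; the caller
    passes it as PIN="..." so it never lives in the code as a constant.
    """
    if request_type not in ALLOWED_REQUEST_TYPES:
        raise PolicyViolation(f"{request_type} is not an allowed request type")
    if request_type in DESTRUCTIVE and len(set(approvers)) < 2:
        raise PolicyViolation(f"{request_type} needs two distinct approvers")
    return {"CommandUUID": str(uuid.uuid4()),
            "Command": {"RequestType": request_type, **params}}


def serialize(command):
    """Serialize to the XML plist the device expects."""
    return plistlib.dumps(command)


def parse_response(raw):
    """Parse a device reply; Status, CommandUUID and UDID are mandatory."""
    reply = plistlib.loads(raw)
    missing = [k for k in ("Status", "CommandUUID", "UDID") if k not in reply]
    if missing:
        raise ValueError(f"malformed MDM response, missing {missing}")
    return reply


def outcome(raw):
    """Summarize a reply as (status, first error description or None)."""
    reply = parse_response(raw)
    if reply["Status"] == "Error":
        chain = reply.get("ErrorChain", [])
        msg = chain[0].get("LocalizedDescription", "unknown error") if chain else "unknown error"
        return "Error", msg
    return reply["Status"], None


# Constructed sample replies (not captured from a real device).
SAMPLE_ACK = plistlib.dumps({
    "CommandUUID": "0d9e1c4e-1111-4d2d-8a6f-aaaaaaaaaaaa",
    "Status": "Acknowledged",
    "UDID": "00008103-000000000000001E",
})
SAMPLE_ERROR = plistlib.dumps({
    "CommandUUID": "0d9e1c4e-2222-4d2d-8a6f-bbbbbbbbbbbb",
    "Status": "Error",
    "UDID": "00008103-000000000000001E",
    "ErrorChain": [{"ErrorCode": 4001, "ErrorDomain": "MCInstallationErrorDomain",
                    "LocalizedDescription": "Profile installation failed."}],
})

if __name__ == "__main__":
    lock = build_command("DeviceLock", approvers=("alice", "bob"), PIN="483920")
    print(serialize(lock).decode())
    print(outcome(SAMPLE_ACK), outcome(SAMPLE_ERROR))
```

The allowlist is enforced where commands are built, not where they are sent, which is exactly the limitation discussed above: it stops the console, the API and a careless operator from ever producing an install command, but it is still code running on the server, so the server's access controls have to hold for the policy to mean anything.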
Beyond MDM: Endpoint Security for Modern Teams
We now support both Apple and Microsoft MDM protocols, and we've already helped customers in real-world scenarios: remotely wiping stolen devices, enforcing disk encryption across their device fleet, and hardening security settings like Gatekeeper on macOS.
But for us, MDM is just the foundation. We've already expanded beyond endpoint security to web browsing security. MDM gives us a native way to configure how devices connect to the internet, which we use to block malicious websites, phishing pages, and known attacker infrastructure before a connection is ever made. No browser extension required, no separate software to install.
We're now building additional security features on top of MDM, going beyond traditional device management to catch risks that often slip through the cracks. Here's what we're working on next:
- Credential hygiene: We want to help you ensure your devices aren't storing unencrypted credentials in places they shouldn't be. Supply chain attacks like the one that hit Nx in August 2025 (see our write-up on the Nx supply chain attack) specifically targeted developer machines, exfiltrating secrets from local configuration files. With our MDM, we can flag these risks before an attacker exploits them.
- MCP configuration auditing: As AI tooling becomes more common in development workflows, MCP (Model Context Protocol) configurations are popping up on more machines, often containing API tokens and credentials. We're building checks to ensure these configurations don't accidentally leak sensitive data.
And this is just the beginning. Our vision is to use MDM as the foundation for comprehensive endpoint protection. Today it's device inventory, encryption, and web browsing security. Tomorrow it's credential hygiene and configuration auditing. Eventually, it's a complete security layer that protects your employees and their devices wherever they work.
For us, this isn't a side project. It's a natural extension of our mission. Device security is foundational, and having it integrated directly into Bastion means our customers get a more complete picture of their security posture, with fewer tools to manage and fewer vendors to juggle.
What's next
We're continuing to expand MDM capabilities and deepen the integration with the rest of the Bastion platform.
If you're not yet using Bastion, we'd love to show you what we've built. Book a demo and see how MDM fits into your security and compliance workflow.