Think Renewable's laptop fleet is currently set up and managed by individual users. There is no central record of devices, no enforced standards, and no way for the business to recover a device when a user leaves. A recent offboarding has surfaced this gap directly: an ex-employee's MacBook may be tied to their personal Apple ID, which would leave the company with no guaranteed path to recovery. We do not yet know whether other devices across the fleet carry the same risk. The Computer, Technology & Internet Use Policy sets the rules; this initiative puts the system in place to enforce them.
Supporting detail
Appendix A What is a device management system?
A device management system (known in the industry as MDM, short for Mobile Device Management) is software that gives IT a single place to manage every company-owned computer and phone. It provides a central record of what the company owns, an automated setup system for new devices, and an enforcement layer for the rules in our Computer Use Policy.
With a device management system in place, IT can:
- See every device the company owns, who has it, and what's on it.
- Set up a new starter's laptop automatically — it arrives, the user turns it on, and it's ready, with all the right software, security settings and access already configured.
- Enforce the rules in the policy — passwords, encryption, auto-lock, blocked content — without relying on individual staff to remember them.
- Recover a device when someone leaves, when a laptop is lost or stolen, or when it's been compromised — without needing the user's personal passwords or physical access.
Without this system, all of the above has to be done manually on each device by an IT person physically or remotely logging in with the user's cooperation. That is workable for one or two devices. At 25+ devices across two operating systems, it is not.
Appendix B The three tools & feature comparison
Microsoft Intune
Microsoft's own device management tool. It manages Windows laptops at full depth and is part of the Microsoft 365 Business Premium subscription we already pay for.
Key point: we are already licensed for this. Using it does not add a new cost — it activates something we are already paying for.
SSO: included via Entra ID
Jamf
The specialist tool for managing Macs, iPhones and iPads. Apple devices need a dedicated tool because Microsoft's tool cannot manage them as deeply as the business needs.
Jamf has two tiers: Jamf Now (simpler, no SSO) and Jamf for Mac (full-featured). Jamf for Mac bundles Jamf Connect — software that replaces the Mac login screen with a cloud identity login, so staff sign into their Mac using their Think Renewable Microsoft account. No separate local Mac password. When a staff member's account is disabled in Microsoft Entra ID, their Mac access is revoked at the same time.
SSO via Jamf Connect: Jamf for Mac only — not included in Jamf Now
Apple Business Manager
A free Apple service that registers company-owned Apple devices to Think Renewable at the serial number level. When a registered device is turned on for the first time, it automatically connects to our management system.
Key point: this is what specifically prevents the situation we are dealing with now. A device registered this way cannot be locked to a personal Apple ID.
SSO: not an identity tool; works alongside Entra ID
Why a combination of products is required
A common question is whether a single product could replace all three — specifically, whether Jamf alone could manage both Macs and Windows devices. The short answer is no, not at this scale and cost. Here is why the combination is optimal:
Jamf Pro (Jamf's enterprise tier, separate from Jamf Now and Jamf for Mac) does include Windows device management, but it is priced significantly above the tiers recommended here and would mean paying for Windows management we already have included in M365. Intune is the right tool for Windows because it is already licensed, has native integration with Microsoft's identity and security stack, and manages Windows at full depth. Jamf exists because Apple does not expose the same management APIs to Microsoft's tools — deep Mac management requires a Mac-native specialist.
Apple Business Manager is not optional. It is the enrollment backbone for all Apple devices — without it, Jamf cannot perform zero-touch setup and devices can still be locked to personal Apple IDs. It is free and must be in place before Jamf can do its job.
| Capability | Intune | Jamf Now | Jamf for Mac | Apple Business Manager |
|---|---|---|---|---|
| Windows device management | Full | — | — | — |
| Mac device management | Basic | Full | Full | — |
| iPhone / iPad management | Basic | Full | Full | — |
| Remote lock & wipe | ✓ | ✓ | ✓ | — |
| Hardware & software inventory | ✓ | ✓ | ✓ | — |
| Compliance policies (encryption, OS, passwords) | ✓ | ✓ | ✓ | — |
| App deployment & removal | ✓ | Limited | ✓ | — |
| Device location tracking | ✓ | ✓ | ✓ | — |
| Web content filtering | ✓ | Limited | ✓ | — |
| SSO / Mac login via cloud identity | — | ✗ | ✓ Jamf Connect | — |
| Windows login via cloud identity (SSO) | ✓ Entra ID | — | — | — |
| Prevents personal Apple ID device lock | ✗ | ✗ | ✗ | ✓ Only ABM does this |
| Zero-touch automated device setup | ✓ Autopilot | ✓ | ✓ | Required backbone |
| Cost | Included in M365 | USD $4/device/mo | USD $13.65/device/mo (Business Plan; incl. Connect + Protect) | Free |
Competitive alternatives — how Jamf compares
Five platforms are frequently evaluated alongside Jamf for Apple device management. Pricing reflects published list rates as of mid-2025 — contact vendors for volume quotes. All prices in USD per device per month.
| Capability | Jamf Business Plan (Recommended) | Kandji | Mosyle Business | Addigy | NinjaOne | Hexnode UEM |
|---|---|---|---|---|---|---|
| Platform focus | Apple only (Mac + iOS + iPadOS) | Apple only (Mac + iOS + iPadOS) | Apple only (Mac + iOS + iPadOS) | Apple-first (Mac-focused MDM) | Cross-platform (Win + Mac + Linux) | Cross-platform (Win + Mac + iOS + Android) |
| Mac management depth | Full (market leader, 20+ years) | Full (modern UI, strong automation) | Full (solid, budget-focused) | Full (good real-time monitoring) | Partial (RMM-focused, not Mac-native) | Partial (UEM generalist, less Mac depth) |
| Windows management | ✗ Not at this tier (not needed — Intune included in M365) | ✗ | ✗ | ✗ | ✓ Duplicates Intune for Think Renewable | ✓ Duplicates Intune for Think Renewable |
| iOS / iPad management | ✓ Full | ✓ Full | ✓ Full | Limited | ✓ | ✓ |
| SSO / Mac login via Entra ID | ✓ Jamf Connect (best-in-class; Mac login uses M365 credentials; offboarding in Entra revokes Mac access instantly) | ✓ Built-in SAML/OIDC, good M365 support | ✓ Built-in IdP connector included | Via add-on (third-party integration required) | ✗ Not a Mac SSO tool | Basic SAML (limited Entra ID depth) |
| M365 Conditional Access | ✓ Deep (native compliance signals to Entra; non-compliant Macs blocked from M365 apps) | ✓ Good (supported, well-documented) | Partial | Basic | Basic | Basic |
| Zero-touch setup (ADE/ABM) | ✓ | ✓ | ✓ | ✓ | Partial | ✓ |
| Remote lock & wipe | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Compliance library | ✓ Extensive (300+ CIS benchmarks built-in) | ✓ Strong (Blueprints automation) | ✓ Good | ✓ Good | Partial (alert-focused, not MDM compliance) | ✓ Good |
| Endpoint security (built-in) | ✓ Jamf Protect (included in Business Plan at no extra cost) | Separate add-on | Separate add-on | ✓ At $14 tier | ✓ Included | Separate add-on |
| Published price (USD / device / month) | $13.65 (MDM + SSO + endpoint security bundled) | from $3.20 (macOS MDM only; SSO & security extra) | from $1.00 (Premium tier; free up to 30 devices) | from $6.25 (full MDM; $200/mo minimum) | ~$3.75 (estimate; quote required) | from $2.20 (MDM Essentials tier) |
| AUD equiv. at 1.55 (per device / month) | ~$21.16 | from ~$4.96 | from ~$1.55 | from ~$9.69 | ~$5.81 | from ~$3.41 |
| Minimum commitment | 25 devices | No minimum | No minimum | $200/month (~32 devices at MDM rate) | Quote required | No minimum |
| Best suited for | M365-integrated Apple fleets needing enterprise security & SSO | Apple-first teams wanting modern UI & simple automation | Budget-conscious Apple orgs; education | MSP-managed environments; real-time monitoring focus | MSPs managing large mixed Win/Mac fleets | Mixed-device orgs needing one cross-platform tool |
Why Jamf is recommended for Think Renewable
- Intune already covers Windows at no extra cost. NinjaOne and Hexnode's primary selling point is cross-platform management — a value that is already built into Think Renewable's M365 subscription. Selecting either platform would mean paying twice for Windows management.
- Jamf Connect is the best Mac + Entra ID integration available. When a staff member is offboarded in Entra ID, Jamf Connect revokes their Mac login at the same time — no manual step, no gap. This directly addresses the risk the recent offboarding exposed. No other platform at this price point does this as tightly.
- The Business Plan bundles everything at one price. At USD $13.65/device/month, the Jamf Business Plan includes MDM (Jamf Pro) + SSO (Jamf Connect) + endpoint security (Jamf Protect). Building an equivalent Kandji stack with SSO and security add-ons would cost more in total.
- Kandji is the closest credible alternative. Modern UI, strong automation via Blueprints, no 25-device minimum, and good M365 support. If setup simplicity is the priority, Kandji is worth a direct quote. The tradeoffs: its Entra ID Conditional Access integration is less mature than Jamf's, and SSO is not bundled at the base price.
- Mosyle is the lowest-cost option but is primarily positioned for education environments. Enterprise SSO and M365 depth are limited at the base $1.00 tier.
- The 25-device minimum is Jamf's only meaningful drawback. If Think Renewable has fewer than 25 Macs, the minimum means paying for unused licences. Use the cost calculator in Appendix G to compare all platforms for your actual device count.
Appendix C Monitoring, tracking and visibility
A question that comes up consistently when introducing device management is: what exactly can IT see? The answer depends on whether the device is company-owned or personal (BYOD), and which tier of tooling is in place. The short version: IT can see everything about the device hardware and software state; IT cannot read personal content, keystrokes, or activity in personal apps or browsers.
What IT can see on enrolled company devices
- Device inventory — every enrolled device appears in a dashboard with serial number, model, OS version, storage capacity, battery health, and last-seen time.
- Compliance status — real-time view of whether each device meets policy: disk encryption on or off, screen lock enabled, OS version up to date, unapproved applications present.
- Software inventory — full list of applications installed on each device.
- Location — approximate location via network/IP for Macs and Windows laptops. For enrolled iPhones and iPads, precise GPS location can be enabled. This is particularly useful for a lost or stolen device — you can see its last known location before locking or wiping it.
- Remote actions — lock a device, display a message on the lock screen (e.g. a contact number if found), wipe it, restart it, or push a software update — all without physical access or the user's cooperation.
- Web content filtering — block categories of websites (adult content, gambling, social media) at the device level, enforcing the Computer Use Policy automatically.
What IT cannot see — privacy boundaries
- Individual keystrokes or typed content.
- Personal emails, messages, or browsing history in personal browsers or profiles.
- Camera or microphone content at any time.
- On personal (BYOD) devices enrolled with a work profile: the MDM manages the work container only. Personal apps, personal data, and personal browsing are completely invisible to IT and cannot be wiped remotely.
These boundaries are enforced by Apple and Microsoft at the platform level — they are not a policy decision or a trust statement. The MDM tool technically cannot access personal content even if someone wanted it to.
Appendix D Single Sign-On (SSO)
Single Sign-On means one work account logs a user into every approved work application, rather than a separate password for each. It reduces password fatigue, improves security (one strong account instead of many weak ones), and makes onboarding and offboarding significantly easier — one account enabled or disabled affects every system at once.
Think Renewable already has an SSO platform in place: Microsoft Entra ID, included in the Microsoft 365 Business Premium subscription. Most modern business applications integrate with Entra ID directly, through a "Sign in with Microsoft" option on their login screens.
On Windows devices, Entra ID SSO is native — users sign into their laptop with their Microsoft work account, and that account carries them into Teams, SharePoint, Outlook, and any Entra-connected SaaS application automatically. No additional software required.
On Macs, SSO requires an extra piece of software because macOS does not natively authenticate against cloud identity providers. Jamf Connect (bundled with Jamf for Mac) fills this gap: it replaces the Mac login screen with a cloud identity login, so staff use their Think Renewable Microsoft account to unlock their Mac. When a staff member's Entra ID account is disabled — on their last day, for example — their Mac access is revoked automatically. This closes the offboarding gap that the current situation has highlighted.
A dedicated standalone SSO platform (OneLogin, Okta, JumpCloud) is optional and typically only needed if the application portfolio includes tools that don't connect to Entra ID, or the organisation wants finer-grained conditional access policies. For reference, OneLogin's published pricing is USD $2 per user per month for SSO-only (25-user minimum) and USD $4 per user per month for the Advanced tier with MFA.
Appendix E The risks today
What we cannot currently do
- If a company laptop is lost or stolen, we cannot lock it, wipe it, or confirm what was on it.
- If a staff member leaves with a device tied to their personal Apple ID or Microsoft account, we can be locked out of our own hardware. A recent offboarding has surfaced this risk: an ex-employee's MacBook may be in exactly this state. We do not yet have visibility into whether other devices on the fleet carry the same exposure.
- Our Computer Use Policy asks staff to "lock devices when unattended", "use strong passwords", and "immediately report any suspected data breach" — but we currently have no way to verify any of this is happening across the fleet.
- We have no visibility into what software is installed on company devices, whether operating systems are patched, or whether disks are encrypted.
- Every new starter's laptop is set up manually, from scratch. This takes IT time, produces inconsistent results, and does not scale as we grow.
Appendix F How this connects to the Computer Use Policy
The policy commits Think Renewable to certain behaviours and expectations. A device management system is how we actually enforce and evidence those commitments:
| Policy section | What device management adds |
|---|---|
| §5 — Unacceptable Use | Technical controls to block unauthorised software installs and restrict access to non-work systems on company devices. |
| §5.1 — Prohibited Content | Content filtering at the device level, so the policy's restrictions on inappropriate content are enforced, not just stated. |
| §7 — Data Security | Passwords, disk encryption and auto-lock enforced automatically, so the policy's security requirements do not depend on individual staff discipline. |
| §8 — Personal Devices (BYOD) | Protect company data on personal devices without touching personal data — the policy's "company data must be protected" requirement becomes technically achievable. |
| §9 — Monitoring and Access | The policy already reserves the right for Think Renewable to monitor company systems; a device management system is the technical capability that makes this possible. |
| §10 — Breaches | Remote lock and wipe, so "restricted system access" can be enforced instantly, including for staff who have already left. |
Without this system, the policy is a document of good intentions. With it, the policy becomes something we can stand behind if an incident, audit or legal dispute ever requires us to demonstrate how we protect company data.
Appendix G Cost calculator
The default values below reflect the expected scale at Think Renewable. Adjust the inputs to explore alternative scenarios. New spend is what this initiative adds on top of the Microsoft 365 subscription already in place.
Device management cost calculator
All figures in AUD. USD-priced items converted at indicative 1 USD = 1.55 AUD — confirm actual rate at quote stage.
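The interactive calculator does not survive on this page, so the following is an added worked version of the same comparison (not the page's own calculator): it applies the list prices, device minimums and the indicative 1 USD = 1.55 AUD rate from the comparison table to an actual Mac count. How each vendor bills once a fleet passes a free tier or falls under a minimum is an assumption noted in the code; confirm against vendor quotes.

```python
"""Annual-cost comparison for the Apple MDM platforms in Appendix B.

Added worked example. Prices, minimums and the 1.55 AUD rate are the
figures quoted on the page; billing behaviour around minimums and free
tiers is an assumption, flagged inline. Intune is excluded because it is
already paid for under M365 and adds nothing to new spend.
"""
from dataclasses import dataclass

AUD_PER_USD = 1.55  # indicative rate from Appendix G; confirm at quote stage


@dataclass(frozen=True)
class Platform:
    name: str
    usd_per_device_month: float
    min_devices: int = 0           # billed for at least this many devices
    min_usd_per_month: float = 0.0  # floor on the monthly bill
    free_up_to: int = 0            # fleets at or below this size cost nothing
    quote_required: bool = False   # list price is an estimate only


PLATFORMS = (
    Platform("Jamf Business Plan", 13.65, min_devices=25),
    Platform("Kandji", 3.20),
    Platform("Mosyle Business", 1.00, free_up_to=30),
    Platform("Addigy", 6.25, min_usd_per_month=200.0),
    Platform("NinjaOne", 3.75, quote_required=True),
    Platform("Hexnode UEM", 2.20),
)


def monthly_usd(p: Platform, devices: int) -> float:
    """Monthly bill in USD for a fleet of `devices` Macs on platform `p`."""
    if devices <= 0 or devices <= p.free_up_to:
        return 0.0
    # Assumption: past the free tier every device is billed, and a device
    # minimum is charged in full even when the fleet is smaller than it.
    billed = max(devices, p.min_devices)
    return max(billed * p.usd_per_device_month, p.min_usd_per_month)


def annual_aud(p: Platform, devices: int) -> float:
    """Yearly new spend in AUD, rounded to cents."""
    return round(monthly_usd(p, devices) * AUD_PER_USD * 12, 2)


def unused_licences(p: Platform, devices: int) -> int:
    """Licences paid for but unassigned because of a device minimum."""
    return max(0, p.min_devices - devices) if devices > 0 else 0


def compare(devices: int) -> list:
    """All platforms for one fleet size, cheapest first:
    (name, annual AUD, unused licences, quote required)."""
    rows = [(p.name, annual_aud(p, devices), unused_licences(p, devices),
             p.quote_required) for p in PLATFORMS]
    return sorted(rows, key=lambda r: r[1])


if __name__ == "__main__":
    # 12 Macs: below Jamf's 25-device minimum and inside Mosyle's free tier,
    # so the minimum-commitment drawback from Appendix B shows up directly.
    for name, aud, unused, est in compare(12):
        note = "  (estimate; quote required)" if est else ""
        print(f"{name:<20} AUD {aud:>9,.2f}/yr  unused licences: {unused}{note}")
```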
For perspective — costs this system helps prevent
A device management system does not eliminate these risks, but it materially reduces their likelihood — through enforced encryption, remote wipe, standardised patching, and controlled offboarding — and reduces the response cost when an incident does occur. One avoided incident of any size would cover years of the program.
Appendix H Correcting the current situation — rollout plan
Every company-owned device currently set up under an individual's personal account needs to be re-provisioned under Think Renewable's central management. This is done one device at a time, with each user's cooperation, without disrupting daily work. Two decisions are needed before the work can begin:
- Confirm the exact count of company-owned Macs and Windows devices — this determines which Jamf tier applies.
- Approve the Jamf licensing line item — Intune and Apple Business Manager do not require additional spend; Jamf is the only new cost.
- Set up the central systems (one-off, IT-only)
  - Create the Apple Business Manager account (free; requires an ABN and a D-U-N-S number, which is also free).
  - Activate Microsoft Intune in the existing Microsoft 365 tenancy.
  - Purchase and configure the chosen Jamf tier.
  - Link all three together so Mac and Windows compliance reports into one place.
- Build a device inventory (one-off)
  - Record serial number, current holder, operating system, and purchase source for every company-owned device.
  - Gather the original Apple purchase invoice for every Mac — a safety net for any future Activation Lock situation.
- Migrate each existing Mac (per device, with the user)
  - User backs up any personal files off the device. Company data stays on the device.
  - User signs out of their personal Apple ID and disables Find My Mac. This step is critical — missing it will cause the device to become Activation Locked after the wipe.
  - IT wipes the device.
  - IT registers the device in Apple Business Manager using Apple Configurator. This takes around five minutes and requires a brief USB-C connection to a host Mac.
  - On next startup, the device automatically enrols into the Mac MDM.
  - User signs in with their Think Renewable Microsoft account; applications and settings are pushed automatically. The device is back in the user's hands the same day.
- Migrate each existing Windows laptop (per device, with the user)
  - User signs into the device using their Think Renewable Microsoft account.
  - The device joins Entra ID and Intune enrolment happens automatically in the background.
  - Baseline settings (password policy, encryption, auto-lock, approved applications) are applied.
- Lock in the new standards going forward
  - All new device purchases go through Apple Business Manager or Windows Autopilot. No more individual setup.
  - Offboarding is tied to Employment Hero: when a staff member is marked as leaving, their device is automatically locked and queued for reset, closing the loop that the recent MacBook incident opened.
  - Onboarding is the mirror image: a new starter in Employment Hero triggers account creation and a pre-configured device shipped to them, ready on day one.
Appendix I Data breach risk — Zoho CRM, Xero and company data
Think Renewable's most sensitive operational data lives in Zoho CRM (customer records, quotes, sales pipeline, contact details) and Xero (financial records, payroll, invoicing). Both are cloud platforms accessed primarily through company laptops. A compromised or unmanaged device is a direct pathway into both.
How an unmanaged device creates a breach pathway
- Stolen credentials via malware. Without enforced disk encryption and patching, a lost or stolen laptop running outdated software can be exploited to extract saved browser credentials — giving an attacker direct login access to Zoho and Xero from a valid company account.
- Unwiped offboarded devices. A former staff member who retains access to a company laptop also retains access to any saved logins, browser sessions, or locally-cached data from Zoho CRM and Xero. Without remote wipe capability, there is no way to terminate that access after they leave.
- Shared or weak passwords. Without SSO enforcement, staff set their own Zoho and Xero passwords. These are frequently reused across personal services. A breach of any personal account can expose the work credentials.
- No audit trail of access. Without device management, there is no way to confirm whether a device that accessed Zoho CRM was company-owned, secured, or authorised — making any incident investigation significantly harder.
How device management closes these gaps
- Disk encryption enforced. All enrolled devices have FileVault (Mac) or BitLocker (Windows) mandated. Data on a lost laptop is unreadable without the decryption key.
- OS patching enforced. Known vulnerabilities that malware exploits are closed within the organisation's update policy window. Unpatched devices are flagged immediately.
- SSO via Entra ID. Zoho CRM and Xero both support SAML-based SSO. With Entra ID connected, staff access both platforms through their one company account. Revoking that account — on an employee's last day — cuts Zoho and Xero access simultaneously, with no manual steps.
- Remote wipe on offboarding. When a device is wiped, any locally cached credentials, browser sessions, or downloaded exports from Zoho and Xero are destroyed. The data does not leave with the employee.
- Conditional access policies. With Intune and Entra ID in place, it is possible to require that Zoho and Xero logins can only come from enrolled, compliant company devices — blocking access from personal machines or unknown locations entirely.
The AUD $4.26M average cost of a data breach in Australia (IBM, 2024) is driven primarily by customer notification obligations, regulatory investigation, and reputational damage — all of which are directly triggered by the exposure of the kind of data held in Zoho CRM and Xero. This initiative is the foundational layer of preventing that exposure.