Endpoint Hardening: 10 MDM Policies Every Business Should Enable
Every laptop, phone, and tablet connected to your business network is a potential entry point for an attacker. Mobile Device Management (MDM) platforms give you centralized control over these endpoints, allowing you to enforce security policies consistently across every device in your organization. The challenge is knowing which policies to prioritize. Here are ten essential MDM policies that provide the highest security impact for the least operational friction. These are quick wins that dramatically improve your security posture.
1. Full Disk Encryption
Enforcing full disk encryption through FileVault on macOS and BitLocker on Windows ensures that if a device is lost or stolen, the data on it is unreadable without the proper credentials. Without encryption, anyone who physically possesses a lost laptop can access every file on it, including sensitive client data, credentials, and proprietary information. MDM allows you to enforce encryption automatically and escrow recovery keys centrally so you never lose access to your own devices.
2. Password Complexity Requirements
Weak passwords remain one of the most exploited vulnerabilities in any organization. Your MDM policy should enforce minimum password length (at least 12 characters), require a mix of character types, and prevent the use of common or previously compromised passwords. On mobile devices, enforce a minimum six-digit PIN or biometric authentication. These requirements apply at the device level, providing a baseline regardless of what individual applications require.
3. Auto-Lock Timeout
An unlocked, unattended device is an open invitation. Setting an auto-lock timeout of five minutes or less ensures that devices lock themselves when not actively in use. This is especially important in shared workspaces, coffee shops, and any environment where an employee might step away from their device. It is a simple policy that prevents a wide range of opportunistic access scenarios.
4. Remote Wipe Capability
When a device is lost or stolen, you need the ability to remotely erase all business data from it. MDM platforms provide both full wipe capabilities, which return the device to factory settings, and selective wipe capabilities, which remove only corporate data and applications while leaving personal content intact. This is particularly important for BYOD environments where employees use personal devices for work. Having remote wipe ready to deploy means you can respond to a lost device in minutes rather than hours.
5. Automatic OS Updates
Unpatched operating systems are a primary attack vector. Vulnerabilities are publicly disclosed on a regular cadence, and attackers begin exploiting them within days. Your MDM should enforce automatic OS updates with a short deferral window, ensuring that critical security patches are applied promptly across your entire fleet. You can configure policies that allow a brief testing period for stability while still enforcing a hard deadline for installation.
6. App Allowlisting and Blocklisting
Controlling which applications can be installed on managed devices reduces your attack surface significantly. Blocklisting prevents the installation of known-risky applications such as unauthorized remote access tools, torrent clients, or unvetted AI applications. Allowlisting takes a stricter approach by permitting only approved applications. The right approach depends on your organization's needs, but at minimum, maintaining a blocklist of prohibited software is essential.
7. USB Device Restrictions
USB devices are a classic vector for both malware delivery and data exfiltration. An employee plugging in an unknown USB drive can introduce malware that bypasses your network security entirely. Conversely, a malicious insider can copy sensitive data to a thumb drive in seconds. MDM policies can restrict USB storage devices entirely, allow only approved devices, or enforce read-only access. For most businesses, blocking unauthorized USB storage while allowing keyboards, mice, and other peripherals is the right balance.
8. Firewall Enforcement
Every endpoint should have its local firewall enabled and properly configured. MDM allows you to enforce firewall activation across all managed devices and push specific firewall rules that align with your security requirements. This is particularly important for laptops that connect to networks outside your office, such as home networks, hotel Wi-Fi, and public hotspots. The device-level firewall provides a critical layer of protection when the device is outside your network perimeter.
9. VPN Auto-Connect for Remote Workers
Remote and hybrid workers frequently access business resources over networks you do not control. Configuring MDM to automatically establish a VPN connection when the device detects it is outside the corporate network ensures that all traffic is encrypted and routed through your security stack. This protects against eavesdropping on public networks, enforces your web filtering and security policies regardless of location, and provides consistent security posture whether an employee is in the office or working from a coffee shop.
10. Device Health Attestation
Device health attestation verifies that a device meets your minimum security requirements before granting access to corporate resources. This can include checks for encryption status, OS version, antivirus presence, jailbreak or root detection, and whether the device has been recently scanned. If a device fails attestation, it can be automatically quarantined or restricted to limited network access until it is brought back into compliance. This policy ensures that your other nine policies are actually being enforced and functioning correctly.
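As an added example (not code from the original article or any MDM vendor), here is a small Python compliance evaluator that turns the thresholds above into an attestation decision: it checks a device's reported posture against the 12-character password rule, the six-digit mobile PIN rule, the five-minute auto-lock, the firewall requirement and the OS update deadline, and quarantines jailbroken devices outright. The posture field names, the 7-day deferral window and the sample fleet are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Thresholds from the article's policies; the 7-day deferral window is an assumed value.
POLICY = {"min_password_length": 12, "min_pin_length_mobile": 6, "max_autolock_seconds": 300, "os_deferral_days": 7}

@dataclass
class DevicePosture:
    """Posture report as an MDM agent might submit it (field names are assumed)."""
    device_id: str
    is_mobile: bool
    disk_encrypted: bool
    password_min_length: int   # minimum length the device's own passcode policy enforces
    autolock_seconds: int
    os_version: str
    jailbroken: bool
    firewall_enabled: bool

def version_tuple(version: str) -> tuple:
    """'14.2.1' -> (14, 2, 1) so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in version.split("."))

def evaluate(posture: DevicePosture, latest_os: str, released_iso: str, today_iso: str):
    """Return (decision, failed_checks); decision is 'allow', 'restrict' or 'quarantine'."""
    failures = []
    if not posture.disk_encrypted:
        failures.append("disk_encryption")
    required = POLICY["min_pin_length_mobile"] if posture.is_mobile else POLICY["min_password_length"]
    if posture.password_min_length < required:
        failures.append("password_length")
    if posture.autolock_seconds > POLICY["max_autolock_seconds"]:
        failures.append("autolock")
    if not posture.firewall_enabled:
        failures.append("firewall")
    # An older OS is tolerated only while the deferral window after the patch release is open.
    if version_tuple(posture.os_version) < version_tuple(latest_os):
        days_since_release = (date.fromisoformat(today_iso) - date.fromisoformat(released_iso)).days
        if days_since_release > POLICY["os_deferral_days"]:
            failures.append("os_update")
    # A jailbroken or rooted device cannot be trusted to report its own state: quarantine it.
    if posture.jailbroken:
        return "quarantine", ["jailbreak"] + failures
    return ("restrict", failures) if failures else ("allow", [])

# Constructed sample fleet, not real inventory data.
SAMPLE_FLEET = [
    DevicePosture("lap-001", False, True, 12, 300, "14.3", False, True),
    DevicePosture("lap-002", False, False, 8, 600, "14.2", False, True),
    DevicePosture("phone-003", True, True, 6, 120, "17.3", True, True),
]
```

Running `evaluate(dev, "14.3", "2024-01-01", "2024-01-20")` over `SAMPLE_FLEET` yields allow, restrict and quarantine respectively; the failed-check list is what you would feed back to the device owner or to a remediation workflow.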
Key Takeaways
- Full disk encryption, password complexity, and auto-lock are foundational MDM policies that prevent the most common device-level security failures.
- Remote wipe, USB restrictions, and device health attestation close critical gaps in data protection for lost, stolen, or compromised devices.
- Most modern MDM platforms can deploy all ten policies within days — making this one of the highest-impact security investments available.
Getting Started
Implementing these ten policies does not require a massive project or significant downtime. Most modern MDM platforms can deploy all of these configurations within a matter of days. The key is starting with a clear plan, communicating changes to your team, and rolling out policies in a staged manner. At Wallace and White, we help businesses select, deploy, and manage MDM solutions that protect every endpoint without disrupting productivity. If your devices are not centrally managed today, this is one of the highest-impact security investments you can make.