Apple Business Manager and MDM: what changes in 2026

Declarative management, Managed Apple Accounts, Platform SSO, Apple Intelligence in business: the state of the art of Apple MDM and ABM for Mac fleets in 2026.

Managing an Apple fleet in 2026 has nothing to do with “push a config profile and hope.” The Apple management stack — Apple Business Manager (ABM) on the provisioning side, MDM on the enforcement side — has matured deeply over the past two years. For a Paris SME running largely on Mac, iPhone and iPad, understanding what changed shapes the quality of deployment, security and employee experience. Here’s what we put in place at our clients.

Apple Business Manager: the provisioning foundation

ABM is Apple’s free portal where a company declares its devices, software purchases and accounts. Three structural functions:

  • Automated Device Enrollment (ADE): any Mac, iPhone or iPad bought through an authorised Apple reseller or Apple directly enrols automatically into your MDM on first boot. Zero user steps, guaranteed supervision, impossible to bypass.
  • Apps & Books: volume licence purchase and distribution, reassignable from one device to another.
  • Managed Apple Accounts (formerly Managed Apple IDs, renamed in 2024): company-controlled Apple identities, now federatable with Microsoft Entra ID and Google Workspace.

The critical point: a Mac bought at a consumer retailer does not enter ADE. To get automatic enrolment, the purchase must go through an eligible channel. It’s one of the first things an IT services provider checks during a fleet audit.

The shift to declarative management (DDM)

The deepest change is invisible to the user: Apple has made Declarative Device Management the standard, progressively replacing the old MDM command model. Instead of the MDM server sending orders and constantly polling the device (“are you compliant?”), the device carries declarations and proactively reports its state when it changes. The benefits: faster compliance, less network latency, reliably driven OS updates (you target a version and a deadline, the device handles it). In 2026, every serious MDM vendor (Jamf, Kandji, Mosyle, Microsoft Intune) supports DDM — and we favour configurations that exploit it fully.

Platform SSO: identity at the heart of the Mac

Platform SSO ties macOS login to your identity provider (Entra ID, Okta, Google). The user signs in to their Mac with corporate credentials, password sync is handled, and access to cloud apps inherits that session. Matured in 2024-2025, it’s now a default we deploy: it removes double entry, strengthens security (passwords aligned with company policy, passkey support) and simplifies onboarding.

Apple Intelligence: to govern, not endure

With Apple Intelligence arriving on recent Macs and iPhones, an SME must explicitly decide what it allows. MDM exposes dedicated controls: enabling or blocking text and image generation, third-party integration, notification summaries. For a firm handling sensitive data (legal, health, finance), defining this policy is not optional. An up-to-date IT services provider helps you weigh productivity against confidentiality rather than turning everything on or off.

OS updates: the end of “later”

Apple’s annual releases (macOS, iOS) now ship with a far finer MDM-driven deployment model: you can defer a major update for several weeks to validate app compatibility, then enforce a target version with a deadline. No more fleets running three versions behind, and no more rogue updates breaking a business app. It’s a balance we calibrate per client.
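The target-version-plus-deadline model described here and in the declarative management section, as an added example (not the author's or any MDM vendor's code): it builds a software update enforcement declaration and lists the devices still below the target once the deadline has passed. The `com.example` identifier, the UUIDv5-derived `ServerToken` scheme, the helper names and the inventory are assumptions constructed for illustration.

```python
import json
import uuid
from datetime import datetime

# Declaration type from Apple's declarative device management schema.
ENFORCE_TYPE = "com.apple.configuration.softwareupdate.enforcement.specific"

def parse_version(v):
    """'15.4' -> (15, 4, 0) so versions compare numerically, not as strings."""
    parts = [int(p) for p in v.split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"bad OS version: {v!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def build_enforcement(target_version, deadline_local, identifier=None):
    """Build the declaration a DDM-capable MDM would serve to the device."""
    parse_version(target_version)                      # reject malformed input
    deadline = datetime.fromisoformat(deadline_local)  # raises if malformed
    if deadline.tzinfo is not None:
        raise ValueError("deadline is device-local time: no UTC offset")
    payload = {"TargetOSVersion": target_version,
               "TargetLocalDateTime": deadline.strftime("%Y-%m-%dT%H:%M:%S")}
    body = json.dumps(payload, sort_keys=True)
    return {
        "Type": ENFORCE_TYPE,
        "Identifier": identifier or f"com.example.swupdate.{target_version}",
        # Assumed scheme: derive the token from the payload so it changes with it.
        "ServerToken": str(uuid.uuid5(uuid.NAMESPACE_URL, body)),
        "Payload": payload,
    }

def overdue(devices, decl, now_local):
    """Return serials still below the target once the deadline has passed."""
    target = parse_version(decl["Payload"]["TargetOSVersion"])
    deadline = datetime.fromisoformat(decl["Payload"]["TargetLocalDateTime"])
    if datetime.fromisoformat(now_local) < deadline:
        return []
    return sorted(d["serial"] for d in devices
                  if parse_version(d["os_version"]) < target)

# Constructed inventory, as an MDM export might look (not real devices).
FLEET = [
    {"serial": "C02EXAMPLE01", "os_version": "15.4"},
    {"serial": "C02EXAMPLE02", "os_version": "15.10"},
    {"serial": "C02EXAMPLE03", "os_version": "14.7.1"},
]

DECL = build_enforcement("15.5", "2026-03-16T18:00:00")
print(json.dumps(DECL, indent=2), overdue(FLEET, DECL, "2026-03-17T09:00:00"))
```

The constructed `15.10` entry is there to show why versions are compared as integer tuples: a plain string comparison would rank it below `15.5` and flag a compliant device.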

Security and offboarding

Two functions that are too often neglected:

  • MDM-driven FileVault: full-disk encryption, with recovery-key escrow on the company side. Essential for a mobile fleet.
  • Remote wipe and return to service: a lost or stolen device is locked and wiped remotely; a device leaving an employee is cleanly reset and reassigned in minutes via ADE.

What we recommend in 2026

For an SME Apple fleet, the target configuration we deploy is: ABM linked to MDM, with ADE on all devices and purchasing routed through eligible channels; an MDM that exploits declarative management (Kandji or Jamf depending on context; Intune if the environment is very Microsoft-centric); Platform SSO federated to the identity provider; FileVault, a controlled update policy, macOS EDR, and an explicit Apple Intelligence policy.

Done right, this stack is invisible day to day and unbeatable on the day of an incident. If your Mac fleet grew faster than its management, that’s exactly the kind of upgrade we run — let’s talk through the contact form.

Updated on June 2, 2026