Modernizing a corporate Mac fleet with Kandji and Apple Business Manager
Field report: moving from manual Mac management to a fully MDM-driven fleet. Zero-touch onboarding, hardened security, measurable time savings.
Most Paris-based SMBs we onboard still run their Macs the old way: bought from the Apple Store on demand, set up by hand at unboxing, shared admin passwords, OS updates left to each user’s discretion. That model holds up to 15 or 20 endpoints. Past that, it becomes an operational risk and a security risk. Here is how we modernized a 50-Mac fleet for a creative agency client in three weeks, with no service interruption.
The context
Our client is a 50-person Paris creative agency, fully Mac-based. The agency grew fast and the IT estate followed in fits and starts: ad-hoc Mac purchases, personal local accounts, no systematic disk encryption, backups left to each user. New hires meant two days of improvised IT work. Departures meant real data-leak risk.
The brief: industrialize without losing the creative agility that defines the agency. Users had to keep local admin rights (business need), but the security baseline and machine delivery had to become invisible and automatic.
The target architecture
Three building blocks:
- Apple Business Manager (ABM) — the Apple portal that ties every new Mac’s serial number to the organization, enabling automatic enrolment at first boot.
- Kandji as MDM — drives configuration, security policies, deployed apps, FileVault encryption, macOS updates.
- Microsoft Entra ID as identity provider, with SSO SAML to Kandji and federation to business apps (Adobe Creative Cloud, Figma, Notion, Slack).
The core idea: a Mac comes out of its box, connects to the internet, contacts ABM, gets redirected to Kandji, which applies the full profile and opens an Entra ID session for the user. No physical IT intervention required.
The rollout, week by week
Week 1 — audit and prep. Inventory of the 50 existing Macs, sorted by hardware generation and macOS version. Kandji tenant created, ABM linkage configured (Apple takes 24-48h to validate the organization’s identity). SSO between Kandji and Entra ID enabled. Kandji “blueprints” built: one for designers (Adobe, Figma plugins, fonts), one for business teams (Microsoft 365, Notion, accounting access).
Week 2 — pilot. Five volunteer machines enrolled. Blueprints adjusted based on feedback. Zero-touch onboarding tested on a fresh Mac shipped from our reseller, linked to ABM. The endpoint is ready in 18 minutes at first boot.
Week 3 — cut-over. Progressive enrolment of the remaining 45 endpoints in groups of 10, with a 30-minute window per machine while the user remains reachable. Local accounts migrated to Entra ID, FileVault enabled in the background, non-compliant apps replaced.
What changes for the user
From the user’s standpoint, almost nothing. They sign in with their corporate identity (the same one they use for Microsoft 365), recover their environment, retain admin rights on apps they install themselves. From IT’s standpoint, everything changes: real-time visibility on 100% of the fleet, 100% encryption compliance, macOS updates applied within 14 days of Apple’s release, new-hire onboarding from two days down to 30 minutes.
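As an added example (not the agency's or Macinwork's own tooling), here is a small POSIX shell check that classifies one Mac against the baseline just described, using the text output of three standard macOS commands: `fdesetup status`, `profiles status -type enrollment` and `sw_vers -productVersion`. The expected macOS version is assumed to be supplied by the operator, and the sample captures are constructed so the check runs offline.

```shell
#!/bin/sh
# Added example, not the project's own code: check one Mac against the
# baseline (FileVault on, ABM/DEP enrolment, user-approved MDM, current OS).
# Arguments are raw command outputs so the logic can be exercised on captured
# text; on a real Mac call it as:
#   mac_baseline "$(fdesetup status)" "$(profiles status -type enrollment)" \
#                "$(sw_vers -productVersion)" "<version IT expects>"
# Prints one line per gap; the return code is the number of gaps (0 = compliant).
mac_baseline() {
    fv_out="$1"       # output of: fdesetup status
    enroll_out="$2"   # output of: profiles status -type enrollment
    os_ver="$3"       # output of: sw_vers -productVersion
    target_ver="$4"   # assumption: operator supplies the version currently expected
    gaps=0
    case "$fv_out" in
        *"FileVault is On"*) ;;
        *) echo "GAP: FileVault is not enabled"; gaps=$((gaps + 1)) ;;
    esac
    # "Enrolled via DEP: Yes" means the Mac was assigned through ABM, i.e. zero-touch.
    case "$enroll_out" in
        *"Enrolled via DEP: Yes"*) ;;
        *) echo "GAP: not enrolled via ABM (DEP); manual enrolment or unmanaged"; gaps=$((gaps + 1)) ;;
    esac
    # A non-user-approved MDM profile limits what Kandji may manage.
    case "$enroll_out" in
        *"MDM enrollment: Yes (User Approved)"*) ;;
        *) echo "GAP: MDM enrolment missing or not user-approved"; gaps=$((gaps + 1)) ;;
    esac
    if [ "$os_ver" != "$target_ver" ]; then
        echo "GAP: macOS $os_ver installed, $target_ver expected"; gaps=$((gaps + 1))
    fi
    return "$gaps"
}

# Constructed sample captures (not taken from a real machine).
SAMPLE_FV="FileVault is On."
SAMPLE_ENROLL="Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)"
if mac_baseline "$SAMPLE_FV" "$SAMPLE_ENROLL" "14.5" "14.5"; then
    echo "compliant"
fi
```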
Things to know before starting
A few recurring gotchas:
- ABM device enrolment is only retroactive for Macs purchased through an authorized Apple reseller (not consumer Apple Store). For the existing fleet, manual enrolment or Apple Configurator is often required. Not blocking, but it consumes time.
- SSO must be ready before enrolment. Otherwise users create local accounts and the later migration is longer.
- Apps not distributed via VPP must be packaged as .pkg or delivered via Kandji’s auto-pilot. Adobe and Microsoft are natively supported.
The result, six months later
On the 50-Mac perimeter we measure: 100% active encryption, zero hardware-related security incidents over six months, average machine-prep time down from 16 hours to 30 minutes, average user-incident resolution time down 40% (IT sees what is wrong before the user calls).
If you operate a corporate Mac fleet and recognize your situation in the “before” picture, an initial IT audit at Macinwork takes 1 to 3 half-days on site and produces a costed action plan. The form at the bottom of the home page is built for that.
Field-report context: Paris-based creative agency, ~50 Macs (anonymized)