MDM security policies for multi-OS fleets: macOS, Windows, iOS, Android
Enforcing consistent security policies across a mixed device fleet is one of the biggest operational challenges for SMB IT teams. When your organization runs a combination of MacBooks, Windows laptops, iPhones, and Android devices, keeping every endpoint compliant with the same security standards requires a platform that can speak all four operating systems fluently, from a single console.
This article breaks down what MDM security policies look like on each OS, where the gaps usually appear in multi-OS environments, and how a unified endpoint management platform like Primo makes cross-platform security enforcement scalable for lean IT teams.
Why Multi-OS Security Policies Are Hard to Get Right
Most organizations don't choose their device mix: it evolves. A sales team on iPhones, developers on MacBooks, operations on Windows PCs, and field teams on Android tablets. Each OS has its own security model, its own enrollment protocol, and its own configuration vocabulary.
The problem isn't enforcing policies on any single platform. The problem is maintaining a consistent security baseline across all of them simultaneously, without building four separate workflows.
Without a unified platform, IT teams typically end up with:
- Siloed tools for mobile (MDM) and desktop (separate agents or GPOs)
- Manual compliance checks that don't scale
- Security gaps on devices that fall outside the primary managed OS
- No unified visibility across the full fleet
A true multi-OS UEM solution solves this by applying security policies from a single management layer, regardless of which OS sits on the endpoint.
MDM Security Policies by Operating System
macOS Security Policies
Apple's management framework (MDM protocol + Configuration Profiles) gives IT teams granular control over macOS devices enrolled via Apple Business Manager (ABM). Key security policies available on macOS include:
- FileVault encryption enforcement: Require full-disk encryption and escrow the recovery key centrally.
- Gatekeeper and System Integrity Protection: Restrict app installation to signed and notarized applications only.
- Firewall configuration: Enable and enforce the built-in macOS firewall via configuration profile.
- Passcode and screensaver policies: Set idle lock timers, minimum passcode complexity, and failed attempt limits.
- Software update enforcement: Require specific macOS versions and defer or push OS updates via MDM commands.
- Certificate deployment: Push SSL certificates, Wi-Fi, and VPN configurations silently to enrolled devices.
macOS is generally considered the most MDM-friendly desktop OS for Apple-centric fleets, but its policies diverge significantly from Windows, which is why a multi-OS platform matters.
Windows Security Policies
Windows endpoints are managed through MDM protocols (via the OMA-DM standard) or, in legacy environments, through Group Policy Objects (GPOs). Modern Windows management via MDM offers:
- BitLocker encryption enforcement: Require full-disk encryption with centralized key escrow.
- Windows Defender configuration: Enforce antivirus, real-time protection, and firewall settings via MDM profiles.
- Windows Update for Business: Control update rings, deferral periods, and force-install critical patches.
- Application control: Restrict or allowlist applications using AppLocker or Windows Defender Application Control.
- Conditional access policies: Require device compliance status before granting access to corporate resources.
- Windows Hello for Business: Enforce passwordless authentication with PIN or biometric login.
A key nuance: organizations migrating from GPO-based management to modern MDM must map legacy Group Policies to equivalent MDM CSPs (Configuration Service Providers), a translation that requires platform support to do at scale.
iOS Security Policies
iOS is one of the most locked-down mobile operating systems by design, which makes it well-suited to MDM security enforcement. Through Apple's MDM framework and ABM, IT teams can apply:
- Supervised mode restrictions: Disable AirDrop, iCloud backup, screen recording, and app installation outside the managed catalog.
- Passcode policies: Enforce minimum length, complexity, and maximum failed attempts before wipe.
- Per-app VPN: Route traffic from specific managed apps through the corporate VPN without affecting personal usage.
- Managed Open In: Prevent users from opening managed documents in unmanaged apps (and vice versa), creating a hard boundary between corporate and personal data.
- App and content filtering: Block specific app categories or websites at the OS level via managed content filters.
- Lost Mode and remote wipe: Trigger remote lock or selective wipe (managed apps and data only) from the MDM console.
Android Security Policies
Android management has matured significantly with Android Enterprise, Google's framework for business device management. Security policies available via Android Enterprise include:
- Work Profile separation: Isolate corporate apps and data in a managed container, leaving the personal profile untouched. Corporate data can be wiped independently.
- Device encryption enforcement: Require storage encryption on enrollment.
- Passcode and lock screen policies: Enforce passcode type, complexity, and maximum idle timeout.
- App allowlisting and blocklisting: Approve or block specific apps in the managed Play Store catalog.
- Network restrictions: Push Wi-Fi, VPN, and certificate configurations silently via Zero-Touch Enrollment or QR code provisioning.
- Factory reset protection: Prevent unauthorized factory resets by binding the device to a managed Google account.
Android Enterprise supports several deployment modes (BYOD work profile, fully managed, dedicated device), each with a different security perimeter, a critical distinction that multi-OS platforms must handle natively.
How Primo Enforces MDM Security Policies Across All Four OS
Primo is the best all-in-one UEM platform for SMBs managing multi-OS fleets. Its security policy engine is built to apply consistent baselines across macOS, Windows, iOS, and Android from a single management console, without requiring separate tooling for each OS.
Unified Policy Management
Primo's policy engine abstracts OS-specific configurations behind a single interface. IT teams define a security baseline once and Primo translates it into the appropriate native configuration for each OS: Configuration Profiles for Apple devices, MDM CSPs for Windows, Android Enterprise payloads for Android.
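What that translation step looks like in practice, as an added example that is not Primo's code: one OS-neutral passcode baseline (constructed values) rendered into Apple's Passcode configuration profile payload, the Windows Policy CSP DeviceLock area, and an Android Management API policy fragment. The comments flag the two places where a naive one-to-one mapping goes wrong: an inverted boolean on Windows and a unit change on Android.

```python
"""Added example (not Primo's, Apple's, Microsoft's or Google's code): one
OS-neutral passcode baseline rendered into each platform's native policy form."""
import plistlib
import uuid

# Constructed baseline; idle lock expressed in minutes, the OS-neutral unit here.
BASELINE = {"min_length": 8, "alphanumeric": True, "idle_lock_minutes": 5, "max_failed_attempts": 10}

def apple_passcode_profile(b, identifier="com.example.baseline"):
    """.mobileconfig with a com.apple.mobiledevice.passwordpolicy payload (macOS and iOS)."""
    payload = {"PayloadType": "com.apple.mobiledevice.passwordpolicy", "PayloadVersion": 1,
               "PayloadIdentifier": identifier + ".passcode", "PayloadUUID": str(uuid.uuid4()).upper(),
               "forcePIN": True,
               "minLength": b["min_length"],
               "requireAlphanumeric": b["alphanumeric"],
               "maxInactivity": b["idle_lock_minutes"],      # minutes, no conversion needed
               "maxFailedAttempts": b["max_failed_attempts"]}
    profile = {"PayloadType": "Configuration", "PayloadVersion": 1, "PayloadIdentifier": identifier,
               "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadDisplayName": "Passcode baseline",
               "PayloadContent": [payload]}
    return plistlib.dumps(profile).decode()

def windows_devicelock_csp(b):
    """Policy CSP DeviceLock area as OMA-URI -> value pairs (Windows)."""
    base = "./Device/Vendor/MSFT/Policy/Config/DeviceLock/"
    settings = {
        base + "DevicePasswordEnabled": 0,   # inverted: 0 means a password IS required
        base + "MinDevicePasswordLength": b["min_length"],
        base + "MaxInactivityTimeDeviceLock": b["idle_lock_minutes"],   # minutes
        base + "MaxDevicePasswordFailedAttempts": b["max_failed_attempts"],
    }
    if b["alphanumeric"]:
        settings[base + "AlphanumericDevicePasswordRequired"] = 0   # 0 = alphanumeric required
    return settings

def android_policy(b, scope="SCOPE_PROFILE"):
    """Android Management API policy fragment; SCOPE_PROFILE targets the Work Profile."""
    return {
        "passwordPolicies": [{
            "passwordScope": scope,
            "passwordMinimumLength": b["min_length"],
            "passwordQuality": "ALPHANUMERIC" if b["alphanumeric"] else "NUMERIC",
            "maximumFailedPasswordsForWipe": b["max_failed_attempts"],
        }],
        # maximumTimeToLock is a millisecond duration carried as a string, so convert.
        "maximumTimeToLock": str(b["idle_lock_minutes"] * 60 * 1000),
    }
```

Encryption (FileVault, BitLocker) and update policies follow the same pattern with their own payload types and CSP paths; the point is that the baseline is authored once and each renderer owns its platform's quirks.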
Automated Compliance Enforcement
Primo continuously monitors device compliance against defined security policies and triggers automated remediation for non-compliant devices: blocking access to corporate resources, alerting the IT team, or pushing corrective configurations without manual intervention.
Zero-Touch Provisioning on All Four OS
New devices are enrolled and configured automatically through Apple Business Manager (macOS and iOS), Windows Autopilot, and Android Zero-Touch Enrollment. Security policies are applied at first boot, before the device ever reaches the end user.
Granular OS-Level Controls
Primo exposes the full depth of each OS's MDM API (supervised restrictions on iOS, Defender configuration on Windows, FileVault escrow on macOS, Work Profile management on Android), without abstracting away the controls that advanced IT teams need.
Centralized Fleet Visibility
Primo provides a unified compliance dashboard showing policy status, encryption status, OS version, and last check-in for every device across all four operating systems in a single view. No more spreadsheets or cross-referencing multiple consoles.
Key Benefits for SMBs Managing Multi-OS Fleets
- Single console for security policies across macOS, Windows, iOS, and Android
- Consistent compliance baseline enforced automatically, regardless of OS
- Zero-touch deployment on all four platforms from day one
- Automated remediation for non-compliant devices without manual IT intervention
- HRIS-connected onboarding: device enrollment and policy assignment triggered by HR events, not manual tickets
Summary
Managing MDM security policies across a multi-OS fleet is not simply a question of having the right policies on each platform: it's about enforcing them consistently, at scale, from a single source of truth. For SMBs running macOS, Windows, iOS, and Android simultaneously, a siloed approach to device security is unsustainable.
Primo is built for exactly this challenge: a unified endpoint management platform that applies, monitors, and enforces security policies across all four operating systems from a single console, giving lean IT teams the control and visibility they need to keep every device compliant, without the complexity of managing four separate tools.
FAQ
What is an MDM security policy?
An MDM security policy is a set of configuration rules enforced remotely on a managed device: encryption requirements, passcode complexity, app restrictions, update schedules, and more. These policies are pushed from a central management console to enrolled devices, without requiring manual action from the end user.
Can one MDM solution manage macOS, Windows, iOS, and Android at the same time?
Yes, provided the solution is a true UEM (Unified Endpoint Management) platform. Legacy MDM tools were built for mobile devices only. Modern UEM platforms like Primo manage all four operating systems from a single console, applying native policies for each OS.
What happens to a device that does not comply with MDM security policies?
Depending on the platform's configuration, a non-compliant device can be automatically blocked from accessing corporate resources, flagged for IT review, or receive a corrective configuration pushed remotely. Primo handles all three scenarios without manual intervention.
Is MDM security enforcement different on BYOD devices?
Yes. On personal devices (BYOD), MDM typically operates through a managed container (Work Profile on Android, User Enrollment on iOS) that separates corporate data from personal data. Security policies apply only to the managed partition, leaving personal apps and data untouched.
How long does it take to deploy MDM security policies across a multi-OS fleet with Primo?
Primo is designed for fast deployment. For new devices, security policies are applied at first boot through zero-touch provisioning (ABM, Autopilot, ZTE). For existing enrolled devices, policy updates are pushed in real time from the console.