[eswat]

MDM doesn't have to be a heavy-handed thing and solutions exist for macOS at least. Even something that just makes sure the OS and critical apps always have the latest security patches - and ideally pushes those changes when it’s not disruptive to the host – can go a long way.

[dissent]

Doesn't have to be, invariably is in my experience. I prefer the approach of taking the phrase Zero Trust literally.

[r4vik]

From what I can remember when I set this up last all our MDM did was:

- Ensure full disk encryption

- Time limit on how long people can defer OS upgrades

- Report on software installed and versions

- Enforce somewhat complex password

- Enforce password after screen has become locked

- Allow us to remote wipe the machine if lost/stolen

It didn't stop you from installing / uninstalling anything - even itself. Although if your machine stopped phoning home for a certain amount of time we had some alerts set up for the IT support team to follow up.