How a 450-person scaleup brought a mixed Apple and Windows estate under management without disrupting a single workday.
The device estate was split across Apple and Windows, with most machines untouched by any management tooling. The estate had grown without MDM, without policy enforcement, and without visibility into what was out in the field. A device could leave the building with credentials intact and nobody would know until something went wrong.
For a company heading into acquisition due diligence, "we don't manage our devices" is not a conversation you want to be having.
Machines were already out with users, so enrollment had to work around people's days. It was phased by team and scheduled outside core hours.
On the Apple side, new hardware went through ABM directly into IRU. Existing machines were enrolled into MDM outside of ABM and will transition to the full lifecycle path as hardware turns over naturally. Nobody got a forced wipe or a disruption mid-project.
On Windows, self-service documentation walked people through the process: hardware hashes captured, devices registered into Autopilot. From that point they're Autopilot-ready, and the full wipe-and-reprovision happens either for compliance reasons or at the next hardware refresh. Users kept working throughout.
Both platforms were tied back to Okta for identity-based policy enforcement, which was deployed as part of a parallel identity and access management engagement.
SentinelOne was sourced below list price and pushed to every managed endpoint on completion.
The estate went from unmanaged to fully governed without disrupting anyone's workday. IT gained visibility over every device, the ability to enforce policy remotely, and a hardware lifecycle that actually works with the business rather than against it.
A separate ~50-person company came to us needing MDM for their device fleet. We enrolled their machines, deployed endpoint protection, and enforced baseline policies across the estate. The controls put in place then provided the evidence base their assessor needed when the company went through HITRUST certification. Enrolment records, endpoint compliance reports, and policy enforcement logs were already there because that is how the devices were managed day-to-day. We provide controls and evidence to support audits and questionnaires. Certification decisions sit with the auditor.
“The fact that we did this without disrupting a single person's workday was the part that surprised everyone. People expected pain and there wasn't any.” — Head of IT (name withheld by request)
If you've got devices out in the field that you can't see, can't enforce policy on, and couldn't wipe tomorrow if you needed to, you already know this is a problem. The question is usually whether fixing it means disrupting the people using them. It doesn't have to.