Why Bastion Built Its Own MDM
Why Build an MDM?
Working with hundreds of startups on compliance, we kept seeing the same gap: most companies had no device management at all. When they looked for solutions, enterprise MDM vendors presented three problems:
- Roadmap misalignment — Mature MDM vendors prioritize enterprise clients. We needed deep integration with our compliance and security posture platform, and no third-party roadmap could guarantee that.
- Data sovereignty — Most MDM solutions lack self-hosting options. It felt wrong to ask customers to trust us with their security data while delegating device data to a vendor we don't control.
- Feature bloat and pricing — Enterprise MDM solutions bundle expensive capabilities startups never use, making them economically unjustifiable for a 50-person team.
So we built our own — from scratch. Not a fork of an open-source project. Not a white-label resale. A purpose-built MDM designed for the companies we work with every day.
Built on Native OS Protocols
Bastion's MDM uses the management protocols built directly into each operating system:
| Platform | Protocol | Capabilities |
|---|---|---|
| macOS | Apple MDM (APNs + SCEP) | Device lock, remote wipe, profile installation, encryption enforcement, inventory queries |
| Windows | OMA-DM / CSPs | Configuration management, policy enforcement, inventory, encryption status |
| Linux | Bastion agent (DEB/RPM) | Software inventory, vulnerability scanning |
This means no proprietary agents running with elevated privileges beyond what the OS vendor intended. On macOS, the enrollment profile is visible in System Settings > General > Device Management. On Windows, it appears in Settings > Accounts > Access work or school. Everything is declared — there is no hidden access.
Security-First by Design
The most important architectural decision we made was deliberately excluding remote script execution.
Some MDM platforms (including Apple's supervised mode and Microsoft Intune) let administrators push and execute arbitrary scripts on managed devices. This is powerful — but it turns your MDM server into a high-value target. A compromised MDM becomes a deployment vector for enterprise-wide malware.
For a large organization with a dedicated security team monitoring their MDM infrastructure around the clock, that trade-off may be acceptable. For a 50-person startup, it's a catastrophic risk.
We chose to trade capability for attack surface reduction.
What Bastion MDM Can Do
- Remote device lock and wipe
- Enforce disk encryption (FileVault on macOS, BitLocker on Windows)
- Require lock screen passwords
- Query device information (OS version, serial numbers, encryption status, installed software)
- Install configuration profiles and certificates
- Apply and monitor security policies
- Continuous vulnerability scanning
What Bastion MDM Deliberately Cannot Do
- Access emails
- Monitor keystrokes
- Retrieve browsing history
- Record screens
- Execute arbitrary scripts remotely
Compliance Integration
Because the MDM is part of the same platform that manages your compliance frameworks, device policies directly generate evidence for audits:
| Framework Control | What the MDM Provides |
|---|---|
| SOC 2 CC6.7–CC6.8 | Device-level access controls, unauthorized software prevention |
| ISO 27001 A.8.1 | Endpoint encryption enforcement and security policy evidence |
| ISO 27001 A.5.9 & A.7.9 | Automated asset inventory and off-premises device management |
There is no manual evidence collection. When an auditor asks "how do you enforce disk encryption?", the answer is a live dashboard — not a screenshot from six months ago.
Privacy and Transparency
Employees can see exactly what the MDM manages on their device:
- macOS: System Settings > General > Device Management — lists installed profiles and their permissions
- Windows: Settings > Accounts > Access work or school — shows the MDM connection and applied policies
- Bastion user portal: The Laptop tab shows compliance status, applied policies, and a Privacy section detailing what data is collected
We built the MDM so that IT admins can answer their employees' privacy questions with confidence. The data we collect is limited to hardware inventory, installed software, security posture (encryption, firewall, OS version), and compliance status. We do not collect personal files, location, photos, or browsing data.
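As an added example (not Bastion's code and not part of the original post), the Python script below shows one way to verify the "everything is declared" point from the protocols section and the privacy commitments above: it parses a constructed macOS enrollment profile and decodes the com.apple.mdm payload's AccessRights bitmask into the rights it grants, using the bit values from Apple's Configuration Profile Reference. The server URL and push topic in the sample are placeholders; the bits for device lock (4) and erase (8) correspond to the lock and wipe capabilities listed above.

```python
import plistlib

# Bit values of the AccessRights key in the com.apple.mdm payload
# (Apple's Configuration Profile Reference).
ACCESS_RIGHTS = {
    1: "inspect installed configuration profiles",
    2: "install and remove configuration profiles",
    4: "device lock and passcode removal",
    8: "device erase",
    16: "query device information (capacity, serial number)",
    32: "query network information (phone/SIM numbers, MAC addresses)",
    64: "inspect installed provisioning profiles",
    128: "install and remove provisioning profiles",
    256: "inspect installed applications",
    512: "restriction-related queries",
    1024: "security-related queries",
    2048: "manipulate settings",
    4096: "app management",
}

# Constructed sample enrollment profile (XML plist); server URL and push
# topic are placeholders, not a real tenant's values.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.mdm</string>
    <key>ServerURL</key><string>https://mdm.example.invalid/mdm</string>
    <key>Topic</key><string>com.apple.mgmt.External.PLACEHOLDER</string>
    <key>AccessRights</key><integer>1311</integer>
  </dict></array>
</dict></plist>"""


def declared_rights(profile_bytes):
    """Return the names of the rights the profile's MDM payload grants."""
    profile = plistlib.loads(profile_bytes)
    mdm = [p for p in profile.get("PayloadContent", [])
           if p.get("PayloadType") == "com.apple.mdm"]
    if len(mdm) != 1:
        raise ValueError("expected exactly one com.apple.mdm payload")
    mask = mdm[0]["AccessRights"]
    if mask & ~sum(ACCESS_RIGHTS):  # bits Apple does not document
        raise ValueError(f"undocumented AccessRights bits: {mask:#x}")
    return [name for bit, name in ACCESS_RIGHTS.items() if mask & bit]


if __name__ == "__main__":
    for right in declared_rights(SAMPLE_PROFILE):
        print("granted:", right)
```

Run it against a copy of your own enrollment profile to compare the granted rights with the capability list above.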