Blog: The Business Guide to Building Custom iOS MDM Software from Scratch

Off-the-shelf MDM platforms bill per device forever, box you into their data model, and leave a messy tail of integration debt every time your stack shifts. A custom iOS MDM flips that: you own the enrollment flow, the command queue, the audit trail, and the roadmap — and you stop paying a license tax on every new iPhone.

This playbook is for founders, CTOs and IT leaders evaluating whether to build. We cover the Apple MDM protocol, Declarative Device Management, architecture, stack choices, compliance, realistic cost, timelines, and the pitfalls that sink most in-house attempts — with the numbers and decision rules we use on real projects.

Key takeaways

Custom iOS MDM wins above ~500 devices or when deep identity, SIEM, or vertical compliance integrations justify the lift. Below that, off-the-shelf is almost always cheaper in year one.

The Apple MDM protocol is now two protocols: legacy command-response MDM plus Declarative Device Management (DDM). Any custom stack shipped in 2026 must speak both.

Certificates are the #1 silent failure. APNs certs expire yearly, SCEP/ACME enrollment is fragile, and 60% of post-launch outages we debug trace back to cert handling.

A realistic build is 3–6 weeks to prototype, 3–5 months to production. With Agent Engineering we routinely ship working enrollment + command queue + admin console in that window.

NanoMDM is a viable base: an open-source Go implementation of the MDM protocol you can extend — the hard part is the admin console, PKI, and compliance evidence around it, not the protocol itself.

Why Fora Soft wrote this playbook

Fora Soft has shipped iOS software continuously since 2005 — video, telemedicine, education, surveillance, IPTV, and enterprise device control. When clients outgrow Jamf or Kandji, or when their use case (HIPAA telemedicine, supervised police equipment, regulated trading workstations) doesn’t fit a SaaS template, they come to us for a custom MDM that fits the business, not the other way around.

We’ve learned from projects where the device layer is the product: V.A.L.T., a video surveillance SaaS trusted by 700+ police departments, child advocacy centers, and hospitals; CirrusMED, a HIPAA-compliant telemedicine platform for US private practice; and BrainCert, a $3M-revenue LMS serving 100K+ customers. In each we had to harden certificate handling, auto-rotate keys, and ship admin tooling IT teams actually trust.

This guide distills what actually matters when you stop being a tenant on someone else’s MDM and start owning the layer yourself.

Is a custom iOS MDM actually cheaper for your fleet?

Send us your device count, compliance needs and rough integration list — we’ll come back with a build-vs-buy model in under a week.


The one-page answer: build vs buy custom iOS MDM

If you have fewer than a few hundred devices and no unusual compliance or integration needs, buy. Jamf, Kandji, Mosyle, Hexnode and Intune all solve the 80% generic case at $1.50–$7 per device per month. Custom iOS MDM is a strategic asset, not a cost-saving project, and it rarely pays back in year one.

Custom wins when one or more of the following is true:

  • Fleet scale is 1,000+ devices and per-device licensing is now a line item your CFO watches.
  • Vertical compliance (HIPAA, HITRUST, SOC 2 Type II, FedRAMP, regulated finance) means you need full evidence ownership, not a SaaS vendor’s shared attestation.
  • Deep integrations with your identity provider (Okta, Azure AD, OneLogin), SIEM (Splunk, Sentinel), ticketing, and internal HR systems matter more than out-of-the-box UX.
  • The device IS the product — surveillance terminals, in-store kiosks, field hardware, broadcast iPads — and its configuration is a customer-visible feature.
  • Data residency rules (EU, UAE, KSA public sector) block you from any multi-tenant MDM cloud.

The rest of this playbook is what happens after you’ve decided to build.

Reach for a custom iOS MDM when: your fleet is large enough that per-device fees exceed the loaded cost of a small platform team, or your regulator will not accept a shared-tenant vendor’s attestation as your evidence of control.

What a custom iOS MDM actually does

At its core, an iOS MDM is a web service that speaks Apple’s MDM protocol and drives a fleet of iPhones and iPads from a central admin console. Four capability buckets cover almost every real requirement.

1. Enrollment and identity. Devices are assigned to your organisation in Apple Business Manager (ABM), automatically pulled into your MDM during Setup Assistant, and bound to a user identity. No manual pairing, no stickers, no lost devices.

2. Configuration delivery. Wi-Fi, VPN, email, certificates, web clips, home-screen layout, managed app settings — all pushed declaratively and re-applied when a device drifts off policy.

3. App and content management. Silent install of VPP / Apps and Books purchases, per-app VPN, managed documents, in-house enterprise apps, and updates without user consent.

4. Security actions. Remote lock, remote wipe, passcode policy, Activation Lock management, Lost Mode, device inventory — plus signed commands you can queue and audit.

Build vs buy: when custom pays off

The simple math: model five years of total cost, not one. License fees for commercial MDM compound linearly with your fleet. A custom build is front-loaded (engineering) and then flattens (maintenance). Break-even usually sits between 500 and 1,500 devices, depending on the complexity of your integrations.

Here is an illustrative model we use with clients. The numbers are deliberately conservative and already reflect the faster, leaner delivery that Agent Engineering, our AI-assisted delivery approach, gives us compared with the industry average.

| Fleet size | Commercial MDM (5 yrs) | Custom build (5 yrs) | Break-even | Verdict |
|---|---|---|---|---|
| 100 devices | ~$30k | $300k+ | Never | Buy |
| 500 devices | ~$150k | $300–450k | Year 4–5 | Depends on integrations |
| 1,500 devices | ~$450k | $350–500k | Year 2–3 | Build |
| 5,000 devices | ~$1.5M | ~$600k | Year 1–2 | Build |
| Regulated vertical | Evidence-sharing risk | Full evidence ownership | N/A | Build |

If you want this model grounded in your own numbers, start with our software estimation guide — same logic, applied to your fleet and integration list.

The iOS MDM protocol in 90 seconds

Apple’s MDM is a signed HTTPS conversation between a device and your server, nudged along by Apple Push Notification Service (APNs). The flow is deliberately boring once you have it right.

1. Enrollment. The device installs a signed .mobileconfig enrollment profile pointing at your MDM. For Automated Device Enrollment (ADE), ABM silently assigns the profile during Setup Assistant.

2. Identity certificate. During enrollment the device obtains a client certificate via SCEP or ACME. Every future request is mutually authenticated with this cert.

3. Push wake-up. To tell a device “there is work for you”, your server sends a silent notification via APNs using your yearly-renewed MDM push certificate. APNs carries no command content; it is only a doorbell, and the device fetches the work itself.

4. Check-in and commands. The device connects to /mdm/checkin and /mdm/command, posts a plist-encoded status, and receives the next pending command from your queue (InstallProfile, InstallApplication, DeviceLock, EraseDevice, DeviceInformation, etc.).

// Minimal /mdm/command handler in Swift Vapor
import Vapor

// The device PUTs an XML plist. Vapor registers no plist decoder by default, so one
// must be registered for Apple's MDM content type before req.content.decode can parse it.
struct PlistBody: Content {
    let UDID: String
    let CommandUUID: String?   // absent on the first Idle report after enrollment
    let Status: String         // "Idle", "Acknowledged", "Error", "NotNow", ...
}

app.put("mdm", "command") { req async throws -> Response in
    let body = try req.content.decode(PlistBody.self)
    let udid = body.UDID
    // 1. Validate client cert (middleware)
    // 2. Mark previous command ACK’d (an Idle report names no command, so skip it)
    if let uuid = body.CommandUUID {
        try await CommandQueue.ack(udid: udid, uuid: uuid)
    }
    // 3. Pop next command for this device
    if let next = try await CommandQueue.next(udid: udid) {
        return try await next.plistResponse()
    }
    return Response(status: .ok) // empty queue
}
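The same check-in step in Go, the language the playbook recommends for the protocol core, as an added example that is not code from this post or from NanoMDM: a stdlib-only parser for the device's plist status report and the framing of the next command. The UDIDs and UUIDs in the sample bodies are constructed placeholders; the parser reads only top-level string values and is meant to show the exchange, not to replace a full plist library.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// StatusReport is the subset of the device's plist status body the server acts on.
type StatusReport struct {
	UDID        string
	CommandUUID string // empty on the first Idle report after enrollment
	Status      string // Idle, Acknowledged, Error, NotNow, CommandFormatError
}

// plistDoc / plistDict / plistVal map the top level of an Apple XML plist onto
// encoding/xml: <key> children collect into Keys, and every other child
// (<string>, <integer>, <dict>, ...) collects in document order into Values via
// ",any", so for a well-formed dict Keys[i] names Values[i]. Nested dicts are not descended.
type plistDoc struct {
	Dict plistDict `xml:"dict"`
}
type plistDict struct {
	Keys   []string   `xml:"key"`
	Values []plistVal `xml:",any"`
}
type plistVal struct {
	XMLName xml.Name
	Text    string `xml:",chardata"`
}

// ParseStatusReport decodes the PUT body a device sends to the command URL.
func ParseStatusReport(body []byte) (StatusReport, error) {
	var doc plistDoc
	if err := xml.Unmarshal(body, &doc); err != nil {
		return StatusReport{}, fmt.Errorf("plist: %w", err)
	}
	if len(doc.Dict.Keys) != len(doc.Dict.Values) {
		return StatusReport{}, fmt.Errorf("plist: %d keys but %d values", len(doc.Dict.Keys), len(doc.Dict.Values))
	}
	fields := map[string]string{}
	for i, k := range doc.Dict.Keys {
		if v := doc.Dict.Values[i]; v.XMLName.Local == "string" {
			fields[k] = strings.TrimSpace(v.Text)
		}
	}
	rep := StatusReport{UDID: fields["UDID"], CommandUUID: fields["CommandUUID"], Status: fields["Status"]}
	if rep.UDID == "" || rep.Status == "" {
		return StatusReport{}, fmt.Errorf("plist: UDID and Status are required")
	}
	return rep, nil
}

// CommandPlist frames one queued command the way the device expects it: a top-level
// CommandUUID plus a Command dict whose RequestType names the action (DeviceLock,
// DeviceInformation, InstallProfile, ...). Values are XML-escaped so a string that
// came from an admin form cannot break out of the document.
func CommandPlist(commandUUID, requestType string) string {
	esc := func(s string) string {
		var b strings.Builder
		xml.EscapeText(&b, []byte(s))
		return b.String()
	}
	return `<?xml version="1.0" encoding="UTF-8"?>` + "\n" +
		`<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">` + "\n" +
		`<plist version="1.0"><dict>` +
		`<key>CommandUUID</key><string>` + esc(commandUUID) + `</string>` +
		`<key>Command</key><dict><key>RequestType</key><string>` + esc(requestType) + `</string></dict>` +
		`</dict></plist>` + "\n"
}

// Constructed sample bodies; the UDID and UUID are placeholders, not real devices.
const SampleIdleReport = `<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Status</key><string>Idle</string>
	<key>UDID</key><string>EXAMPLE-UDID-0001</string>
</dict>
</plist>`

const SampleAckReport = `<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>CommandUUID</key><string>EXAMPLE-CMD-0001</string>
	<key>Status</key><string>Acknowledged</string>
	<key>UDID</key><string>EXAMPLE-UDID-0001</string>
	<key>QueryResponses</key><dict><key>DeviceName</key><string>Kiosk 12</string></dict>
</dict>
</plist>`

func main() {
	for _, body := range []string{SampleIdleReport, SampleAckReport} {
		rep, err := ParseStatusReport([]byte(body))
		fmt.Printf("%+v err=%v\n", rep, err)
	}
	fmt.Print(CommandPlist("EXAMPLE-CMD-0002", "DeviceInformation"))
}
```

The first report after enrollment is Idle and names no command, which is why CommandUUID is optional; a production handler also rejects bodies over a size cap and, before trusting the UDID in the body, ties it to the identity in the client certificate.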

Supervision modes and enrollment paths

What your MDM can actually do on a device depends entirely on how it was enrolled. Three paths matter.

Automated Device Enrollment (ADE / DEP)

Company-owned devices purchased through Apple or an authorised reseller are pre-assigned to your ABM tenant. During Setup Assistant the device silently enrolls into your MDM, supervised, with MDM removable only via full wipe. This is the path for corporate iPhones, frontline iPads and kiosk hardware.

Account-Driven User Enrollment (BYOD)

Introduced in iOS 15, this path lets a user sign into a Managed Apple Account from Settings. Work apps and data sit in a cryptographically separated Managed Apple Account profile; personal apps, photos and iCloud never touch your MDM. This is the modern, privacy-first BYOD path that HR and legal will actually approve.

Apple Configurator (manual supervision)

For devices you already own but were never in ABM — an older fleet, a one-off kiosk — Apple Configurator 2.5+ on a Mac can wipe and supervise them. Slower, tactile, and fine for hundreds but not thousands of units.

Reach for ADE when: every device is company-owned and procured through Apple or an authorised reseller. Reach for Account-Driven User Enrollment when any part of the fleet is personal hardware. Reach for Apple Configurator only for legacy inventory that can’t be re-bought through ABM.

Declarative Device Management (the 2026 default)

Classic MDM is imperative: your server sends commands, the device reports back. Declarative Device Management (DDM), added in iOS 15 and expanded every year since, inverts that. Your server publishes declarations — configurations, activations, status subscriptions — and devices autonomously apply and re-apply them. Less polling, faster convergence, fewer failed commands.

For a custom MDM shipped in 2026, DDM is no longer optional. The ecosystem’s direction is clear:

  • New restriction and configuration surface area ships in DDM first.
  • Software-update management on supervised iPhones, iPads and Macs already relies on DDM declarations.
  • Every serious commercial MDM now supports DDM; buyers compare you to that bar.
  • Devices converge on target state without waking through APNs, dropping load on your queue.

Start every new payload in DDM, fall back to legacy MDM commands only when Apple hasn’t shipped a declaration yet. Apple’s Device Management documentation is the canonical reference.
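The token comparison that lets devices converge without being told what to do, as an added example in Go that is not code from this post, from Apple or from NanoMDM. The field names (Type, Identifier, ServerToken and Payload on a declaration; the Declarations and DeclarationsToken shape of the declaration-items response) follow Apple's published DDM protocol as I understand it and should be checked against the Device Management documentation. Deriving ServerToken from a content hash is this example's own choice, the payload keys are illustrative, and the identifiers are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Declaration is what a device fetches for one item: Type and Identifier name it,
// Payload is the desired state, and ServerToken is an opaque version the device
// compares with the token it last applied; a changed token triggers a re-fetch.
type Declaration struct {
	Type        string         `json:"Type"`
	Identifier  string         `json:"Identifier"`
	ServerToken string         `json:"ServerToken"`
	Payload     map[string]any `json:"Payload"`
}

// NewDeclaration derives ServerToken from the canonical JSON of Type, Identifier and
// Payload (encoding/json emits map keys sorted, so equal content gives equal bytes).
// Re-saving an unchanged policy therefore does not make every device re-apply it,
// while any real change does. Apple only requires the token to change with the
// declaration; hashing the content is this example's way of guaranteeing that.
func NewDeclaration(typ, id string, payload map[string]any) (Declaration, error) {
	canon, err := json.Marshal(struct {
		Type, Identifier string
		Payload          map[string]any
	}{typ, id, payload})
	if err != nil {
		return Declaration{}, err
	}
	sum := sha256.Sum256(canon)
	return Declaration{Type: typ, Identifier: id, ServerToken: hex.EncodeToString(sum[:16]), Payload: payload}, nil
}

// ManifestItem is one entry of the declaration-items response.
type ManifestItem struct {
	Identifier  string `json:"Identifier"`
	ServerToken string `json:"ServerToken"`
}

// Manifest mirrors the declaration-items response: per-category identifier/token
// lists plus a DeclarationsToken over the whole set. The device checks that token
// first; if it is unchanged nothing else is fetched.
type Manifest struct {
	Declarations struct {
		Activations    []ManifestItem `json:"Activations"`
		Configurations []ManifestItem `json:"Configurations"`
		Assets         []ManifestItem `json:"Assets"`
		Management     []ManifestItem `json:"Management"`
	} `json:"Declarations"`
	DeclarationsToken string `json:"DeclarationsToken"`
}

// BuildManifest files each declaration by its type prefix and sorts by Identifier
// so the same set always yields the same DeclarationsToken.
func BuildManifest(decls []Declaration) Manifest {
	sorted := append([]Declaration(nil), decls...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Identifier < sorted[j].Identifier })
	var m Manifest
	h := sha256.New()
	for _, d := range sorted {
		item := ManifestItem{Identifier: d.Identifier, ServerToken: d.ServerToken}
		fmt.Fprintf(h, "%s=%s\n", d.Identifier, d.ServerToken)
		switch {
		case strings.HasPrefix(d.Type, "com.apple.activation."):
			m.Declarations.Activations = append(m.Declarations.Activations, item)
		case strings.HasPrefix(d.Type, "com.apple.configuration."):
			m.Declarations.Configurations = append(m.Declarations.Configurations, item)
		case strings.HasPrefix(d.Type, "com.apple.asset."):
			m.Declarations.Assets = append(m.Declarations.Assets, item)
		case strings.HasPrefix(d.Type, "com.apple.management."):
			m.Declarations.Management = append(m.Declarations.Management, item)
		}
	}
	m.DeclarationsToken = hex.EncodeToString(h.Sum(nil)[:16])
	return m
}

// ToFetch is the device-side half of convergence: given the tokens a device last
// applied (Identifier -> ServerToken), return the identifiers it must re-fetch.
func ToFetch(m Manifest, applied map[string]string) []string {
	var out []string
	d := m.Declarations
	for _, items := range [][]ManifestItem{d.Activations, d.Configurations, d.Assets, d.Management} {
		for _, it := range items {
			if applied[it.Identifier] != it.ServerToken {
				out = append(out, it.Identifier)
			}
		}
	}
	return out
}

func main() {
	// Constructed policy: an alphanumeric passcode of at least 8 characters, activated everywhere.
	cfg, _ := NewDeclaration("com.apple.configuration.passcode.settings", "cfg.passcode",
		map[string]any{"RequireAlphanumericPasscode": true, "MinimumLength": 8})
	act, _ := NewDeclaration("com.apple.activation.simple", "act.all",
		map[string]any{"StandardConfigurations": []string{"cfg.passcode"}})
	out, _ := json.MarshalIndent(BuildManifest([]Declaration{cfg, act}), "", "  ")
	fmt.Println(string(out))
}
```

The point of the content-derived token is operational: an admin who re-saves an unchanged policy generates no fleet-wide churn, while a real change moves exactly one token and every device pulls exactly that declaration on its next sync.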

Reference architecture for a custom iOS MDM

A production iOS MDM is not one service; it is half a dozen services with sharp boundaries. Here is the shape that keeps audits calm and on-call rotations short.

| Component | Responsibility | Typical choice | Audit pain if missing |
|---|---|---|---|
| MDM core | Enrollment, check-in, command queue, DDM state | Swift Vapor, Go (NanoMDM), Node/Fastify | Critical |
| APNs dispatcher | Sends silent push wake-ups, handles retries | Workers + Redis, APNs provider (HTTP/2) | High |
| PKI & certificate service | SCEP/ACME issuance, rotation, CRL | step-ca, Vault PKI, EJBCA | Critical |
| Admin console | Fleet view, profiles, policies, search, RBAC | React/Next.js + design system | Medium |
| Audit log & SIEM forwarder | Every command, ACK, policy change, cert event | Append-only store + Splunk/Sentinel HEC | Critical |
| Identity integration | SAML/OIDC, SCIM provisioning, group mapping | Okta, Azure AD, Google Workspace | High |
| Data store | Device state, command history, policies | PostgreSQL (primary), Redis (queue) | Critical |

The core technology stack

You do not have to implement the MDM protocol from scratch. Two open-source projects give you a credible, battle-tested base.

NanoMDM. A Go implementation of the Apple MDM protocol. Stateless-ish, pluggable storage, HTTP-first. Pair it with nanodep for DEP/ABM integration; both are on GitHub. This is the modern baseline — most custom builds we consult on ship from here.

MicroMDM. An older, macOS-friendly Go server. Still useful as a reference for enrollment and push flows, though active feature work has shifted to NanoMDM.

If you prefer Swift. Vapor is a first-class choice — same language as your device side, strong concurrency story after Swift 6, and easy macOS dev. For large fleets the Go implementations still win on memory footprint per connection.

The rest of the stack we keep boring on purpose:

  • PostgreSQL for device state, command history, policies — JSONB columns for command payloads keep queries simple.
  • Redis for the APNs dispatcher and retry queue.
  • step-ca or HashiCorp Vault PKI for SCEP/ACME issuance — both are production-ready and support short-lived certs.
  • Next.js + TypeScript for the admin console; OpenAPI generated clients so the frontend can’t drift from the server.
  • OpenTelemetry everywhere. The day you lose push to a region, tracing pays for itself.

Need a second opinion on NanoMDM vs Vapor?

We’ve shipped custom iOS management tooling in both stacks. A 30-minute architecture review usually saves weeks of rewrites.


Commercial MDM platforms compared

Before you commit to a custom build, you should be able to explain — in one sentence — why each of the tools below is the wrong fit. That sentence is your business case.

| Platform | Approx. price / device / mo | Platforms | Best for | Why you’d skip it |
|---|---|---|---|---|
| Jamf Pro | ~$4–$5 | Apple only | Apple-first enterprises, education | Price climbs steeply at scale; Apple-only |
| Kandji | ~$4–$7 | Apple only | Design-led Apple shops, automation-heavy | Limited custom workflow surface |
| Mosyle | ~$1.50+ | Apple only | SMBs, K-12, tight budgets | Shallower enterprise controls |
| Microsoft Intune | Included in M365 E3/E5 | Multi-OS | Microsoft-centric shops | Apple UX lags Jamf/Kandji |
| Hexnode | ~$1–$4 | Multi-OS | Mixed fleets, kiosks | UX variability, reporting depth |
| Scalefusion | ~$2–$5 | Multi-OS | Field / rugged hardware | Less Apple-native polish |

Prices are directional, often list-only, and usually negotiable at fleet scale. Treat them as anchors, not bids.

Cost model: what a custom build really costs

A realistic year-one budget for a production-grade custom iOS MDM, delivered with Agent Engineering by a small senior team, lands in four buckets. Your numbers will sit inside these ranges if scope is disciplined.

| Bucket | Scope | Typical Y1 range | Y2+ range |
|---|---|---|---|
| Engineering build | Core MDM, DDM, admin, enrollment | $200k–$350k | $90k–$140k |
| PKI & certificate ops | SCEP/ACME, HSM, rotation automation | $15k–$40k | $10k–$25k |
| Infrastructure | Cloud compute, DB, logs, APNs relay | $15k–$40k | $20k–$50k |
| Compliance evidence | SOC 2 Type II, HIPAA, pen test | $30k–$80k | $25k–$60k |

A mid-market build with one compliance regime typically lands near $260–$400k in year one and $140–$200k in steady state. If we are quoting for your specific fleet and integrations, we try to come in below these numbers thanks to Agent Engineering; when in doubt we under-promise and keep contingency in the plan.

Timeline: from prototype to production

A well-scoped custom iOS MDM moves through four phases. We publish schedules as tables, not Gantt images, so they stay legible on mobile.

| Phase | Weeks | Outputs | Risk if skipped |
|---|---|---|---|
| 1. Discovery & protocol spike | 1–2 | ABM tenant, push cert, a device that enrolls against a toy server | Scope creep, vendor surprises |
| 2. Prototype | 3–6 | Enrollment, command queue, 3–5 profiles, minimal admin UI | Hidden protocol gaps discovered late |
| 3. Production build | 6–12 | DDM, RBAC, audit, SCEP, IdP, SIEM, reporting | Security gaps, operational debt |
| 4. Pilot & rollout | 4–8 | 50–200-device pilot, runbooks, on-call rotations | Day-one outages, loss of trust |

End to end: 14–28 weeks is honest. Anything faster either reuses a previous build or accepts shortcuts that will hurt during your first audit.

Mini case: what we learned shipping fleet-scale iOS tooling

Situation. On V.A.L.T., a video surveillance platform now used by 700+ police departments, child advocacy centers and medical institutions, iPads act as controlled interview recorders. The device has to stay locked to one experience, survive OS updates, never leak evidence and be instantly revocable if lost. Off-the-shelf MDM handled the basics but couldn’t guarantee the chain-of-custody workflow investigators needed.

Plan. Over a twelve-week engagement we extended the product with a thin MDM-shaped control layer: supervised ADE enrollment, DDM-driven Single App Mode, SCEP-issued short-lived certificates, signed audit events piped into the client’s existing SIEM, and remote evidence wipe with tamper-evident logging. The rest of the MDM surface we deliberately left to Apple’s native tools.

Outcome. Enrollment time dropped from ~22 minutes per device (manual) to under 3 minutes via ABM. Certificate-related support tickets fell to essentially zero after automated rotation. The same pattern informed our CirrusMED and MyOnCallDoc HIPAA telemedicine builds, where the same certificate and audit machinery had to survive an external assessor’s review.

Want a similar assessment? Send us your current MDM pain points and device count — we’ll map a 12-week plan. Book a 30-minute scoping call.

Security and compliance (HIPAA, SOC 2, GDPR)

An MDM holds the keys to every device in your business. Treat it as a Tier-0 system.

1. Certificate discipline. MDM push cert rotates yearly with a hard Apple deadline. SCEP/ACME client certs should be short-lived (hours to days) and auto-renewed. Store CA keys in an HSM or a KMS-wrapped key; no private keys on the app server disk.

2. Zero-trust network posture. Every admin action behind SSO + phishing-resistant MFA (WebAuthn). Every device command signed by an identity tied to a human. No shared admin accounts, ever.

3. HIPAA and SOC 2 evidence. Append-only audit log, encryption at rest with KMS keys, documented incident response, Business Associate Agreement for any sub-processor handling device data. Budget 3–6 months for SOC 2 Type II evidence accumulation after the system is stable.

4. GDPR and data residency. Device inventory is personal data. Offer regional deployments (EU, UAE) where required, document your lawful basis, and expose admin data-access endpoints for DSR (Data Subject Request) workflows.

5. App and content controls. Pair MDM with app-level hardening. Our iOS app optimization playbook and accessibility playbook describe the device-side controls that pair with MDM policies.

The five pitfalls that kill custom MDM projects

1. Expired APNs push certificate. Apple’s MDM push cert is valid for one year. Miss the renewal and every device goes silent — no lock, no wipe, no new configuration. The fix is never a crisis drill: set a calendar 60 days out, automate CSR generation from your admin console, and alert on ExpiresAt < now() + 30d.

2. DEP profile mis-assignment. In Apple Business Manager you can assign the wrong profile to a batch of devices, and they will silently enroll unsupervised. The recovery is a full wipe. Treat profile assignments as code; promote them through staging; peer-review before production.

3. Silent command-queue races. Device checks in, a command is popped, processing fails, but the device never sees an error. Keep an explicit command state machine: queued → sent → acked (or failed). Retry with idempotency tokens. Every transition is an audit log line.

4. Regional APNs latency and egress blocking. Enterprise proxies that don’t allow TCP 443 / 2197 to Apple’s APNs ranges cause intermittent failures that look exactly like bugs in your code. Validate outbound connectivity in your device health check before blaming the server.

5. Shipping without DDM. If your custom MDM only speaks legacy commands, you’ll be unable to manage software updates, declarative configurations, and new restriction surfaces. You will be forced to rewrite within a year. Don’t defer DDM to a phase 2 that never arrives.
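The command state machine from pitfall 3, as an added example in Go that is not code from this post or from NanoMDM: explicit states, re-delivery capped at MaxAttempts (a cap this example adds so a command the device never reports on cannot block its queue forever), idempotent handling of duplicate reports keyed by CommandUUID, and one audit line per transition. Device and command identifiers are constructed placeholders.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// State is the explicit lifecycle of one queued MDM command.
type State string

const (
	Queued State = "queued" // waiting for the device's next check-in
	Sent   State = "sent"   // handed to the device, awaiting its status report
	Acked  State = "acked"  // device reported Acknowledged (terminal)
	Failed State = "failed" // Error/CommandFormatError or retries exhausted (terminal)
)
const MaxAttempts = 3 // re-deliveries before a command the device never reports on fails

// Command is one row of the command table; UUID doubles as the idempotency token.
type Command struct {
	UUID, UDID, RequestType string
	State                   State
	Attempts                int
}

// Queue keeps per-device commands in order plus an append-only audit trail
// (one Audit line per transition, which is what the SIEM forwarder ships).
type Queue struct {
	mu    sync.Mutex
	cmds  map[string]*Command // by UUID
	order map[string][]string // UDID -> UUIDs in enqueue order
	Audit []string
}

func NewQueue() *Queue {
	return &Queue{cmds: map[string]*Command{}, order: map[string][]string{}}
}

func (q *Queue) transition(c *Command, to State, why string) {
	q.Audit = append(q.Audit, fmt.Sprintf("%s udid=%s uuid=%s type=%s %s->%s attempt=%d %s",
		time.Now().UTC().Format(time.RFC3339), c.UDID, c.UUID, c.RequestType, c.State, to, c.Attempts, why))
	c.State = to
}

func (q *Queue) Enqueue(udid, uuid, requestType string) {
	q.mu.Lock()
	defer q.mu.Unlock()
	c := &Command{UUID: uuid, UDID: udid, RequestType: requestType}
	q.cmds[uuid] = c
	q.order[udid] = append(q.order[udid], uuid)
	q.transition(c, Queued, "enqueued")
}

// Next hands the device its head command and marks it Sent. A command still Sent (the
// device checked in again without reporting on it) is re-sent up to MaxAttempts, then fails.
func (q *Queue) Next(udid string) (Command, bool) {
	q.mu.Lock()
	defer q.mu.Unlock()
	for _, uuid := range q.order[udid] {
		c := q.cmds[uuid]
		if c.State != Queued && c.State != Sent {
			continue
		}
		if c.Attempts >= MaxAttempts {
			q.transition(c, Failed, "retries exhausted")
			continue
		}
		c.Attempts++
		q.transition(c, Sent, "delivered on check-in")
		return *c, true
	}
	return Command{}, false
}

// Report applies the device's status to the command it names (an Idle report names none).
// NotNow returns the command to Queued; anything else is terminal; a report on a command
// that is already terminal is logged and ignored. The report must come from the device the
// command was queued for: in production, tie udid to the client-certificate identity.
func (q *Queue) Report(udid, commandUUID, status string) error {
	q.mu.Lock()
	defer q.mu.Unlock()
	if commandUUID == "" {
		return nil
	}
	c, ok := q.cmds[commandUUID]
	if !ok || c.UDID != udid {
		return fmt.Errorf("report for unknown command %s from %s", commandUUID, udid)
	}
	switch {
	case c.State == Acked || c.State == Failed:
		q.transition(c, c.State, "duplicate report ignored")
	case status == "Acknowledged":
		q.transition(c, Acked, "device acknowledged")
	case status == "NotNow":
		q.transition(c, Queued, "device busy, will retry")
	default: // Error, CommandFormatError or anything unexpected: fail closed and record it
		q.transition(c, Failed, "device reported "+status)
	}
	return nil
}
```

The two checks that matter for an audit are the ones that are easy to skip: a report is only accepted from the device the command was queued for, and a duplicate report changes nothing but still leaves a line in the log, so a replayed or late acknowledgement is visible rather than silently re-applied.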

A decision framework in five questions

Q1. What is our three-year fleet projection? Under 500, stay on commercial. 500–1,500, model carefully. Over 1,500 or with rapid growth, custom pays.

Q2. Which integrations do we own end-to-end? If your identity (Okta/Azure AD), SIEM (Splunk/Sentinel), ticketing (ServiceNow/Jira), and HR system all need deep, bidirectional data flows, custom is easier to make clean than stitching four vendor APIs.

Q3. What does our regulator want to see? If your auditor asks for full control-ownership evidence (HIPAA, SOC 2 Type II with direct controls, FedRAMP), custom shortens every future audit. If shared attestation is fine, buy.

Q4. How unusual is our device UX? Kiosks, clinical carts, broadcast iPads, body-cam-adjacent hardware — these need workflows that commercial MDMs serve adequately at best. Custom is how the device becomes product-grade.

Q5. Do we have, or can we hire, one senior platform engineer who owns this long term? Custom MDM without a named owner decays fast. If the answer is no, stay on commercial until it is yes.

KPIs: what to measure after launch

1. Quality KPIs. Enrollment success rate (target > 99%), command ACK latency (p50 < 30s, p99 < 5 min), DDM convergence time (target < 10 min), percentage of devices on latest supervised policy (> 98%).

2. Business KPIs. IT onboarding time per new hire (target < 15 min from HR trigger to productive device), tickets per device per quarter (target < 0.2), license-replacement savings vs commercial baseline, device loss/theft mean-time-to-revoke (target < 10 min).

3. Reliability KPIs. MDM service uptime (target 99.9%+), APNs push success rate (target > 99.5%), cert-rotation success rate (target 100%), mean time between incidents touching the device layer.

When NOT to build a custom iOS MDM

There are four clean signals that tell you to stay on a commercial MDM and spend your engineering budget elsewhere.

  • Your fleet is, and will stay, under a few hundred devices.
  • Your compliance posture is covered by any one of Jamf, Kandji, Mosyle, Intune or Hexnode’s shared attestations.
  • You don’t have a long-lived engineering team that will own the platform for 3+ years.
  • Your integrations are stable, common, and already supported out-of-the-box by your preferred commercial vendor.

Custom MDM is a strategic investment, not a cost-saving hack. If you don’t need strategic control, buy and move on.

Stuck between Jamf and a custom build?

We’ll review your fleet size, compliance regime and integration list and tell you honestly which path saves you more pain over five years.


FAQ

How is a custom iOS MDM different from a standard off-the-shelf MDM?

A custom iOS MDM speaks the same Apple protocol as Jamf, Kandji or Intune, but you own the data model, the admin UX, the integration layer, and the audit trail. That ownership matters when fleet scale makes per-device fees painful, when your regulator wants direct evidence, or when the device is part of a product you sell to customers.

Do I need Apple Business Manager to build an iOS MDM?

Yes for every serious use case. ABM is where you register your MDM server, create Managed Apple Accounts, and assign devices to automated enrollment. BYOD via Account-Driven User Enrollment still requires ABM to mint Managed Apple Accounts.

Which stack do you recommend for a greenfield custom iOS MDM in 2026?

NanoMDM (Go) as the protocol core, PostgreSQL for state, Redis for the push queue, step-ca or Vault for PKI, Next.js + TypeScript for the admin console, and Okta/Azure AD for identity. If your team is Swift-native, Vapor is a credible alternative for the core.

How long does a production-ready custom iOS MDM take to build?

Expect 3–6 weeks to a first working prototype and 3–5 months to a production-grade system with DDM, RBAC, SIEM, SCEP automation and an admin console fit for external users. With Agent Engineering we usually land at the faster end of that range.

What are the biggest technical challenges in iOS MDM development?

Certificate management (APNs annual rotation, SCEP/ACME client cert issuance), Declarative Device Management adoption, reliable APNs dispatch at scale, and an auditable command queue. None are conceptually hard; each has sharp edges that catch first-time builders.

Can the same server manage both iOS and Android?

Practically, no. Apple’s MDM protocol and Google’s Android Management API share roughly zero wire format. You build two protocol adapters behind a common admin and policy model, which is feasible but roughly doubles the build effort on the protocol side.

How secure is a well-built iOS MDM in practice?

Very. The iOS device is sandboxed and supervised, every payload is signed, transport is mutual TLS, and APNs carries no sensitive content. The risk surface is almost entirely on your server: key storage, admin identity, and audit integrity. Get those right and the overall system is hard to attack remotely.

What happens if APNs or SCEP certificates expire?

APNs expiry: commands to all devices silently fail until you renew. SCEP client cert expiry: individual devices lose mutual TLS and go dark until they refresh. Both must be monitored and auto-renewed; certificate expiration is the single most common outage cause in custom MDM systems.

Can I publish the admin app on the App Store?

Almost always the admin app is a web console, not a mobile app. If you ship a companion iOS app for field IT or managers, you can publish it on the App Store or distribute in-house through Apple Business Manager, depending on whether it’s customer-facing.


Ready to own your iOS device layer?

Build a custom iOS MDM when your fleet is large, your compliance needs are deep, or the device is part of the product. Buy commercial otherwise. In either case, make Declarative Device Management the default, run certificate rotation like a Tier-0 service, and measure enrollment, command latency and cert success with the same rigour you apply to any other piece of production infrastructure.

Fora Soft has spent the last decade building iOS platforms where device control is a feature, not a chore. If you’re weighing a custom iOS MDM, we can save you weeks of dead-end research and get you to a confident build-or-buy decision in one call.

Ready to scope your custom iOS MDM?

Tell us your fleet size, compliance regime and integration list. We’ll come back with a realistic build-vs-buy plan and a timeline you can sell internally.
