
MDM for laptops? No thanks. It's a world of security theatre - the main purpose of which seems to be to stop me doing my job. Also it invariably means Windows.


MDM doesn't have to be a heavy-handed thing and solutions exist for macOS at least. Even something that just makes sure the OS and critical apps always have the latest security patches - and ideally pushes those changes when it’s not disruptive to the host – can go a long way.


Doesn't have to be, invariably is in my experience. I prefer the approach of taking the phrase Zero Trust literally.


From what I can remember when I set this up last, all our MDM did was:

- Ensure full disk encryption

- Time limit on how long people can defer OS upgrades

- Report on software installed and versions

- Enforce somewhat complex password

- Enforce password after screen has become locked

- Allow us to remote wipe the machine if lost/stolen

It didn't stop you from installing / uninstalling anything - even itself. Although if your machine stopped phoning home for a certain amount of time we had some alerts set up for the IT support team to follow up.


At startups, MDM almost invariably means Macs; it's usually some mixture of Jamf and osquery.


Unfortunately yes - I was in charge of this decision at a previous employer and I went with Macs+JAMF even though I'm a die-hard Linux user. My workaround was to run a fullscreen Linux VM but that does defeat the purpose somewhat.

I'm hoping things are better now - I think Canonical have some sort of MDM for Ubuntu but I couldn't figure out how to pay for it.


I'm trialing fleetdm atm. It works on all 3.


I'm also in the market for some kinda MDM setup that will work on BYOD dev Linux hosts without annoying developers... How are you finding fleetdm?



