General Details


Employee Onboarding


Configurations and Hardening

CIS Level 1 CIS Level 2

Patch Management


Initial Savings


To bring devices into desired state for security, software patching, and management.

Annual Management Savings


To maintain desired state for security, software patching, and management.

Annual Support and Troubleshooting Savings


Cycles spent waiting for support and problem solving.

Total Year 1 Savings


Learn more about the methodology and the inputs that power the calculations.

Time and Effort Assumptions

| Section | Item | Initial Time (hrs/year) | Annual Management Time (hrs/year) |
|---|---|---|---|
| Configuration & Hardening | Hours to Build CIS Level 1 | 48 | 28 |
| | Hours to Build CIS Level 2 | 60 | 35 |
| Patch Management | Hours to Build App Updates | 120 | 20* x each app |
| | Hours to Build Mac OS Updates | 24 | 5** x each update |
| Support & Troubleshooting | Hours for Support Tickets | | 18*** |

* Assumes a flat rate of 20 hours for each app, independent of the number of app updates per year.

** Includes time to follow up with non-compliant employees. Assumes 12 OS updates per year.

*** Assumes a flat rate of 18 hours for support tickets per year. These may vary based on the number of systems, number of employees, and number of apps.


To streamline cost calculations when there are a multitude of variables and differences unique to each situation, we use certain conservative assumptions as a baseline before factoring in inputs. Those assumptions are based on industry averages, data from Apple platform engineers, and interviews with customers of other MDM products. Our calculations also assume that your company is either building or is maintaining a mature security program, manages all devices, and patches all software, while striving to provide a good employee experience on Apple devices.

Total costs do not take into account the potential costs of failing to maintain a strong security posture, which is beyond the scope of this calculator.

The questions and inputs provided in this calculator assume that your organization is using an MDM solution that does not provide the many automations, prebuilt workflows, and employee experience components that are built into Kandji.

How and why various inputs in the calculator affect the total cost:

  1. The number of Mac computers (or a percentage of the total) is used with other outputs from the calculator. This is an input to costs or activities that scale based on the number of computers.

  2. The annual salary is converted into a cost per hour. This is multiplied by other outputs from the calculator to feed into the total cost.

  3. This percentage is multiplied by the number of new computers projected to be deployed in the coming 12 months. Each new computer that the IT team has to physically interact with takes additional time and shipping expense. This step allocates a $20 shipping cost and additional 20 minutes of labor for the handling and logistics.

  4. This step multiplies the cost of a platform engineer’s time by the time it takes to configure a new computer. The product is multiplied by the number of new computers that will need to be deployed.

  5. There are over 90 security controls for Mac that match to corresponding CIS Level 1 and CIS Level 2 benchmarks. 40 to 50 of these cannot be enforced via Apple’s MDM profiles. This step takes into account the initial time it would take to find the appropriate controls for Mac to meet CIS Level 1 or CIS Level 2, and to test and deploy the scripts or profiles needed. For ongoing cost, this calculator assumes you enforce 70 percent of the selected benchmark’s controls, and that it would take several hours of a platform engineer’s time every month to check on these and take action where needed.

  6. Most Mac apps that employees use at work are updated at least once per month and should be no more than 2 to 4 weeks out of date. A mature app-patching system must have package hosting, QA, end-user messaging on Mac computers, and update enforcement within the given deadlines. This calculator assumes a platform engineer is using a mix of third-party tooling and scripting to enable these updates. The initial build time for this is several weeks with an additional 30 minutes added for each app to be deployed. An ongoing time commitment of 1 hour for QA and implementation is calculated for monthly app updates that need to be rolled out.

  7. The calculator assumes that each app you have may need one critical update per year. Critical updates require additional implementation time to make the update available and enforce it across the fleet in an accelerated time frame. The calculator uses a range of 2 to 3 hours of additional implementation time when there are critical updates.

  8. The calculator assumes 12 macOS updates per year and that 1 hour is needed to deploy updates and 15 minutes for communication with any users who do not upgrade within given deadlines. This calculator assumes a platform engineer is using third-party tooling to QA and then deploy each OS update. MDM commands on their own can enforce updates most of the time, but rolling out a forced OS upgrade solely via MDM commands risks a negative employee experience and inconsistent results. A mature OS update program will not only automate the updates and upgrades, but also handle end-user messaging—providing intelligent prompts that let users delay updates while eventually enforcing them. It must be flexible enough to work with a user while keeping them compliant.

  9. Device management involves working with systems that are interconnected: Apple’s MDM protocol, operating systems, devices, configuration profiles, scripts, third-party apps, identity providers, integrations, and more. Those many moving parts can make troubleshooting tricky, and make it challenging to discover the best way to accomplish an organizational goal.

    Common practice for MDM vendors is to connect customers to tiered support teams with SLAs, which can let hours of time slip by before those customers get a response. Anything beyond the most basic questions must typically be escalated to higher tiers. All of this adds to operational overhead. Kandji support engineers, on the other hand, are all expert-level Mac admins and platform engineers.

    Cost savings for this category are calculated based on a baseline of 18 support interactions per year that scale with the number of computers, and 50 minutes saved with each. Time savings come from Kandji’s average 2-minute response times 24 hours a day, 5 days a week, and by getting help and advice directly from experienced Apple platform engineers—such as Kandji’s support engineers.