The perimeter moved into people's backpacks

There was a time when "the network" was a building, and security meant guarding the door. That world is gone. Your team works from apartments, coffee shops, and airport lounges, on laptops that hold source code, customer data, and the session tokens to every SaaS tool you run. The firewall didn't fail — it became irrelevant. The real perimeter is now the fleet of endpoints scattered across the country, and each one is a door to everything behind it.

For a lean team this is good news, oddly, because endpoint hardening is one of the few controls you can actually finish. You can't single-handedly fix the entire attack surface, but you can get every laptop encrypted, patched, and monitored — and that one push closes the breach path that shows up most in real incidents: a lost, stolen, or quietly compromised machine.

The baseline that covers the common cases

You don't need a defense-contractor build to be in good shape. You need a short, enforced baseline applied to every device — including the contractor's and the founder's:

  • Full-disk encryption, on and verified. FileVault on macOS, BitLocker on Windows. A stolen laptop with an encrypted disk is a lost asset; without it, it's a reportable data breach. This is the same logic as encryption at rest, applied to the device most likely to physically leave your control.
  • Automatic OS and browser updates. The endpoint is where unpatched software actually gets exploited, so the device fleet inherits the same urgency as your patch cadence — turn auto-update on and confirm it's reporting.
  • A screen lock with a short timeout. Unglamorous, and it defeats the most common physical compromise: the unattended unlocked laptop.
  • EDR or at minimum reputable, managed endpoint protection. Detection on the device feeds the same log and detection pipeline the rest of your program relies on; a laptop that can't tell you it's infected is a blind spot.
  • A remote-wipe and lock capability. When — not if — a device goes missing, you want a button, not a prayer.

The discipline is not the length of the list. It's that the list is applied to every device and you can show it.

MDM is what turns intentions into enforcement

A baseline written in a wiki is a wish. The thing that makes it real is mobile device management — a way to push the policy to every machine and, critically, to read back whether each one is actually compliant. Without MDM you're trusting that fourteen people each remembered to turn on encryption; with it, you have a dashboard that says which thirteen did and which one didn't.

That read-back is the whole point. An endpoint baseline isn't a control until you can answer "is FileVault on, right now, on every device?" with a fact instead of a hope. Enrollment also solves the messiest case — the asset inventory gap where a machine exists but security never knew about it. A device that isn't enrolled is, by definition, unmanaged, and unmanaged is a synonym for unmonitored and unpatched.

A non-compliant device is a finding, not a footnote

When MDM reports a laptop with encryption off or an EDR agent missing, that's not an item for a someday list — it's a finding with an owner and a clock, ranked by what the device can reach. A developer laptop with admin access to production and no disk encryption is a five-alarm fire; a kiosk that browses the public marketing site can wait behind it. This is the same exposure-first triage that governs the rest of the program, pointed at the fleet.

  • Route fleet drift into the same workflow as every other risk — owner, severity, deadline — rather than a separate spreadsheet nobody reads.
  • Tie severity to what the endpoint holds and touches, using your data classification: a machine that handles restricted data earns the strictest baseline and the shortest grace period.
  • Watch for drift, not just initial state. Encryption gets disabled to troubleshoot something and never re-enabled; an agent crashes and nobody notices. Coverage is a continuously verified number, not a one-time checkbox.

It feeds the audit, too

Every framework asks some version of "how do you secure the devices that access company data?" SOC 2's common criteria, ISO 27001's asset and operations controls, HIPAA's workstation-security safeguards — all of them want evidence that endpoints are encrypted, patched, and monitored. A clean MDM compliance report is exactly the artifact an assessor asks for, and it drops straight into continuous evidence collection so you're proving the control on an ongoing basis instead of scrambling the week before an audit.

One honest caveat: a platform can track which devices meet your endpoint baseline, surface the ones that don't, and keep that evidence current for an auditor — it organizes and proves the work. It does not by itself secure your laptops, make you compliant, or grant or guarantee any certification; the enrollment, the encryption, and the remediation are operational steps your team owns, and which framework obligations apply to you is a question for counsel.

The perimeter is now a backpack on a train. You can't guard the building anymore, but you can make every laptop in the fleet encrypted, patched, monitored, and wipeable — and prove it. For a lean team, that's the rare control that's both high-leverage and genuinely finishable.