From what I can remember when I set this up last all our MDM did was:
- Ensure full disk encryption
- Time limit on how long people can defer OS upgrades
- Report on software installed and versions
- Enforce somewhat complex password
- Enforce password after screen has become locked
- Allow us to remote wipe the machine if lost/stolen
It didn't stop you from installing / uninstalling anything - even itself. Although if your machine stopped phoning home for a certain amount of time we had some alerts set up for the IT support team to follow up.
- Ensure full disk encryption
- Time limit on how long people can defer OS upgrades
- Report on software installed and versions
- Enforce somewhat complex password
- Enforce password after screen has become locked
- Allow us to remote wipe the machine if lost/stolen
It didn't stop you from installing / uninstalling anything - even itself. Although if your machine stopped phoning home for a certain amount of time we had some alerts set up for the IT support team to follow up.