Author: prod

  • Meet Rich Durfee. The Guy Behind RichnTech.

    About the Founder

    Device management researcher. Endpoint security practitioner. Just a guy who thinks your devices deserve better.

    By Rich Durfee — RichnTech

    I’ll keep this simple because that’s kind of the whole point of RichnTech.

    I’ve spent the last decade working in IT. I started at the help desk, worked my way through macOS engineering, managed enterprise device fleets across multiple MDM platforms, and eventually led endpoint and mobility strategy for financial institutions. Along the way I picked up a Ph.D. in IT and Innovation Management, a Master’s in Business, and spent some time in the Marine Corps before any of that.

    But none of that is why I built this site.

    The Problem I Kept Seeing

    At every company I worked at, big and small, I saw the same thing. The enterprise IT teams had tools, budgets, and frameworks. They had Jamf and Intune and compliance dashboards and policies for everything. They were fine.

    But the small business down the street? The one with 30 employees using personal phones to check work email? They had nothing. No MDM. No BYOD policy. No idea what would happen if someone’s phone got stolen with the entire client list on it.

    And parents? They were handing iPads to their kids, setting up Screen Time once, and hoping for the best. Half of them didn’t know their kid had already figured out how to bypass it.

    The information to fix all of this existed. It was just locked behind enterprise jargon, vendor sales pitches, and whitepapers nobody outside a SOC team would ever read.

    I wanted to change that.

    What I Actually Do

    During the day, I work in Third-Party Cyber Risk Management at a major bank. My job is evaluating whether the companies we do business with have their security together, and a big part of that is looking at how they manage their devices, their endpoints, their access controls, and their policies. I see what good looks like. I see what bad looks like. And I see a lot of bad.

    That daily exposure to how organizations actually handle (or completely ignore) device security is what drives the content on RichnTech. Every guide, every review, every template is informed by what I see failing in the real world, not what looks good in a marketing deck.

    Before the risk management role, I spent years hands-on with the platforms I write about. I’ve deployed Jamf, Kandji, Mosyle, NinjaOne, and Intune in production environments, not demo accounts. I’ve written the enrollment workflows, built the compliance policies, configured the conditional access rules, and dealt with the 11 PM phone call when something broke. When I review an MDM platform on this site, it’s from experience, not a spec sheet.

    Why I Built the DMMM

    During my doctoral research, I kept coming back to one question: why is there no standard way for an organization to measure how mature their device management is?

    There are maturity models for software development, for cybersecurity programs, for data governance. But nothing for the devices that actually access all that data. So I built one.

    The Device Management Maturity Model is a five-level framework, from Level 1 (ad hoc, no visibility, no policies) to Level 5 (fully automated, zero-touch, continuous compliance). I validated it through published academic research, but the real value is practical. It gives any organization, from a 10-person startup to a 500-person company, a way to honestly assess where they are and a clear roadmap for where to go next.

    That framework powers everything on RichnTech. The self-assessment tool, the compliance mapping guide, the MDM recommendations. It all traces back to the DMMM.

    How I Can Help Your Business

    Here’s what I’ve learned after a decade of doing this: most device management problems aren’t technical problems. They’re awareness problems. The tools exist. Most of them are affordable. Some of them are free and already included in subscriptions you’re paying for. The issue is that nobody told you they were there or showed you how to set them up.

    That’s what RichnTech does.

    If you’re a small business owner, I’ll show you which MDM platform fits your budget and your fleet, give you a BYOD policy template you can actually use, and walk you through a 90-day plan to get your devices under control. You don’t need a six-figure security budget. You need the right 10-minute configurations and a written policy.

    If you’re an IT professional, I’ll give you honest platform comparisons, compliance mapping to the frameworks your auditors care about (NIST, ISO 27001, SOC 2, HIPAA, CIS Controls), and the DMMM as a benchmarking tool you can use internally or with leadership.

    If you’re a parent, I’ll walk you through every device in your house, step by step, with the actual menu paths and settings. Not a blog post that says “enable parental controls.” The actual buttons to press, in order, on every platform.

    The Personal Stuff

    I dedicated my dissertation to my mom, who passed away before she could see me finish it. She was the reason I started. Finishing was the hardest thing I’ve ever done without her here, and her belief in me is still the thing that pushes me forward when things get difficult.

    My wife Nicole has been my constant through every degree, every career change, and every late night building this brand. She keeps me grounded and honest, two things I need more than I’d like to admit.

    Outside of work, I’m into fitness. Home workouts and Peloton rides mostly. I think there’s a connection between how you take care of your body and how you take care of your technology: both require consistency, discipline, and a system that doesn’t rely on motivation alone.

    That’s me. That’s RichnTech. Device security, simplified, by someone who’s been in the trenches and built the framework to prove it.

    See Where You Stand

    Over the course of my career and doctoral research, I developed the Device Management Maturity Model, a framework that measures how well an organization manages, secures, and controls its devices. It started as an academic question and turned into something I wish every business had access to from day one.

    The DMMM Self-Assessment is built on that research. It takes less than 3 minutes, scores you across five dimensions of device management, and tells you exactly which maturity level your organization falls into, from Level 1 (no visibility, no policies, no plan) to Level 5 (fully automated and continuously compliant). No email required. No sales pitch. Just an honest look at where you stand.

  • Free MDM Tools You’re Already Paying For

    MDM Reviews // Hidden Gems

    By Rich Durfee, Ph.D. — RichnTech

    Before you spend a dollar on a third-party MDM platform, check what you already have. Three of the most widely used business platforms include device management features that most customers never activate. You might be sitting on a free MDM right now.

    Apple Business Manager — Completely free. Every business that owns Apple devices should be signed up for Apple Business Manager (ABM). It’s free, no strings attached. ABM gives you:

      • Automated Device Enrollment (ADE) — devices auto-enroll in your MDM when powered on.
      • Volume purchasing for apps — buy apps in bulk and distribute without Apple IDs.
      • Managed Apple IDs — work accounts separate from personal Apple IDs.
      • Device inventory by serial number.

    ABM isn’t an MDM itself — it’s the foundation that makes every Apple MDM work better. Sign up at business.apple.com.

    Google Endpoint Management — Included with Google Workspace. If your company uses Google Workspace (Business Starter at $7/user/month and above), you already have Google Endpoint Management. Go to your Google Admin console → Devices → Mobile & endpoints. You can: enforce screen lock requirements, require device encryption, remotely wipe devices, block compromised or rooted devices, approve or block specific apps, and set up Android Work Profiles for BYOD separation. For Android-heavy teams using Google Workspace, this eliminates the need for a separate MDM entirely. Most businesses using Workspace don’t even know this feature exists.

    Microsoft Intune — Included with Microsoft 365 Business Premium. Microsoft 365 Business Premium ($22/user/month) includes full Intune MDM capabilities. If you’re already paying for M365 Business Premium for Exchange, SharePoint, and Teams, you have Intune. You can:

      • Enroll and manage Windows, macOS, iOS, and Android devices.
      • Enforce compliance policies (encryption, passcode, OS version).
      • Set up conditional access — blocking non-compliant devices from accessing company email and apps.
      • Deploy applications.
      • Remote lock and wipe.

    Intune is arguably the most powerful MDM on this list, and it’s buried inside a subscription most businesses buy for email and Office apps.

    What the free tools can’t do: These built-in tools cover the fundamentals — enrollment, basic policy enforcement, remote wipe, and device inventory. What they lack compared to dedicated MDMs like Jamf, Kandji, or Hexnode includes: advanced automation and scripting, detailed compliance reporting and dashboards, patch management for third-party applications, endpoint detection and response (EDR), kiosk mode and advanced app management, and granular conditional access rules. For most small businesses under 50 devices, the free tools are more than enough to get from DMMM Level 1 to Level 3.

    The action plan:

      Step 1 — Check what business subscriptions you already have (Google Workspace? Microsoft 365?).
      Step 2 — Log into the admin console and find the device management section.
      Step 3 — Enable basic policies: require screen lock, require encryption, enable remote wipe.
      Step 4 — Enroll your devices.
      Step 5 — You just went from DMMM Level 1 to Level 2 or 3 without spending a cent on new software.

    When you outgrow these tools — when you need automated compliance, third-party patching, or advanced BYOD containerization — that’s when a dedicated MDM makes sense. But start with what you have.

    Ready to Level Up?

    See where your device management stands and get actionable next steps.

    Check Your DMMM Score

  • Hexnode vs. Mosyle vs. ManageEngine

    MDM Reviews // Comparison

    By Rich Durfee, Ph.D. — RichnTech

    Not every business is an all-Apple shop. If you have a mixed fleet — iPhones, Android phones, Windows laptops, maybe a few Macs — you need a cross-platform MDM. Jamf and Kandji won’t help you. Here are three cross-platform options compared on the dimensions that actually matter for small to mid-size businesses.

    Hexnode — Hexnode (by Mitsogo) is one of the most complete cross-platform MDMs available. It supports iOS, Android, Windows, macOS, ChromeOS, Linux, Fire OS, and Apple TV. Pricing starts at $1/device/month (Express tier) and goes up to $5.80/device/month (Ultimate) with annual billing and a 14-day free trial. Hexnode’s strength is breadth: kiosk mode, geofencing, remote troubleshooting, app management, content filtering, and compliance policies — all from one dashboard. It’s particularly strong for Android with support for Samsung Knox, Android Enterprise, and COPE/BYOD deployment models.

    Mosyle — Mosyle is Apple-focused but has expanded to support Windows and Android in recent years. Its free tier (Fuse) supports up to 30 Apple devices — making it one of the few MDMs with a genuinely free option for small teams. The paid Business tier adds advanced features like automated patching, identity management, and enhanced security. Mosyle’s standout feature is its integrated approach: device management, identity, endpoint security, and app management all in one platform. For Apple-heavy environments that also have a few Windows machines, Mosyle hits a sweet spot.

    ManageEngine Mobile Device Manager Plus — Part of the Zoho/ManageEngine ecosystem, MDM Plus supports iOS, Android, Windows, macOS, and ChromeOS. Pricing starts around $1.28/device/month for the cloud version. ManageEngine’s advantage is integration with the broader ManageEngine IT suite — if you already use ServiceDesk Plus, Desktop Central, or other ManageEngine products, MDM Plus plugs in natively. It offers containerization for BYOD, app management, remote troubleshooting, and compliance reporting. The interface is functional but not as polished as Hexnode or Mosyle.

    Ease of setup: Hexnode and Mosyle both offer guided setup wizards and same-day deployment for small fleets. ManageEngine has more configuration options upfront, which means more setup time but more flexibility. For a business owner without dedicated IT, Hexnode’s onboarding is the smoothest. For a team with some technical expertise, ManageEngine offers more granularity.

    BYOD handling: All three support work profile separation on Android and managed containers on iOS. Hexnode’s containerization is the most mature for mixed-OS environments. Mosyle’s BYOD handling is excellent for Apple but less proven on Android. ManageEngine offers solid container-based management across all platforms with clear separation of personal and corporate data.

    Pricing transparency: Hexnode publishes clear tiered pricing on their website. Mosyle has a free tier but paid pricing requires a sales conversation. ManageEngine publishes pricing but the feature matrix across tiers requires careful comparison. For budget predictability, Hexnode wins.

    RichnTech verdict: For mixed-fleet businesses under 200 devices, Hexnode is the strongest all-around choice — broadest platform support, clearest pricing, and the most complete feature set at the mid-tier. Mosyle is ideal if you’re 80%+ Apple with a few Windows machines. ManageEngine fits best if you’re already in the ManageEngine/Zoho ecosystem and want everything under one vendor.

  • Jamf Now — Honest Review for Small Business

    MDM Reviews // Review

    By Rich Durfee, Ph.D. — RichnTech

    Jamf is the most recognized name in Apple device management. It’s been around since 2002 — longer than the iPhone itself. But Jamf offers three different products (Now, Pro, and Business), and most small business owners don’t know which one they actually need. Here’s the honest breakdown of Jamf Now specifically, aimed at teams under 50 Apple devices.

    What Jamf Now actually is: Jamf Now is the simplified, self-service tier of Jamf’s product line. It’s designed for small businesses without dedicated IT staff. You create an account, enroll devices by sending an enrollment link or using Apple Business Manager for zero-touch, and then configure policies through a clean web dashboard. It costs $4 per device per month with no minimum commitment.

    What you can do with it:

      • Enforce passcode requirements (length, complexity, auto-lock timeout).
      • Require device encryption (FileVault for Mac, native for iOS).
      • Push Wi-Fi configurations so devices auto-connect to your network.
      • Distribute apps — either App Store apps via VPP or custom enterprise apps.
      • Restrict device features (camera, Bluetooth, AirDrop, iCloud backup).
      • Remote lock and remote wipe lost or stolen devices.
      • Create ‘Blueprints’ — reusable device configurations you can apply to groups of devices.

    What it can’t do: Jamf Now lacks the advanced features of Jamf Pro: no custom scripting, no extension attributes, no smart groups based on device criteria, no LDAP or Azure AD integration, and limited API access. There’s no conditional access — you can’t block a non-compliant device from accessing company email without pairing it with another identity provider. Patch management for third-party apps isn’t included. And there’s no endpoint security or threat detection.

    The enrollment experience: Enrolling devices is straightforward. For new devices purchased through Apple Business Manager, you can set up Automated Device Enrollment (ADE) so devices auto-enroll when they’re first powered on — zero-touch. For existing devices, you send an enrollment URL that employees open in Safari. The process takes about 2 minutes per device. Once enrolled, the Blueprint policies apply automatically.

    Compared to Kandji: Kandji starts at $1.60/device/month for iOS and offers 200+ prebuilt automations that Jamf Now doesn’t have. Kandji also includes built-in compliance templates for CIS, NIST, and SOC 2 — Jamf Now has nothing equivalent. For pure ease-of-use and automation, Kandji wins at a lower price. Jamf Now’s advantage is brand recognition and the upgrade path to Jamf Pro if you outgrow it.

    Compared to Apple Business Essentials: ABE starts at $2.99/device/month and bundles iCloud storage and AppleCare+ support. For a pure Apple small business that just needs basic device management plus support and storage, ABE might be the better value. Jamf Now offers deeper policy control and a more mature admin experience, but without the bundled extras.

    RichnTech verdict: Jamf Now is a solid starting point for small businesses with under 50 Apple devices who want real device management without the complexity of Jamf Pro. But at $4/device/month with limited automation, it’s not the cheapest option — and you’ll likely outgrow it if your needs become more sophisticated. Consider Kandji if automation matters, ABE if simplicity and Apple support matter, or Jamf Pro if you have IT staff who can leverage its full power.

  • How the DMMM Maps to NIST & ISO 27001

    The DMMM // Research

    By Rich Durfee, Ph.D. — RichnTech

    The Device Management Maturity Model (DMMM) isn’t an island — it’s designed to complement and reinforce the established cybersecurity frameworks that enterprises already use. Here’s how each DMMM level maps to specific controls in NIST SP 800-53, NIST SP 800-124 (Guidelines for Managing the Security of Mobile Devices), and ISO/IEC 27001:2022.

    DMMM Level 1 (Ad Hoc) → No framework alignment. At Level 1, none of the relevant NIST or ISO controls are satisfied. NIST SP 800-53 control CM-8 (Information System Component Inventory) requires organizations to maintain an inventory of system components. ISO 27001 control A.8.1 (Inventory of Assets) requires the same. Level 1 has neither. This is the gap that auditors will flag first.

    DMMM Level 2 (Reactive) → Partial CM-8, partial A.8.1. At Level 2, a device inventory exists but may be incomplete or manually maintained. This partially satisfies NIST CM-8 and ISO A.8.1 but fails on the automation and accuracy requirements. NIST SP 800-124 recommends centralized mobile device management — Level 2 organizations typically don’t have this. Auditors will note the control as ‘partially implemented’ with remediation required.

    DMMM Level 3 (Defined) → Satisfies multiple baseline controls. Level 3 organizations have an MDM deployed, written policies, and partially enforced security configurations. This maps to: NIST AC-19 (Access Control for Mobile Devices), NIST CM-6 (Configuration Settings), NIST CM-7 (Least Functionality), ISO A.6.2.1 (Mobile Device Policy), ISO A.8.1 (Asset Inventory), and portions of NIST SP 800-124’s mobile threat mitigation guidance. The gap at Level 3 is enforcement consistency — policies exist but aren’t universally applied.

    DMMM Level 4 (Managed) → Full compliance posture. Level 4 satisfies the enforcement and monitoring requirements that Level 3 misses. Continuous compliance monitoring maps to NIST CA-7 (Continuous Monitoring) and ISO A.12.4 (Logging and Monitoring). Automated policy enforcement satisfies NIST CM-6 at a higher assurance level. Selective wipe and data separation for BYOD devices address NIST MP-6 (Media Sanitization) and ISO A.8.3 (Media Handling). This is typically the minimum level required for SOC 2 Type II certification.

    DMMM Level 5 (Optimized) → Advanced and continuous. Level 5 adds zero-touch deployment, automated threat response, and integration with security orchestration platforms. This maps to NIST SI-4 (Information System Monitoring), NIST IR-4 (Incident Handling) with automated response, and ISO A.16.1 (Management of Information Security Incidents). Level 5 organizations can demonstrate to auditors not just that controls exist, but that they operate continuously and adapt to new threats automatically.

    Practical application: If you’re preparing for a SOC 2 audit, aim for DMMM Level 4. If you’re subject to HIPAA or handling classified data, Level 4 is the minimum with Level 5 as the target. If you’re a small business with no regulatory requirements, Level 3 puts you ahead of 90% of your peers. The DMMM gives you a roadmap that aligns with the frameworks your auditors and regulators already reference.

    This mapping is part of the peer-reviewed research behind the DMMM framework, published at Springer-level standards. The framework is designed to be academically rigorous while remaining practically actionable — because the best maturity model in the world is useless if it sits in a journal and never changes how organizations actually manage their devices.

  • The Cost of Being at DMMM Level 1

    The DMMM // Analysis

    By Rich Durfee, Ph.D. — RichnTech

    DMMM Level 1 — Ad Hoc — means no device inventory, no policy enforcement, no visibility, and no ability to respond when something goes wrong. It feels free because there’s no MDM subscription and no IT overhead. But Level 1 has a cost. It’s just hidden until something breaks.

    Cost #1: The undetected breach. Without device monitoring, you can’t detect when a device is compromised. The average time to identify a breach is 204 days according to IBM’s Cost of a Data Breach Report. At Level 1, that number is likely higher because you have no detection capability at all. Every day a breach goes undetected, the cost of remediation increases. The difference between a $50,000 incident and a $4.5 million incident is often just detection time.

    Cost #2: The regulatory fine. If your business handles personal data (and almost every business does), you’re subject to data protection regulations — HIPAA for healthcare, GLBA for financial services, FERPA for education, CCPA/CPRA for California consumers, GDPR for EU data. At Level 1, you cannot demonstrate compliance because you have no records of device management, no proof of policy enforcement, and no audit trail. Regulatory fines for data breaches where the organization failed to implement reasonable security measures range from $100,000 to $1.5 million per incident.

    Cost #3: The employee departure. We covered this in detail in our BYOD article, but the math is simple: every employee who leaves your company with company data on their unmanaged personal device is a data leak. At Level 1, you have no way to know what data they have, no way to remove it, and limited legal standing to demand its return if you never had a policy requiring its management.

    Cost #4: The lost device. A laptop is left in an Uber. A phone is stolen at a conference. At Level 1, you can’t remote wipe it. You can’t even confirm what data was on it. If it contained client records, you now have a reportable breach — notification obligations, credit monitoring costs, potential litigation. A $30/month MDM subscription would have given you remote wipe capability. The breach notification and remediation will cost $150,000 minimum.

    Cost #5: The insurance problem. Cyber insurance underwriters are increasingly asking about endpoint management as part of their application process. Organizations at DMMM Level 1 may face higher premiums, coverage exclusions, or outright denial. If you do have cyber insurance and you file a claim, but the investigation reveals you had no endpoint management in place, the insurer may deny the claim based on failure to maintain reasonable security controls.

    The total cost of being at Level 1 isn’t a fixed number — it’s a probability distribution. You might go years without an incident. But when one happens, the cost is 10x to 100x what you would have spent on prevention. An MDM platform costs $1 to $5 per device per month. A BYOD policy costs nothing but time. The DMMM exists to make this math obvious before the incident — not after.

  • DMMM Levels 1–5 Explained

    The DMMM // Framework

    By Rich Durfee, Ph.D. — RichnTech

    The Device Management Maturity Model (DMMM) is a framework I created to give organizations — and individuals — a clear way to assess where they stand when it comes to managing their devices. Most people have no idea how exposed they are. The DMMM fixes that by defining five levels of maturity, each with specific benchmarks and observable characteristics.

    Level 1 — Ad Hoc. No formal device management exists. Devices connect to company resources without enrollment, tracking, or policy enforcement. IT has no inventory of what devices exist, what operating systems they run, or what data they access. Passwords are ‘suggested’ but not enforced. Updates happen when individual users remember. If a device is lost, there’s no remote wipe capability. This is where most small businesses start — and many stay here without realizing the risk.

    Level 2 — Reactive. The organization is aware that device management is a problem but addresses it manually and inconsistently. There may be a spreadsheet tracking devices. Password requirements exist as policy but aren’t technically enforced. Updates are pushed via email reminders. When something goes wrong (a lost device, a breach), IT reacts — but there’s no proactive monitoring or prevention. The gap between Level 1 and Level 2 is awareness. The gap between Level 2 and Level 3 is tooling.

    Level 3 — Defined. An MDM platform is deployed and devices are enrolled. Written policies exist for device security, BYOD, and acceptable use. Screen lock requirements, encryption, and OS update policies are defined and partially enforced through the MDM. However, enforcement is inconsistent — some devices may be enrolled but not compliant, and there’s limited automated response to policy violations. This is where most organizations plateau, thinking they’re ‘done’ with device management.

    Level 4 — Managed. Policies are enforced automatically and continuously. The MDM platform monitors compliance in real time and takes automated action when devices fall out of compliance — quarantining access, sending alerts, or forcing remediation. IT has complete visibility into device inventory, OS versions, patch status, and application inventory. BYOD devices have work profiles with cryptographic data separation. Offboarding includes same-day device access revocation. This level requires mature IT processes and a well-configured MDM.

    Level 5 — Optimized. Device management is fully automated and integrated into the broader security ecosystem. Zero-touch deployment means new devices configure themselves upon activation without IT intervention. Continuous compliance monitoring feeds into SIEM or security dashboards. Threat detection on endpoints triggers automated response workflows. Patch management is automated with staged rollouts. The DMMM Level 5 organization treats device management not as a standalone function but as an integrated component of their security posture.

    Most organizations are at Level 1 or 2 and think they’re at Level 3. The DMMM self-assessment is designed to cut through that assumption with specific, observable criteria. Take the assessment and find out where you actually stand.
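
    An added example, not from RichnTech or the DMMM assessment: a Python check that runs the baseline from the “Free MDM Tools” action plan (screen lock, encryption, remote wipe) over a device inventory export and surfaces the Level 3 gap described above, devices that are enrolled but not compliant. The CSV columns, sample rows, minimum OS versions and the level-ceiling rule are assumptions made for the example.

```python
"""Baseline check over a device inventory export (added example, constructed data)."""
import csv
import io
from dataclasses import dataclass

# Constructed sample export. The column names are assumptions for this example,
# not the export format of any particular MDM or admin console.
SAMPLE_INVENTORY = """\
serial,owner,platform,enrolled,screen_lock,encrypted,remote_wipe,os_version
C02EXAMPLE01,alice,macOS,yes,yes,yes,yes,14.5
R58EXAMPLE02,bob,Android,yes,yes,no,yes,14
PF3EXAMPLE03,carol,Windows,yes,yes,yes,yes,10.0.19045
F2LEXAMPLE04,dave,iOS,no,,,,17.4
C02EXAMPLE05,erin,macOS,yes,yes,yes,,13.6
"""

BASELINE = ("screen_lock", "encrypted", "remote_wipe")
# Placeholder minimum OS versions chosen for the example; set your own.
MIN_OS = {"macOS": "14.0", "iOS": "17.0", "Android": "13", "Windows": "10.0.19045"}
FLAGS = {"yes": True, "true": True, "1": True, "no": False, "false": False, "0": False}


@dataclass
class Device:
    serial: str
    platform: str
    enrolled: bool
    settings: dict  # setting name -> True, False, or None (not reported)
    os_version: str


def to_flag(cell):
    """Map a CSV cell to True/False; blank or unrecognised values become None."""
    return FLAGS.get((cell or "").strip().lower())


def is_older(version, minimum):
    """Compare dotted versions numerically, so '14' equals '14.0' and 9.9 < 10.0."""
    a = tuple(int(p) for p in version.strip().split("."))
    b = tuple(int(p) for p in minimum.strip().split("."))
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def parse_inventory(csv_text):
    return [
        Device(serial=row["serial"], platform=row["platform"], enrolled=to_flag(row["enrolled"]) is True,
               settings={name: to_flag(row[name]) for name in BASELINE}, os_version=row["os_version"] or "")
        for row in csv.DictReader(io.StringIO(csv_text))
    ]


def failures(device):
    """Reasons a device misses the baseline; an empty list means compliant."""
    if not device.enrolled:
        return ["not enrolled in MDM"]
    reasons = []
    for name in BASELINE:
        state = device.settings[name]
        if state is None:
            reasons.append(f"{name}: not reported")  # unknown state fails closed
        elif state is False:
            reasons.append(f"{name}: disabled")
    minimum = MIN_OS.get(device.platform)
    try:
        if minimum is None:
            reasons.append(f"os_version: no minimum defined for {device.platform}")
        elif is_older(device.os_version, minimum):
            reasons.append(f"os_version {device.os_version} below minimum {minimum}")
    except ValueError:
        reasons.append("os_version: unparseable")
    return reasons


def fleet_report(devices):
    findings = {d.serial: failures(d) for d in devices}
    return {"total": len(devices), "enrolled": sum(d.enrolled for d in devices),
            "compliant": sum(not reasons for reasons in findings.values()), "findings": findings}


def level_ceiling(report):
    """Highest DMMM level the snapshot does not rule out (assumed reading, not DMMM scoring)."""
    if report["total"] == 0:
        return 1  # no inventory at all
    if report["enrolled"] < report["total"]:
        return 2  # devices are tracked, but some sit outside the MDM
    if report["compliant"] < report["total"]:
        return 3  # enrolled but not compliant: enforcement is inconsistent
    return 5      # clean snapshot; automated enforcement must be evidenced separately


if __name__ == "__main__":
    report = fleet_report(parse_inventory(SAMPLE_INVENTORY))
    for serial, reasons in report["findings"].items():
        print(serial, "OK" if not reasons else "; ".join(reasons))
    print("ceiling: Level", level_ceiling(report))
```

    A blank cell counts as a failure on purpose: a setting the console does not report is not evidence that the setting is on.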

  • Device Setup Sunday: The Weekly Series

    Parent Mode // Series

    By Rich Durfee, Ph.D. — RichnTech

    Welcome to Device Setup Sunday — a recurring series where we take one device per week and walk through the complete parental control setup from start to finish. No assumptions, no shortcuts, just the full configuration with screenshot-level detail.

    Why a weekly series? Because families don’t just have iPads. They have Android tablets, Nintendo Switches, Chromebooks, gaming consoles, smart TVs, and an ever-growing collection of connected devices. Each one has its own parental control system with its own settings buried in different menus. This series covers them all, one at a time.

    Week 1: iPad / iPhone (Apple Screen Time) — The complete Screen Time configuration including the three critical mistakes most parents make. Content restrictions, Downtime scheduling, App Limits by category, Ask to Buy, Siri restrictions, and preventing app deletion. This is the foundation post — see our full guide: Screen Time Settings Most Parents Set Wrong.

    Week 2: Android Tablet (Google Family Link) — Google Family Link setup from scratch: creating a child Google account, linking it to your family group, setting daily screen time limits, app approval requirements, content filtering in Google Play, SafeSearch enforcement, YouTube restricted mode, and location tracking. Key difference from Apple: Family Link works across devices, so settings follow the account, not the hardware.

    Week 3: Chromebook (Google Admin + Family Link) — Chrome OS has its own layer of parental controls on top of Family Link. Guest mode restrictions, managed browser settings, extension blocking, incognito mode disabling, and supervised user profiles. If your child uses a Chromebook for school, you also need to understand the difference between the school-managed profile and the personal profile.

    Week 4: Nintendo Switch — The Nintendo Switch Parental Controls app (separate mobile app) lets you set play time limits with alarms or forced suspension, restrict game ratings (ESRB), disable communication with other players, restrict social media posting, and require a PIN for restricted features. Most parents don’t know this app exists.

    Week 5: PlayStation / Xbox — Both Sony and Microsoft have comprehensive family settings: spending limits on the store, communication restrictions (voice chat, messaging), privacy settings for online profiles, content age ratings, and play time management. PlayStation uses Family Manager; Xbox uses Microsoft Family Safety — the same platform that powers Windows parental controls.

    Week 6: Smart TV & Streaming Devices — Netflix, Disney+, YouTube, and Roku all have separate parental control settings. Netflix profiles with maturity ratings, Disney+ content restrictions by age, YouTube restricted mode (which resets if you clear cookies), and Roku PIN requirements for purchases. The key insight: streaming app controls are separate from device controls — you need both.

    Follow along each week. Set aside 15 minutes on Sunday to lock down one device. By the end of the series, every screen in your house will be properly configured. We’ll link each full guide here as the series progresses.

  • Screen Time Settings Most Parents Set Wrong

    Parent Mode // Guide

    By Rich Durfee, Ph.D. — RichnTech

    Apple Screen Time is the most widely used parental control tool in existence — and it’s also the most misconfigured. Three specific mistakes undo almost everything you think you’ve set up.

    Mistake #1: Using the same passcode for Screen Time and device unlock. If your child knows the device passcode (which they do; they unlock it 50 times a day), and your Screen Time passcode is the same number, they can go into Settings → Screen Time and change every restriction you’ve set. They can extend their time limits, remove app restrictions, disable Downtime, and turn off content filtering. The fix: the Screen Time passcode must be a different 4-digit code that your child does not know.

    Mistake #2: Not restricting Siri web search. You set up Safari content restrictions, you limited adult websites, you feel secure. But your child asks Siri a question, and Siri pulls up unrestricted web results right on the screen. Siri’s web search bypasses Safari’s content filter entirely. Go to Screen Time → Content & Privacy Restrictions → Content Restrictions → Siri → Web Search Content → OFF. This closes the backdoor.

    Mistake #3: Not disabling app deletion. This one catches parents off guard. If TikTok shows up on the device, your child did not download it despite your restrictions: they downloaded it before you set restrictions, or they got it through a friend’s device via AirDrop. But here’s the real issue: if they can delete apps, they can remove the Family Link app, the Bark monitoring app, or any MDM profile you’ve installed. Preventing app deletion keeps your controls persistent. Go to Screen Time → Content & Privacy Restrictions → iTunes & App Store Purchases → Deleting Apps → Don’t Allow.

    Additional settings most parents miss: Turn off ‘Allow Changes’ for Passcode Changes and Account Changes in Content & Privacy Restrictions → Allow Changes. This prevents your child from changing the device passcode (locking you out) or modifying the Apple ID settings. Set Location Services to ‘Don’t Allow Changes’ so they can’t disable Find My. Set ‘Share Across Devices’ to ON so Screen Time settings apply across all their Apple devices, not just the iPad.

    The pattern here is clear: Apple gives you the tools, but buries them deep enough that most parents never find them. Every one of these settings takes less than 30 seconds to configure. The cost of not configuring them is your child having unrestricted access to the internet through a device you thought was locked down.

  • 3-Minute iPad Setup Most Parents Skip

    Parent Mode // Guide

    By Rich Durfee, Ph.D. — RichnTech

    You hand your kid an iPad. You set a passcode. Maybe you turn on Screen Time. You feel pretty good about it. But if you didn’t do the five things below, your child has more access than you think — and some of those gaps can’t be fixed after the fact.

    1. Set a SEPARATE Screen Time passcode. This is the number one mistake parents make. If your Screen Time passcode is the same as the device passcode, your child can change their own Screen Time settings. Go to Settings → Screen Time → Use Screen Time Passcode and set a 4-digit code that is DIFFERENT from the device unlock code. If your child already knows the device passcode, change it first, then set a new Screen Time passcode.

    2. Enable Content & Privacy Restrictions. Inside Screen Time → Content & Privacy Restrictions, turn this ON. Then configure: under iTunes & App Store Purchases, set Installing Apps to ‘Don’t Allow’ (or require approval). Under Content Restrictions, set web content to ‘Limit Adult Websites’ or ‘Allowed Websites Only.’ Set Music, Podcasts & News to ‘Clean.’ Set Movies, TV, and Apps to age-appropriate ratings.

    3. Turn on Ask to Buy. If your child is part of your Apple Family Sharing group, enable Ask to Buy for their account. Every app download, in-app purchase, and content acquisition requires your approval before it goes through. This applies across App Store, iTunes, and Apple Books. Go to Settings → Family → [child’s name] → Ask to Buy.

    4. Restrict Siri web search. Most parents don’t realize Siri can search the web and return unfiltered results — even when Safari has content restrictions. Go to Screen Time → Content & Privacy Restrictions → Content Restrictions → Siri → turn off ‘Web Search Content’ and ‘Explicit Language.’ Without this step, your content filtering has a backdoor.

    5. Disable the ability to delete apps. Kids are smart. If they figure out which app is monitoring or restricting them, their first move is to delete it. Go to Screen Time → Content & Privacy Restrictions → iTunes & App Store Purchases → Deleting Apps → set to ‘Don’t Allow.’ This prevents them from removing parental control apps, MDM profiles, or any app you’ve installed for monitoring.

    Bonus: Set Downtime and App Limits. Downtime creates a schedule where only apps you specifically allow are available — great for bedtime and homework hours. App Limits let you set daily time caps on categories (Social, Games, Entertainment) or specific apps. Both are in Settings → Screen Time.

    This entire setup takes about 3 minutes if you know where to look. Most parents don’t — which is why 82% of families with managed devices still have significant gaps in their controls. Do this before you hand over the device, not after your child has already figured out the workarounds.
