The UK Business Guide to Zero-Touch Mac Deployment (2026 Edition)

Q: Can I do zero-touch Mac deployment for free in 2026?

For small Apple-only teams, yes. Apple Business now includes free built-in MDM with Blueprints, which covers zero-touch enrolment, passcode and encryption enforcement, and app distribution at no cost. It is genuinely enough for teams under roughly 25 devices with no heavy compliance needs. The moment you need EDR, granular configuration profiles, SOC 2 or ISO 27001 reporting, or Windows and Android management, you need a full MDM like Jamf Pro, Microsoft Intune, or Iru.

Q: Can I zero-touch deploy a Mac bought from a retail store?

No. Zero-touch only works for devices bought through Apple directly or an Apple Authorised Reseller that is linked to your Apple Business account. A Mac bought from a consumer retailer will not auto-enrol. You can still bring it under management manually using Apple Configurator, but that defeats the point of zero-touch. Always buy through a business channel.

Q: How long does it take to set up zero-touch deployment?

Plan for around three weeks. Apple Business account verification takes 3 to 5 business days on its own, then you configure your MDM, link your reseller, build your enrolment profile or Blueprint, and run a pilot device before rolling out. Once it is set up, every future device is automatic. We typically have a UK business fully live within three weeks, including a tested pilot.

Zero-touch Mac deployment in 2026

You are likely wasting 4 to 6 hours per device on manual configuration.

Zero-touch deployment removes the need for anyone in IT to touch a laptop before it reaches the employee. You ship the shrink-wrapped Mac straight to your remote worker in Shoreditch, Manchester, or Edinburgh. They open the box, connect to Wi-Fi, and the device configures itself: your apps, your security policies, your settings, all without a human in the loop.

This guide covers the exact workflow for UK businesses, updated for the biggest change to Apple's enterprise tooling in years.

What changed in 2026: Apple Business

If you set this up before April 2026, the names have moved. On 14 April 2026, Apple replaced Apple Business Manager, Apple Business Essentials, and Apple Business Connect with a single free platform called Apple Business. The zero-touch machinery underneath is the same, but three things are worth knowing before you start:

Free built-in MDM. Apple Business now ships with its own management layer at no cost. For a small Apple-only team, you can run zero-touch without paying for a third-party MDM at all.
Blueprints. These are preconfigured bundles of settings and apps you apply to a device or an employee group. A Blueprint is what turns a boxed Mac into a ready-to-work machine on first boot.
MDM migration without a wipe. You can now reassign a device's Automated Device Enrolment from one management system to another without factory-resetting it. That makes starting on Apple Business and moving to Jamf or Intune later a low-risk decision rather than a one-way door.

The terminology also tidied up. The old Device Enrolment Program (DEP) is now Automated Device Enrolment (ADE), and the Volume Purchase Program (VPP) is now Apps and Books. Same features, current names.

1. How zero-touch works

The old way meant buying a Mac, shipping it to IT, creating accounts by hand, installing software, re-boxing it, and couriering it to the employee. Days of effort and a courier bill.

The zero-touch way:

Purchase. You buy the Mac from Apple or an Apple Authorised Reseller (Softcat, CDW, Jigsaw24).
Ship. The box goes straight to the employee's home.
Auto-enrol. They power it on. The Mac checks in with Apple, sees it belongs to your company, and pulls down your management profile through ADE.
Configure. Apps, security policies like FileVault, and Wi-Fi settings install automatically in 15 to 30 minutes, driven by your Blueprint or MDM.

The payoff for a UK business:

Speed. Provisioning drops from hours to minutes.
Cost. Savings of £150 to £300 per device in IT labour and shipping.
Security. Devices are Cyber Essentials ready and encrypted from first boot.

2. The prerequisites: Apple Business

Apple Business is the web portal where you claim ownership of your devices. It is free, but it requires verification.

How to register (UK process)

Go to business.apple.com.
Have your D-U-N-S Number ready (check the Dun & Bradstreet directory).
Make sure your company name matches your Companies House registration exactly.
Apple verifies you by calling your designated legal representative. Allow 3 to 5 business days.

Linking your reseller

This is the step people miss. You must link your hardware supplier to Apple Business, or the Macs you buy will not auto-enrol.

Find your Apple Business customer ID in the account settings.
Give it to your reseller (Softcat, Jigsaw24, Econocom, Vodafone Business).
Get their Reseller ID and add it to your account.

A Mac bought from a consumer retailer will not auto-enrol unless you process it manually with Apple Configurator first. Always buy through a business channel.

3. Choosing your management layer

Apple Business owns the device. Your MDM controls it. In 2026 you have a genuine free option for the first time, alongside the established platforms.

Management layer	Best for	2026 cost (indicative)
Apple Business built-in MDM	Small Apple-only teams under ~25 devices, no heavy compliance	Free
Jamf Pro	The Apple gold standard. Creative, media, pure-Apple fleets	$12.50 per Mac per month, 25-device minimum
Microsoft Intune	Businesses already on Microsoft 365. Mixed Windows and Mac	From £6.20 per user per month, often bundled in M365
Mosyle	Google Workspace users and cost-sensitive startups	From roughly £2 to £4 per device per month
Iru (formerly Kandji)	Automation and compliance, mid-market wanting one suite	Quote-based, ~100-device minimum

Our verdict: if you are a small Apple-only team, start with Apple Business built-in MDM and spend nothing. If you are a Microsoft shop, Intune is effectively free once you are on Business Premium or E3/E5. If you need deep control for creatives (Adobe suites, font management, scripting), Jamf Pro remains superior. We break the choice down in full in our Jamf vs Intune vs Iru comparison, and on when Apple Business built-in MDM is genuinely enough.

4. Identity: Microsoft and Google integration

Modern security means no local Mac passwords. You want employees signing in to their Mac with their corporate credentials.

Microsoft 365 shops (Platform SSO)

Platform Single Sign-On (PSSO) lets users sign in to the Mac with their Entra ID password. Change the M365 password and it syncs to the Mac. On macOS Tahoe 26, Apple's Simplified Setup makes PSSO enrolment cleaner than it has ever been. Configure the SSO Extension profile in your MDM with the Microsoft Team ID UBF8T346G9.

Google Workspace shops

Apple Business supports federated authentication and automated Managed Apple Account creation through your identity provider. Point identity at Google Workspace, and onboarding a new employee can provision their account without manual steps. Employees sign in with their Google credentials, managed from the Google Admin Console.

5. Security: FileVault and UK GDPR

Zero-touch lets you enforce UK compliance from the first boot, not as an afterthought.

FileVault encryption

You cannot risk an unencrypted laptop being left on a train. We cover the full picture in our GDPR and Mac data protection guide, but the essentials are simple:

Policy. Set the MDM or Blueprint to require FileVault.
Key escrow. Do not let users keep the recovery key. Escrow the Personal Recovery Key to your management dashboard, so you can recover corporate data if someone leaves or forgets their password.

Data minimisation and privacy

Under UK GDPR you must be transparent about what you monitor.

What you can see: serial number, OS version, managed apps, encryption status.
What you cannot see: iMessage contents, personal email, browser history, location (unless Lost Mode is active).
Action: publish an Acceptable Use Policy that spells out exactly what the MDM tracks.

6. The workflow: a step-by-step checklist

Follow this sequence so you do not strand a device mid-setup.

Phase 1: foundation (week 1)

Register for Apple Business and verify your domain (DNS TXT record).
Configure your MDM, including the APNs certificate.
Link your Reseller ID.

Phase 2: build (week 2)

Create your enrolment profile or Blueprint. Enable "install critical updates" and "await final configuration" so the user cannot reach the desktop until security apps are installed.
Customise Setup Assistant. Hide the Siri, Apple Pay, and Apple ID screens to speed onboarding.
Sync Apps and Books (formerly VPP) to push apps like Slack, Word, and Adobe silently.

Phase 3: pilot (week 3)

Order one test device and assign it to your MDM inside Apple Business.
Boot it on a guest Wi-Fi network, not your certificate-secured corporate network, to mimic the remote onboarding experience.

Troubleshooting: the chicken and egg

If your office uses certificate-based Wi-Fi, a brand-new Mac cannot join it, because it needs the certificate first, and it gets the certificate through enrolment, which needs the network. Always keep a guest WPA2 network available for initial enrolment, or have remote staff set up on home Wi-Fi.

Need help?

Zero-touch is simple once it works and fiddly to get right the first time, especially when you are integrating Intune with Jamf or untangling hybrid identity. We do this for London and UK businesses every week.

See how we run it on our Apple Business Manager and zero-touch deployment page, or book a free audit and we will map your setup. You can also read our full Mac business guide.

Frequently asked questions

What replaced Apple Business Manager for zero-touch deployment in 2026? On 14 April 2026, Apple consolidated Apple Business Manager, Apple Business Essentials, and Apple Business Connect into one free platform called Apple Business. Zero-touch works the same way underneath: devices link to your account, Automated Device Enrolment assigns them to your management system, and they configure themselves on first boot. The additions are Blueprints, which drive zero-touch, and free built-in MDM for teams that do not need a full third-party platform.

Can I do zero-touch Mac deployment for free in 2026? For small Apple-only teams, yes. Apple Business includes free built-in MDM with Blueprints, covering zero-touch enrolment, encryption and passcode enforcement, and app distribution. It is enough for teams under roughly 25 devices with no heavy compliance needs. Beyond that, you need a full MDM like Jamf Pro, Microsoft Intune, or Iru.

What is the difference between DEP and ADE? They are the same thing. Apple renamed the Device Enrolment Program to Automated Device Enrolment, and that name carries through to Apple Business. Volume Purchase (VPP) was likewise renamed and now sits under Apps and Books.

Can I zero-touch deploy a Mac bought from a retail store? No. It only works for devices bought through Apple or an Apple Authorised Reseller linked to your Apple Business account. A retail Mac will not auto-enrol. You can bring it under management manually with Apple Configurator, but that defeats the point. Buy through a business channel.

How long does it take to set up zero-touch deployment? Plan for around three weeks. Apple Business verification takes 3 to 5 business days, then you configure your MDM, link your reseller, build your Blueprint or enrolment profile, and pilot one device before rolling out. Once set up, every future device is automatic.