Onboarding

Apple onboarding checklist for a new hire

New-hire Apple setup is the single most common place small businesses lose time and make avoidable security mistakes. This is the repeatable checklist Arclion runs for clients so a new Mac, iPhone, or iPad reaches the employee already configured, already secured, and already assigned to the right person.

Published April 18, 2026 | 7 min read | By Arclion Managed Services

In this checklist

  • Before the device is unboxed
  • Device assignment and MDM flow
  • Accounts, apps, and data
  • Security baseline and ownership
  • Day-one handoff to the employee
  • What to document for offboarding

Before the device ships

What to line up before a Mac leaves purchasing

Most onboarding pain happens because a device arrives before the rest of the setup is ready. Every step below happens before the employee sees the hardware.

Confirm the employee is in the system of record

HR or the hiring manager should have the employee's full legal name, start date, work email, and role assigned before purchasing places the device order. Most mismatches downstream trace back to this step.

Pick the device role

Decide whether the device is an employee Mac, a shared iPad, a kiosk iPhone, or a field-use device. The role determines which MDM Blueprint or configuration profile applies, which apps are assigned, and which restrictions are enforced.

Buy through a linked channel

Devices should be purchased directly from Apple or through a linked Apple Authorized Reseller so they auto-enroll into Apple Business. Devices bought at consumer retail or through unofficial channels land outside Apple Business and need manual enrollment later.

Pre-create the Managed Apple Account

Create the employee's Managed Apple Account on the business domain in advance, issue credentials through the same channel the company uses for other SaaS access, and verify the account before shipment.

Device assignment

Getting the Mac into the right MDM, assigned to the right person

Once the device shows up in Apple Business, the steps below take only a few minutes if the foundation is clean. If any step is painful, the foundation itself usually needs work.

Step 1 — Confirm Apple Business assignment

Check Apple Business Devices to confirm the new serial number appears and is assigned to the company's default MDM server. If defaults are set correctly this happens automatically within a day of purchase.

Step 2 — Assign in MDM

In Mosyle, Jamf, Kandji, or Apple Business's built-in MDM, assign the device to the correct user, Blueprint or group, and location. This is what tells the device which policies, restrictions, and apps to pull on first boot.

Step 3 — Record ownership

Tag the device in inventory with the employee's name, role, start date, serial number, asset tag if used, and purchase date. Ownership that is not written down now becomes unrecoverable at offboarding.

Accounts and apps

What actually lands on the device on first boot

First boot should be boring. The employee signs in and the device is already close to ready. That requires everything below being queued up before the employee ever opens the box.

Identity and directory

The employee signs in with their Managed Apple Account and, where the business uses one, their identity provider (Google Workspace, Microsoft Entra, Okta, JumpCloud). Identity is the one thing that cannot be pushed cleanly after the fact.

Approved apps

Business apps assigned through Apps and Books install silently. Required apps for the role (password manager, VPN, Slack, 1Password, Microsoft 365, whatever applies) land from the MDM without the employee needing an admin password.

Mail, calendar, and storage

Email profiles and cloud storage access are configured in the MDM where possible. If the employee is setting these up manually on day one, that is a signal the MDM config needs more work, not a signal the employee needs more training.

Security baseline

The non-negotiable settings on every device

Every company-owned Mac, iPhone, and iPad should meet the same baseline before it reaches the employee. Skipping any of these is how small businesses accumulate risk that becomes a problem during an audit or a lost-device incident.

FileVault and passcode

Full disk encryption enabled, recovery key escrowed to the MDM, passcode or password policy enforced, automatic lock after a reasonable idle timeout. Every managed device, every time.

Updates and patching

Automatic OS updates enabled, with a small deferral window so IT can test major releases. App updates managed through the MDM rather than left to the employee. This is the single highest-leverage security control a small business has.

Admin rights approach

Decide in advance whether the employee gets a standard account or a local admin account, and document it. Mosyle and most MDMs support time-limited elevation so the employee can install approved software without holding permanent admin rights.

Find My and remote lock

Find My enabled on all devices so a lost laptop or iPhone can be tracked and wiped. Remote lock and wipe tested at least once, on at least one device, so you know the flow works before you need it.

Day one

The handoff to the employee

Day-one handoff should feel unremarkable to the employee. If it feels effortful, that effort is usually carried by a manager scrambling to catch things IT missed.

A short welcome document

One page: how to sign in, which apps are already installed, who to email for access to anything else, and the help-desk or IT inbox. Send it before the device arrives so the employee already knows the flow.

Verify first sign-in

A quick check-in on day one (or a simple automated check from the MDM) to confirm the employee actually signed in, the device enrolled, policies applied, and required apps installed. Catch failures now, not two weeks in.
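
One way to script part of that day-one check on the Mac itself, as an added example rather than Arclion's own tooling. It parses the output of the standard macOS commands `fdesetup`, `profiles`, and `defaults`; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: day-one baseline check for a managed Mac.
# Each check takes command output as text, so the logic can be tested off-device.

# `fdesetup status` prints "FileVault is On." when full disk encryption is enabled.
check_filevault() {
  case "$1" in
    *"FileVault is On"*) return 0 ;;
    *) return 1 ;;
  esac
}

# `profiles status -type enrollment` prints "Enrolled via DEP: Yes|No" and
# "MDM enrollment: Yes (User Approved)|No". Both must be Yes for a device that
# auto-enrolled through the linked purchase channel.
check_enrollment() {
  printf '%s\n' "$1" | grep -q '^Enrolled via DEP: Yes' &&
    printf '%s\n' "$1" | grep -q '^MDM enrollment: Yes'
}

# AutomaticCheckEnabled in com.apple.SoftwareUpdate is 1 when update checks are on.
check_auto_update() {
  [ "$1" = "1" ]
}

# Print PASS/FAIL per control; the return status is the number of failed checks.
baseline_report() {
  fails=0
  if check_filevault "$1"; then echo "PASS FileVault"; else echo "FAIL FileVault"; fails=$((fails + 1)); fi
  if check_enrollment "$2"; then echo "PASS enrollment"; else echo "FAIL enrollment"; fails=$((fails + 1)); fi
  if check_auto_update "$3"; then echo "PASS auto-update"; else echo "FAIL auto-update"; fails=$((fails + 1)); fi
  return "$fails"
}

if [ "$(uname -s)" = "Darwin" ]; then
  # On the Mac itself: feed in live command output.
  baseline_report "$(fdesetup status 2>&1)" \
    "$(profiles status -type enrollment 2>&1)" \
    "$(defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled 2>/dev/null)" \
    || echo "$? baseline check(s) failed"
else
  # Elsewhere: constructed sample output for a correctly configured device.
  sample_enroll=$(printf 'Enrolled via DEP: Yes\nMDM enrollment: Yes (User Approved)')
  baseline_report "FileVault is On." "$sample_enroll" "1" || echo "$? baseline check(s) failed"
fi
```

Recovery-key escrow, required apps, and first sign-in still have to be confirmed in the MDM console, since the device cannot report them reliably on its own. Where the MDM enforces update settings through a profile, the value may live in managed preferences instead, so treat a FAIL on the auto-update line as a prompt to check the MDM.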

Document for offboarding

Onboarding is also the quietest opportunity to set up clean offboarding. Record asset ownership, any personal accounts the employee signed into on work devices (they should not), and the expected return path when they leave.

Want Arclion to run this?

Onboarding is part of Managed service

Arclion's Managed service covers new-hire onboarding, offboarding, approved app deployment, and the documentation layer that makes the whole thing repeatable. Share the environment and Arclion will send back a clear next step.

What to send

  • Approximate company Apple device count
  • Current MDM (Mosyle, Jamf, Kandji, built-in, none)
  • How new hires get a device today, in one sentence