An MDM should be installed on all company-issued devices (mobile phones and tablets can be left out of scope for SOC 2).
- All employees will need to have an MDM in place.
- Contractors who do not have access to the production environment or sensitive customer information (information beyond customer name or basic information) are out of scope for the MDM solution.
An MDM is not a SOC 2 requirement; however, it simplifies meeting the SOC 2 device management requirements within the company. We recommend getting an MDM solution because it simplifies enforcing those requirements (e.g., OS patching, antimalware management, configuration management) on each employee's device.