
SOC 2 Endpoint Security: MDM, EDR, and Disk Encryption

Configure endpoint security controls for SOC 2 CC6.8. Covers MDM enrollment, EDR deployment, disk encryption, and collecting compliance evidence for auditors.

Key Takeaways
  • CC6.8 requires malware protection on all endpoints — EDR (CrowdStrike, SentinelOne) satisfies this for corporate devices.
  • MDM (Jamf, Intune, Kandji) provides enrollment tracking and compliance enforcement needed for SOC 2 evidence.
  • FileVault (macOS) and BitLocker (Windows) must be enabled and encryption keys managed centrally.
  • Endpoint compliance reports from MDM are the primary CC6.8 evidence artifact.
  • BYOD policies must define minimum security requirements and how compliance is verified.

Endpoints and SOC 2 CC6.8

Employee laptops and workstations are a significant attack surface. A phishing attack that compromises a developer's laptop can lead to credential theft and production system compromise. CC6.8 requires controls to prevent or detect malicious software, which extends to all endpoints that access production systems or sensitive data.

For SOC 2, the minimum endpoint security stack is: MDM enrollment (device management and compliance enforcement), EDR (malware and behavioral threat detection), disk encryption, screen lock with short timeout, and OS patch management.

MDM Deployment: Jamf, Intune, Kandji

An MDM solution is essential for SOC 2 because it provides: enrollment tracking (every corporate device is known and managed), compliance policy enforcement (devices that violate policy are blocked from accessing work resources), and compliance reporting (export a list of all devices with their compliance status as evidence).

Popular MDM tools for SOC 2: Jamf Pro/Now (macOS, iOS — preferred for Apple-heavy teams), Microsoft Intune (Windows, macOS — preferred for Microsoft-heavy organizations), Kandji (macOS — simpler setup, startup-friendly). All three integrate with conditional access in Okta or Azure AD to block non-compliant devices from authenticating.

Configure MDM compliance policies: require FileVault encryption, require EDR agent, require OS version above minimum, require screen lock with maximum 5-minute timeout, require no root/local admin for standard users.

EDR Configuration for CC6.8

Endpoint Detection and Response (EDR) tools monitor endpoints for malicious behavior — file modifications, process injections, network connections to malicious IPs, and lateral movement patterns. EDR is a stronger control than traditional antivirus because it detects behavioral anomalies, not just known signatures.

Leading EDR platforms for SOC 2: CrowdStrike Falcon (enterprise standard, excellent detection), SentinelOne (strong autonomous response), Jamf Protect (macOS-native, integrates with Jamf MDM), Microsoft Defender for Endpoint (built into Windows, also available for macOS).

Deploy the EDR agent via MDM to all corporate-managed devices. Configure the MDM compliance policy to require EDR agent installation — devices without the agent are marked non-compliant and blocked from accessing work resources via conditional access.

Disk Encryption: FileVault and BitLocker

Full disk encryption ensures that data on a lost or stolen device cannot be read without the encryption key. CC6.6 (encryption of sensitive data) applies to endpoints that store or cache sensitive data — and developer laptops accessing production data qualify.

macOS: enable FileVault in System Settings > Privacy & Security > FileVault. With Jamf, enforce FileVault via Configuration Profile and escrow the recovery key to Jamf. This allows IT to recover data from a device even if the user loses their password.

Windows: enable BitLocker in Control Panel > BitLocker Drive Encryption. With Intune, enforce BitLocker via compliance policy and escrow recovery keys to Azure AD or Intune. Verify encryption status via MDM compliance report.

Screen Lock and OS Patching Policies

Screen lock (requiring authentication after inactivity) prevents unauthorized physical access to an unlocked workstation — a CC6.1 physical access control. Configure MDM to enforce: screen lock after 5 minutes of inactivity, and password required to unlock (not just touch to wake).

OS patching keeps endpoints free of known vulnerabilities. Configure MDM to alert on devices running OS versions with known critical vulnerabilities. Enforce a policy: security patches must be applied within 14 days of release, critical patches within 7 days. MDM can automate patch deployment on macOS and Windows.

BYOD Policy Considerations

If employees use personal devices for work (BYOD), define a BYOD policy that specifies minimum security requirements: MDM enrollment on the work profile, screen lock enabled, OS version above minimum, no jailbreak/root. If the device doesn't meet these requirements, it cannot access work data.

For SOC 2, BYOD is a higher-risk scenario. Consider limiting BYOD to low-risk applications (email, Slack) and requiring corporate-issued devices for any access to production systems or sensitive customer data. Document this in your access control policy.

Endpoint Evidence Checklist

  • MDM device compliance report showing all enrolled devices and their compliance status — disk encryption, EDR, OS version, screen lock.
  • Percentage of non-compliant devices (should be near zero).
  • EDR deployment coverage report from your EDR platform.
  • MDM compliance policy configuration screenshots showing required policies.
  • Conditional access policy showing non-compliant devices blocked from work applications.
  • Endpoint security policy document referencing EDR, disk encryption, and MDM requirements.
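As an added example (not code from the post or from any MDM vendor), the script below applies the compliance rules from the MDM and patching sections above to a constructed compliance export and produces the per-device findings and the non-compliant percentage this checklist asks for. The record field names, the OS minimums, and the reference date are assumptions.

```python
# Added example, not the post's or any vendor's code: score an MDM compliance export
# against the endpoint policy above. Record field names are assumed; vendor exports differ.
from datetime import date

# Policy from the post: encryption on, EDR present, OS >= minimum, lock <= 5 min, no local admin, patch SLAs 14/7 days.
POLICY = {
    "min_os": {"macOS": (14, 0), "Windows": (10, 0, 22631)},  # assumed minimums
    "max_lock_seconds": 300,
    "patch_sla_days": {"security": 14, "critical": 7},
}
TODAY = date(2024, 5, 10)  # constructed reference date for the patch-SLA check

def parse_version(text):
    # "14.4.1" -> (14, 4, 1): tuples compare numerically, strings do not
    return tuple(int(part) for part in text.split("."))

def evaluate(device, policy, today):
    """Return the policy violations for one device; an empty list means compliant."""
    reasons = []
    if not device["encrypted"]:
        reasons.append("disk encryption off")
    if not device["edr"]:
        reasons.append("EDR agent missing")
    if parse_version(device["os"]) < policy["min_os"][device["platform"]]:
        reasons.append("OS below minimum")
    if device["lock_s"] > policy["max_lock_seconds"]:
        reasons.append("screen lock timeout too long")
    if device["admin"]:
        reasons.append("standard user has local admin")
    for severity, released in device["patches"].items():  # pending patches by severity
        if (today - released).days > policy["patch_sla_days"][severity]:
            reasons.append(f"{severity} patch overdue")
    return reasons

def compliance_summary(devices, policy, today):
    """Violations per device plus the non-compliant percentage for the evidence pack."""
    findings = {d["name"]: evaluate(d, policy, today) for d in devices}
    failing = sum(1 for reasons in findings.values() if reasons)
    percent = round(100.0 * failing / len(devices), 1) if devices else 0.0
    return findings, percent

# Constructed sample export: one compliant laptop and two that each fail rules.
SAMPLE_EXPORT = [
    {"name": "mbp-alice", "platform": "macOS", "os": "14.4.1", "encrypted": True,
     "edr": True, "lock_s": 300, "admin": False, "patches": {}},
    {"name": "mbp-bob", "platform": "macOS", "os": "13.6", "encrypted": True,
     "edr": False, "lock_s": 600, "admin": True, "patches": {"security": date(2024, 5, 1)}},
    {"name": "win-carol", "platform": "Windows", "os": "10.0.22631", "encrypted": False,
     "edr": True, "lock_s": 300, "admin": False, "patches": {"critical": date(2024, 5, 1)}},
]
```

Calling `compliance_summary(SAMPLE_EXPORT, POLICY, TODAY)` returns the findings dictionary and the percentage to paste into the quarterly evidence export; a real run would read the vendor CSV or API output into the same record shape first.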

Frequently Asked Questions

Do we need EDR if we use Macs — isn't macOS secure by default?
macOS has strong built-in security (Gatekeeper, XProtect, notarization) but is not immune to malware or behavioral attacks. SOC 2 auditors expect EDR on all endpoints regardless of OS. For macOS teams, Jamf Protect, CrowdStrike Falcon for Mac, or Microsoft Defender for Endpoint on Mac satisfy CC6.8.
What if we have Linux developer workstations — do they need MDM?
MDM for Linux is limited — most solutions focus on macOS and Windows. For Linux workstations, compensating controls include: manual security baseline configuration documented and verified, Linux EDR agents (CrowdStrike supports Linux), full disk encryption with LUKS, and screen lock enforcement via OS policy. Document the approach and accept the residual risk of less automated enforcement.
How do we handle contractors' personal devices for SOC 2 endpoint compliance?
Contractors accessing production systems should use MDM-enrolled devices — either company-issued or BYOD with MDM enrollment. If they use personal devices without MDM, they should only access systems via a corporate VDI (virtual desktop) that runs in a managed environment, not directly from their device. Document this in your contractor access policy.
Does FileVault need to be enabled on all Macs, or just those with sensitive data?
Apply disk encryption to all corporate-managed devices without exception. Classifying which devices "have sensitive data" is operationally complex and creates gaps — any developer laptop accessing production systems, code repositories, or customer data should be encrypted. Configure MDM to enforce FileVault on all enrolled devices.
How often should we run endpoint compliance checks?
MDM provides continuous compliance monitoring — device compliance status is updated in real time as configuration changes. For SOC 2 evidence, export a compliance report at the end of each quarter. Additionally, trigger a compliance check as part of your monthly security review and document any non-compliant devices and their remediation.
