You’re Paying to Fight the Phone


Labour estimates in this post are approximations based on typical SME IT configurations. Subscription pricing reflects publicly available rates as of early 2026 and will vary by region, volume, and bundle. This is a starting point for discussion — not a procurement recommendation.

The Problem Is the Starting Point

The previous post in this series made the case that a corporate fleet device should be minimal by design — email, a proxied browser, a VPN, and little else. The firewall principle: default closed, open what you need.

This post is about what happens when you do not follow that principle. When you take a consumer smartphone — a device designed to do everything, pre-loaded with everything, connected to everything — and try to make it suitable for corporate use by disabling, restricting, and managing your way back to a secure configuration.

It costs more than most SMEs realize. Not just in subscriptions, but in IT labour that shows up nowhere on the vendor invoice and never stops compounding.

Setting Up 10 Phones: What It Actually Takes

These are realistic estimates for a small business or SME with no dedicated in-house IT department — the most common scenario. Labour is billed at a conservative $85/hour, typical for outsourced IT support in Canada.

Android: Google Workspace + Microsoft Intune
  • MDM tenant setup, policy creation, conditional access rules: 5–8 hrs
  • Per-device enrolment, profile push, app restriction testing: 1–1.5 hrs × 10
  • User account setup, email configuration, VPN provisioning: 3–4 hrs
  • Policy verification and remediation (things that did not apply cleanly): 2–4 hrs
  Initial setup total: 20–26 hrs (~$1,700 – $2,200 in labour)

Apple: Apple Business Manager + Jamf Now
  • Apple Business Manager setup, DEP token, MDM server registration: 6–10 hrs
  • Per-device DEP enrolment, configuration profile push, supervised mode: 45–75 min × 10
  • User account setup, email, VPN, app restrictions via Restrictions payload: 3–5 hrs
  • Policy verification, supervised mode edge cases, testing: 2–4 hrs
  Initial setup total: 19–27 hrs (~$1,600 – $2,300 in labour)

And that is before a single employee has sent a single work email. That is purely the cost of taking devices built for consumers and negotiating them into a state that is acceptable for business use.

The Subscriptions You Now Owe Every Month

The labour is a one-time cost. The subscriptions are not. All figures below are in Canadian dollars, per device, per month. Mobile service and cellular plan charges are excluded from all calculations in this article.

| Service | What It Does | Per device / month (CAD) |
|---|---|---|
| Microsoft Intune (standalone) | MDM — enforces your restriction policies | ~$11 |
| Jamf Now (Apple alternative) | MDM for iOS/macOS fleets | ~$6 |
| Azure AD P1 / Entra ID | Conditional access, identity management | ~$8 |
| Corporate VPN (per seat) | Secure tunnel for device traffic | ~$6–9 |
| Mobile Threat Defence (optional) | App behaviour monitoring, anomaly detection | ~$7–11 |

Subscriptions total: ~$32–$39 CAD/device/month

Add amortized setup labour (~$6/device/month over 36 months) and recurring update labour (~$5–10/device/month averaged annually) and the all-in management cost of a consumer lockdown fleet runs $43–$55 CAD per device per month — before hardware, before mobile service, before corporate email licences. Just the overhead of making a consumer device act like something it was not designed to be.

What You Are Actually Buying

Every dollar of that subscription spend is paying a vendor to continuously fight the device manufacturer's defaults. The MDM enforces policies that override what Android or iOS would otherwise permit. The Mobile Threat Defence watches for apps doing things your policy prohibits. The conditional access rules compensate for the fact that the device was not built with your security requirements in mind. You are not buying security. You are buying a subscription to the ongoing effort of reducing insecurity you started with.

The Cost That Never Stops: OS Updates

Apple releases one major iOS update per year. Android manufacturers vary, but flagship devices typically receive two major OS versions plus monthly security patches. Each update has the potential to change default behaviours, introduce new system apps, modify permission models, or simply break MDM profiles that were working fine the week before.

For an SME, each major OS update requires a policy review cycle. Someone has to test the updated devices against your restriction profile, identify what changed, update the MDM configuration, push and re-test. This is not optional. This is how you find out whether your security posture survived the update before an attacker does.
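
The "identify what changed" step of that review can be checked mechanically on a test device. The following is an added example, not from the original post or from any MDM vendor: it compares the restriction profile you intend to enforce with the state a device reports after an update. The setting names, app names and reported values are constructed placeholders, and how you export the reported state from your MDM is assumed.

```python
# Added example. Setting and app names are constructed placeholders,
# not keys from Intune, Jamf or any other MDM product.
BASELINE = {
    "camera_allowed": False,
    "app_install_allowed": False,
    "usb_file_transfer_allowed": False,
    "vpn_always_on": True,
}
BASELINE_APPS = {"mail", "browser", "vpn"}

# Constructed post-update state reported by one test device.
REPORTED = {
    "camera_allowed": False,
    "app_install_allowed": False,
    "usb_file_transfer_allowed": True,  # default came back enabled
    "assistant_allowed": True,          # new feature, no policy covers it
}   # "vpn_always_on" is absent: the profile did not apply cleanly
REPORTED_APPS = {"mail", "browser", "vpn", "new_system_app"}


def review_update(baseline, baseline_apps, reported, reported_apps):
    """Return what an OS update changed relative to the intended profile."""
    reverted = {}
    missing = []
    for key, expected in baseline.items():
        if key not in reported:
            missing.append(key)  # enforced setting no longer reported
        elif reported[key] != expected:
            reverted[key] = {"expected": expected, "actual": reported[key]}
    return {
        "reverted": reverted,
        "missing": sorted(missing),
        # Settings and apps the update introduced that the policy never saw.
        "new_settings": sorted(set(reported) - set(baseline)),
        "new_apps": sorted(set(reported_apps) - set(baseline_apps)),
    }


def needs_remediation(findings):
    """True if any category of drift is non-empty."""
    return any(findings.values())


if __name__ == "__main__":
    import json
    result = review_update(BASELINE, BASELINE_APPS, REPORTED, REPORTED_APPS)
    print(json.dumps(result, indent=2))
    print("remediation required:", needs_remediation(result))
```
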

  • Per major OS update: 3–6 hrs (policy review, profile testing, remediation, re-deployment across 10 devices)
  • Major updates per year: 2–3 (iOS: 1 major + point releases. Android: 1–2 major per device line, varies by manufacturer)
  • Annual update labour: 6–18 hrs (~$510 – $1,530 at $85/hr — recurring, every year, indefinitely)

Over three years, the update labour alone runs $1,530 – $4,590 CAD. Added to initial setup and subscriptions, a 10-device SME fleet managed on consumer hardware costs in the range of $15,500 – $21,000 CAD over three years — before hardware, before mobile service, before corporate email licences.

What You Get for All of That

A device that is less insecure than it was out of the box. Not a secure device. A device where some of the default-open attack surface has been closed, by policy, by a vendor whose job is to compensate for a problem the manufacturer created.

The MDM can prevent installation of unapproved apps — on the managed partition. It cannot control what a personal app on the same device does with data in shared storage. The VPN tunnels corporate traffic — when it is active. The restriction profile disables features the manufacturer ships enabled — until an update ships them enabled again.

You are working against the device's design. Every configuration you push is fighting the default. Every update resets some of what you won. The attack surface you are managing was not a design choice you made — it was inherited from a product built for a consumer market that has entirely different priorities than yours.

The Number That Should Stop You

At $43–$55 CAD per device per month, the management overhead of a consumer lockdown fleet exceeds the cost of a basic corporate mobile plan from Bell, Rogers, or Telus — which typically runs $35–$50 CAD/month. You are paying more to manage the phone than you are paying to connect it. That is not a security budget. That is the price of starting from the wrong place.

The Alternative: A Blank Android, Built Up Selectively

The comparison case is not theoretical. A mid-range Android device — Samsung Galaxy A-series, Motorola G-series, or any Android Enterprise Recommended handset — enrolled clean via zero-touch provisioning, with apps installed selectively on top of a bare base image, managed remotely as part of a fleet. Nothing disabled. Nothing fought. Nothing inherited from a consumer product roadmap.

The MDM subscription for a minimal fleet management platform — Scalefusion, Hexnode, ManageEngine MDM, or equivalent — runs roughly $4–6 USD per device per month. No identity management layer. No Mobile Threat Defence watching for apps you should not have installed in the first place. No conditional access compensating for a permission model you cannot trust.

| Item | Notes | Per device / month (CAD) |
|---|---|---|
| Fleet MDM subscription | Remote management, app deployment, wipe | ~$6–8 |
| VPN (included in most MDM tiers) | Tunnel for corporate traffic | ~$0–2 |
| Identity / conditional access | Not required at SME scale for a minimal device | $0 |
| Mobile Threat Defence | Not needed — minimal surface, no personal apps | $0 |
| Amortized setup labour | 8–10 hrs total for 10 devices, over 36 months | ~$2 |
| Amortized annual maintenance | Minimal — less policy surface to break on updates | ~$1 |

Total: ~$9–13 CAD/device/month

Approximately one-quarter of the consumer lockdown cost. Over three years, a 10-device minimal fleet runs $3,240 – $4,680 CAD in management overhead. The consumer lockdown approach runs $15,500 – $21,000 CAD over the same period. The difference — $11,000 – $16,000 CAD — buys a lot of hardware. Mobile service charges are excluded from both figures.

What Changes

Setup drops from 20–27 hours to 8–10 hours. You are provisioning a device that was designed to be deployed this way — Android Enterprise zero-touch is purpose-built for exactly this configuration. Update cycles stop being a policy review event and become routine security patches. The IT consultant you call twice a year for update remediation on the consumer fleet does not get called at all. The device does the job. It does not do anything else. There is nothing to fight.

The SME Reality

Large enterprises absorb these costs inside IT departments where the labour is salaried and the subscriptions are line items in a security budget. For an SME, it is different. The 20-odd hours of initial setup is a week of billable time from the IT consultant you call when things break. The monthly subscriptions are a recurring cost that rarely gets reviewed once it is established. The update cycles are an annual surprise.

And at the end of it, many SME owners have a nagging sense that something is not quite right — that the phones are locked down in theory but they are not really sure what is actually happening on them. That instinct is correct. Consumer devices managed by MDM policy are opaque in ways that purpose-built fleet devices are not. The complexity you are managing is not generating clarity. It is generating overhead and uncertainty simultaneously.

The cheaper choice, at the point of purchase, turns out not to be cheaper over time. A $300 mid-range Android device enrolled clean, running only what the job requires, costs less to set up, less to maintain, and less to replace. The expensive part of the consumer smartphone strategy is not the phone. It is everything you have to do to the phone after you buy it.