Not "Configure Your Devices" — Here's the Guide for Each One
Almost every CMMC checklist says "configure your devices securely." None of them tell you that securing a MacBook, an iPhone, and a Windows laptop are three completely different jobs. Your toolkit does.
Open almost any CMMC guidance document and you'll eventually hit a line like this: "Configure your devices securely."
Then it moves on. To the next requirement. As if "configure your devices securely" were a single, obvious action you could just go do.
It isn't. It's not even one job — it's at least four. Hardening a Windows laptop, locking down a Mac, securing an iPhone, and configuring an Android phone are four genuinely different tasks, with four different settings menus, four different sets of controls, and four different ways to prove you did it. The advice "configure your devices" is technically true and practically useless, because the one thing it never includes is how — and how is entirely different on every platform your team actually uses.
This is the gap the toolkit's device configuration guides were built to close. Not one vague directive — a separate, concrete guide for each platform your people work on. Here's what that looks like, and why it matters more than almost anyone tells you.
Why "Configure Your Devices" Fails the Moment You Try to Do It
The problem with generic device guidance is a translation problem. The requirement lives at one altitude — "endpoints must be configured securely" — and your actual work lives at a completely different one: a specific toggle, in a specific menu, on a specific operating system, for a specific user.
Nobody hardens "a device." You harden this Windows 11 laptop, and that MacBook, and the three iPhones your field staff carry, and the two Android tablets in the shop. Each one has its own console, its own terminology, and its own list of things that matter. What's a single checkbox on one platform is buried three menus deep on another — or doesn't exist at all and has to be handled a different way entirely.
What the checklist gives you
- "Configure your devices securely."
- "Ensure endpoints are hardened."
- "Apply appropriate security settings."
- One line. Every platform. No specifics.
What your team actually needs
- The Windows guide, for the Windows machines.
- The Mac guide, for the Macs.
- The iOS guide, for the iPhones and iPads.
- The Android guide, for the Android devices.
When the guidance is generic, every contractor has to become an expert in four operating systems just to interpret a single sentence. That's the moment most small teams stall — not because the work is impossible, but because nobody handed them the version of the instruction that maps to the device in their hand.
A Guide for Each Platform — Not One Guide for "Devices"
Your L1 Turnkey package includes 8 device & network configuration guides. Several of those are platform-specific device guides — one for each kind of endpoint your team is likely to use. Each guide exists to do one thing: take the vague requirement and turn it into a documented, repeatable configuration for that specific platform, with the evidence to back it up.
Here's the purpose of each — what it's for, and what working through it helps you produce. (These are configuration guides, not a security lecture — the point is that you get the right guide for the right device, not a one-size-fits-nothing checklist.)
Windows Laptops & Desktops
The most common business endpoint — and the one with the deepest set of configuration surfaces. This guide walks the Windows-specific settings that matter for compliance, in the order that makes sense for a small team.
Helps you produce: a documented Windows configuration baseline with settings captured as evidence.
Macs
Macs aren't "Windows with a different logo," and configuring them like they are is how requirements get missed. This guide covers the Mac-specific path to the same compliance outcome — the macOS way.
Helps you produce: a documented macOS configuration record that stands on its own.
iPhones & iPads
Mobile devices are real endpoints, and assessors treat them that way. This guide addresses the iOS-specific settings and management approach for the iPhones and iPads your team uses for work.
Helps you produce: documented mobile configuration for your Apple devices.
Android Phones & Tablets
Android's settings and management model are its own world. This guide maps the Android-specific configuration so the phones and tablets in your fleet are covered the right way — not by analogy to iOS.
Helps you produce: documented Android configuration for your mobile fleet.
Not sure which device guides you'll actually need for your team's mix of laptops, phones, and tablets?
Documented Configuration Is Evidence. "We Think We Did It Right" Is Not.
Here's the part that turns a device guide from "nice to have" into "the thing that gets you through an assessment": a configuration you can document is evidence. A configuration you merely performed is a memory.
When an assessor — or your own self-assessment — asks how your endpoints are configured, there are two kinds of answers. One sounds like "we're pretty sure we set those up correctly." The other sounds like "here's the configuration guide we followed, here are the screenshots of the actual settings, and here's the export tied to each control." Only one of those survives scrutiny.
Device Configuration Is Evidence
A documented configuration — a guide you followed, screenshots of the settings, exports tied to the controls — is something you can show. A good intention is something you can only assert. CMMC runs on the first kind. The whole reason each device guide exists is to leave behind proof, not just a securely configured machine.
This is the quiet superpower of having a real guide per platform: it doesn't just tell you what to set — it produces the artifact that shows you set it. Screenshot evidence and settings exports tied to a specific guide are exactly what an evidence locker is built to hold, and exactly what "we tried to secure our laptops" can never become after the fact.
A guide per platform is the difference between "we tried to secure our laptops" and "here's the documented configuration, screenshot evidence and all."
Level 2 and CUI-Only Devices: A Different Job, with Its Own Guides
If you handle Controlled Unclassified Information under a DoD contract, the device picture changes — and the toolkit changes with it. The L2 CUI Enclave Package is built around the idea of a dedicated CUI enclave: a tightly scoped environment where CUI work happens, separate from the rest of your business.
Inside that enclave, the devices themselves are dedicated. We're talking about dedicated Windows laptops or Chromebooks reserved for CUI-only work — not the same machines people use for everyday email and web browsing. Dedicated devices in a dedicated enclave is one of the things that keeps a small business's CUI scope small and manageable.
Dedicated CUI Devices Get Dedicated Guides
The L2 package includes enclave-specific device configuration guides for the dedicated CUI machines — Windows laptops or Chromebooks set aside for CUI work. These aren't the general-purpose L1 device guides; they're written for the enclave context, where the scope is narrower and the configuration is purpose-built around protecting CUI.
Same principle as Level 1, raised to match the stakes: a documented, guide-driven configuration for each CUI device — so the enclave's protection isn't an assertion, it's an artifact. The L2 package maps 110 practices to 182 defined artifacts, and the dedicated-device guides are part of that picture.
Whether it's a Windows laptop or a Chromebook is your choice of platform — and there's a guide for the one you pick. As always: we provide the configuration guides; we don't provide the hardware. The dedicated laptops or Chromebooks are yours to acquire. The documented path to configuring them for the enclave is ours to provide.
Who Implements — and How the Sessions Keep It on Track
One thing the device guides are not: a service where we log into your machines and configure them for you. That's worth being clear about, because it's where our model differs from a traditional consultant.
Here's how it actually works: we provide the configuration guides. You — or your IT point person — implement them. The consulting sessions are the checkpoint. That division of labor is what keeps the package right-sized and affordable, and it maps cleanly onto the L2 role structure.
The IT Point Person Owns Device Configuration
In the L2 role model, the IT Point Person is the one who implements technical controls and collects evidence — and device configuration sits squarely in that role. They don't need to be a security expert. They need to be comfortable following a clear, platform-specific guide inside a settings menu or an admin console, and capturing the result.
The Owner/Manager approves and reviews; the CUI User(s) follow the procedures on their dedicated devices. But the hands-on device configuration work belongs to the IT Point Person — and the guides are written for exactly that person.
And the bi-weekly consulting sessions — 8 in the L1 Turnkey, 12 in the L2 Enclave package — are where the configuration work gets reviewed. Stuck on a setting? Not sure the evidence you captured is the right kind? That's what the session is for. The guide gives you the path; the session confirms you're on it. You're never configuring a device, guessing whether you got it right, and finding out at assessment time.
The Real Takeaway
You don't run "a device." You run a Windows laptop and a couple of Macs and a handful of iPhones and an Android tablet or two — and maybe, in an enclave, a dedicated Chromebook for CUI. A single line that says "configure your devices securely" was never going to cover all of that. It was always going to leave you to figure out four operating systems on your own.
The toolkit's answer is simple and, frankly, a relief: one guide per platform. The Windows guide for the Windows machines. The Mac guide for the Macs. The iOS guide for the Apple mobile devices. The Android guide for the Android ones. The network guides for the networks they live on. And for Level 2, dedicated-device guides for the CUI enclave. Each one documented, each one producing evidence, each one written for the device actually in your hand.
You don't have one kind of device. You shouldn't have one vague guide. You get one for each.
Let's Match the Right Device Guides to Your Actual Fleet — Free
Bring your real mix of devices — the laptops, the phones, the tablets, the Macs, the Chromebooks. In 30 minutes we'll walk through which device and network guides apply to your team, how the evidence comes together, and what implementation looks like with your IT point person doing the work and our sessions backing them up. No pitch, no obligation.
Book Your Free Consultation Explore the Packages