In our Hyde Park Johannesburg workshop we have spent years servicing fleets for legal practices ranging from boutique litigation outfits in Rosebank to the larger Sandton firms with offices on every floor of a Wierda Valley tower. What follows is a concrete, line-by-line picture of what an Apple-fleet managed IT contract should deliver for a small-to-mid Sandton firm β not the brochure version.
Why Generic Managed IT Fails Law Firms
We have seen too many firms inherit an MSP contract written for an accounting practice. It treats a MacBook Pro M3 Max like a beige desktop. The engineers know Active Directory but cannot tell you the difference between a T2 chip and an Apple Silicon Secure Enclave. When a senior associate's machine refuses to decrypt FileVault the morning of an arbitration at the AFSA building, "we will log a ticket" is not an answer.
Legal work has three properties that ordinary managed IT services do not respect. First, the data is privileged β a leak is not an inconvenience, it is a regulatory event under POPIA and a professional conduct issue under the Legal Practice Council rules. Second, the timing is non-negotiable β court rolls do not move because your MDM pushed a bad profile overnight. Third, the devices travel β into the High Court, into client boardrooms in Sandton Central, into homes in Hyde Park, Houghton and Bryanston during load shedding when the office is dark.
An Apple-fluent fleet contract has to address all three from the first line.
Device Enrolment, MDM and the Zero-Touch Reality
The spine of any modern Apple fleet is Mobile Device Management. For legal practices we typically deploy JAMF Pro or Microsoft Intune, depending on what the rest of the firm's identity stack looks like. Firms already deep into Microsoft 365 with Entra ID tend to go Intune. Firms that want best-of-breed Apple management β particularly those running mixed macOS and iPadOS workflows for litigation β go JAMF.
What the contract should specify in writing:
Without zero-touch enrolment, a lost MacBook in a Gautrain carriage becomes a six-hour reprovisioning job. With it, the replacement is signed in and pulling documents before the associate's coffee gets cold.
POPIA, ECTA and the Compliance Layer Most Firms Get Wrong
Section 19 of POPIA requires "appropriate, reasonable technical and organisational measures" for personal information. The Electronic Communications and Transactions Act adds requirements around the integrity of electronic records, which matters enormously when you are submitting affidavits or producing discovery.
In practice this means your fleet contract needs to deliver, in writing:
The Information Regulator has been active. Practice managers should not be discovering their MDM cannot produce an audit trail on the day a complaint lands. We help firms draft the technical sections of their POPIA manual to match what the fleet can actually evidence.
Hardware Support, Repair and the Spare Pool
MDM is the easy part. The harder part is what happens when a partner's MacBook Pro display cable fails the night before a Constitutional Court matter. This is where managed IT contracts written by generalists tend to collapse.
A serious Apple fleet contract for a Sandton firm should include:
Across our Hyde Park bench we have completed well over 18,000 Apple repairs since opening, and the patterns in legal fleets are predictable: keyboard ingress, dropped iPads with cracked digitisers, swollen batteries on machines that live permanently on AC power. Apple publishes useful guidance on battery health at Apple Support but the operational answer is a preventative replacement cycle, not a reactive one.
Backup, Recovery and the Deposition Problem
Time Machine is not a backup strategy for a law firm. We deploy tiered backup for legal clients: endpoint snapshot backup (typically Druva or Acronis) for the device itself, cloud backup for OneDrive or Google Drive contents, and a separate immutable copy of the document management system held outside the primary tenant.
The test we apply is the deposition test. If a senior associate's MacBook is stolen from a vehicle at Sandton City parking on Friday evening, can the firm produce every document she was working on, with timestamps, by Monday morning? If the answer is "probably" then the backup is not good enough.
For matters where chain-of-custody matters β forensic accounting evidence, electronic discovery for litigation β we configure additional logging and hash-verified archives. Few firms ask for this until they need it, and by then it is too late.
What This Costs and How We Structure It
Our Fleet Managed Service Provider retainers for legal practices start at R8,500 per month for fleets of 10 to 25 devices. That covers MDM administration, monthly patching cycles, the spare device pool, unlimited remote support during business hours, on-site response in Sandton and surrounds within four hours for P1 incidents, and quarterly fleet health reporting that your information officer can actually use.
Larger firms β 50 to 100 devices β typically run R18,000 to R32,000 per month depending on the depth of after-hours cover, whether we are also managing iPhones and iPads, and whether the contract includes the compliance documentation work.
Component-level repair outside the retainer is billed at workshop rates, with the R599 assessment credited against any approved repair. Loaner devices during repair are included for retainer clients.
Getting Started
If you are a practice manager evaluating Apple-fluent managed IT, the most useful thing we can do is a fleet audit. We catalogue every device, check warranty status, review your current MDM configuration against your POPIA documentation, and produce a written gap analysis. That conversation usually takes 90 minutes on site.
Contact us to arrange that audit, send a WhatsApp directly via WhatsApp us on 064 529 5863, or book online at zasupport.com/book.
Frequently Asked Questions
Q: Can you manage a mixed Apple and Windows fleet, or do we need separate contracts?
Yes, we manage mixed environments routinely. Most Sandton firms have Windows on the support staff side and Apple on the partner and associate side. We co-administer with your existing Windows MSP or take on the whole fleet, depending on what makes sense. The MDM stack β typically Intune β covers both platforms.
Q: What happens to data on a lost MacBook before remote wipe completes?
FileVault 2 full-disk encryption means the data is unreadable without the recovery key, even if the device is powered off and the drive is removed. Remote wipe is the belt-and-braces step. With escrowed keys and MDM in place, a lost device is a hardware loss, not a data breach under POPIA.
Q: Do you handle Apple device procurement, or do we buy through iStore?
Both options work. We procure through Apple Authorised Resellers with Apple Business Manager enrolment built in, which is usually cleaner. If you have an existing iStore Business relationship we can integrate with that β we just need the devices added to your ABM tenant at point of sale.
Q: How do you handle support during load shedding when our office is offline?
Our retainer includes documented continuity procedures: cellular failover configurations on partner devices, UPS sizing recommendations for the server room, and offline access to critical documents through the DMS sync client. During stage 4 and above we proactively monitor for device issues caused by unclean shutdowns.
Q: Can you support partners who travel internationally with their MacBooks?
Yes. MDM cover does not stop at OR Tambo. We have remoted into partner devices in London, Mauritius, and Dubai. For hardware failure abroad we coordinate with local Apple Authorised Service Providers and arrange shipping of loaner devices where the timeline allows.
Q: What is the minimum contract term?
Our standard retainer is a 12-month term with a 60-day notice period thereafter. We also offer a 90-day pilot for firms that want to evaluate the service before committing β typically scoped to one practice group or floor.
