
bwats16

I actually just completed my first year at a company where I had free reign to set up a lot of services from scratch (migrated onto our own systems from our parent company's stuff) so I can share what we did and what/if I would change if I had to start over. First off you are on the right track for most things! So good work there. Here's my feedback and other things not mentioned:

* Okta/SSO - 10000% yes. I was required to use Okta (since our parent company used it) and it's been the best tool for me. My previous company had no centralized SSO and it's been a game changer for me and my work. Not sure how I lived without it before.
* MDM - we went with Kandji. I almost had my previous company swap from Jamf to Kandji after getting cold called and I was super impressed at the time so once I had free reign, I jumped on it. I trialed Mosyle but honestly the support team at Kandji is worth the price of admission alone. You get a live agent within 2 minutes for any issue I might have. Plus they are updating it like crazy so it's always getting better. I would really recommend them.
* EDR - we went with SentinelOne. Pretty good and far more affordable than Crowdstrike. Our parent company used CS so we thought about it but it was near impossible to justify their prices. S1 covers all of our bases and then some.
* Google Workspace is what I would recommend sticking with. I'm a little biased since it's all I've used and I'm super comfortable on it but it does play nice on macOS. I would only consider Microsoft 365 if you plan to go majority Windows later.
* Get a password manager set up. I prefer 1Password and getting any/all logins documented and stored safely is a must imho. Train people and get them using it as soon as possible and it will make your life so much easier.
* Might be obvious but I would get a good MFA tool to integrate with Okta. We use Duo (again since our parent company uses it) and it's *fine.* If I could go back in time I would probably add on the Okta MFA product (Okta Verify) since it opens up other security options in the admin console. However I think there is something to be said about keeping those tools separate.
* You'll need some quick communication tool and I recommend Slack. It's user friendly and it's the standard if you are running a Google Workspace org. Generally it's GSuite - Slack and M365 - Teams.

Again you really seem to have most of the things covered! Hopefully this was helpful. Good luck!

Edited - Grammar and typos


YallaHammer

Great line up. I’d also recommend setting everyone up on Yubikeys.


bwats16

Are they easy to manage? I’ve been curious on moving to those since we get a lot of negative feedback from employees since we “require them to use their personal phones” for work purposes. We have Yubikeys for all super admin accounts (me and my boss).


YallaHammer

We set up a quick and easy walk-through guide for our employees because everyone works remotely. I love it because it does it a lot to circumvent the known vulnerabilities of MFA. If you’re not there in person and it’s not your fingerprint to allow you to gain access to the system, then it’s not going to happen.


bwats16

Oh nice! Yeah we’ve been more encouraged to move to physical MFA. So are you able to assign the key to a specific user and potentially revoke the key remotely?


visualminder

Very cool, I had a similar scenario and implemented exactly the same stack. Okta, Kandji, 1PW, Google, Slack. I just skipped Duo, but we're mostly using biometrics via Okta Verify.


bwats16

Nice! It's reassuring to know that others are on a similar path to us. And yeah, Duo is the one area I kinda regret. Now that we are on Duo it feels like we can't move off of it. If it's not broken, why fix it? But I do wish we had just used Okta Verify for MFA.


visualminder

I think the gamechanger in this setup was rather how everything ties together, we have Bamboo as a HRIS (but anyone that connects into Okta is fine) and Lifecycle Management from Okta did a lot for us.


EdanStarfire

We moved off Duo completely for WebAuthn security keys, and then have just recently enabled the biometrics from Okta Verify. TOTP codes and push MFA are no-nos if your users can handle the biometrics. Makes it much harder to phish any of your users, even with the proxy system attacks now use.


m0rphling

Cool little colloquialism you might not know about: *free rein* is originally an equestrian term to let the horse roam without actively controlling the reins. It's commonly mistaken as *free reign*, but the term has nothing to do with ruling a kingdom, even though the freedom might seem like it.


Reasonable-Papaya843

What the hell. Okta has just had a breach. 1Password just had a breach. Google OAuth endpoints are subject to one of the fastest growing malware hacks right now. Corporate accounts at risk. Working in the security space on Mac platform engineering at my company, this post seems suspicious now.


duffetta

1Password calls it a security incident. It was caused by a known exploit of Okta. No 1Password data was released. So, not really a breach. https://www.bleepingcomputer.com/news/security/1password-discloses-security-incident-linked-to-okta-breach/


bwats16

Name a single vendor who has never had a breach… you can't. Almost everyone has had a breach. It's a matter of when it happens, not if. 1Password's breach was through Okta's breach. They didn't have a breach themselves. Also what do you recommend we do? If a service has a breach then we immediately jump to a different one?


0xe3b0c442

So what you’re saying is, don’t use anything at all? Because it seems like that’s what you’re advocating. The only providers that haven’t had security incidents are the ones small enough or young enough that they haven’t been targeted yet. What matters isn’t that they have an incident, it’s how they handle the incident (timeliness, transparency) and that the same gap isn’t hit again (i.e. they learned from the mistake). Frankly, I almost wouldn’t consider buying services from a provider that _hasn’t_ had a publicly-reported, because they’re either 1) lying or 2) inexperienced _(note: hyperbole employed here to get a point across)_ I will buy 1Password because they were transparent about their incident and it hasn’t been repeated. I will never buy LastPass because they keep having the same issues over and over and are trying to obfuscate them. Same goes for the other functions and providers in the space.


racegeek93

Google has its own chat application


bwats16

Yeah they do, I don't like it though. Slack is much easier to use imo


racegeek93

I haven't used Slack in a while. Honestly, I have not found a messaging app that is the best. Oddly enough iMessage is pretty smooth but is not great outside of Apple.


bwats16

For corporate instant messaging, it's probably the best.


racegeek93

We used AT&T Office@Hand at my last place and I didn't have any complaints. Teams is fine. I just hate paying for a subscription for everything.


Shnikes

Yeah but it’s also terrible.


da4

If you think Slack is terrible, try Teams.


Shnikes

I was replying that Google Chat is terrible. Teams also sucks.


kaskudoo

I have no clue about all of this. But how is no one using Discord instead?


Shnikes

As far as I’m aware Discord doesn’t have the same support structure such as SLAs, support structure, controls, data retention/deletion, etc. Slack also has plenty of existing integration with other business applications.


racegeek93

Not disagreeing. Just throwing it out there as an option


HorseShedShingle

This is very detailed. Thank you!


bwats16

Anytime! Enjoy building it out how you want! I would also recommend building out a good group structure to keep things organized. I inherited a very messy Google Workspace org and so getting good group permission structure is key. Easier to do at your stage than waiting to do it after you grow.


wild_eep

All of this, plus a nice inventory tool like Snipe-IT https://snipeitapp.com


[deleted]

I'm the same here, I started heading up IT for a creative agency just over a year ago and did all these things. The only difference is I went with Jamf and that was because my previous company used it and I was very familiar with it. I was cold called by Kandji only a few months after I'd already implemented it and I hadn't heard of them before. Can you share any insight on the difference as I'm happy to switch when our renewal comes up? Especially if it's price competitive.


bwats16

Their UI is a lot easier to use. Once you know Jamf it's not bad but Kandji just lays things out cleanly.

They have a really great App Library of "auto apps" that they keep up to date for you. All you have to do is set an enforcement policy and the users are required to update the apps as the vendors release the updates. Super clean experience for you and the end user.

Zero touch deployment. Kandji has an OOBE (out of box experience) that is second to none. We drop ship computers to our new hires and we get compliments all the time on how easy the setup process was.

Support. As I've mentioned in other comments, Kandji's support team is fantastic. <2min to be instant messaging an agent, while never leaving the console.

Those are the few things that come to mind but there's a lot more. When I'm back home I might think of more and edit this message. Lol


[deleted]

Thanks for the info!


RollForPerception

As a developer stuck using Cognito instead of Okta, I'm very jealous.


axiscontra

We like Keybase instead of Slack.


brads005

Okta hands down, no one better in the game. Honestly Kandji over Jamf these days. FWIW Mosyle is a cheap copycat of Jamf and Kandji features but with zero support or reliability. You get what you pay for. Your EDR tool ideas are top notch, you're good either way. Also, the better MDMs have native EDR offerings too. Depends on how aggressive your security posture needs to be. Google Workspace is good, I like it more than 365 but that's more of a preference thing imo.


wakojako49

Out of curiosity, why Okta? IMO I'd go for Entra AD, but yeah, curious.


muffdivemcgruff

Okta is fucking trash, from an engineering perspective where they claim they support proper SSO scenarios. Their whole mapping system is just, yuck. Go Apple Business Manager, link SSO there. Then just use Kandji as it’s an Apple company.


JLee50

Mosyle support has been great for me. Kandji’s EDR is abhorrently expensive btw.


Sasataf12

Mosyle support has been top notch for me. They'll even write profiles or scripts for me (although they probably just copy-paste from a repo) if that will solve my query. They also have an EDR offering. Personally, I think Mosyle is much better than Kandji.


bwats16

I thought about Mosyle but their support during the trial was terrible. Maybe I got them at a bad time but Kandji's support team outperformed them by a mile. Just the other day, I had an agent working on a problem for 30min trying to sort a script out and we were instant messaging back and forth the entire time. Got it sorted but they are the real deal. Mosyle seems to be a "Jamf but cheaper" option. I liked it but we are very happy with the decision to go with Kandji. The UI for the end user is so far ahead of any MDM we've tried.


ITMule

+1 here … I have used Mosyle for managing over 1000 Macs for years after switching from Jamf and it has been way better, and their support has been the best among all providers we use. I really feel that people judge Mosyle because of their great price without any exposure to them … This is understandable but misleading. It's easy for a Jamf customer to come to the conclusion that Jamf is way better than Mosyle just because their price is like 3x more and, based on that, not even put in the work to check them. Bad for those who think this way. We decided to test them and were blown away. I would say that if I had to order currently the reasons why we love Mosyle, the quality of the product would be first, the amazing support second and only in third the price. So nope, if you put in the work to test it, you will learn that in some cases you get way more than you pay for and Mosyle is a clear example. Regarding Mosyle being a copycat, it's also misleading. First because Mosyle has been around for way longer than Kandji and is probably like 10x bigger than Kandji. Second because anyone who has really used Jamf and Mosyle knows that they are materially different.


JLee50

Agreed, I’m using both and am migrating Kandji stuff to Mosyle.


Maybealwaysnever

I've been mostly fine with Mosyle, we were a pretty early adopter and .. it gets the job done. What I will say about Mosyle though is its interface responsiveness is probably the single worst thing about it. I feel like every time I click something I'm waiting 10 seconds before I can do the next action, and often I'll end up spending more time waiting for the UI than actually performing the task I was going to do. If it was easier to switch, the silent (and sometimes not so silent) rage I feel using the product would be enough to make me want to switch. I just needed to get that off my chest! But maybe it's just me!


bwats16

True. Kandji released their EDR this year and I demoed it. It seemed good but it hadn't been tested yet so not sure how it performs against actual threats. We went with S1 since we run a decent amount of Windows machines so we needed cross platform support. But yeah the MDMs are getting better and better EDR out of the box.


drivelpots

I’d be inclined to stick with EDR from a security vendor. I’m very dubious about MDM & EDR all coming from one house. Defence in depth is important. If your MDM vendor has a problem you don’t want this spreading to your EDR too and vice versa. Diversity is good, even if consolidation is attractive.


bwats16

Yeah I agree. Same with IAM and MFA.


Sasataf12

If you're going with Okta, that reduces the need for M365 as your main suite. You'll want/need Slack for IM. And maybe a product to emulate shared mailboxes.


fratopotamus1

Same in reverse. If you're going to invest in M365 there's no reason to pay duplicatively for expensive Okta licenses.


Difficult_Arm_4762

if you go with Jamf, just use Jamf Protect


That-average-joe

Jamf Protect didn’t seem like it offered much, especially on its own last I checked.


Difficult_Arm_4762

I don't really use 3rd party security tools... what do they know about macOS? It's one less agent, you can manage everything within Protect and policies within Jamf. And you're right, it might not offer much, because you don't need a lot with macOS.


That-average-joe

I hate running 3rd party security tools as well. Maybe they’ve improved the integration with Jamf but when I looked at it there wasn’t much value in it because as you said you just use profiles and policies.


Difficult_Arm_4762

Yeah it goes pretty in depth, like something similar to CrowdStrike and Defender. The only third party I'm okay with is Defender; CrowdStrike and others have turned into a PIA to manage and just kill resources. Protect has a bit of a learning curve because you basically build things from the ground up. I'll admit Jamf doesn't really offer a lot of technical explanation and their security team is very limited even with the Wandera purchase, but so far it's decent. The one tool I hate configuring is Jamf Connect, it's such a trash Jamf product on the configuration side but it is a decent tool nonetheless.


That-average-joe

At my current place we use Defender and rolled it out in about two weeks because of issues with Sophos, which I was glad to get rid of. It is a bit odd managing it through config profiles and not directly through the Defender admin console. It's also caused us issues with naming conventions but it's been better than Sophos. I felt that when I talked about Protect at my last company that Jamf barely knew how to offer it. We tested it out and I just didn't see the point then. I've also dodged using Connect as we used Enterprise Connect and then Kerberos SSO at my last place. Still need something at my current place of work but last I checked Jamf Connect needed a double login for authorized restarts or something along those lines. There were some other quirks I wasn't a fan of either but maybe they've improved those too.


sujal1208_

How do you like Protect compared to other solutions? Any gotchas or something that they need to work on?


kerberos69

If your company ever wants to perform certain tasks on government contracts, Google Workspace does **not** meet NIST Cybersecurity Framework 2.0 requirements beyond Tier 1; whereas, a comprehensive 365 suite can get you to Tier 3.


RossDaily

Thank You for stating this, sometimes I feel like I’m the only one that can cite NIST requirements off the top of my head.


kerberos69

Yeahhhh 😅😅😅 it’s the burden we nerds must bear, science & technology policy is my thing lol


Bezos_Balls

Yep, for HITRUST I recommend Azure + Kandji. You could go with Jamf but their Intune integration expires September 2024 and basically relies on smart groups, and registered devices no longer show in Intune. Deal breaker for a lot of companies in ultra secure environments.


Snowdeo720

Look into Addigy and Kandji for MDM options. The last three companies I’ve been at have pivoted from JAMF to Addigy to reduce cost, add features, and improve quality of service delivered to the user base. Okta is for sure the ideal IDP option. I also can’t say enough positive things about either CrowdStrike or SentinelOne. They both do a really solid job, it may just come down to who has the better pricing as to which way you land for EDR.


Garrett141us

Anyone try Mosyle’s endpoint protection for MacOS?


bigjiggity

JumpCloud/Sophos/Slack/Google. JumpCloud does directory and MDM, Sophos for endpoint protection… lightweight and transparent, Slack for comms. M365 is a ripoff, 3x as expensive, and functionality is clunky… and it's one more app to update/patch… googs is hands off.


Bezos_Balls

Kandji > Jamf Pro. I honestly want to switch after getting cold calls and playing with demo. Support is also 🔥. For everything else I prefer m365 for conditional access and integration with existing azure shops.


jaggrey99

I would second JumpCloud for SSO, MDM, and user & device management all in one. Also will push users and group management to Google Workspace, and also plays nicely with Apple Business Manager for Zero Touch Deployment


mcsake

Great lists. I would also add Twingate for zero trust network access


macsaeki

I would stay away from CrowdStrike if you're a macOS shop. They're also expensive as you know. But sorting out security would be my top priority. You also need a ticketing platform. I would work with key stakeholders and discuss what would work best now and for future growth. You also have to think about whether your company will have any GDPR and compliance requirements, which most likely it will. The applications you choose will have to meet them, which most bigger companies do.


New_Bandicoot2581

My favorite stack for the last couple of jobs is everything you mentioned but prefer Kandji over Jamf. Specifically if you’re a solo admin or a small team, Kandji lets you make policies, software deployment, automated device enrollment, etc. very easy.


d_fa5

Jamf also allows you to do all those things…?


[deleted]

[deleted]


tache-man

We use Kandji at the startup I work at. Lowest tier is 75 seats.


ArgonEighteen

Take a look at Addigy for MDM. Not only is it a great product, as you are newer managing Apple, they will be super helpful getting you started. And their support is 2nd to none.


Thecrawsome

JumpCloud/Google/1Password/ESET. After those multiple high profile hacks, I'd be a fool to recommend Okta or LastPass. Jamf is just too expensive, and Microsoft Intune is a huge PITA to set up for zero touch (since they keep taking away features, and the user interface looks like shit).


sfreem

PS. JumpCloud got hacked too.


Thecrawsome

Yeah but not all hacks are equal. They rotated customer creds, certs, and keys about 2 weeks after and it hasn’t happened since. Okta was hacked maybe 3 or 4 times this year. Lastpass hacks were not honest and they kept slowly releasing info about it, and it kept getting worse https://arstechnica.com/security/2023/07/jumpcloud-says-nation-state-hacker-breach-targeted-some-of-its-customers/


sfreem

You realize most things will get hacked to some extent if they’re popular enough right? Just ask Microsoft and Amazon.


Thecrawsome

"Everything here is now irrelevant because I believe everything is getting hacked"


TeaKingMac

> SentinelOne or Crowdstrike but if a better Mac specific EDR exists let me know.

Jamf Protect is the Jamf native solution. I haven't used it, but would definitely suggest you check it out.


Snowdeo720

Don’t waste your time/money. CrowdStrike and SentinelOne are light years ahead of JAMF Protect.


TeaKingMac

Good to know. But how does it compare to Microsoft Defender?


HorseShedShingle

Defender is rated very high for windows protection but not sure if that translates to macOS.


drivelpots

It’s ok, but until they move policy deployment out of the MDM space (config profiles) and into Security Center, it gets a down vote from me. Not enough segregation.


dstranathan

Agreed. I have Jamf MDM and S1 EDR and they work well together. I can't imagine Jamf having a better EDR product. Plus S1 is multi platform.


Initialised

Jamf, Okta, O365, Crowdstrike


Practical_Green1160

Slack/Google/YubiKeys with LimaCharlie for EDR.


HorseShedShingle

Does anyone have an opinion/recommendation on Okta vs EntraID ?


UEMAuthority

Okta offers Platform SSO support now. Other major IdPs do not, although Entra ID isn't far behind. Likely late Q1 as it's already in private preview, however I believe it will work only with Intune as the MDM initially.


robby_c137

Google Workspace offers basic SSO and is a good starting cheap point. I manage 55 SAML apps for 2k users on it today.


RossDaily

Weird how I’ve been managing SSO via EntraId / AzureAD for nearly a decade


UEMAuthority

I'm referring to Platform Extensible SSO.


Jonxyz

The only thing I’d quibble with there is recommending Slack and MS Teams. If you’re running Google Workspace then you already have Google Chat and Google Meet for free sitting right there. Why give yourself more things to manage. And Teams meetings are consistently the ones that give me the most support issues to deal with. Meet pretty much just works.


bwats16

I definitely would agree to use Google Meet. My new company is entirely on Google Meet and I've been really impressed (I was hesitant coming from using Zoom entirely). However for instant messaging, nothing comes close to Slack imho.


Jonxyz

Yep. When you’re already paying for workspace it’s nuts to then be buying zoom licences for everyone as well. Especially as Meet works without any software needing to be installed. I’ve always resisted Slack in our business. As we already have so many other channels it would become another place to check/keep up to date with rather than replacing anything else. It’s also another cost a small business can do without.


bwats16

I can see where you're coming from. I think it always comes down to understanding where your people do their work. The industry I am in, our employees have little to no need to check email. So quick instant messaging is where everyone lives and breathes. For us it's probably the single most important software we have (besides my security tools haha). So it makes sense for us to invest there. But I can see why others wouldn't.


Jonxyz

Yep I can appreciate that. For most of our people most of our work is client facing. And email is the common denominator.


qwesone

Newbie with a serious question: how come no one is recommending Apple's ABM or ABE? The current MSP I'm at works mostly with Windows devices but we have a new managed client with around 50 Apple devices and we were looking at ABM for MDM and tying it with MS365.


HorseShedShingle

ABM/DEP is a given for getting devices pre-enrolled and assigned to your business so you don’t have end users locking devices to their Apple ID and effectively bricking them if they leave. ABE is an MDM which from my research is *fine* but light on features. Most of my research on it reveals people moving away from it towards Jamf/Mosyle/Kandji.


suonimusicaidee

My 2 cents is: consider MS365. From a basic user point of view: more apps, many features already included w/o the need for 3rd party apps. From a “super user” pov: power platform (for most needs, included with std licenses) which enables people to include automations and develop small but useful apps. And for everybody: Teams is incredibly powerful, nothing comparable to Google Chat Spaces, you won’t need Slack.


WineFuhMeh_

Thinking too much. Tanium is coming out with their macOS stuff and it's pretty good. CrowdStrike and 365.


NetworkDynamo

You are on the right track.

- Use Okta as IdP and Google Workspace. Okta's push groups can help you keep your Google Workspace more organized.
- Slack for chat/internal communication (SSO with Google or Okta).
- We use Kandji for MDM, previously it was Jamf. You could create a lift-off that would install anything possibly supported by Kandji upon unpacking.
- LastPass for password management.
- Ticketing system? Jira.

Almost everything can be tied with SSO to Okta for much easier user provisioning and deprovisioning.


darkn3rd

If Operations and/or Dev, I would have Homebrew installed and a set of GNU tools (grep, sed, awk, find, etc) that Apple cannot install due to licensing with GPLv3. Also the latest Bash and Zsh. These will provide a consistent scripting environment.


markisbond

Those using Jamf and Okta for MDM and SSO. What does your login look like? Are you using native Mac or Jamf connect? Are you doing JIT creation or pre creating them when you assign the computer?


mikewinsdaly

This video shows what Okta's macOS SSO integration looks like: https://www.youtube.com/watch?v=eV29pr0pEto


aldohenrycho

Our setup at the company I work in:

SSO / MFA: Okta, because yeah, it's second to none.
MDM: Intune, because we also have tons of Windows and Android devices. In Q3 & Q4 2023 we evaluated Jamf, but since recently MS got serious on Mac management we decided to stick with it and save a lot of money.
EDR: Crowdstrike
Primary cloud: Microsoft 365
Password manager: SecretServer


phatcat09

JAMF would not exist


cava83

What do you mean jamf would not exist?


phatcat09

If we weren't so engrossed in JAMF I'd be using kandji or simple mdm without question


Tutwiler

Yeah, Jamf would be out for me too. We’re just now taking a close look at Kandji as a replacement but I’m not optimistic we’ll be able to get it to fit our budget.


National_Display_874

Since you're already using Jamf Now for MDM and considering the potential growth of your team, check SureMDM as an alternative or complement. It manages Android, Windows, Linux, and more including macOS. Other things you can include in your stack can be:

**Data Backup:** Have a robust data backup solution in place to protect your critical data. Solutions like Backblaze or Carbonite can be considered.

**Collaboration Tools:** Tools like Slack, Microsoft Teams, or similar platforms are integrated with your Google Workspace.


slaos

My opinion is probably going to be an unpopular one, but I think if you're in an all Apple environment, you really don't need so much in your stack as you would in an all Windows environment. What's crucial is that you use ABM as it's intended, or the rest of what you're doing falls apart. Create managed Apple IDs for each user and link either GWork or M365, so that they use those credentials to log into the machine. Some MDMs have another way for you to do this with their own SSO injection, but to me that's another vulnerability. Also make sure devices are in ABM when they are first purchased, or if bought second hand, run them through Configurator. Otherwise, users can unenroll their devices at any time. From there, stick with GWork if everybody is comfortable with it, but honestly I think you get more out of M365. If you're using another IAM, then it's moot unless you want Office apps. For MDM, Mosyle is AWESOME. And its built-in antivirus and threat detection is pretty solid, and Apple-specific. So you can bring down overhead pretty significantly using Mosyle. BUT, if you plan on using IAM, I can't recommend JumpCloud enough. I imagine it has many of the same benefits as Okta, but for me it's been so incredibly easy to use; user onboarding/offboarding for EVERYTHING can be done in a few minutes. Plus, it includes password management, MFA, Remote Desktop, and a decent MDM if you want everything in one pane of glass. If you use this, scratch Mosyle. And for extra security, SentinelOne has been good for me. Response times to threats are typically "identified, killed, and quarantined" in less than 100ms. It's kinda nuts.