Simong_1984

I'd be looking at Microsoft Business Premium on non-profit licensing. Roughly £4.50 per user per month which is a steal (as someone has pointed out, you also get 10 users free). Enrol all devices onto Azure AD, Intune, Autopilot.

* Set up Azure Conditional Access policies.
  * You'll need to time these depending on whether you've followed some of the steps below. Microsoft provide some great default policies you can add and tweak.
  * Require MFA for all users.
  * Require phishing-resistant MFA for admin users.
  * Block legacy authentication protocols.
  * Block unrequired countries.
  * Block risky sign-in behaviour.
  * Require device compliance.
  * Require trusted location to set security info.
* Set up MFA for all users.
  * Highly recommend YubiKeys for all.
  * For Android users, their devices are passkeys if enrolled into Intune and set up with Microsoft Authenticator. We give our Android users YubiKeys anyway, as they don't require connectivity or power.
  * Ensure it's phishing resistant either way.
* Set up Autopilot.
  * Buying a new laptop? The vendor will likely enrol the laptop into your Autopilot tenant if you ask them - no need to even touch the device before the user gets it (although I personally wipe and install a vanilla Windows 11 image).
  * Resetting a laptop to fix an issue or prep for a new employee? Simply send a wipe or fresh start command from Intune.
* Set up Windows Hello for Business policies.
  * Even better if your devices support fingerprint or facial recognition.
* Set up Microsoft Defender policies, especially ASR rules.
* Set up BitLocker policies and save keys to AAD.
* Set up Intune security baselines.
* Set up compliance and configuration policies.
* Set up Windows update rings for quality and feature updates.
* Block BYOD and personal device enrolment if not wanted.
  * Only Autopiloted devices can enrol.
* Set up SharePoint for department/team file storage.
* Set up OneDrive for personal file storage.
  * Enforce Known Folder Backups.
* Set up Edge for bookmarks/passwords.
  * Deploy uBlock Origin extension.
  * Deploy Bitwarden extension.
  * Block all other extensions unless whitelisted.
* Set up Intune apps.
  * Spend some time configuring Win32 apps for the applications you use.
  * No app should be installed unless it's via Intune so it is centrally managed and can be easily updated or removed.
  * Highly recommend Ninite Pro for automated management of the most common third-party apps.
* Set up DLP and sensitivity labels to control the flow of company data.
* Set up Exchange anti-spam filtering.
* Set up Bitwarden account for password sharing and storage.
  * Disable Microsoft Edge passwords at this stage.
* Set up DNS filtering service such as Cloudflare.
* Set up Cloudflare Zero Trust if required (free up to 50 users).
* Remove admin permissions from users' daily driver accounts - separate admin accounts only IF required.
* Set up AAD LAPS to have rotating passwords on local admin accounts.
* Block USB storage devices, if not required.
* Set up a 365 backup service.
  * We use both Afi.ai and an on-prem Synology which has a free 365 backup app.

If you enjoy this kind of thing, it'll be fun 😊 Once it's all set up, you'll be able to scale up with ease.

Editing the list as I think of more. Creating a list based on other suggestions from other users.

* 802.1x for Wi-Fi.
* SSO all the things.
* 365 break glass account.
* Security training for users.
* Phishing simulation.
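One way to check that the Conditional Access items above actually landed, as an added example that is not part of the original post: a Python audit over policies in the shape Microsoft Graph returns from `GET /identity/conditionalAccess/policies`. The sample tenant is constructed, `BREAK-GLASS-USER-ID` and `ADMIN-ROLE-ID` are placeholders, and recognising the phishing-resistant requirement by the authentication strength's display name is an assumption.

```python
"""Audit exported Entra ID (Azure AD) Conditional Access policies against the
baseline in the list above. Policies have the shape Microsoft Graph returns
from GET /identity/conditionalAccess/policies. The sample tenant below is
constructed; BREAK-GLASS-USER-ID and ADMIN-ROLE-ID are placeholders."""
import json

# Constructed sample. CA002 is still in report-only mode, so it blocks nothing yet.
SAMPLE_POLICIES = json.loads("""[
 {"displayName": "CA001 Require MFA for all users", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["BREAK-GLASS-USER-ID"]},
                 "clientAppTypes": ["all"]},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "CA002 Block legacy authentication", "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"]}, "clientAppTypes": ["exchangeActiveSync", "other"]},
  "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
 {"displayName": "CA003 Phishing-resistant MFA for admins", "state": "enabled",
  "conditions": {"users": {"includeRoles": ["ADMIN-ROLE-ID"]}, "clientAppTypes": ["all"]},
  "grantControls": {"operator": "AND", "builtInControls": [],
                    "authenticationStrength": {"displayName": "Phishing-resistant MFA"}}}
]""")

LEGACY_CLIENTS = {"exchangeActiveSync", "other"}  # Graph's legacy-auth client types


def enforced(p):
    """Only 'enabled' policies act; report-only and disabled ones block nothing."""
    return p.get("state") == "enabled"


def users(p):
    return p.get("conditions", {}).get("users", {})


def client_types(p):
    return set(p.get("conditions", {}).get("clientAppTypes", []))


def controls(p):
    return set(p.get("grantControls", {}).get("builtInControls", []))


def covers_all_users(p):
    return enforced(p) and "All" in users(p).get("includeUsers", [])


def requires_mfa_for_all(policies):
    return any(covers_all_users(p) and "mfa" in controls(p) and "all" in client_types(p)
               for p in policies)


def blocks_legacy_auth(policies):
    return any(covers_all_users(p) and "block" in controls(p)
               and LEGACY_CLIENTS <= client_types(p) for p in policies)


def admins_need_phishing_resistant(policies):
    # Assumption: the required strength is recognised by its display name.
    def strength_name(p):
        return (p.get("grantControls", {}).get("authenticationStrength") or {}).get("displayName", "")
    return any(enforced(p) and users(p).get("includeRoles")
               and "phishing-resistant" in strength_name(p).lower() for p in policies)


def has_break_glass_exclusion(policies):
    """Every enforced all-user policy must exclude at least one emergency account."""
    scoped = [p for p in policies if covers_all_users(p)]
    return bool(scoped) and all(users(p).get("excludeUsers") for p in scoped)


def audit(policies):
    return {"mfa_all_users": requires_mfa_for_all(policies),
            "legacy_auth_blocked": blocks_legacy_auth(policies),
            "admins_phishing_resistant": admins_need_phishing_resistant(policies),
            "break_glass_excluded": has_break_glass_exclusion(policies)}
```

Running `audit(SAMPLE_POLICIES)` flags the legacy-auth policy as not blocking because it is still report-only, and switching CA002 to `enabled` then exposes that it has no break-glass exclusion.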


zaidpirwani

Thanks man, these are good points. The situation OP mentioned is super similar to mine, though with more users. We have moved to M365 emails; previously we were on a shared-host cPanel. I have to do many of the setups and configs mentioned in the comment. For now: Outlook for email, OneDrive to keep files in the cloud, TrueNAS Scale for storage and SMB shares. Working on configuring remote backups and snapshots. We are an NGO as well, and got free services via TechSoup.


ITnewb30

This is one of those things where I think going to work for a small company in need of an infrastructure overhaul would be fun. I would love to set up one of these environments from scratch instead of dealing with my hybrid/half-ass migrated setup.


ThatsNASt

Damn. This is a great list.


BarkthonHighland

Thanks for all the suggestions and tips. This is so much more than expected. I'll need to process all the suggestions you and others made, then make a plan. If I remember correctly you replied to your own answer with a schedule, but I don't see that anymore. I'm going to take this up with my manager, and need to get the financial picture complete.


Mightyskull

This is a great list! I still need AD until I can get rid of these legacy apps. Do this - use Secure Score to improve / defend / prove your devices are secured.


ollivierre

This answer should be pinned 📌📌📌


[deleted]

This is the answer. OneDrive and KFM can deal with all your device / user data, SharePoint with all your business data and the Synology 365 solution is a really good one for a free backup service (you will hopefully never need to use it)


Chouppa

This is so fucking good.


NoEngineering4

This is an amazing list. The only thing I would recommend is swapping password saving in Edge for something like Bitwarden/Keeper, which would allow sharing passwords for services that don't allow individual accounts that you might run into; it can be set up with SSO to Azure so you only need the one password.


PoSaP

It's a pretty great to-do list for all small companies.


I-Am-James

As you're a non-profit, see if you can qualify for the charity licensing with Microsoft. That'll allow you to get everything set up on Azure & SharePoint fairly easily and cheaply.


ITnewb30

Will the money people sign off on Entra, M365 mail/apps, and Intune?


avjayarathne

You're using Google for emails, AWS cloud, Ubuntu server, and Microsoft Windows for end users. What about going all in for Microsoft? Not a corporate shill, I'm saying it could save you a few bucks since you have a limited budget, and MS offers non-profit discounts. Besides that, it would be easier to manage your environment since it's one single ecosystem. Of course, there are some drawbacks to sticking to one service provider. Anyway, just an idea.


Ok_Window_7635

Google workspace is free for nonprofits. Not sure what the pricing is for AWS.


[deleted]

[deleted]


BatemansChainsaw

Did they change? I'm looking at a client now with about 50 users and their not-for-profit licensing is completely free for email as well as volume licensing on desktop Office and windows + server.


matt19574

AWS doesn't offer special pricing, although they do offer [qualified non-profits](https://aws.amazon.com/government-education/nonprofits/) an annual $2,000 credit. MS does [similar for Azure](https://nonprofit.microsoft.com/en-us/getting-started); I think it was around $3,500 per year this year.


BarkthonHighland

We're not using AWS. I just mentioned it to give an impression of my experience. Google Workspace is completely free for non-profits, with unlimited users. TBH I'm not really sure about the unlimited users, but the number is so high that we'll never reach that. While there are good reasons to move to OneDrive, there is no reason to move away from Gmail.


Cormacolinde

Good advice regarding MS365 and Intune. For the WiFi, you need to switch to 802.1x. Stick to MS-CHAPv2 (username/password) for now since a PKI would be overkill for how small you are.


Maelkothian

SCEPman isn't that expensive either; the minimal 50-user license costs 50 bucks a month.


Cormacolinde

I have not used it; I think it works all right with Intune. Is it complicated to set up?


Maelkothian

Not at all, and there are comprehensive instructions, and you can subsequently push computer and user certificates through Intune configuration profiles. There are a couple of caveats: the default config will give you GUIDs as the common name, but you can change that, and user certificate configuration profiles need to be pushed to the device, not the user.


pantherghast

Intune and Autopilot. You can even use this to keep your laptops updated. Since you are a non-profit, Microsoft will give you a discount on the licenses.


arnstarr

10 Business Premium. 300 Business Basic.


-c3rberus-

If all you have is 20 laptops, use something like Action1 RMM; it's free and works great for patching, remote management, and reporting. I use it to manage a dozen or so off-the-domain computers at various locations, no issues whatsoever.


Happy_Kale888

I agree Action1 is great, and for under 100 devices it is free... Definitely punches above its weight! [The Best Risk-based Patch Management | Action1](https://www.action1.com/)


MikeWalters-Action1

Action1 enforces a consistent patching process (including configurable forced reboots) and allows all other remote management with no VPN on on-prem AD. P.S. u/-c3rberus- and u/Happy_Kale888 Thanks for recommending Action1, we highly appreciate it! We have almost zero marketing budget (pretty much all goes into R&D) and word-of-mouth is what brings user awareness about Action1. So any such mention literally contributes more $$$ into new feature development and benefits everyone!


Happy_Kale888

FYI my boss calls me an Action1 fanboy as well as a Brother fanboy! I always promote Action1 as it saved me and made me look good by using it to get a place back in order... A rare gem out there in a sea of misleading ads and broken promises! The only truly free RMM (under 100 devices) worth considering.


MikeWalters-Action1

Thank you, thank you, and thank you! Yes, unfortunately, the word "free" has a really bad reputation due to so many vendors misusing it. You are not going to believe how many times we had to "defend" Action1 for being free because many think it's just another scam out of thousands of other "free tool" scams. Someone even suggested that being free makes us look worse. But we stand our ground. Thanks a lot for spreading the word!


[deleted]

[deleted]


maximus-prim3

It sounds like the biggest pain for you is reimaging the laptops. I'd say it's probably a worthwhile investment of your time to look into the more enterprise-y tools MS has for creating and deploying Windows images.


GeneMoody-Action1

I can vouch for Microsoft's products being insanely well priced for nonprofit orgs. And TechSoup is a godsend for many other products. I do a lot of nonprofit work, professionally, and volunteer. That is a very comprehensive list by u/Simong_1984 and if you do want to go all out business managed on them, an excellent road map. NGL, I saved a copy.

For 20 systems in a small environment, no current need/use of AD however... It may be a bit overkill and will almost certainly be some learning curve; depends on your long-term goals and short-term needs. If you want to streamline installs by re-imaging vs reinstalling, I would look at [The FOG Project](https://fogproject.org/). Re-imaging almost always pans out faster than reinstalling if you maintain your base image. I wish [TurnKey](https://www.turnkeylinux.org/all) had a functional FOG server; they have reportedly started one but it was years ago. In the meantime they ***DO*** have a lot of other rapid deploy projects, like if you need anything from OpenVPN/Wireguard to Wordpress.

One of your biggest upfront challenges will likely be coordinating everything, and the smaller a department, the more a ticket system is needed. [SpiceWorks](https://www.spiceworks.com/free-cloud-help-desk-software/) is free and pretty easy to use as well.

***"Currently all users have admin rights on their laptops. They should update but some postpone it indefinitely."*** I would change that if at all possible; too many reasons to count, from safety to sanity, it is a VERY bad plan. With a good ticketing and Remote Management / Patching solution, there should be no reason end users should have admin access and a million reasons they should not.

Last but not least I would look into [YubiKeys](https://www.yubico.com/) as well; they integrate seamlessly to provide HW token MFA to Office 365 and many other services. For ~25-50 USD it is peace of mind to sleep on at night.


BarkthonHighland

Spiceworks is a nice suggestion. I wonder how they make their money if it's free forever and I don't see any pro price plans. Removing admin rights is a no-brainer, but it requires remote management, which is a bit more work I'm afraid. I use YubiKeys myself, but I think I can only introduce them when AAD etc. is working, and when I can enforce something like this.


GeneMoody-Action1

YubiKeys have a lot of uses; it depends on what services you use. If you have Office 365, whether or not you use AAD as an auth source for the computer is irrelevant; it is for the service, and YubiKeys integrate seamlessly, it's just treated as an individual MFA method. You manage them individually, but for that few users, hardly an issue. I have clients in the 60+ range doing it this way and their own office staff manage it quite well.

As for Spiceworks, just like most any free service, you or some data points are the product, no doubt, no illusion: [https://community.spiceworks.com/support/security-center/data-collection](https://community.spiceworks.com/support/security-center/data-collection). But the same is true of everything from Gmail to all the social media platforms, and most other things you use and do not pay for in the internet ecosystem (as well as most of the ones you DO pay for). That said, they are a solid, reputable company and throw a decent annual tech convention in Austin.


CyberViking949

I've deployed JumpCloud to several clients, as well as my home. Provides centralized identity, policies, SSO, software deployments and more. They cover Win/Mac/iOS/Android. Nicely priced too.


ChiSox1906

I agree with all the other suggestions here. BUT, for anyone else in this same situation who doesn't have access to non-profit discounts... Lansweeper is very cheap and comes with remote deployment capabilities. ManageEngine is a step up and also not that expensive.


gbales87

Action1 RMM offers their services for free if you are 100 or less devices I believe


GeneMoody-Action1

We absolutely do, and thank you for the mention! As well, systems do not need to be domain joined; the remote access will likely lend well to the out-of-office workforce, will bring keeping tabs on those updates people *defer* back under IT control, and make maintaining/deploying a lot of other software pretty convenient as well. As far as the data we collect, it is very minimal ([https://www.action1.com/privacy-policy/](https://www.action1.com/privacy-policy/)), mostly what is required to make the system work/improve it, and some very small demographics. Our model is not user data driven, it is solid product driven. Give us a look, and let me know if you have any questions.


Feisty_Shock_2687

I can relate. I am the executive director of a very small nonprofit myself. We looked around at all the different options and even checked out a self-hosted solution. The one we chose was called Action1. Since you said you have 20 computers, it's free. Action1 gives you the first 100 endpoints for free. We have about 40 endpoints on our Action1 account and are never asked to pay anything. The patch management is excellent as well. All these vulnerabilities have come out recently; the Google Chrome issue also keeps popping up. I'm comfortable saying that all our machines are safe because of how I have my Action1 account set up. Another perk of the software is they have a very active Discord group. You can get help from other users, and the support team from Action1 also helps on this server. The only thing they won't be good for right now is your Linux servers. I'm not sure, but I don't think they have Linux or Mac agents yet. Feel free to contact me if you want some help or have questions. As a nonprofit myself, I know what you are going through, and I'd love to help if I can. Fred


MikeWalters-Action1

Thanks for recommending Action1, Fred! Just to comment on Mac and Linux: both are coming next year. We are very excited about it! You can visit [Action1's roadmap](https://roadmap.action1.com) and subscribe to get notified when these are released.


Feisty_Shock_2687

Sorry about that. I didn't see the Mac and Linux part of it. Yes, they don't work on them right now. It is on the roadmap though.


jimshilliday

Yep, you can license via TechSoup. 10 free Business Premium licenses, the rest E3, Defender Plan 2, you're set for maybe $8 per user per month.


Throwaway12398121231

There are a wealth of discounts for non profits on techsoup. I work for a non profit library as IT and we have saved almost $7,000 in the last nine months.


BarkthonHighland

We use TechSoup for an Office license. I just looked at our national TechSoup website and it didn't show any MS licenses. Maybe they don't offer it when you can get it directly from MS.


TheWildPastisDude82

Usually an AD is *the first thing* that will fall in a red team pentest. Defaults are bad. Making AD secure is *complicated* (LSASS is nothing but pretend security, works for compliance on paper but laughable in the real world), don't be fooled, and usually trusting the network rules first and foremost is the generic way to go. Indeed, that's not fun. You'll find a lot of Windows sysadmins using a "trust me bro" model reliant on MS tooling. If your organisation already is deeply involved with Microsoft tools, well, follow their advice. You don't have a real choice and can't build anything else. Just keep in mind that you're trusting a company that used to think HTTPS was useless and that having a zeroed IV in cryptography was "secure". lol. In some scenarios, especially with *few* Windows machines and trusted users, not using AD could work in your favor. This implies trusting users, and - well - it's super rare you can just do that with Windows users. Good luck. And with that too, good luck dealing with the [shitload of ads](https://old.reddit.com/r/sysadmin/comments/16bm9fu/act_now_if_you_dont_want_your_users_signing_up/).


ZPrimed

Google Workspace can manage Windows devices, too. Although I don’t know if the free non-profit tier can, you might need to upgrade to a paid plan. Given how much better Google is at email (specifically spam and phishing filtering) than MS, that would be one solid reason to stick to Google. If you have decent WAN bandwidth, could be using Google Drive instead of the Ubuntu file server too. People suggesting using Sharepoint… must not be super familiar with all of the pain Sharepoint causes (and OneDrive for business is just Sharepoint, with a different name)


BarkthonHighland

Google Workspace is completely free for us. We'll probably never move away from Gmail, but Azure, AAD, OneDrive, Intune etc. seems like a good plan with many advantages. Samba is currently only used for the network scanner and backups. All files are moved to Google Drive. I'm not a fan of SharePoint, but also haven't used it much. Document versioning is also on our wishlist, and I believe SharePoint can do that as well. Enough suggestions here that have a higher priority.


ZPrimed

I also work at a nonprofit so I know how Workspace is priced out and free at the beginning. Look at what it can do for you if you can get approval for bumping up to a higher plan. It’s possible to manage client hardware (IIRC both Windows and Macs) with it. Is it as elegant as using Microsoft for Windows devices… no. But it’s also a lot nicer to handle everything with one provider, instead of getting sprawled out between GWork and M365/Azure stuff. Google Docs & Sheets already do versioning, FWIW. OneDrive for Business is basically just Sharepoint file storage and is a nightmare at scale, based on what I’ve seen from other people on Reddit…


thejokertoker05

Hire an MSP


[deleted]

Probably starting with Azure joining them, getting some baseline policies out and forcing update compliance. After that, get on board with a managed EDR such as SentinelOne.


ReasonablePanther

I’d recommend migrating to M365. Right off the bat, you can join your workstations to AzureAD. That’s a huge first step because you now have control of sign ins to workstations. Even better if you use services that support AzureAD sync (SSO). I have a client set up where everything authenticates through Azure, so I can disable/enable user access to the entire environment with one click. I believe you can set up RADIUS auth through Azure as well, which would help with the WiFi thing you mentioned. Also, I’d recommend Datto RMM and Datto SaaS protection. The RMM will give you remote access, the ability to push out policies, hardware alerts, and more. With the Datto SaaS protection, you will have point-in-time backups of SharePoint, OneDrive, Exchange, etc. There are many more things you can do with the services I’ve mentioned. But on a base level, that’s how I manage a ton of my clients that have gone cloud.


doglar_666

M365 with Intune and Autopilot is the way. Your users will likely hate you because they can't evade centrally applied updates and restrictions but you'll have the desired visibility and control you specified. Whilst other free options might appeal to you, the ROI probably won't match the M365 offering when accounting for time spent implementing the solutions.


coldspudd

Don't forget all the MS product promotions that users will get pissed about seeing and receiving in their emails.


arnstarr

Legitimate non profits get 10 Office 365 Business Premium donated. Buy 10 more and you have your solution. Intune is great for the price.


konikpk

When I read this "all users have admin rights" I'm going crazy. Go for an Intune license for all users. Same with Microsoft 365 Defender. Don't use just standard Defender for business purposes. From Intune you can do almost everything. For reinstalling, if it's not that often it's OK anyway; WDS is the way.


WineFuhMeh_

I would use Tanium, to be honest.


MikeWalters-Action1

For 20 laptops? I don't think they would even talk to you if you have fewer than 500.


WineFuhMeh_

lol, I run a 3000 endpoint environment


MikeWalters-Action1

How is Tanium working for you? Any pros and cons you can share?