International SaaS Firm Saves on Mac Deployments, Boosts Security

How one IT team deployed Mac computers to a worldwide workforce, then kept that fleet in compliance.

4
Continents
30
Annual employee growth (%)
2
Onboarding hours saved per Mac

When John Howell first began working as an IT manager at Deputy last year, he had three goals in mind: Save time on Mac deployments; improve visibility into the company’s Mac fleet; and tighten security. Here’s how Kandji helped him achieve all three.

Goal: 100 Percent Zero-Touch

Deputy—which offers workforce management services that aim to simplify employee scheduling, timesheets, and communication—has customers in more than 100 countries around the world. And the company itself is international.

“We've got people all over the planet,” Howell says—with offices in Sydney, San Francisco, Atlanta, and London and employees clustered in EMEA, APAC, and America. Headcount—about 350 people at the beginning of 2022—is poised to jump more than 30% this year. That’s why efficient provisioning is at the top of Howell’s to-do list. He uses a mix of provisioning models, depending on where employees are and how many are onboarding at once.

His team still does the occasional white-glove deployments for employees in Australia (where the company is headquartered) who can physically come into the office. And if there’s an especially large onboarding cohort, the IT team will do part of the setup themselves—unboxing the machines, powering them up to do the initial configuration, then shipping them out—and then let employees finish the process. Howell says this latter process makes the first-day experience smoother. 

John Howell
John Howell
IT Manager
”We can have Apple ship directly to any Deputy employee on the planet, have them sign in, and they're up and running within 10 minutes.”

“You've got 15 people on a call on day one, and people haven't joined their Wi-Fi properly, and they're like, “Oh, the screen hasn't come up,” it becomes disruptive in the onboarding session,” he explains. “So we try and minimize those kinds of problems.”

But the company uses zero-touch deployments whenever possible: “We ship a MacBook to a person, assign it to a Blueprint, then we talk them through the process—‘Power it on, connect to your Wi-Fi, wait for the remote management screen to come up...’” Howell’s ultimate goal is to go completely zero-touch for everyone. One key reason: Liftoff.

“We can have Apple ship directly to any Deputy employee on the planet, have them sign in, and they're up and running within 10 minutes, with our default spread of apps. And they haven't had to do anything.”

Howell says zero-touch saves Deputy both time and money. They’re saving the expense of shipping each computer to headquarters for configuration then out to the employee; instead, it’s just the shipping from Apple to the user. At roughly 20 computers per month, he figures that saves the company about 1,500 USD monthly on shipping alone. And having Apple send computers directly saves his team time—he estimates about 2 hours per computer—on scheduling, troubleshooting courier services, and setting up computers. 

Visibility = Security

Kandji also provides Howell what he calls “tighter management” of his globally dispersed fleet of Apple devices. 

“We've got some core tools that we deploy to the desktop: Slack, Zoom, Chrome extensions. And we're able to manage those very effectively through Kandji Blueprints.” Whenever possible, Auto Apps ensure that everyone’s got the latest version. 

He also likes the visibility Kandji gives him into the devices he’s managing. 

“The surprising thing to me was the amount of device information that’s available through the Kandji portal—things like when it last checked in or when its policies were last updated. It's just there, with no messing around, it's just all at your fingertips.”

His team also relies on osquery, as well as a separate inventory tool and the company’s user directory. But Howell finds that he often turns to Kandji first when it comes to finding out what’s going on. 

“Kandji is pretty much always our first port of call: Whenever there's an issue in the MacBook, we can go straight there.”

"The surprising thing to me was the amount of device information that’s available through the Kandji portal."

Howell's five-person team doesn't routinely look at what people have on their machines or impose blanket restrictions on the whole org—they’re more surgical about it.

For example, Howell explains, Deputy has a team of engineers who need admin access to their computers. “There's no way around that, if you're a developer, you need access to the tool, so we give them fairly free rein. We just ask them to let us know what they're installing on there.”

But if the IT group does find out about any security gaps, “we can go to Kandji to help fix it. We’ve used the blocking function on applications, such as some unsanctioned screen recording apps.”

Howell also relies on Kandji when it comes to collaborating with Deputy’s security team. (They prefer the term “trust team.”) He meets with his trust team counterpart weekly. 

“It's very collaborative. He'll sit down and say, ‘Is it possible to run a report on the state of encryption across the fleet?’ Yes, it is, we can help you with that.”

“He's all over our certification—we’re ISO 27001 now. So he might say to me, ‘Hey, per our certification, our macOS version can't be more than n-1. So we don't want any machines out there that are still running Catalina.’ So we use Kandji to enforce the latest OS major version and minor updates.” 

 

Share post