Like a lot of startups, Syndio sometimes needs employees to wear more than one hat. That was the case when the company—which helps customers measure and achieve workplace equity—hired Aaron Bauman as a systems security engineer.
Prior to his hire, Aaron had worked for Syndio as a compliance contractor. But thanks to his previous experience managing tens of thousands of mobile devices for the U.S. Marine Corps, he was given two jobs when he came on board full-time: “One, making sure that everything is secured. And, two, making sure that we have a solution in place to help us manage those devices remotely.”
Streamlining Management, Security
In his Marine Corps gig, he’d worked with tools like Workspace ONE and BlackBerry Enterprise Server—“massive things that you need for multiple platforms.” Now he was being asked to manage an all-Apple fleet in a hybrid workplace. (Currently, everyone is remote, but the company has offices in Seattle and New York to which team members will eventually return; it may open more.) Aaron needed a device-management solution that could handle that.
It also needed to help the company comply with the strict security standards that apply when dealing with confidential compensation data.
Aaron Bauman, Senior Systems Security Engineer: “Remediations weren't firing; there wasn’t continuous monitoring or enforcement.”
The management solution that Syndio had in place before he arrived just wasn't up to the task. For example, it couldn’t reliably ensure that FileVault was implemented on his Mac endpoints. “Remediations weren't firing; there wasn’t continuous monitoring or enforcement.” And it couldn’t reliably manage installing and updating third-party apps. As a result, “users might go to the Zoom site and download it, but then they would never update it.”
Aaron could have made that legacy solution work—he had the necessary scripting chops—if he didn’t have a ton of other things to do. He didn’t need a big-gun, cross-platform solution, like the ones he’d used in his Marine Corps gig. He needed an Apple-centric tool that would save him time managing devices while also helping him meet security requirements—a solution that would help him do both of his jobs. That’s what led him to Kandji.
Automating Patching, Compliance
Kandji helped immediately with software deployments. “I was looking for a platform that allowed me to deploy things right, then do continuous enforcement, continuous monitoring.” He thought Kandji’s library of third-party Auto Apps was “phenomenal” in that regard. And for apps that aren’t available as Auto Apps, such as CrowdStrike, Aaron was able to use scripts supplied by Kandji Support to set it up right. “Here's your pre-install script, here’s your post-install script, here’s a support article—nice and easy.”
Syndio has 27 essential applications that are kept up-to-date automatically, thanks to Kandji’s Auto Apps. Without Auto Apps, Bauman estimates, keeping each app updated can take an average of 1.5 hours per month—or up to 486 hours per year for his software suite.
For compliance, Aaron was able to start with Kandji’s built-in Blueprint templates, customize those as needed, and use them to deploy dozens of security settings. Syndio needs to be SOC 2 compliant, and Kandji made that simple. “If SOC 2 says we need to be encrypted on our endpoints, I'm going to deploy FileVault.”
“It made it so much simpler for me to have those things already prepackaged and ready to go because it means I'm spending less time building out the policies.”
Kandji continuously enforces those security settings across the fleet. If a given computer falls out of compliance for whatever reason—“they aren’t reporting in, users aren't turning them on, that type of thing”—he gets alerts so he can investigate. “We have a continuous picture of what our fleet looks like.”
Bauman conservatively estimates that the time he saves on compliance—by not needing to cross-check PDFs or to audit and enforce security settings—is in the range of 5-10 hours a month, for another 60 hours saved per year.
The bottom line: “We have 120-plus laptops, they're all managed, and we meet SOC 2 compliance.”
Zero-Touch = More Time Saved
The time Aaron saved on deploying apps and compliance meant he had more time for other projects, like converting Syndio to a zero-touch deployment model.
“What we used to do was, we’d send out a set of instructions that every new user would have to go through: Take the laptop out of the box, turn on FileVault, turn on the firewall, and do all of the things that we required, all the way down to disabling the guest user account.”
“Many users would be like, I don't know what any of this means, and I don't know why I need to do it.” Aaron has led the transition to Apple Business Manager, so now users are enrolling properly.
“We want them to take the laptop out of the box, find their documentation, then have their browser open and walk them through all the HR things. Then all we have to do is mail you a MacBook, zero-touch it from there, and everything else is done.”
Aaron estimates that switching to a zero-touch deployment process with Kandji has freed up at least 30 minutes of admin time per new computer. That pencils out to a savings of nearly 60 hours of admin time in onboarding the 115 new hires Syndio expects this year—and that doesn't count the time zero-touch saves new team members.
He’s also got his end-users installing the apps they need via Kandji's Self Service. “Occasionally I'll get somebody that says, ‘Hey, can I download this application?’ And I just say, ‘Go to Self Service, it's right there.’”
All in, the team clocks in at a conservative estimate of 606 hours per year saved in device administration and enforcement of security settings. While the improvements in quality of life for team members can be hard to quantify in dollars, multiplying just the IT hours saved by the average payroll for a systems engineer comes out to an impressive 3X return on investment.
“Having one person—me—as a full-time security employee and handling all of that is a testament to the capabilities that Kandji brings to a startup, even an all-remote company. I could see scaling past 300 to 400 devices, and one person would still be able to handle it.”