Having previously managed a Windows network, I know that security is always a major concern: you are constantly trying to balance locking things down against not impeding the company and its ability to work. Luckily here at Studio 24, we are Mac OS based, which does seem to reduce the risks and issues dramatically. We already had Cyber Essentials accreditation and decided that we should renew it, not only for the security and peace of mind for clients but also due to various changes in how the process works and to ensure that we are as up-to-date as possible with our processes.
Since our last accreditation, we now have additional changes to contend with, such as:
- Staff members in other countries and working remotely due to the COVID-19 pandemic
- An upgrade of internal IT equipment with an office move
- Apple introducing Big Sur and the new M1 processor
- The previous company that we used no longer taking part in the program
- Lack of a central management solution for staff laptops
Luckily, we were able to get a good head start on the process as the previous company we used gave us a good recommendation on who to use instead. A couple of phone calls later and we had a clear picture of where we were and where we needed to be.
Previously, compliance was easy: we had one office that everybody worked from, one firewall, one network, and one managed set of wi-fi routers. Oh, the good ol’ days! Now, with everyone working from home in the UK or overseas, we have 21 networks and routers to concern us.
Although (at the time of writing) we are no longer under lockdown, our new office has a limited capacity compared to the previous office and we still implement a limited attendance policy.
Where to start?
Luckily we have a trustworthy team, so the first step was simply to ask them a series of questions. This also proved a good chance to review what software the staff use and what BYOD (Bring Your Own Device) or company purchased devices we all use.
This helped us to work through each staff member and each Cyber Essentials requirement one by one. Now we just needed to work out how best to manage this.
Central management for staff laptops
Prior to the pandemic, life was simple. We ordered a new MacBook from Apple and it was delivered to the office. One of the maintenance team would then happily work through our (very manual) process of setting it up for the relevant user. The user was given the laptop and logged in to each of the required services: Google, Slack, Office, email, etc.
However, the logistics of this process became much harder when we were under lockdown. It was pointless (and expensive) to ship new systems around two or three locations to ensure they were set up manually. Having previously tested a few MDM (Mobile Device Management) solutions and found that they can get complicated very quickly, we decided that we would manage our systems with Addigy.
Although it has a very user-friendly portal, it was still a steep learning curve. But the Addigy support team and the MacAdmins Slack channel have been very helpful. This has helped us to automate virtually every step of our setup process. We’ve even managed to add in additional security such as remote device locking and assigning asset tags electronically.
We now have a basic system setup that covers every staff member and then a small series of steps for our developers to carry out once they receive a new machine.
Good news! No more obsolete software, and automatic updates and licence management all in one (very) easy-to-use portal.
Big Sur and the new M1 processor
The introduction of Big Sur had an impact on our developers due to the move from kernel extensions to system extensions. This meant that some of the processes we had just rewritten needed another update. There was also the usual delay in vendors releasing (reliable) versions of software that were Big Sur compatible.
Then it happened: we needed a new MacBook Pro and it was going to have an M1 processor. This has never been a problem in the past: we run our setup scripts, install MAMP, start the servers and start working. However, we had also decided that, due to the various issues we continually had with MAMP, we would no longer use it.
Easy! We could simply use the Mac OS built-in version of Apache. Except there isn’t one. Next step, work out a process for setting up local Apache. That’s a blog for another day…
The largest challenges and how we solved them
Updating staff and their machines
Rather than have a full company meeting to try to educate staff and update their laptops, we ran a series of one-to-one online calls so that we could methodically make changes and explain the reasons behind them.
This worked very well and was probably far more productive than running larger groups. It also meant that thanks to our questionnaire, we could concentrate only on the relevant changes for each user.
App store apps
Previously, users logged in and purchased apps themselves, and it was very hard to keep track of who used what and who it was registered to. Again, thanks to Addigy and linking our account securely to the Apple Business portal, licences are now managed centrally and automatically in one place. The licences are all distributed on a first come, first served basis or to specific users based upon the various policies.
We’ve all seen and done it: a quick test of an app to see if it works and then never uninstalling it. Or an update to an app that creates a new version and leaves an old copy in place. Fast forward to a developer who has had the same laptop for 4 years and that’s quite a lot of apps and wasted storage.
Luckily again, we can do a full audit of installed software and apps via Addigy. This made it very easy to see which systems needed software removing and an alternative found when required. An additional benefit was that this also helped to free up storage space on some of the older systems.
Non-admin user accounts
Being a web agency, some of the limitations and challenges of using non-admin user accounts have always been an obstacle, especially for the development team. They may need to run commands in the terminal for Composer, Node, Symfony, or many others. Running MAMP also requires administrator privileges to start the app.
Non-developers don’t have the same issues but do still require administrator privileges to change settings or to perform some upgrades.
It was clear that we needed two solutions for this: one for developers and one for non-developers.
First step, non-developers
- Create a new IT only admin account for the maintenance team to use as required
- As part of our staff one-to-ones, we had each user set a private password for the local administrator account and store the details in their own private 1Password vault
- Now when they need elevated privileges, they are prompted for their own administrator details
- For additional software that requires elevated privileges (such as Anti-Virus and Security), they simply log in as their own administrator and install.
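The non-developer model above (day-to-day accounts are standard users, with a separate IT admin account and one private admin account per user) is easy to verify from a Mac’s local admin group. The script below is an added example, not part of the original post or of Addigy: it parses the output of `dscl . -read /Groups/admin GroupMembership` and reports staff accounts that are still admins, staff with no private admin account, and admins nobody expects. The usernames, the `-admin` suffix convention and the sample dscl output are constructed for the example.

```python
"""Audit a Mac's local admin group against the expected account model."""
import subprocess

# Constructed sample of `dscl . -read /Groups/admin GroupMembership` output.
SAMPLE_ADMIN_GROUP = "GroupMembership: root itadmin alice-admin bob-admin bob olduser\n"

# Expected state taken from the staff questionnaire (hypothetical names).
STAFF_USERS = {"alice", "bob", "carol"}
IT_ADMIN = "itadmin"          # the IT-only admin account for the maintenance team
ADMIN_SUFFIX = "-admin"       # assumed naming convention for each user's private admin


def parse_admin_members(dscl_output):
    """Return the set of usernames listed in the admin group's GroupMembership line."""
    for line in dscl_output.splitlines():
        if line.startswith("GroupMembership:"):
            return set(line.split(":", 1)[1].split())
    return set()


def audit_admins(admin_members, staff_users, it_admin=IT_ADMIN):
    """Compare actual admin membership with the expected model and return findings."""
    expected_admins = {"root", it_admin} | {u + ADMIN_SUFFIX for u in staff_users}
    return {
        # Day-to-day accounts that should be standard users but are still admins
        "staff_still_admin": sorted(admin_members & staff_users),
        # Staff who have not yet been given their own private admin account
        "missing_private_admin": sorted(
            u for u in staff_users if u + ADMIN_SUFFIX not in admin_members
        ),
        # Admin accounts that are neither root, IT, staff, nor a staff admin account
        "unexpected_admins": sorted(admin_members - expected_admins - staff_users),
        "it_admin_present": it_admin in admin_members,
    }


def read_live_admin_group():
    """Query the real admin group on a Mac (requires dscl; not used by the sample run)."""
    result = subprocess.run(
        ["dscl", ".", "-read", "/Groups/admin", "GroupMembership"],
        capture_output=True, text=True, check=True,
    )
    return parse_admin_members(result.stdout)


if __name__ == "__main__":
    findings = audit_admins(parse_admin_members(SAMPLE_ADMIN_GROUP), STAFF_USERS)
    for key, value in findings.items():
        print(f"{key}: {value}")
```

Run it as an Addigy script and the findings give you, per machine, exactly which one-to-one changes are still outstanding.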
Next step, the developers
The non-developer approach works well for 99% of cases. However, there is no prompt for elevated privileges when running software such as MAMP, which needs to start under the developer’s own profile.
This is where another very useful tool appeared: SAP Mac OS Enterprise Privileges. This handy tool allows the user to ‘toggle privileges’ to become an administrator for a brief period of time, after which it automatically reverts them to a standard user. This gives enough time to start any software required.
Another challenge solved.
It is well known that when you set up a new router you change the administrator password. But in these ever-trusting days of pre-configured routers, many people are happy with the password set by BT, Virgin, Talk-Talk, etc.
Our staff were no different (me included): where’s the harm?
This was the next step of education and change, and this one couldn’t be solved via an automated tool. Again, our questionnaire had already identified the (surprisingly few) staff members that needed to change their home router passwords.
Another one-to-one call with each staff member (where required) and we can now rest easy that all home routers have a new, secure password.
Policies and processes
Through all of this exercise, I have also been updating our internal policies and process documentation to ensure that we carry on with compliance. This is always a work in progress and shows over the course of the last 12–18 months how much has changed, both in the way we work and with the technology itself to support remote working.
After all of the preparation, we finally applied for accreditation. Thanks to the hard work and efforts of the team in adopting the new policies, we had only three observations that stopped us from succeeding, and luckily these were very simple items:
- An OS version clarification.
- Some unsupported Android devices could no longer be used.
- A couple of mobile devices needed updates.
The above was all fixed within an hour and confirmed as OK.
It’s been a longer journey than I originally envisaged, with many changes to our working environment and requirements. It’s fair to say that, luckily, our staff are very co-operative and helpful, so there was far less resistance than there could have been.
There were a lot of things to consider, to ensure a good balance between compliance and ease of use when working.
We’ve now gone from our manual setup process to a new, mainly automated process that gives all users access to what they need: better security, better licence management, system monitoring, and a higher level of consistency in our systems.
All of this was achieved with very little personal contact and is maintainable with little to no staff interaction as we move forward. The most important result of all is that we now have our Cyber Essentials accreditation successfully renewed and in place.