My friend Anthony Reimer had an excellent post on Sunday on Recognition, Retirement and Remembrance in the Mac Admins corner of the world. It hit home with me pretty hard. Anthony’s thinking ahead in the way that few in our community do, it’s the hallmark of a leader with their eyes not solely in the tactical and technical, but on the health and well-being of our whole, a much more amorphous problem than any tech stack. It’s important for us all to look at more than just what’s right in front of us.

I am incredibly grateful to this community for pushing me to be a better Mac Admin, for encouraging me to take chances and give talks, to build my skillset and toolkit to be stronger and more effective. I realized with Anthony’s post that I haven’t done nearly enough to thank those people for showing me the path.

That’s people who do the hard work in our conference community, like Anthony; like Mat X in Vancouver; Gretchen, Rusty and Justin at Penn State; Alex Hawes, Ben Toms, and David Acland in London; Marcus and Tony in Australia; like the entire massive team at Jamf who work so hard on JNUC; they’ve all contributed immensely toward my own development as a speaker and presenter.

My good friends Chris Dawe, Allen Golbig, Emily Kausalik, and Jim Rispin have all been huge parts of my conference talk preparation over the last few years, and have been incredibly helpful at helping me refine ideas into cogent talks. Of course, they’re hardly alone, and the incredible works of my peers like Arek Dreyer, Lucas Hall, Graham Gilbert, Sean Kaiser, Jennifer Unger, Pam Lefkowitz, and Greg Neagle. Their talks have deeply influenced my own work, my own IT direction choices, and how I think about technology.

More than that, we have to start thinking about how we encourage and develop the next generation of Mac admins. I know that the art and craft of managing Macs has changed immensely over the last few years, but I don’t see Mac management as a dead-end, either. Looking at the Declarative Management model that Apple is currently testing with iOS 15 User Enrollments, I see a renaissance on the horizon for writing clever management for Macs that is both human-centric and bounded by good common sense controls.

A little later this year, I’ll mark 20 years as a Mac Admin in a non-student context. My own support story goes back to helping my Mom with PageMaker in middle school and fixing Macs in college labs, but I’ll mark two full decades in the space this year. That’s half a career or more, and now it’s time to start thinking of building the next generation of Mac Admins. We need to do a better job as a community at finding and mentoring new voices. This is something I’m strongly committed to for the future. It’s been hard over the last 18 months to help find those new voices, but it’s more and more clear that we have to start doing this, or we risk losing this community that has meant so much.

The pandemic has cost us so much, but I think the workshops at conferences like Mac Admins and Mac Dev Ops are the things that I have missed most. The new admin experience of those workshops is what has given us so many incredible Mac Admins over the years, and they’re badly missed in an era of online conferences that don’t lend themselves well to multi-hour learning.

How do we rebuild these workshops for a new context? I don’t know yet, but it’s time to start trying.

The same goes for recognition and fostering the future. There’s a clear and present need for some kind of professional organization of Mac Admins to help stabilize churn and loss due to retirement, and help build the next generation of professional admin, and also provide professional recognition for the generous contributions of all the people I mentioned at the top of this post.

The future isn’t going to stop coming.

Apple’s not going to stop releasing software and hardware. The work may not always look like it does today, but the work will always be there. And we need to prepare the way by making this an attractive community for new kinds of talent and new skill sets, and we do that by beginning to create the structures that Anthony so clearly identified. We need ways to recognize contributions, we need ways to prepare for future generations of Mac Admins, and we need ways of developing the people we have now. This is how we keep this community and care for it in the long term.

The video has now been posted for Three Paragons of IT. I hope you enjoy it!

Today, I gave this talk at the Mac Admins Conference at Penn State, and video will be available at a future date. The concept is thus: Chidi Anagonye of The Good Place, Ted Lasso of Ted Lasso and Jules Winnfield of Pulp Fiction represent paragons of IT virtues that organizations need to understand and explore.

Slides from my talk on IT Management are now available. The important links are embedded here:

• ACM Code of Ethics
• Harvard IT Code of Ethics
• IEEE Code of Ethics

It’s #WorldPasswordDay2021, and that means some good advice on what the heck to do about passwords in a work context! I gave my personal advice over on twitter, and you can find that thread if you want, but I want to tailor this more toward the IT Admins and business decision makers they work with every day.

Passwords are the difference between your business foundering and flourishing, and if you said to yourself just now “Tom, you are high as a kite,” well, I can assure you the only drug I’m on right now is my morning coffee and 15 minutes of time in the Calm app. Security is a make or break part of your business whether you recognize it or not. One small mistake by a production engineer who reuses a personal password that shows up in a breach somewhere can mean the difference between a huge payout to affected customers.

So, here’s my advice:

1. Get a directory. If you don’t have one, I think it’s safe to say I recommend looking at JumpCloud, but providing a strong single sign-on environment, backed up by good security and multi-factor authentication is critical. Your goal here is a better, more automation-focused admin story for your department.
   
2. Once you have a directory, you need to use it. Bind as many applications as you can use to SAML, OAuth 2.0, OpenID Connect, and WS-Federation. This is a great way to make your employees’ lives easier, and it will reduce the amount of time you spend resetting peoples passwords in all the services you tied together in step 1.
   
3. Get a company Password Manager. I really recommend 1Password for Business, not least of which is because they have a good SCIM gateway, and you can also gift your team members a free Families license with each seat. Use the Vaults feature to create good walls between departmental passwords, and use an Audit team to allow IT admins to help deal with this adventure.
   
4. Train your co-workers on how to handle breaches. Not just the engineers. Not just the execs. Everyone in your organization should know how to deal with a password breach event, even if it’s just their own personal password that got breached. This training should focus from the start on empathy toward the person dealing with the breach, because the last thing you want to feel in this moment is shame, because shame leads to silence and hiding what happened. Focus instead on rapid response and restoring things to good order. This is like dropping a glass in the kitchen. You can feel bad about it for a second, but everyone’s done it, and it’s important to clean things up before someone gets hurt. That’s all. Grab the broom and a mop. It’s cool.
   
5. Revisit your old decisions on password security periodically. If you’re still rotating passwords every 90 days, are you really doing something security smart, or are you following bad old guidance? Are you making it possible for people to use Password1! as their password still? Maybe it’s time to require a good 15-20 character passphrase, but lift the number/symbol goofiness. “It’s always been that way” can be a recipe for a problem.
   
6. Have a manual of key identity information for your department. Keep it locked up with someone important. Keep it updated. Make sure someone outside of IT could help with your organization’s security if you were sick or otherwise out of the office. This is about caring for your team in the event you can’t be there to do the job in the moment.

Passwords are probably the worst part of working with computers for your co-workers. Do what you can to make them have to deal with fewer passwords by adopting the above. And take a look at how JumpCloud approaches Zero Trust.

JumpCloud’s strength is in their identity focus, which turns a single directory into a lens for an organization’s core needs in IT. Their identity extends deep into the devices of their customers, and I’m excited to join the team working on making that identity present and focused on the Apple platform. The Apple platform is at an exciting crossroads, making in-roads into enterprise clients in leaps and bounds. JumpCloud understands the value of embracing new platforms and working to empower users on their workstations, build strong networks of data for the IT departments they serve, and provide insights for organizations at so many levels.

My Next Chapter, JumpCloud Blog

Yes, after 15 years at Technolutionary, hyperfocused on the needs of our clients, I am joining the Product team at JumpCloud to work on the next great platform for managing Macs. This is a zoom out on my focus, and lets me start to build tools for Mac Admins throughout the industry. I’m really excited to get to work on the hard problems in the Apple space right now: patch management, stateless client management with MDM, and on-device security and identity.

You probably have a few questions, so let’s talk about that for a second:

What about the Mac Admins Podcast? Can you still do it?!

Yes, absolutely. Nothing has changed there. I’ll have more to say about what this means for the pod in two weeks. It’s a very special episode. But, rest assured: the podcast is safe and sound.

Does this mean you’re not going to Mac Admin Conferences?

If anything, it means I’ll be going to more Mac Admin Conferences.

It has been a year since the world changed for us all. For some, it’s been fifteen months. We remember the before. We remember dinner parties, and dates, and socializing in groups. We remember the gym, the coffee shop, the office. These are still things affixed in our memories, often romanticized, often lionized, as signs of the normal.

A year on, and after my first dose of the vaccine, I have started to collect a scrapbook of the pandemic times. An N-95 mask. A cloth mask to go over it. My vaccination card. A box of latex gloves in my car. A tube of Clorox wipes. I remember those early days, when we didn’t know what this was yet, when it was just two weeks to flatten the curve. I remember a springtime of cramming two offices and a school into a house that wasn’t constructed for that. I remember a summer with no pools, with little group activity, of lonely chats with friends on text chains and over group zooms.

When it comes to an event like this, as we come to the beginning of the end of this phase, it’s important to take stock of what you are taking away from it all.

View this post on Instagram

A post shared by Tom Bridge (@tbridge)

For me, I will take away this: you will never again take for granted travel, or school, or work, or people. I think of the crushing isolation of the last 12 months, and I will never again skip out on an invite to see a friend’s band at a dive bar, or to take them dinner, or to go to another city to experience their world.

I will take away that the people in your life matter so much more than you ever thought, when you miss them. I will mourn with my friends who have lost loved ones, and take joy in their memories with them. I will sit in the stands on a hot hot day, and order an extra drink, and sit and watch a languid game of baseball. I will see a place that felt far away before, just to go be with someone I’ve missed.

This pandemic was not a gift. It was not a joy. It was a hardship, and a torment, and it took so much from us all. It took friends and family. It took love and created loss. There is nothing about this pandemic I will miss.

But that does not mean that good cannot come from what we do next.

I, for one, cannot wait to share your company again, to eat and drink with you, to see your world through my eyes, and to experience that shared present together. That is what I take away.

This morning, Episode 200 of the Mac Admins Podcast dropped, and in eight weeks, we’ll celebrate five years of the pod. Its unofficial birthday is around the original MacADUK conference in 2016, where Charles, Pepijn and I were all speaking. There’d been some Tweeting and Slacking that there was room for another Mac-focused Podcast, one built around the needs of Mac Admins.

There were already plenty of generalist Mac podcasts (ATP, Upgrade, Connected), sources of news and rumor about what Apple was up to, and there were some consulting-focused efforts (Command-Control-Power) that had plenty of great tech and consulting tips, but nothing that really felt like home for the Mac Admins community.

We had a few other folks onboard – Marcus Ransom, Adam Codega, Emily Kausalik-Whittle, Jason Miller – and wanted to setup a rotating panel of hosts who could provide different perspectives from different markets. And off we went! We talked with Kitzy about using the macadmins.org domain, and they graciously assented. James Smith eventually joined us as our sound editor, taking over from Aaron Lippincott. And, of course, Adam Codega wrote our theme the very first time he opened GarageBand.

We’ve held episodes at MacADUK, JNUC, PSU Mac Admins (unofficially!), MacTech, X World and more. We were hoping to make it to MacSysadmin in 2020, before the year of the Pandemic hit.

In those intervening 5 years, we’ve had close to three quarters of a million downloads, sponsorships from a dozen companies, and developed an avid group of backers on Patreon. And last night, we started the third century of the Mac Admins Podcast, talking to favorite guest (or at least most frequent!) Joel Rennich of Jamf.

Here’s to 200 episodes down, and at least 200 to go! Thanks to everyone who’s been on as a guest, everyone who’s written in with questions or feedback, everyone who’s participated in making the podcast on the back-end, and everyone who’s backed our efforts. We couldn’t have done it without you.

6 January 2021
Davis, CA

Dear Charlie,

What a day. One to remember for all of us. I write to you on days like this so that I have something to show you when you’re older and ask questions. You’re 7 now, and you’ve spent most of the afternoon with your grandparents, working on building a tabletop game and playing Zelda. Grandpa plays a solid Link, it’s true. That’s what I want you to remember about today.

But it’s not the only thing that happened.

For the last three hours, there’s been an armed insurrection at United States Capitol, lead by a group of seditious rioters driven by the rhetoric of the President of the United States. I can’t stress to you enough how disquieting this is. In my 42 years, nothing like this has ever happened. The Capitol Police were assaulted, and at least eight of them were injured. A woman was shot and killed during the incident.

The Senators and Congresspeople and their staffs, and the professional staff of the Capitol and her houses had to be evacuated to shelters via secret tunnels. The Vice President was whisked from the chamber by the Secret Service. Offices were defiled, the Speaker’s podium stolen from her office. These actions are the actions of despots, tyrants and fascists. They are weak cowards who rule by threat because they have no ideas that last on their own. They govern by threat because it’s all they know.

I cannot tell you how distressed I am by these events, taking place in your home town, in the place I have called home for more than 20 years, almost half my life. I have always felt that the American way of governance was unique among the democracies of the world, and that that government belonged to the people, designed with checks and balances to prevent the abuse of power by tyrants. The last four years have given the lie to that principle, and it has killed something in me to watch our nation wane so in the last four years.

I don’t know what comes next.

As I write this, and rewrite this, and rewrite this, our leadership is trying to put things back to right. Congress has been cleared, and they are proceeding to certify the presidential election. Joe Biden will be sworn in on January 20th at noon, as is described in the Constitution.

We ought to be a nation of laws. We ought to be a nation of equal protection — and responsibility — under the law, but we are not. Had the mob today had black or brown skin, they would have been met with the same force that horrified us this summer. But, because this mob was white, the Capitol Police didn’t shoot, didn’t have riot shields, didn’t fire rubbet bullets.

There will always be a percentage of Americans who are white supremacist. Any society sufficiently large will decide to fragment and fracture to protect some magical opinion of purity that is absent fron reality. I had hoped that this ignorant and bigoted behavior was as much on the wane now as it was twenty years ago. Instead, the current moment is full of those who will stoke those fires of resentment and fear based on ignorance and bigotry.

I don’t have an answer for what to do with these people. I don’t think anyone does.

But I know this much: as long as there are those committed to democratic rule here in the United States, there will be a shred of that dream alive somewhere. We have a nation together, these states, of which you have seen half in your short life. We can stand for decency, we can stand for science and knowledge and technology, we can stand up to bullies, we can stand up to tyrants.

We’re not the authority we once were, and we are at odds with ourselves over the very basics of what democratic society are. While this fight goes on, we cannot do the big things we need to do as a nation to lead the world again.

I don’t know if it will happen in my lifetime. The last nine months have felt like so many lifetimes.

But I know that we are capable of greatness, if only we can live up to it. And so often lately, we have failed to live up to our own ideals. As we talk about often, though, tomorrow can be different. We can wake up and make better decisions. We can do more, try more, read more, learn more, experiment more, write more, build more.

Democracy is a process, son. Society is a process. We get up, we live those ideals, we go to bed, we do it again. Each and every day. Every day is a chance to make better choices. To lift up, to promote, to unite, to better us all.

And tomorrow’s another day.

I love you. Always.

Dad

Late yesterday, on the first day of Amazon’s annual AWS Re:invent conference, David Brown, VP of EC2 for Amazon, announced that they have added macOS instances, running on macOS hardware, to AWS’ Elastic Compute Cloud menu of services. This has, of course, lead to a lot of thinking on how this changes things for Mac Admins everywhere.

In late 2005, when we started Technolutionary, our first two servers were G4 Mac minis that ended up in a Winston-Salem data center called Solidspace. These two boxes cost us about $600 each, and we paid around $120/mo for the two spots on their bakers rack of Mac minis inside their secure data center space. As costs went, these machines were phenomenal for us, and I think we retired the last of the original pair in 2015 or so. By then, it was just a Macjordomo server and a FirstClass test instance.

Amazon’s announcement wasn’t a huge surprise. There have been data centers of Mac minis for at least 15 years, and of those, the most notable has been MacStadium. The Mac Admins Podcast, which I host, interviewed their VP of Engineering Chris Chapman last year to talk about Orka, their platform for managing and orchestrating macOS with Kubernetes. The idea being: what if you didn’t have to spend a lot of time managing a huge fleet of remote Macs manually, and instead could manage them with code orchestrators whose job is to render machines from bare metal into a known-good state for code deployment and testing purposes. Orka does this job well, I understand.

So when Amazon announced that you could just spin up new instances of macOS in EC2 — as simple as a short command from your own Mac:

aws ec2 allocate-hosts --instance-type mac1.metal \ --availability-zone us-east-1a --auto-placement on \ --quantity 1 --region us-east-1

The possibilities become very interesting very quickly!

AutoPkg at AWS! Development machines at a whim! Backed by super connectivity and uptime! All on Elastic Block Storage, which means your startup disk is infinite! Ability to talk directly to AWS Network objects! All tied into AWS’ security and resources!

There’s a lot to like here.

But it’s not what you’d call cheap.

The price, which I didn’t find on their website yet — an artifact of the announcement, I’m sure — works out to be about $1.083/hr. And, since it’s dedicated hosting on Mac hardware, you get to pay Dedicated Instances pricing. And that includes a $48/day per region fee. So, $26/day per mini, plus $48/day per region.

This is the opposite of “the first one’s free.”

The first one is expensive. $27,000 a year expensive.

Now, if your org already has a Dedicated Instance plan, that cost gets amortized out to your instance, and you’re still looking at just a shade under $9,500 per year at list prices. Sure, there’s Savings Plans, which could reduce your costs substantially, but we’re still not talking the $59/month for MacStadium.

Even if you took the weekends off, that’s $6,750 per year per mini.

Unless your org has an AWS-first, AWS-always policy, this isn’t for your singleton AutoPkg server.

Now, there’s exceptions to that statement, and like every case where there are exceptions, the exceptions are what make the case.

EC2 isn’t just any place to put a built-from-code, described-purpose server, it’s the place to put a server. Amazon Web Services is an incredible platform. From a security perspective? It’s the gold standard. You can tie the access control to an individual SSH key, defined by your org’s identity management system, with security groups that help limit access to the right people at the right place from the right zone.

One cool feature that this allows will be the ability to shift a Mac’s booted operating system to a new Amazon Machine Image via command line code. You can provide your own AMI, or use Amazon’s native AMI for Mojave and Catalina, and so segmenting a part of a fleet for beta builds based on a new AMI will be a much simpler task than it otherwise would be.

In the end, what this comes down to is organizational posture. If your organization is big enough to have a bunch of AWS infrastructure that will make this bill an afterthought, you’re big enough to use this for all kinds of things.

But a single AutoPkg server? Probably not.