It’s Time To Change The System.

My community suffered an unspeakable loss on Monday night, when Allie Hart, age 5, was biking on a crosswalk behind her Dad. A DC Connect van only saw her father, and not her. She succumbed to her injuries on the scene. Her death is one of many cyclist and pedestrian deaths this year at the hands of drivers. Most of these aren’t intentional deaths, caused by people who actively want to run people over. They’re caused by people who are careless, who aren’t paying attention, and who happen to be encased in two tons of Detroit or Hermosillo steel.

I’ve been thinking a lot about this subject because it’s keeping me up at night. I bike with Charlie often; he rides on the back of our e-bike, or on his little bike when he feels up to it, but mostly he rides with me. Two weeks ago, as we went to school, a driver who wasn’t paying attention pulled into traffic, almost on top of me. I screamed. She stopped. It was half a second from me being severely injured or killed, along with my son.

We tolerate so, so, so much negative behavior from our systems. No, worse than that, we’re excusing negative behavior because it represents a status quo we’re not willing to upset. We nurture, intentionally or otherwise, outcomes by pretending that if we just acted slightly differently, those outcomes wouldn’t exist.

That’s not how systems work.

Systems can produce negative results, but systems can be altered to account for a negative result.

In IT, if a system is producing data loss, it can be altered to make backups, store multiple copies, or have redundant features. We file bug reports with vendors, we file bug reports against our own processes, we work to make changes in increments to resolve the issue. It doesn’t always fix it the first time, but these processes iterate and change.

Our city has a flaw – one could argue our whole nation does – and it’s too reliant on cars, too congested with them, and entirely too willing to tolerate road deaths, like Allie Hart, as black swans.

What are you tolerating in your own life that’s clearly the negative outcome of a system that you can influence? What are you letting slide in favor of the status quo that’s absolutely making your life, and the lives of others, worse?

It’s time to change the system and deal with it. This far, no further. Draw lines. Make changes.

Feedback Request: Tell Apple to Expand IDPs for Managed Apple IDs

The 2021 Apple Worldwide Developers Conference showed us a lot of great things that Apple has been working on. Included in Apple’s plans are improvements and focus around the iOS User Enrollment workflows for adopting MDM for BYOD devices. This is a welcome development that gives organizations the ability to enforce a few lightweight restrictions (A PIN code! Automatic Lock! Managed Open In!) without having to enroll into a full MDM with the possibility of corporate overreach on personal devices.

There’s a challenge here, and this is where I need your help.

User Enrollment requires a Managed Apple ID in the hands of the user. Currently, there are two ways to create a Managed Apple ID. You can manually fill out the form in Apple Business Manager, or you can federate your domain with Azure AD. This isn’t ideal for organizations that aren’t using Azure AD generally speaking. There are a lot of other IDPs out there. Okta. OneLogin. My very own JumpCloud. These are organizations that should have the ability to provide both SCIM provisioning and identity federation.

Apple handles feature requests in a novel way, via Feedback Assistant. This system allows them to receive feature requests and bug reports in the same system, and allows them to group issues and respond to them based on need. I’m here to encourage the community to let Apple know they want to federate Managed Apple IDs with other IDPs.

The first step is logging in to Feedback Assistant with an AppleSeed for IT Apple ID. You can use the same Apple ID that you log in to Apple Business Manager with. Once you’re logged in, it’s time to create the Feedback:

Start your Feedback in the Enterprise & Education section. If you don’t see the Enterprise & Education section, check to make sure the top left says the name of your organization (for Developer accounts) or Personal (for Managed Apple IDs).

Writing feedback to Apple is a lot like writing feedback to your team. You want it to be actionable, you want it to be specific, and you want the reasoning to be clear and concise. In the product world, this is a User Story. As an IT manager, I want to allow my staff to sign into company resources on their personal device in a safe container, but I don’t want to manually create Apple IDs, or add another IDP to our workflow.

Provide a clear title that lays out your concern. In my case “Federate Managed Apple IDs with JumpCloud”. Set the area you’re seeing an issue with to Apple Business Manager.

The next piece is up to you. I can see this as a Suggestion, or an Incorrect/Unexpected Behavior. You choose.

Using the latter flags it as a bug that is preventing business activity, and requires an impact statement. Suggestion is a ‘nicer’ way of handling this.

The Feedback here is an art, and every organization needs to approach it organically. There are a couple of major points to make:

Apple has placed a huge emphasis on User Enrollment for BYOD Devices in Enterprise. They see BYOD devices as an important area for development. A major feature of iOS 15, and of MDM development, is tied to User Enrollment.

I would align feedback to the effect of:

“As an organization, we want to encourage the adoption of User Enrollment to our MDM. We believe that our corporate data should be safe on our employees’ iPhones and iPads, and that our organization should be allowed to set some basic guidelines for access to that data around security. To that end, we want to support User Enrollment, but we have XXX people, and manual creation of Managed Apple IDs is a dealbreaker for our IT department, and federation and provisioning with our Single Sign On Provider, JumpCloud, would allow us to implement this feature in a manner consistent with our IT goals and requirements.

Our current user count is XXX and we currently spend $XX,XXX on Apple products, and estimate that our XXX employees spend approximately (XXX times $800) per 2 years on personal iPhones.”

It’s important to provide impact dollar amounts so that categorization can be done on the feedback request.

Once you’ve written your story, submit your feedback! If you wanted to do me a favor, let me know about your Feedback Request.

Dispatches from DC

Thursday morning bright and early we discovered an emergency alert – a pipe burst in NW DC and that caused a pressure drop in our part of town, meaning our water was no longer safe to drink. Boil Order! At least two days of boiling anything we wanted to drink, cook with, or water the cat with.

Last night, we were invited by another playgroup parent to join them at the Friday Evening Parade at Marine Corps Barracks Washington on the Hill. The Barracks sit right in the middle of Capitol Hill, 8th St SE. One minute you’re walking by storefronts and restaurants, the next you’re on the block with dress-uniform Marines and Naval officers saluting everyone who comes as a guest to the post.

The guests of honor were three Medal of Honor recipients. The only one I remember currently is Hershel “Woody” Williams, namesake of the USS Hershel “Woody” Williams (ESB-4).

The parade opened with the arrival of the President’s Own Marine Band, and then the Marine Drum & Bugle Corps. Each was in fine form, but I think the Drum & Bugle Corps had the edge. They played both Sousa and Queen’s Bohemian Rhapsody, but I think the highlight of the night for me was Scotland the Brave, and the Shostakovich fanfare, complete with cannon fire, played to close the concert.

The President’s Own, photo by author

At the end of the night, the Marines brought the 1801 15-star/15-stripe flag down while the band played. A lone bugler sounded taps from the rampart at the top of the barracks, and the VIPs and citizens alike turned out along 8th Street near the old lamps. Privates in dress uniforms stood their posts along the corners and gates, and the oldest continuously occupied home in Washington remained, standing ever-faithful watch over our fair city. As if to exhale, after being a successful host, the breeze blew north off the river, cooling the August night as we walked on the bricks that have been in the ground as long as this city has been here on the banks of the Anacostia.

The House of the Commandants, photo by author.

Life in Washington is a mix of things. We are a city like any other, with poverty and affluence, peace and violence, development and decay. We are like much of the United States that way. This was a week of contrasts in a city of contrasts. A boil order in our house, and a perfectly-ordered performance, one of hundreds done over decades with traditions centuries old.

Complexity can be its own beauty, and this city has plenty of it. Not far from those barracks are neighborhoods where development isn’t attractive to business because it doesn’t remake enough of the neighborhood to satisfy economic needs. Violence can be rampant because opportunity is limited, and despite a near-blanket ban on guns, they’re everywhere.

The critiques of DC aren’t new to me. They come from people who see anything less than suburban or rural order and sparseness as dirty and undesirable.

There’s beauty in those neighborhoods too, and it is just as complex. Go-go and street music, community gardens amid the projects, street art with incredible depth and technique. This city’s life is complicated. The Evening Parade at the Barracks isn’t the city’s only standing ceremony, or even its longest. The parade may be larger than most, but social clubs like the Capital Checkers Club, and the Brookland Literary and Hunting Club have kept the pace and peace of our city.

This is a complicated place, without question, but when it is beautiful, it is beautiful beyond measure.

And it wouldn’t be DC if we weren’t as complicated and beautiful as the nation we are capital of.

Do The Thing. Talk To Your Doctor. Do The Thing.

After 18 months of near isolation, including more than 11 months of near total isolation, we’re in the middle of the fourth wave of Covid-19. Cases here in DC are on the rise, and we’re back near 10 cases per 100,000 residents. Vaccination rate is stalled out at 62% with one shot, and 54% fully vaccinated.

These numbers aren’t high enough.

The new Delta variant is as transmissible as chicken pox, which, for those of you who never had it (because we developed a vaccine), has a transmission rate about 3x the previous variants. Worse, folks who are getting infected — even those who are vaccinated — are carrying higher viral loads in their respiratory tracts, and that means they can spread it further. And, if they’re vaccinated, there’s a pretty solid chance they’re not symptomatic.

Mainly I’m posting because I don’t want to see anyone I know, personally or professionally, killed or given long-term disability by Covid. Please, get vaccinated. If you’re concerned about the vaccination’s efficacy, the data says it’s highly effective at preventing serious illness and death. The side effects of the shot are neither life-threatening nor serious in all but the rarest of cases. If you have concerns, talk to your primary care doctor. Talk with medical professionals who’ve dedicated themselves to making other people better. And listen. Please. We’re all counting on you.

Jeremy Butcher back on the Mac Admins Podcast

It’s a special week on the Mac Admins Podcast! Back to join us is Jeremy Butcher, Product Marketing Manager for Enterprise & Education at Apple, to talk about what’s new in enterprise management. You can listen live on Apple Podcast, in any podcast client, or here, below!

Gratitude and Leadership

My friend Anthony Reimer had an excellent post on Sunday on Recognition, Retirement and Remembrance in the Mac Admins corner of the world. It hit home with me pretty hard. Anthony is thinking ahead in a way that few in our community do. That’s the hallmark of a leader whose eyes are not solely on the tactical and technical, but on the health and well-being of our whole, a much more amorphous problem than any tech stack. It’s important for us all to look at more than just what’s right in front of us.

I am incredibly grateful to this community for pushing me to be a better Mac Admin, for encouraging me to take chances and give talks, to build my skillset and toolkit to be stronger and more effective. I realized with Anthony’s post that I haven’t done nearly enough to thank those people for showing me the path.

Those are the people who do the hard work in our conference community, like Anthony; like Mat X in Vancouver; Gretchen, Rusty and Justin at Penn State; Alex Hawes, Ben Toms, and David Acland in London; Marcus and Tony in Australia; and the entire massive team at Jamf who work so hard on JNUC. They’ve all contributed immensely toward my own development as a speaker and presenter.

My good friends Chris Dawe, Allen Golbig, Emily Kausalik, and Jim Rispin have all been huge parts of my conference talk preparation over the last few years, and have been incredibly helpful in refining my ideas into cogent talks. Of course, they’re hardly alone; there is also the incredible work of my peers like Arek Dreyer, Lucas Hall, Graham Gilbert, Sean Kaiser, Jennifer Unger, Pam Lefkowitz, and Greg Neagle. Their talks have deeply influenced my own work, my own IT direction choices, and how I think about technology.

More than that, we have to start thinking about how we encourage and develop the next generation of Mac admins. I know that the art and craft of managing Macs has changed immensely over the last few years, but I don’t see Mac management as a dead-end, either. Looking at the Declarative Management model that Apple is currently testing with iOS 15 User Enrollments, I see a renaissance on the horizon for writing clever management for Macs that is both human-centric and bounded by good common sense controls.

A little later this year, I’ll mark 20 years as a Mac Admin in a non-student context. My own support story goes back to helping my Mom with PageMaker in middle school and fixing Macs in college labs, but I’ll mark two full decades in the space this year. That’s half a career or more, and now it’s time to start thinking of building the next generation of Mac Admins. We need to do a better job as a community at finding and mentoring new voices. This is something I’m strongly committed to for the future. It’s been hard over the last 18 months to help find those new voices, but it’s more and more clear that we have to start doing this, or we risk losing this community that has meant so much.

The pandemic has cost us so much, but I think the workshops at conferences like Mac Admins and Mac Dev Ops are the things that I have missed most. The new admin experience of those workshops is what has given us so many incredible Mac Admins over the years, and they’re badly missed in an era of online conferences that don’t lend themselves well to multi-hour learning.

How do we rebuild these workshops for a new context? I don’t know yet, but it’s time to start trying.

The same goes for recognition and fostering the future. There’s a clear and present need for some kind of professional organization of Mac Admins to help stabilize churn and loss due to retirement, and help build the next generation of professional admin, and also provide professional recognition for the generous contributions of all the people I mentioned at the top of this post.

The future isn’t going to stop coming.

Apple’s not going to stop releasing software and hardware. The work may not always look like it does today, but the work will always be there. And we need to prepare the way by making this an attractive community for new kinds of talent and new skill sets, and we do that by beginning to create the structures that Anthony so clearly identified. We need ways to recognize contributions, we need ways to prepare for future generations of Mac Admins, and we need ways of developing the people we have now. This is how we keep this community and care for it in the long term.

The Three Paragons of IT: Chidi, Ted & Jules

Today, I gave this talk at the Mac Admins Conference at Penn State, and video will be available at a future date. The concept is thus: Chidi Anagonye of The Good Place, Ted Lasso of Ted Lasso and Jules Winnfield of Pulp Fiction represent paragons of IT virtues that organizations need to understand and explore.

Slides from my talk on IT Management are now available. The important links are embedded here:

The Three Paragons of IT: How Chidi, Ted & Jules helped me master IT management

Make Work Better With Better Passwords

It’s #WorldPasswordDay2021, and that means some good advice on what the heck to do about passwords in a work context! I gave my personal advice over on twitter, and you can find that thread if you want, but I want to tailor this more toward the IT Admins and business decision makers they work with every day.

Passwords are the difference between your business foundering and flourishing, and if you said to yourself just now “Tom, you are high as a kite,” well, I can assure you the only drug I’m on right now is my morning coffee and 15 minutes of time in the Calm app. Security is a make-or-break part of your business whether you recognize it or not. One small mistake by a production engineer who reuses a personal password that shows up in a breach somewhere can be the difference between business as usual and a huge payout to affected customers.

Good security makes good companies

So, here’s my advice:

  1. Get a directory. If you don’t have one, I think it’s safe to say I recommend looking at JumpCloud, but whichever you choose, providing a strong single sign-on environment, backed by good security and multi-factor authentication, is critical. Your goal here is a better, more automation-focused admin story for your department.
  2. Once you have a directory, you need to use it. Bind as many applications as you can to SAML, OAuth 2.0, OpenID Connect, and WS-Federation. This is a great way to make your employees’ lives easier, and it will reduce the amount of time you spend resetting people’s passwords in all the services you tied together in step 1.
  3. Get a company Password Manager. I really recommend 1Password for Business, not least because they have a good SCIM gateway, and you can also gift your team members a free Families license with each seat. Use the Vaults feature to create good walls between departmental passwords, and use an Audit team to allow IT admins to help deal with this adventure.
  4. Train your co-workers on how to handle breaches. Not just the engineers. Not just the execs. Everyone in your organization should know how to deal with a password breach event, even if it’s just their own personal password that got breached. This training should focus from the start on empathy toward the person dealing with the breach: the last thing you want them to feel in this moment is shame, and shame leads to silence and hiding what happened. Focus instead on rapid response and restoring things to good order. This is like dropping a glass in the kitchen. You can feel bad about it for a second, but everyone’s done it, and it’s important to clean things up before someone gets hurt. That’s all. Grab the broom and a mop. It’s cool.
  5. Revisit your old decisions on password security periodically. If you’re still rotating passwords every 90 days, are you really doing something security smart, or are you following bad old guidance? Are you making it possible for people to use Password1! as their password still? Maybe it’s time to require a good 15-20 character passphrase, but lift the number/symbol goofiness. “It’s always been that way” can be a recipe for a problem.
  6. Have a manual of key identity information for your department. Keep it locked up with someone important. Keep it updated. Make sure someone outside of IT could help with your organization’s security if you were sick or otherwise out of the office. This is about caring for your team in the event you can’t be there to do the job in the moment.
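As an added example (my own illustration, not the author’s code or any vendor’s), here is step 5 made concrete in Python: the legacy complexity rule that happily accepts Password1! sits beside a length-first passphrase policy that rejects it. The breached-password digests and the list of common base words are constructed stand-ins for a real breach feed and wordlist.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed sample "breach corpus": SHA-1 digests of a few leaked passwords,
# kept hashed the way such lists are usually distributed. Stand-in for a real feed.
_BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Password1!", "Summer2021!Summer2021!", "Welcome123", "letmein")
}

# Constructed list of base words people dress up with a digit and a symbol.
_COMMON_BASE_WORDS = {"password", "welcome", "summer", "administrator", "letmein"}

MIN_PASSPHRASE_LENGTH = 15


@dataclass
class PolicyResult:
    ok: bool
    reason: str


def legacy_complexity_check(candidate: str) -> PolicyResult:
    """The 'bad old guidance': 8+ chars with upper, lower, digit and symbol.
    Accepts Password1! and rejects a long, strong passphrase."""
    if len(candidate) < 8:
        return PolicyResult(False, "shorter than 8 characters")
    classes = (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")
    if not all(re.search(c, candidate) for c in classes):
        return PolicyResult(False, "missing a required character class")
    return PolicyResult(True, "meets legacy complexity rules")


def _base_word(candidate: str) -> str:
    """Lowercase and strip leading/trailing digits and symbols so that
    Password1!, password2021# and PASSWORD! all collapse to 'password'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", candidate.lower())


def in_breach_corpus(candidate: str) -> bool:
    """Compare the candidate's SHA-1 digest against the (constructed) corpus."""
    digest = hashlib.sha1(candidate.encode()).hexdigest().upper()
    return digest in _BREACHED_SHA1


def passphrase_policy_check(candidate: str) -> PolicyResult:
    """Length-first policy: 15+ characters, no character-class rules,
    and reject anything already breached or built on a common base word."""
    if len(candidate) < MIN_PASSPHRASE_LENGTH:
        return PolicyResult(False, f"shorter than {MIN_PASSPHRASE_LENGTH} characters")
    if in_breach_corpus(candidate):
        return PolicyResult(False, "appears in a known breach")
    if _base_word(candidate) in _COMMON_BASE_WORDS:
        return PolicyResult(False, "common word dressed up with digits/symbols")
    return PolicyResult(True, "acceptable passphrase")


if __name__ == "__main__":
    # Constructed candidates: two "complex" passwords and one plain passphrase.
    for pw in ("Password1!", "administrator2021!!", "Summer2021!Summer2021!",
               "purple otter reads the lighthouse"):
        print(f"{pw!r:40} legacy={legacy_complexity_check(pw).ok} "
              f"passphrase={passphrase_policy_check(pw).ok}")
```

The same structure works with a real breach feed by swapping the constructed digest set for a lookup against it.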

Passwords are probably the worst part of working with computers for your co-workers. Do what you can so they have to deal with fewer passwords by adopting the above. And take a look at how JumpCloud approaches Zero Trust.

The Balloon Tree (~1950 – 2021)

In the long ago, in the waning years of the early half of the twentieth century, a silver maple tree found its way to the middle of the front yard of what would become my childhood home. There it grew large, some 40 feet into the California valley sky, in front of what started as a small ranch home and grew into the house where my parents raised three kids and countless pets of beloved memory, providing the family with shade and protection. Some 30 inches in diameter, it was a tree that you couldn’t quite get your arms around, no matter how hard you tried.

This was a special tree, and while it produced thousands and thousands of little helicopters each year, it also bore fruit on our birthdays, bouncing balloons, held with shimmering serpentine ribbon. The balloon tree, and its partner, a second soaring maple, lost to disease more than a decade ago, were the bannermen announcing birthdays and holidays with large sheets as canvas. Welcome Margaret Elizabeth they shouted as my sister came home from the hospital.

The balloon tree came down today, a victim of its old age, and of our not wanting to have to replace the roof, or a car, or mourn a person if it came down in an uncontrolled fashion.

I will long remember the branches of that tree bedecked in orange balloons, with drawn jack-o-lantern faces done every October 30th with our friend Uncle Jack. He always drew the spookiest jack-o-lanterns, and they always danced in the cold autumn breeze on the corner of A St and B St in the middle of Davis, California.

We have some rounds of the balloon tree, and I know some helicopters were gathered up from its last spring. Some day, there will be another tree there, but in my mind’s eye, the tree I will always imagine there will be that lovely silver maple, tall and strong, beneath the scorching sun of the Central Valley.