Episode 285: What’s New At Kandji?
Today we’re welcoming Weldon Dodd from Kandji back to the podcast to discuss how things have been going this year, and today’s announcement around bringing IT and InfoSec together.
Hosts:
- Tom Bridge, Principal Product Manager, JumpCloud – @tbridge777
- Marcus Ransom, Senior Sales Engineer, Jamf – @marcusransom
- Charles Edge, CTO, Bootstrappers.mn – @cedge318
- Dr. Emily Kausalik-Whittle, Manager, Client Platform Engineering, Jamf – @emilyooo
Guest
- Weldon Dodd, SVP of Product Strategy, Kandji – @weldon
Transcription of this episode brought to you by Meter.com
Meter is the easiest way for businesses to get internet, networking, and WiFi. Our full-stack approach combines hardware, software, and operations so that any company can seamlessly run on a reliable and modern network.
- Streamlined installation: We take on the complexities to make designing and deployments easy, fast, and stress-free. We manage the entire installation process, and provide ongoing maintenance and support.
- Network hardware, security & management: We design and build our own controllers, switches, and wireless access points. After the network is deployed, review your speed, usage, and security in one unified dashboard. No need to hire vendors in every location or have IT teams fiddle with manual configurations — everything is automated with our software.
- Simple pricing: Pay one monthly rate with no up-front costs for installation, configuration, or hardware.
James Smith:
Today’s episode is brought to you by our friends at Kandji. On Monday, October 3rd at 10:00 AM Pacific, or 1:00 PM Eastern, join Kandji for their biggest announcement of the year. Find out how the Kandji platform is evolving to bring IT and InfoSec together, to keep every Apple user secure and productive. To sign up for the event, visit kandji.io/launch. That’s K-A-N-D-J-I .io/launch. Thanks again to our friends at Kandji for sponsoring this episode of the Mac Admins Podcast.
Tom Bridge:
Hello, and welcome to the Mac Admins Podcast. I’m your host, Tom Bridge. And Marcus, that is a bright yellow shirt.
Marcus Ransom:
It is a bright yellow shirt. And do you know that macOS has a built-in screen reader called VoiceOver, Tom?
Tom Bridge:
As a matter of fact, I did. I have the gray one. I couldn’t get the yellow one in my size. I have to wear fat kid sizes. So, the yellow color for me was gray, which is probably good. Gray is slimming, and I need that.
Marcus Ransom:
I was going to get another T-shirt made, that said that Marcus has a built-in screen reader called inner monologue.
Tom Bridge:
My problem is always that my inner monologue is often my exterior monologue. There’s not a lot that I keep hidden, so sometimes that gets me in trouble.
Marcus Ransom:
Good trouble though.
Tom Bridge:
Good trouble. Good trouble. Charles, fantastic to see you as ever. What is new in your world?
Charles Edge:
Nothing, luckily.
Tom Bridge:
Yay. That is good. I will take no news is good news.
Charles Edge:
The last couple of months there was too much news, so now-
Tom Bridge:
Too much news.
Charles Edge:
… I’m happy to just be chilling. Although, I finished my section of the Apple Device Management book.
Tom Bridge:
Marvelous.
Charles Edge:
So, whenever Rich gets around to finishing it… No, I’m not going to shame Rich here.
Tom Bridge:
And Emily, welcome back to your new office.
Emily Kausalik-Whittle:
Thank you for welcoming me back to the new office. Funnily enough, this was my office before we had the baby, and then I gave up the bigger room for the baby, and then we gave up our owner’s suite bedroom for the now toddler, because she has so much stuff that she needs the biggest room in the house to contain all of it. So, now I’m back in my previous room, and it’s delightful. Thank you for the warm welcome.
Tom Bridge:
And today we’ve got a really special guest. Welcome back to the Mac Admins Podcast, Weldon Dodd. It’s great to hear from you, Weldon, how are you?
Weldon Dodd:
I’m doing great. I’m also in a former baby’s room, but our babies are a little bit older now, I think, than Emily’s. And I forgot to wear my purple T-shirt, to match Marcus’s yellow. But yeah, that was an awesome project too, with the Mac Admins Foundation. But things are great. Happy to be back.
Tom Bridge:
Wonderful. And we’re here to talk with you a little bit about this, about how fall is going at Kandji, and I think that there’s a lot of really interesting new things that you guys have planned. I think that there’s a good opportunity for us to talk a little bit about your APAC expansion, and your Europe expansion, and maybe some stuff that’s coming up at Objective by the Sea. So, let’s get down to brass tacks. What’s new?
Weldon Dodd:
Sure. Well, it’s fall, so that means we’re all getting ready for fall releases. I think, Tom, you and I have had some offline conversations about getting ready for that. But yeah, things are going great here at Kandji. We’ve expanded into the Asia Pacific area. So, we’ve just made our first hires in Sydney. So Marcus, maybe I’ll be out your way sometime, [inaudible 00:03:48] together. And so, that’s exciting. Europe has grown even faster than we had planned. And so, the team out there is killing it. We’re going to be at Objective by the Sea, which is in Barcelona this year, in the week of October 3rd. And Matt Carmen from Kandji on our threat team, he’s presenting a talk on how to sandbox malware. So, if your job includes doing research on identifying malware, and how it works, and you want to do that in a safe sandbox, you should tune in for Matt’s talk, and learn more. But that sets up the-
Tom Bridge:
Wait, are you suggesting that we shouldn’t be doing that in production systems?
Weldon Dodd:
Yeah. I don’t know. I’m told maybe it’s okay, but I’m not sure. But that does set up these other announcements. We have a threat team, and so we’re working on some new stuff at Kandji.
Tom Bridge:
That’s amazing.
Emily Kausalik-Whittle:
That’s exciting.
Weldon Dodd:
Yeah, I wish I could have brought the whole team here to tell you about it, but unfortunately you just have me, so I’ll do my best to convey what we’re working on. But the big announcement is that the future of Kandji really is including security features and security pillars directly into our product. This is how we see the change in the world. Where there used to be some separation between security tools, and IT tools, and device management tools, the future looks like bringing those two things together. And so, specifically this week, we’re announcing the availability of a vulnerability management product, that’s going to be followed very closely by a threat product, or an endpoint detection and response, EDR, product. And in addition on the roadmap are visibility and compliance tools, that will be integrated directly into Kandji.
Tom Bridge:
That’s awesome. So, I love what you said there at the beginning about better together, and I think that that better together approach is really interesting, because I think in a lot of ways security and device managers are often better than [inaudible 00:06:04]. There’s not a shared vocabulary sometimes. There’s sometimes a little bit of friction between these two professions. What strategies is Kandji taking to bring them closer together?
Weldon Dodd:
I like that word friction. I think that the two different sides of the house have been focused on achieving their goals, but sometimes there’s been a little bit of friction in figuring out how to do that together. And historically, they’ve had a little bit different mandates. InfoSec is responsible for securing the company, its users. And if we go back far enough, it used to be just about defending the perimeter, but that defensible frontier has changed over time. And the same thing with IT. IT’s goal was to enable productivity for users, and to get them the tools, and the services, and the applications, and things that they need. But over time, what we’ve seen is that all is converging around the endpoint. So, the endpoint is the new frontier to defend. The stakes around security for the endpoint can be existential. For a company, it could be literally life and death, figuratively life and death, for a company.
Tom Bridge:
I guess it depends on what the company does.
Weldon Dodd:
Yeah, it depends on [inaudible 00:07:17] life of the company. But yes, the stakes are high. And also now, the endpoint is the focus for productivity. So, if I go back far enough in my career, we were really worried about how to read nine-track data, and get that onto spinning disk. That’s not the problem that we’re working on now. The productivity gains are coming at being able to deliver really excellent device usability. That’s a driver. So, IT and InfoSec, they need to share data in order to win. And InfoSec needs visibility into what’s happening with IT systems. Closing the delay between the detection of an issue, and the remediation of that issue, needs to be tightened up. And from the IT side, they need to be able to focus on end user security as part of productivity, and make sure that we can… We used the word friction earlier. Reduce friction in the end user’s day, so they can continue to do their job while remaining secure.
Weldon Dodd:
I think another element of this is, security now has more dimensions, where remote work, work from home, just global work, being productive means security has to be there. You have to be able to access company resources wherever you are, in a secure way. What we want to do is get past this world where the tools were built for separate teams and separate objectives, and where there’s a wall between them. And we’ve tried to work around that wall. We’re all familiar with the CSV shuffle between teams, where I exported a list of vulnerabilities, and can you go look at that, and tell me what you’re doing, and sending CSVs back and forth. And what we want to do is just tear that wall down. We want IT and InfoSec to have access to shared tools, to harmonize these two systems.
Weldon Dodd:
So, we’ve coined this term, device harmony, to explain what we do, and that’s going to fit into our strategy here. It’s unique, it’s a little bit different, but we think that our approach is somewhat unique and different. So, it’s blending these two things together, so users can be secure and productive, that IT and InfoSec can work hand-in-hand together, to make all of these things happen.
Emily Kausalik-Whittle:
That sets up really well what I wanted to ask you next which is, what’s the practical version? What’s the day-to-day of this, in terms of how you see security practitioners participating in with Kandji, with admins using Kandji, as a device manager?
Weldon Dodd:
The place where we’re starting is with vulnerabilities and vulnerability management. And so, there’s a lot of great tools that are out there to help you identify vulnerabilities. Those that do include patching in order… Sometimes more focused on the Windows side of the house, but we see a lot of power in this area of bringing the two pieces together. So, it’s one thing to identify a vulnerability, and it’s another to connect that directly with the system that’s responsible for patching, or providing a remediation, or mitigation for that vulnerability. And that allows Kandji to become a platform for automating these common responses. So, you have an out of date version of software, and it needs to be updated. Well great, Kandji is the tool that provides the patch management, and keeps your systems up to date.
Weldon Dodd:
So, connecting those two things together, I think, has a real practical benefit, in comparison to a situation where maybe you use one tool to identify all of your vulnerabilities. You do that CSV shuffle between the IT and InfoSec teams, to identify the systems that need to be managed. And now you go create new policies, or actions in your device management tool. We can blend those two things together to shorten the amount of time it takes to respond to an issue, and reduce the amount of time that these systems are exposed.
Tom Bridge:
Or use webhooks to eliminate it entirely?
Weldon Dodd:
Yeah.
Emily Kausalik-Whittle:
Is the idea here maybe that instead of having disparate tool sets that dump information into a SIEM, an event and incident management system, and having a comprehensive place where you can see the information and take action together? Is that the vision?
Weldon Dodd:
Yeah, for sure. Definitely for Apple platforms, the vision is to bring those two things together. There’s definitely still a role for SIEM tools, and log aggregation, or SIEM, or whatever, to do correlation across systems. And a lot of larger organizations, Apple’s not the only platform that they support. So, being able to have tools that plug into your enterprise infrastructure, so we can provide info into a SIEM for a company to look at. I think there’s a lot of value there.
Weldon Dodd:
If you’ll permit story time for a minute. Back in the 90s, when I was working in telecom, we spent a lot of time selling network management solutions to customers. I was in professional services, I worked with, I think, just about every wireless carrier in the US, around network management. And one of the dreams they had was to provide end-to-end quality of service policies for their entire network for IP. And so, because telecom networks are built with disparate heterogeneous solutions, you have AT&T and Nortel in the core, and then you have HP, and Cisco, and Juniper, and everybody else, as you move out towards the edges. The idea was, we could provide a single pane of glass, to implement a QoS policy, and it would translate down into the actual instruction set for each of those different platforms.
Weldon Dodd:
And through that experience, I found that we had a hard time delivering the value that was being promised, because the translation of the implementation to each of those platforms was difficult to commoditize and aggregate together into a single tool. We were better off hiring people who knew the core switches for AT&T, Nortel, implementing policies there. Cisco people, Juniper people, whatever, and letting them implement the policy. The real value though, that we saw even back then, was aggregating alarms, and correlating them together.
Weldon Dodd:
So, if a backhoe goes through a fiber link, and you lose access to a part of your network, and all of a sudden you see latency delays, because all the traffic is routing around that broken connection, and things are slowing down, 500 alarms go off in the NOC, because all of these nodes are further away, or slower to get to. But all you really want to know in that moment is which link went down? What’s the one link that caused all of these other delays? So, when we talk about integrating in with the enterprise framework for IT and InfoSec, SIEM is still an important component, because you want to know, hey, what’s the one thing that’s causing these issues I’m seeing across systems? If someone’s Okta account is compromised, you might see alarms show up in a few different areas as they try to penetrate other systems, maybe including the endpoint, maybe including cloud services. Being able to correlate the information that we have about the endpoint with all the other data is still really valuable.
Marcus Ransom:
I also like what you said there about using the expertise of the engineers that were familiar with the particular hardware or the particular platforms. And I guess that comes back to macOS these days as well. macOS is a target. The days of there being no viruses, and no malware for macOS, are gone. It’s not necessarily viruses or malware, but it’s definitely attacks. But I know my experience of security tools in the past, a lot of that was around a lack of understanding about often even how to get the tool onto the Mac, with some well-documented examples of… The installation process of some of these tools actually exposing gaping holes in your security, passwords in text files, and all of those things.
Weldon Dodd:
Or a CVE. A CVE for the tool itself.
Marcus Ransom:
Exactly. Using the knowledge of the Mac Admin, or the team and the tools they’re using to manage the devices, in order to get this intelligence, and get richer intelligence about what’s going on, on the device. And hopefully, find it even before the security team notifies the desktop support team or the device management team, that there’s a thing out there that we need to do something about.
Weldon Dodd:
Yeah, I absolutely agree. There is a lot of value in building tools specifically for macOS, and for Apple platforms. Kandji was built for Mac Admins, and we’re trying to empower them and help them be better at their job, and to have more impact on their organization. macOS is definitely a target. I think this is maybe a little bit of hyperbole, but look, Apple has won the desktop battle. There’s still tons of Windows out there. I’m not saying they’re not selling lots of PCs and Windows.
Weldon Dodd:
But if you look at any modern progressive company, they are adopting Apple to one degree or another. That battle, that argument or whatever, is over. Apple is the platform of choice for most new companies. If they’re starting up today, that’s what they’re going to pick. And having tools that are built to address that, and work with that platform natively, are really valuable and important.
Weldon Dodd:
When we pick tools that try to provide that lowest common denominator, you’re going to give something up. So, it might be on the admin side, but it might be on the end user experience side. And we want to make sure that we’re balancing those, so that we’re creating a great experience for our customers, which are admins, but we want them to look good within their company to their users, to the people that they support. They should think, “Hey, our IT team is killing it, because my stuff works. It was easy to set up. I have the apps I need. If there’s an issue, it’s taken care of. It doesn’t bother me.” That’s important as well. And we think we can do that on macOS, better than any company that’s trying to do both.
James Smith:
This week’s episode of the Mac Admins Podcast is brought to you by Black Glove. Black Glove is about to be your new favorite IT partner. They provide ongoing expert support and rapid deployment services for your current, new, or refreshed Apple fleets. But what they’re really providing is complete peace of mind that your technology is safe, secure, and operating at its full potential. So, no more quick and expensive calls to the Geek Squad or Apple support. Black Glove’s strategies and fixes are from the hands and minds of former Apple engineers. So, not only is the expertise of this team unmatched, but their services are affordable and easy to get started with.
James Smith:
Fortune 500 companies and small budding businesses alike are working with Black Glove to ensure their Apple technology is doing exactly what they need it to. Whether it’s helping manage your remote teams’ devices, transitioning your device management system, onboarding new employees, or casing, tagging and tracking your devices, Black Glove can handle it all. They’re also just really great people to work with. In fact, mention this podcast when you reach out to them, and the Black Glove team will sponsor the next generation of Mac Admins through our Mac Admins Foundation. You can learn more and get started at blackglove.com. That’s B-L-A-C-K-G-L-O-V-E .com. And while you’re at it, ask them why they’re called Black Glove. It’s a clever nod to how white glove services just don’t cut it for IT.
Charles Edge:
So, I guess you mentioned vulnerability specifically, and you can’t have CVE without vulnerability. But what is a CVE, for the people who maybe haven’t heard of that, and what do those threats represent?
Weldon Dodd:
Yeah. So CVE, Common Vulnerabilities and Exposures, and these are essentially reports from the field or from companies about a vulnerability that exists in software, that there’s some defect, or so there’s some issue that allows it to be exploited, and used to do a variety of things. So these CVEs, they’re collected by MITRE, then we have NIST, who publishes and maintains the National Vulnerability Database, which is synced from MITRE’s list. And then they add additional information. So, you can go to that NVD, see the CVEs listed out. They all have a unique identifier and a number, and they’re attached to this piece of software. So, if you go look at those websites, you can take a look, and see a list of CVEs that are available today, and then the affected software.
Weldon Dodd:
The other piece that’s important is that there’s a framework for scoring these CVEs, the Common Vulnerability Scoring System, CVSS. It’s a framework that was developed by FIRST… I always forget what F… Forum. Forum of Incident Response and Security Teams, and that CVSS score gives you an idea of what the severity of that-
Marcus Ransom:
It’s like the Richter scale for things going down in your environment.
Tom Bridge:
Yeah, it is. In a lot of ways too, because the Richter scale is logarithmic. And so, each integer goes up an order of magnitude. And it definitely starts to feel that way as you start to look at the CVSS scoring that’s out there, and it’s really similar. I was going to say, I don’t see things… There are maybe things that are a little less worrying, like four and below; four to seven gets to be a little bit dicey. Eight and above is considered to be fairly serious, and urgent to resolve.
Weldon Dodd:
There’s three components to that base score. One is exploitability, what can you do with this? What’s the vector to get in? How complex is it? Is it easy? Anybody could do it? Is it difficult? What privileges are required? Those things go into the exploitability component. The impact component is how broadly compatible is it? How broad is this vulnerability, the integrity? Are you able to change data on the system? That tells you a bit about the impact. And then, the third component is scope. Is it contained to a local system? Does it allow you to jump off and attack other systems from there? Things like that.
Weldon Dodd:
That’s generally what we talk about with CVSS scores. There’s also a time-based component or score, the temporal metric. There’s environmental metrics which really relate to your environment. If you don’t use Flash in your environment, then your environment’s not vulnerable. The vulnerability exists, but it’s not in your environment.
Emily Kausalik-Whittle:
Fingers crossed.
Weldon Dodd:
So, what we’re reporting is that base metric group. So, the scores are zero to 10, like you mentioned, Tom. And most of the time, admins are going to be concerned about scores that are seven and up. And anything above 9.0 is going to get immediate attention. Your 10.0s are going to be all hands on deck moments.
Tom Bridge:
I was going to say, my wife works for a web hosting company that does a lot of WordPress hosting. And so, they start to get a little bit touchy when there’s a plugin vulnerability that’s over a seven. And then, at nine or above, they’re doing auto patch executions on those systems to make sure that they get patched immediately, with or without the user’s consent.
Weldon Dodd:
So, what we’re doing with Kandji, our vulnerability management tool here, what it’ll do is, we’re collecting the application inventory from all the devices. We know what’s installed. The CVEs that we’re looking for generally are related to software that you wanted to be on the system, but you’re looking for vulnerabilities there, that you can either address and keep using them, or remove in some way. So, we’re identifying all those third party applications that are installed on the system, that map to a known vulnerability. And if you’ve looked through the CVE data that’s in NVD, some of the reporting is a little bit inconsistent, and some of the ways that the specific software or executables are identified can be a little inconsistent.
Weldon Dodd:
And so, a lot of the work that we’ve put in is actually mapping the NVD entries to the application inventory that we collect from the endpoints. It’s just pretty standard. But then, creating some mapping between those so that we can say, yes, this specific piece of software, this title, has this known vulnerability in it. So, it’s adding some intelligence or some curation from our standpoint, to make that more efficient for admins to understand what vulnerabilities currently exist. The thing that’s nice about our implementation, is it’s directly integrated in with the existing product.
Weldon Dodd:
So, if you’re looking at a list of devices that are being managed by Kandji, you’ll be able to see directly in that same list which of these systems have vulnerabilities and what the highest scored vulnerability is on that system. And from there, you can click into the device. And on the device details page, you can see a list of all the identified vulnerabilities on that system, again, by CVE identifier and by score. And if you click into those, you’ll see the details from NVD, that link out to other resources. Sometimes the publisher will provide documentation on how to remediate the issue, or mitigate that issue. And that’s an area too, where we think that Kandji can add value. We’re a bunch of Mac Admins over here. We understand the problem space really well. And so, we’ll be able to add some additional value for our customers there over time.
Weldon Dodd:
I’ve been focusing on third party applications, and talking about those. There are a number of vulnerabilities within macOS as well, from time to time. But because of the nature of macOS, where you now have a signed, sealed system volume that’s read only, that you can’t modify. You have System Integrity Protection, other things that protect, even above having admin privileges on the endpoint. It’s not super useful to identify that, hey, like bash 3 has a vulnerability. Because one, you can’t do anything about that. And two, you can’t change it. So, that’s another place where having platform specific knowledge is really helpful, so that you can attach the right criticality to a vulnerability, even though it might show up in your list.
Charles Edge:
So, that’s really interesting. I happen to have written something, and it was only six or seven lines of code, so nothing nearly as mature as what you guys have done, obviously. But a few years ago, I took a stab at this. And I had it where I could pull down the JSON of all of the vulnerabilities, so I could check it. I could check it for Mac, and then use Spotlight to check it for all the apps in /Apps. But then, I got in the weeds of where you’re talking about, where I’m like, well, OpenSSL’s out of date, and there’s a CVE for it.
Charles Edge:
Now, I can update OpenSSL, but then in the next rev of macOS, am I going to break OpenSSL by updating it manually, to then circumvent that open CVE. And I think that’s where it broke down for me. But there were some architectural issues as well, where I just wrote a hacky script to run on our local machine. So, is this one running server side, since you already have that application inventory coming back from MDM or an agent? Or is this running on the hosts?
Weldon Dodd:
Yeah, so a lot of the evaluation is done on the server side. So, it gives us the ability to collect the information about the inventory that’s useful to admins anyways. And in order to generate reports and look at lists of items that are installed on their computers. But then, we can do that server side mapping and say, “Okay, here’s the CVEs we know about. From NVD, we can map that to what you have installed and present it directly on the server side.” There’s obviously, the client side components are really important. And this is, again, I think where the focus on macOS really shines, is because we’re able to use some of the native platform APIs, like the Endpoint Security framework, to look for certain files, to get hashes. And our own agent written natively for macOS using Swift, and all the latest tools from Apple, to be really performant. So, that has an impact as well.
Charles Edge:
Interesting. And just in general, would you say that… I guess Ruby’s still on the Mac, so would you say that my version of Ruby, which might or might not happen to have a CVE right this second. It does. That came by default with my machine. Would you say that that’s problematic, even though I shouldn’t probably update it or I might break something, just out of curiosity?
Weldon Dodd:
Yeah. I think this is part of the problem that we wanted to solve. We didn’t want to have a brain dead tool that would just tell you about every known CVE, without any intelligence around what the impact could be for your environment. So for instance, if something requires a privilege escalation in order to make a change to a config file, in order to realize an exploit, but that file is protected by SIP, it’s going to be less of an impact for macOS. So, just having that context of what’s going on within the Apple platform, we think adds a lot of value for our customers.
Charles Edge:
That’s a wonderful answer. Really, it gets to relevance, I think, is what you’re saying. Well, yeah, there might be a version of Ruby that’s janky on your machine, but you’re not a web server, I hope, so meh.
Marcus Ransom:
And this is where the correlation of other data points is really important in assessing the platform, is as you were saying, if a particular vulnerability is only an issue if SIP is disabled on a machine, and you know that SIP isn’t disabled on a machine, is the vulnerability really a vulnerability anymore on that machine, the second [inaudible 00:31:52]-
Weldon Dodd:
So, tree falling in the forest?
Marcus Ransom:
Yeah, exactly. The idea of security tools not running entirely on the device, and slowing everything down. So, this sounds fascinating. [inaudible 00:32:09]-
Weldon Dodd:
[inaudible 00:32:09], what would that be like?
Charles Edge:
Architecturally, the awesome thing is, if you’re using Mongo, or however you’re architecting the back end, if these are just JSON documents and it’s like, oh, there’s a quick pattern match on the back end. To your point, Marcus, you never touched the end user client machine, and slowed it down. It’s just nice and zippy still.
Marcus Ransom:
Also enterprise deployments where they stack security agents 15 high, to cover all of the different gaps. And you think about what the Venn diagram must look like of all of the different tools that are trying to generate the same information. Whereas, if that information already exists, capture the information once, and then have at it off device to decide what you’re going to do with it.
Weldon Dodd:
Yeah, agent fatigue is a real problem. We hear that from customers all the time, that they’ve got 10, 15, 20 different agents running on their systems, and there’s a price to pay for that. I want to approach this with some humility. So, this is our first entry into this area. There’s a lot of other competitors out there that have been around for a long time, and are quite mature in their feature set and capabilities. We still think there’s something really important about building these tools specifically for the Mac platform, and using them or developing them in ways that get the most performance. We’re not interested, or it’s not one of our goals, I should say, to share code across different platforms, and optimize for our own developer experience. Our priorities are very clearly on optimizing for that end user experience, minimizing the impact to their day to day, what happens on their endpoint, and optimizing for our customer experience as admins.
Emily Kausalik-Whittle:
And having things digestible in a way, and a platform that’s being written out with a Mac Admin-first mindset. So that, as we’re trying to reduce that friction between information technology and information security, that the way the information is being presented, the SIP… Like Marcus mentioned before, be able to show, because of built-in functionality in the platform, some of this risk is already mitigated. And making that clear for security teams who don’t always come into an environment, even if it’s a Mac heavy one, really being experts in the Mac platform, and having the Kandji detection stuff fill in a little bit of that information gap, to take the burden off of the Mac Admins having to train up or explain the nuances of Apple’s operating systems, to show if something is really as big of a vulnerability as a CVE score might show for an environment. That’s interesting stuff there, for sure.
Weldon Dodd:
Yeah. I definitely want to come back around to what you mentioned there, Emily, about helping the Mac Admin. But just to tie off something that Marcus said about context. Well, you touched on this too, Emily, you’re like SIP. That device context is really important. Is SIP enabled or disabled? Device context is really important to understanding what action to take. But user context is also really important. So, if I have a CVE in the nines, that is on a system that my CEO is using, or the CTO is using, or my chief architect, or researcher, or whatever, that’s a very different feeling that I have as an admin, than if it’s a junior or a salesperson… Or not to denigrate sales. We love sales people.
Tom Bridge:
Sales people are incredible. They’re people too.
Weldon Dodd:
Absolutely. But that’s a very different response from my team, if I see that 9.3 or whatever, 10.0, on my CEO’s computer, versus if I see it on someone else’s. And so, context I think is really valuable. This is one of the ways that we want to bring IT and InfoSec together, so that we have the full picture, all in one place, in a way that can be shared.
Weldon Dodd:
I’ll come back around to Emily, what you’re saying about Mac Admins. So, we realize that some of our customers today, that are Mac Admins, security may not be part of their mandate. They may not be responsible for running the vulnerability tool within their organization today. And we’re not here necessarily to change that. I’m not here to disrupt your org chart, or rewrite your job description, or whatever. But I do feel really strongly that every Mac Admin can be better at their job, if they have a better understanding of vulnerabilities, CVE, threat. And it’s a way for everyone in our industry, to continue to level up and to grow. You will be better at your job if you have a better understanding of what CVEs are out there, what the vulnerability score and impact looks like for your organization. And that will allow you to partner better with other people maybe across the aisle, in InfoSec, if you’re in separate teams today.
Tom Bridge:
So, we’ve talked a lot about how this affects macOS. Are you guys looking at something similar for the iOS space, especially with all the logic being done server side?
Weldon Dodd:
Yeah, we’re looking at a lot of things, Tom, but yeah, the-
Tom Bridge:
Hey, I wanted to give you the perfect product meatball for that one, because you can always say future related things. We’re thinking about that. Yeah.
Weldon Dodd:
Absolutely. Our customers know, we’ve been a little protective or tight-lipped about our roadmap, and what’s coming for Kandji, just because we’re a startup. We’re trying to establish our place here in the industry, alongside some of the more established players. But yeah, we are pronouncing some additional capabilities to come. With vulnerability, we’ll continue to build on it. We do have a lot of information about iOS devices as well. So, there’s some obvious enhancements that you could figure out, coming. But we’re also looking ahead at some of these other pillars, that we want to add to our device harmony story.
Weldon Dodd:
So, the next piece that you’ll see from us is, endpoint detection and response, threat. It’s fundamentally different from vulnerabilities, in the sense that here we’re really targeting software that you do not want to be on your devices, that you had no intention of it ever being there. You want to shut it down. And so, that’s what’s coming next. We are going to be working on visibility and compliance tools as well, to round out this vision here, the four pillars for device harmony. For vulnerabilities, you’ll definitely see a progression of releases, that will quickly follow what we’re announcing this week, what you’ll be able to see in the product this week. Look for more soon.
Tom Bridge:
So, you said something interesting there, and I want to come back to that. Device Harmony, as one of two music majors on this podcast. Sorry, I should even step out the way, I’ve only got the little degree. Emily has the doctorate. But the harmony that you’re talking about there, what are the four pillars that you just mentioned?
Weldon Dodd:
Yeah, so vulnerability management, we just talked about. Threat or EDR, is the ability to identify malicious files, or potentially unwanted programs on your devices, and shut those down. And there’s two components to that. So, in the initial release, you’ll see file based response, that’s both pre-execution. So, we can match to a known hash or a known signature, and the variants that come from that piece of malware. We can apply what we know, to identify variants that might show up in the wild.
Weldon Dodd:
And then, the other component is, post execution. So, we’re watching what that new executable is doing when it launches. What files is it accessing? What is it writing to disk? There’s some patterns that show suspicious behavior, and that allows us to identify, this looks like malware, this looks like something that is bad on your system. And again, we can hook into the native platform tools, the ESF framework, the endpoint security framework, and other places to be able to shut those processes down, and prevent them from doing any harm. That whole security space around EDR, XDR is growing. There’s lots of room to grow there as well.
Weldon Dodd:
The other two components are visibility. So, just being able to not only collect information about your managed endpoints, but the ability to do real time queries across your fleet, for questions that are difficult to answer from traditional inventory collection. So for example, if you’re threat hunting, I want to know if a process that looks like this, or has this string in its name or whatever, is running on any of my computers right now, that ability to do a real time query across your fleet, that’s what we have in mind for visibility, along with the ability to report and collect information there. Same integration, there’s other directions, that that whole pillar goes. And then, the last one is compliance. We have a lot of compliance tools in Kandji today. There’s templates for things like CIS, a lot of our library items and pre-built automations are already tagged with security controls, and what frameworks that they apply to. But just being able to give customers better tools to identify their compliance, maintain their compliance, and automatically remediate any drift in their fleet, to get back into compliance.
James Smith:
Deploying, managing and protecting Apple devices at work shouldn’t be difficult or require several solutions. Mosyle is the only Apple unified platform for business. By combining enhanced device management, endpoint security, internet privacy and security, single sign-on, and enhanced apps management, into a single Apple only platform, businesses can now easily and automatically deploy, manage, and protect, their Apple devices with one solution, and at an affordable price. With a solution for every business size, and the best support in the market, request your free account today, and see firsthand why Mosyle is more than an Apple MDM. Mosyle is everything you need to work with Apple. To learn more, visit business.mosyle.com. That’s business dot, M-O-S-Y-L-E, dot com.
Tom Bridge:
So, what reporting does the scanner have for admins?
Weldon Dodd:
On the EDR side, or the vulnerability side?
Tom Bridge:
No, the vulnerability side.
Weldon Dodd:
So the capabilities, they are to identify, any piece of software that’s installed on the device, does it map to a known vulnerability? What you’ll see in the console, is a little bit of what I described earlier, that by device, how many vulnerabilities are there, and what’s the highest score. So that you can really focus in on, hey, these are the devices that either seem to have a lot of exposure, and the sum. There may be more than the total of the parts, in terms of, hey, there’s lots of vulnerabilities that might stack up on this system.
Weldon Dodd:
But then, there’s also just the quick identification of, here’s the highest scored vulnerability on a specific device. So that you can try to use that information to plan your time wisely, address your plan of attack with your team, about how you want to address these. Context, we mentioned before, super important. A higher vulnerability score doesn’t necessarily mean that it’s the most impactful issue within your organization. And so, being able to see the full picture, here’s everything I know about the device, alongside of the vulnerabilities, we think will help admins to identify what’s the most important thing for them to work on next.
Tom Bridge:
It’s great that we can see lists of vulnerabilities, and then we have a good understanding of what’s on a device that is problematic. What guidance do you guys offer in terms of remediation with the tool?
Weldon Dodd:
Yeah, so this I think is one of the strengths of Kandji. We have a pretty well developed library of application installers, we call auto apps, that our customers can use right out of the box. And it’s literally a single toggle switch to turn it on, and enable that auto app for your devices. One of the things that is nice about the way it works, is that we will look for that application on the managed devices, regardless of whether we installed it or not. So, if you need to patch Adobe Reader or Zoom, and it’s already been previously installed, maybe by the end user, maybe by a different tool or method. Kandji doesn’t discriminate. If you set one of these auto apps on, and apply it to your devices, and you have your option set so it’s automatically updated, we will update Zoom when we find it on those computers.
Weldon Dodd:
So, if you see a CVE in your list, like Zoom is affected and you need… I’m not trying to pick on any vendor here, but it’s just patching Zoom is, I think, a reality for everyone in our industry. So, we love Zoom-
Emily Kausalik-Whittle:
It’s used by a lot of organizations.
Weldon Dodd:
Yes. We use it. Zoom’s great. But there are a lot of updates to manage. So, this automation of being able to completely give this over to Kandji to do for you, creates a bunch of leverage for our customers. So, you turn this on, anytime there’s a new update available for Zoom, it automatically is applied to your devices, and you can not worry about finding the next enterprise installer, and uploading it, and identifying it, and targeting it to the right computers, or whatever. We do all of that automatically. So, one of the benefits that we see here is, okay, you’ve identified a bunch of vulnerabilities. Where we have an auto app in our library, you can enable that, turn that on. It’ll be automatically patched, and brought up to date. And you’ll be able to see that list, or the count of vulnerabilities go down over time, as they get patched.
Weldon Dodd:
That’s where we see, again, this is the device harmony story, is that it’s IT and InfoSec coming together, bringing these tools, combining them, collaborating so that an issue is identified, vulnerability is identified on the machine. You already have the tools in place to remediate that, to patch that software title, and move on. We think what we’re adding from our side, is value that all of our customers can take advantage of, and we’re really interested in creating that leverage for the community. So, if you’re a Mac admin, you have a small team, maybe you have two, three people, and you’re supporting maybe a thousand users, Kandji is a tool that’s going to help you to do more with your team, get it done faster, get to the resolution, or get to the outcome that you want.
Emily Kausalik-Whittle:
And building off of that thought, I think all of us have been in that role at some point in our careers. When you are a small team or a big team at a big organization, what you want to know is how you get alerted or notified, when trends are detected, when a device has a very particular severe CVE detected on it. Maybe there’s a trend across a lot of devices that do… Know that, that’s going to be available for device, it sounds like, in the console. But does it currently have, or are you hoping to have maybe at some point, some reporting that comes out? Maybe it’s like an app for Slack, or a webhook that you can post somewhere or something, so that information, it can be quickly gathered, even if you’re not currently in a Kandji console, looking at device information?
Weldon Dodd:
There’s a couple things there. So, one of my goals, leading product over here at Kandji is, I don’t want to create a tool that is used to generate a list of tasks for admins to accomplish. That’s not the end goal that I have in mind. I don’t want to be just another system that generates tickets, that you have to go look at and act on. Our first priority, our first goal, is to create a tool, to create a platform that will solve the problem for you. And so, that’s what we have in mind with AutoApps as an example. Is that, hey, there’s a vulnerability. We already took care of it. It’s not on your list of things to accomplish. Now, the reality is that there’s still work to do, to make that a reality in all aspects of the Mac Admin job. So, there are places where you do need to get an alert, or you need to have a report that tells you, here’s some important things that you need to know right now.
Weldon Dodd:
Like you said, you can see that in the console. We have an existing Slack integration. So, you can post those messages into a channel, or multiple channels, and you can divide up which alerts you want to go into, which channel if you have different teams, or if you want some to go to help desk, and some to go to endpoint architecture, or whatever it is. We also, we’re adding that for Microsoft Teams as well. It should be live close to the time this podcast is available to the world. So, it’ll be similar functionality there, if you’re on that side of the fence. And then, we talked about SCIM and other tools. So, we have a lot of things planned for the future as well, where we want to be able to make this information widely available, accessible within the larger enterprise IT tool stack, that people use.
Emily Kausalik-Whittle:
And I admit, I almost selfishly asked that question, coming out of organizations that have very… Even that were very small, had very strict change management requirements. So, as much as a CVE might be severe, I still need to get approval to deploy a new version of something out to everybody, and have it go through leadership. So, that’s where I just selfishly… Where alerting becomes important at an organization like that, as much as you want to be fast.
Marcus Ransom:
I really like the idea of automation and remediation, whereas if that automation can go through change management, and the idea of a closed loop where security is best when the response is fast. I was at a security talk the other week, where it was mentioned that if the response in your EDR was creating a Service Now ticket, that maybe might get looked at in seven days, then that’s really not a response. And having the time that you’ve got when there is a serious vulnerability, stuff is going down, isn’t going to wait for someone to clear the rest of their queue. And if there’s something that needs to get you to log into the console, and have a look on a weekend, or a public holiday, because something’s really bad, then having ways of notifying someone that things are happening, malware doesn’t work business hours.
Weldon Dodd:
That’s what’s so great about these conversations in this whole podcast, is everyone’s… The host included, background and perspective as practitioners. These are the conversations that we’re having with our customers as well. How do you strike the right balance between complete automation without it becoming a black box where you don’t have visibility into what’s happening, and why it’s happening? How can we integrate this in with other workflows, and base that on policies that we want to create for our organization? So, it’s forward looking a little bit, but you can see it.
Weldon Dodd:
If you would want to differentiate based on CVSS score, how you respond to a problem, that a 10, maybe you can’t patch it right now, but maybe you don’t want that software to run, while it’s still a 10. And sevens and below, they’re not as urgent. You could have a manual approval process, or some delay in remediation, to check it over, and make sure that that’s going to work for everybody. It’s going to fit within your policies.
Weldon Dodd:
I think, again, it opens up a lot of opportunity for us in the future where Kandji is introducing these new features, but there’s so much power, we think, in connecting these two sides of identifying an issue, and acting on that issue, and using the power of intelligence about our platform, and using these automations in a thoughtful way that helps our customers to achieve their goal, whatever that might be.
James Smith:
Here at the Mac Admins podcast, we want to say a special thank you to all of our Patreon backers. The following people are to be recognized for their incredible generosity. Stubacca, thank you. Adam Selby, thank you. Nate Walk, thank you. Michael Tsy, thank you. Rick Goody, thank you. Mike Boylan, you know it, thank you. Melvin Vives, thank you. Bill Steitz, thank you. A New Store Bill, thank you. Jeffrey Compton, MDOT Marsh, Stu McDonald, Hamlin Crusin, Adam Berg, thank you. A.J. Petrepka, thank you. James Tracy, Tim Perfitt of Twocanoes, thank you. Nate Sinal, Will O’Neal, Seb Nash, the folks at Command-Control-Power, Steven Weinstein, Chad Swarthout, Daniel McLaughlin, Justin Hold, Bill Smith, and Weldon Dodd, thank you all so much. And remember that you can back us, if you just head on out to patreon.com/macadmpodcast. Thanks everybody.
Tom Bridge:
So, I don’t want to let EDR go by unaddressed, because you’ve used my acronyms that caused my spidey senses to go up. Because EDR has endpoint defense and response, certainly is a very fascinating topic for a lot of Mac Admins. So, how is EDR different than something like antivirus, or are they synonymous?
Weldon Dodd:
They’re definitely related, and I think the industry has gone through a whole period of trying to define these terms in a way that expands their scope, and reach, and impact. And there’s a little bit of an acronym soup in this area. But the-
Marcus Ransom:
It’s like metal bands. Every metal band’s got their own genre of metal, that they’re sometimes the only practitioner of. And security tools can often be the same. First thing you need is a three letter acronym to describe your tool, and then off you go.
Weldon Dodd:
I think, just to try to keep it straightforward for the conversation here. If you look at some of the legacy AV products, there’s been a bunch of issues around support for the latest versions of macOS, and switching from kernel extensions to system extensions, and whatnot. The more modern vendors have done better in that area. But still, we’ve seen even within the last year or so, some major vendors stumble over new releases in macOS, and being ready on release day to continue to support their customers. And so, if we ask 10 different security professionals about what the definition of EDR, XDR, NextGen AV was, we’d probably get 12 different opinions about it.
Weldon Dodd:
So, what we’re trying to do is, we definitely are headed towards that EDR XDR space, where we can identify a threat, we can shut it down, prevent it from running. We can use both file based matching and hashing, as well as machine learning, to identify those threats and prevent them from executing, or getting access to sensitive materials or resources, on a device. We’re looking to protect our customers from common malware that would collect PI, that personally identifiable information, and ship that off to some other country. Those kinds of problems.
Weldon Dodd:
The big thing that we think we can contribute to this space, is being focused on the Mac platform, and being ready on release day, to support the latest versions of macOS. Keeping up with the changes in the endpoint security framework tooling that Apple provides, so that we can take advantage of every last possible advantage we can gain as a defense mechanism, and staying focused on what our customers want. As a new entrant into the area, if you put up a feature checklist side by side, that’s going to be a difficult conversation for us to have. But I really firmly believe that what we’re doing is special, that this is something that will bring a lot of value to the Mac Admin community, that will solve problems in a way that’s a little bit different, but create some of these streamlined efficiencies that our customers will be able to take advantage of.
Marcus Ransom:
So. We’ve mentioned the endpoint security framework a few times. So, what made you want to start with that as the basis for these tools?
Weldon Dodd:
A lot of it’s performance. One of the biggest complaints we heard from customers, was the impact of installing these additional agents on their endpoints, and what it did to the end user experience. And there’s a lot of built in tooling, that if you take advantage of, drastically improves the performance. So file monitoring, being able to see what’s happening on the file system. Using the built-in tooling is the most performant way to do that.
Weldon Dodd:
There’s some interesting things we can learn from. Apple’s been using XProtect and Gatekeeper as a model for protecting endpoints for a while. There’s some good strategies that they employ. But for most of our customers, they are looking for something more. So, the Yara rules that XProtect uses, cover a lot, but it doesn’t cover everything. And so, we think with our threat team, and the talent that we’ve collected, we’ll be able to extend that, and do more, provide a better tool than what’s built-in.
Marcus Ransom:
So, you mentioned XProtect and Gatekeeper. Does it enhance and work alongside those tools, or is it trying to eliminate the requirement for those tools?
Weldon Dodd:
Our attitude here is to complement what Apple does, and extend the functionality, is really at the root of who we are and how we approach these problems. We want to be running with the grain, not rubbing against the grain as we try to solve these problems. And there’s a bunch of reasons for that. One is, look, we’re here to… I mentioned this before, I’m going to say it again. We’re here to help level up Mac Admins. If your job, if your profession is to be a Mac Admin, then we want to help you get better at your job. We want to elevate your role within the organization.
Weldon Dodd:
And so, a better understanding of how the platform works, and how the native tools work, and what Apple’s approach is, we think helps our customers. It helps them to be better at their job. And why do we want you to be better at your job? Because we want you to contribute to the mission of your organization. I’m convinced that no one has a poster on their wall that says, “My mission is to make sure Chrome is patched today.” That’s not what’s on the wall. I don’t know what is.
Marcus Ransom:
I’ve got that on my wall. You just can’t see it. It’s out of [inaudible 01:01:12].
Tom Bridge:
I’m the Chrome patcher-in-chief. I don’t know about you all [inaudible 01:01:18]-
Weldon Dodd:
Your job is so much bigger than that. Your role should be so much bigger than that. What is it that your organization wants to do? What are your users that you’re supporting, trying to accomplish? What tools do they need? Let’s get that done. Let’s get those into their hands. Let’s figure that out, so you can think about how do I continue to enhance productivity at my company? How do I make my org, whether it could be an NGO, it could be a nonprofit, it could be a government agency, healthcare, retail, hospitality. I don’t care. But you have a mission that you’re trying to accomplish, and that’s at the root of what I want to do at Kandji, and I think what my whole team wants to do, is say, how do we help you get better? So, I’m coming back full circle around to the original question was, how do we align with what Apple’s doing? Well, we think the best way to help our customers, is to align very closely with what Apple’s doing.
Tom Bridge:
I think that’s where we should leave it for this week. I think this has been an amazing trip through some major updates, the Kandji platform as a whole. And for that, I say thank you. Well done. This has been an incredible tour through, not just a new set of features, but a whole new way of thinking, that seems to be coming out of Kandji on this platform side of the house.
Tom Bridge:
So, it’s always exciting to see organizations start to architect their future, and start to telegraph the story that they’re going to tell over the next six, eight, 12, 18 months. If you don’t have a great story there, that’s always a challenge for your organization, I think. Well then, thank you so much for joining us this week. It’s been a pleasure to see you as always. We hope you’ll come back and visit again in the future. And I look forward to seeing… I am seeing you at Objective by the Sea?
Weldon Dodd:
Yeah, I will be there, along with a couple of other people from the team.
Tom Bridge:
We will find some very excellent [inaudible 01:03:11] to go and eat in Barcelona.
Marcus Ransom:
I do not want to see pictures of that.
Emily Kausalik-Whittle:
Jelly.
Tom Bridge:
Pictures will be posted on the internets, I promise.
Weldon Dodd:
Thank you so much for having me here, and inviting me to be on. It’s always a pleasure to speak with you, and really appreciate it. Thank you.
Tom Bridge:
Awesome. Well, thanks so much to our awesome sponsors this week. That’s Kandji, Black Glove, Mosyle, and Meter. Thank you to Meter for the transcription of this episode, which I’m sure you will all find edifying, and certainly not use as a method to put yourself to sleep later. And of course, thanks so much to all of the people who back us on Patreon, and who make this podcast possible every week. So, thanks everybody, and we’ll see you next time.
Marcus Ransom:
See you later.
James Smith:
The Mac Admins podcast is a production of Mac Admin’s podcast LLC. Our producer is Tom Bridge. Our sound editor and mixing engineer, is James Smith. Our theme music was produced by Adam Kudiga, the first time he opened Garage Band. Sponsorship for the Mac Admins podcast is provided by the macadmins.org Slack, where you can join thousands of Mac Admins in a free Slack instance. Visit macadmins.org. And also, by Technolutionary LLC. Technically, we can help. For more information about this podcast and other broadcasts like it, please visit podcast.macadmins.org. Since we’ve converted this podcast to APFS, the funny metadata joke is at the end.
Links
- CVE
- NVD
- Common Vulnerability Scoring System SIG
- GitHub – krypted/maccvecheck: Checks the CVE database for any macOS Vulnerabilities
- #security-alerts channel on Slack
Patreon Sponsors:
The Mac Admins Podcast has launched a Patreon Campaign! Our named patrons this month include:
Rick Goody, Mike Boylan, Melvin Vives, William (Bill) Stites, Anoush d’Orville, Jeffrey Compton, M.Marsh, Hamlin Krewson, Adam Burg, A.J. Potrebka, James Stracey, Timothy Perfitt, Nate Cinal, William O’Neal, Sebastian Nash, Command Control Power, Stephen Weinstein, Chad Swarthout, Daniel MacLaughlin, Justin Holt, William Smith, and Weldon Dodd