Episode 313: NanoMDM

The world of open source MDMs continues to evolve. We’ve had guests on to talk about open source mdm tools in the past but this is one of those episode topics that should come back up routinely. Especially when we see larger scale operations. Today we’ll talk about how NanoMDM could be  used to build a dynamic and flexible event-based mdm platform. This type of system is broadly useful to multiple different types of orgs and can have great security benefits.

Hosts:

Guests:

  • Ryan Diers, Security Engineer, Airbnb – @radsec
  • Brandon Kurtz, Client Engineering, Airbnb – @discentem

Links:

Click here to read the transcript

This week’s transcription is brought to you by Alectrona

James Smith:
This week’s episode of the Mac Admins Podcast is brought to you by Kandji. You know where the biggest potholes are when switching device management solutions? It’s not the prep work or figuring out how to replicate your current configuration in the new system. It’s that moment when management is temporarily removed from a Mac, leaving you with no control. From there, you have to rely on users to follow your instructions and enroll their devices into the new solution. Multiply it by hundreds or thousands of devices, and support tickets and errors start cropping up at scale.
Kandji has changed the game with this migration assistant, a seamless tool with completely customizable logic that guides users through enrollment into Kandji’s device management solution, so your support team won’t have to. 100% free for all new customers, Kandji’s migration assistant is just one piece of an overall exceptional experience Mac Admins enjoy with the use of Kandji’s comprehensive solution.
To learn more, head on over to kandji.io/migration. That’s K-A-N-D-J-I.io/migration. Or join the Kandji channel on the MacAdmins Slack to say hi and see what they’re up to. Thanks again to Kandji for sponsoring this episode of the Mac Admins Podcast.

Tom Bridge:
Hello and welcome to the Mac Admins Podcast. I’m your host this week, Tom Bridge. And Marcus, how are you, friend?

Marcus Ransom:
I’m doing okay. I’m doing okay. My body is almost my own again.

Tom Bridge:
That is good.

Marcus Ransom:
So, I’m looking forward to that. I’ve got an appointment with an anesthetist after this to get all the bits out of my body that don’t belong in there, and I will no longer be some kind of cyborg. But aside from that, everything’s okay. It’s a bit of a shame because it’s actually a beautiful day outside here. It’s a long weekend. Well, a longer weekend. We’ve got a public holiday for Anzac Day, our Memorial Day here tomorrow on Tuesday. So, everybody takes the Monday off. And it’s a spectacular day, except I’m inside here talking to all of you on the podcast and then going down to the hospital, but it looks beautiful.

Tom Bridge:
I had the opportunity to visit the Shrine of Remembrance there in Melbourne when I was there a couple of weeks ago, and I actually was really touched by the memorial there. I thought it was really quite lovely, especially a couple of the exhibits that focused on the Aboriginal people who fought in the military, as well as folks of differing backgrounds. So, I thought that that was really a touching memorial.

Marcus Ransom:
Yeah, it’s very much gone from when I was growing up being a day. I don’t know if we really quite understood what it was about in those days, but now, it’s very much looking at, and we see this looking around the world at the moment, why this was all a really bad idea. And we should very much do everything we can to make sure it doesn’t happen again.

Tom Bridge:
And by all of this you mean world wars?

Marcus Ransom:
World wars, even localized conflicts, just not being nice. We can start there and work up, I think.

Charles Edge:
Yeah. I’m great. I happened to, one time, be on a bus. I was doing some work in Istanbul, and I decided to head down to Troy, and it happened to be Anzac Day, and there were about 15 drunk Australians. And that day, I decided I love Australians, present company excluded, but it was a very special moment. And I hadn’t planned on going to Gallipoli, if I said that properly?

Marcus Ransom:
Yeah.

Charles Edge:
But I ended up doing it that day because once you start drinking with Australians, it’s hard to stop.

Tom Bridge:
Or say no. Yeah, correct.

Charles Edge:
Yeah, yeah, there’s that. But yeah, how are you, Tom?

Tom Bridge:
I’m fantastic. It’s been a lovely spring weekend here in Washington. We had gorgeous weather on Friday and Saturday, and then it bucketed down rain. And now, it’s 45 degrees outside again. So, we’ve hit third spool spring or whatever we’re calling this. I, of course, did all of my planting on Saturday, so don’t I feel silly? I probably should have looked at a forecast a little bit better, but it is what it is and the plants will be fine. They’ll just be a little cold for a little bit, but it’s been tremendous. I thought of you today, Charles. I went and saw the Dungeons and Dragons movie with Charlie and Tiff today and we had a blast. That is a lot of fun.

Charles Edge:
I haven’t seen it yet, but I’m looking forward to getting a chance to see a movie again.

Tom Bridge:
Chris Pine is at his Chris Pine-iest.

Charles Edge:
That’s what I’ve heard.

Tom Bridge:
Yeah, spectacular. So, we’ve got a couple of guests today. Charles, you want to do the honors?

Charles Edge:
Yes, sir. So, the world of open-source MDMs continues to evolve, and we’ve had guests on to talk about open-source MDM tools in the past, but this is one of those episode topics that should come back up routinely, especially when we see larger scale operations that are going into production. And today, we’ll talk about how NanoMDM could be used to build a dynamic and flexible event-based MDM platform. This type of system is broadly useful to multiple different types of orgs and can have great security benefits.
So, Ryan and Brandon, thank you guys so much for joining us. We love, love, love, love a good origin story. Anyone who’s listened to more than one episode would know that probably. And so, we try to start our episodes with those. Do y’all mind taking us through how you found yourself in the spot where you were rolling open-source MDM out to a bunch of Apple devices?

Brandon Kurtz:
Sure, of course. I can go first. I’d started my career working at the IT help desk, my freshman year of college. Back then, I was still a theater major, and I can talk about that more if you like. Then during the summers, between semesters, I was able to get various IT support internships at places like Marvel. Yes, the comic book company. Consumer Reports, and finally, a financial tech company.
My first job out of college, I was working as a systems administrator, supporting Mac and Windows machines with “traditional tools” like Active Directory and Jamf. My brother who also works in tech was then a Linux administrator. He’s now a software engineer. He was starting to explore tools like Chef and Ansible for Linux management. It took me a while to realize that those tools could provide value on macOS as well, not just Linux.
Eventually, I was able to really see their potential and I got pretty obsessed with the help of a lot of folks in the Mac Admins channel. Back then, there was a lot of people from the Facebook CPE team and other companies who were using Chef in production, who were really helpful and happy to answer questions to a newb like me. And that’s really how I got started in my career with config management in Mac administration. So, I owe a lot to those folks.
With their help, I taught myself about Chef and Salt, which is another config management tool, and that led me to my current role as a client platform engineer at Airbnb. And when Apple finally started requiring MDM, at some point, there were certain things you couldn’t do unless you had MDM. My colleagues, before I joined, considered the commercial options and they chose MicroMDM instead because it was a DevOps friendly tool, and it really aligned with their values and their desire to continue using config management.
I didn’t have experience running Micro or open-source MDM or any MDM really in production until I joined. As I said, they rolled it out before I joined, but it was quite an adventure joining them and seeing what it took to run open-source MDM in production. And just a quick disclaimer, I’m going to talk about my experience with NanoMDM, but these opinions are all my own and don’t represent anything that I’m doing for Airbnb. And now, over to Ryan.

Charles Edge:
Thank you.

Ryan Diers:
Hi. No, I’m Ryan. Oh, boy, my origin story, probably quite different from a lot of folks on this podcast. But I started my journey, probably like a lot of other folks, IT help desk during college. I had this idea; I really wanted to do information security, but it’s just a huge world of careers and what you can do. So, I got started in securing Windows and Active Directory environments. At this point, I have never touched a Mac at this point in my life when that happened. So, later down the road, somehow, we end up here, but I’ll get to that in a moment.
Through that role out of college, I joined some consulting firms doing infrastructure and CI/CD security for customers of all sizes, Fortune 100, the Fortune 1000. So, you can imagine, you see a ton of different environments doing everything right and also doing everything completely wrong and being as scrappy as possible because they have limited budgets. That later led me to where I’m at now, here at Airbnb. And I think when I first came on, it was a few months right before COVID and they were like, “We really need some folks with Windows.”
And then COVID hit and then they’re like, “Well, this isn’t going to happen. We need you to get really good at Mac security now.” And I said, “Oh, well, I just started using Macs here.” And they’re like, “Well, that’s part of security, is pivoting quickly and learning on the fly.” So, I owe a lot to the client engineering team at Airbnb. A lot of the kudos to them for, number one, just training me as well, but also showing me, “Hey, a lot of the things you learned in Windows are actually quite similar in Mac security.”
So, I think, one day, randomly, Brandon’s like, “Hey.” He was talking about NanoMDM. I’m like, “Oh, that’s really cool.” I’ve learned a lot of how MDM is required to do a lot of security settings on Mac. And I said, “What not a better project to actually learn more of the in-depths of what MDM really is, is by taking an open-source project and just playing around with it, building the infrastructure?” Because that’s something like tuning to my background sort of thing was the Terraform behind it, how to tie all the pieces together.
So, that’s how we’re here at now. A few years later now. I love using my Mac, so just the story of being a true tinkerer is changing what you do all the time.

Charles Edge:
Truly. I think it’s interesting, that point of when you switch platforms or when you have to use open-source tools to roll your own, you learn a lot more. I was in MCSE with Exchange for years and having to use postfix and OS X Server and some of the other tools, then I really understood Mail. But with Exchange, it works, or it doesn’t. And if it doesn’t, you get on the phone with Microsoft usually, but with OS X Server, if it was like, well, if it doesn’t work, you just got to figure it out.
And the same with the Open Directory implementation. I knew Active Directory, but once I knew Open Directory, I really knew Active Directory. They can then ask, oh, what is this FSMO role or whatever on MCSE exams, and you can do it in production. But then once you’ve got to fix a Berkeley Database, you start really understanding what’s going on under the hood.

Marcus Ransom:
Or wishing you didn’t understand or never-

Tom Bridge:
Yeah. No, that was mostly my experience with wishing I didn’t know exactly what was about to happen, if only for my own sanity.

Charles Edge:
Yeah. And I think that all that’s really true today as well. If you roll out a ZTNA tool, rolling out your own WireGuard, like Joel Renick, I think, did a session on this at Objective by the Sea or one of those conferences last year, and when you roll out your own WireGuard implementation, even if it’s just for tinkering with in your lab, you understand so much more about what’s going on under the hood.

Marcus Ransom:
Well, I certainly found that with MicroMDM as well. I work for Jamf. My life is dealing with Jamf problems, but the process of spinning up a MicroMDM server and having a look at how it all works in there gave me a much better understanding of the bits that you don’t really see in a commercial product as well, and the pieces fell together.

Charles Edge:
To add to that, we used MicroMDM for a bunch of examples in the Apple deployment book because when you hit a button you really don’t know what’s happening under the hood. But then when you look at raw JSON, it’s super obvious.

Ryan Diers:
I think that was the moment I learned a lot about it, was the profile enrollment in MDM, is actually seeing how the communication between Apple servers and how it lands on your machine. That was my moment in this project where I was like, “Oh, wow.” That was the connecting pieces that I could never see just using a commercial tool. You just expect it to work but-

Brandon Kurtz:
Yeah. Back when I was, my first job in college and I was using commercial MDM, either enrollment worked, or it didn’t, and then I didn’t know why if it failed. Just call up the vendor. There’s no one to call, which we’ll get into later. There’s no one to call when you run open-source MDM yourself. So, you got to figure it out and understand what’s going on under the hood.

Tom Bridge:
Saves on the phone bill, I’m just saying.

Charles Edge:
Wait, do people actually pay by the minute anymore?

Tom Bridge:
Sorry. That’s just how old I am, Charles. I still remember.

Charles Edge:
Remember, when you had to pay for long distance?

Tom Bridge:
Oh, God. Man, in college, it would be great. You’d get your phone bill in your mailbox, and it would show you. They, of course, charged ludicrously usurious rates for long distance then. But yeah, it was brutal.

James Smith:
This week’s episode of the Mac Admins Podcast is also brought to you by Kolide. Our sponsor, Kolide, has some big news. If you’re an Okta user, they can get your entire fleet to a 100% compliance. How? If a device isn’t compliant, the user can’t log into your Kolide apps until they’ve fixed the problem. It’s that simple. Kolide patches one of the major holes in zero trust architecture device compliance. Without Kolide, IT struggles to solve basic problems like keeping everyone’s OS and browser up to date. Unsecured devices are logging into your company’s apps because there’s nothing to stop them.
Kolide is the only device trust solution that enforces compliance as part of authentication, and it’s built to work seamlessly with Okta. The moment Kolide’s agent detects a problem, it alerts the user and gives them instructions to fix it. If they don’t fix the problem within a set time, they’re blocked. Kolide’s method means fewer support tickets, less frustration, and most importantly, 100% fleet compliance.
Visit Kolide.com/macadminspodcast to learn more or book a demo. That’s K-O-L-I-D-E.com/macadminspodcast. Thanks to Kolide for sponsoring this episode of the Mac Admins Podcast.

Tom Bridge:
So, we’ve covered MicroMDM in previous episodes, but can you explain what NanoMDM is and why there are multiple projects in GitHub?

Brandon Kurtz:
Yeah, I can give that a shot. So, MicroMDM is a GitHub organization as well as a GitHub project.

Tom Bridge:
A lot like Munki or AutoPkg, yep.

Brandon Kurtz:
Yes, exactly. And the MicroMDM project is under the MicroMDM GitHub org and NanoMDM is also under that org. The org is meant to be a place to collect various components that people who are looking to either run either of these open-source tools or build a platform on top of them, there’s various components under the org that they can use to connect things together and build an MDM platform.
And especially with NanoMDM, there’s swappable components. So, you can choose between certain components. Whereas with Micro, you just get everything in one shot and you’re running the Micro binary, which includes everything you need. Another reason that NanoMDM was chosen to be put under the MicroMDM org, from talking to Jesse Peterson who is the author of NanoMDM, he had ideas where, in the future, NanoMDM could be used as a library for Micro to contribute back improvements. But right now, it seems like those projects are getting developed in parallel. I haven’t seen any crossover yet, but that’s certainly a possibility in the future.

Charles Edge:
Same thing happens with commercial products all the time with best-laid plans, but not just that. I find sometimes everyone has different objectives, and when those don’t align or sometimes you get way too far off in a fork and merging the changes back together would just be too laborious, I guess. Right?

Marcus Ransom:
So, I’m trying to… Vicky’s going to kill me here. My wife’s a linguist, so trying to work out is pico smaller or larger than nano. But seriously, something that’s important is picking a tool that’s built with you in mind. So, who would you see using Nano over MicroMDM? What are the things that would make people want to lean towards one rather than the other? Or what are the benefits of what’s happening in Nano?

Brandon Kurtz:
First of all, the people that I see using Micro or Nano, just open-source MDM in general, are people who want to use the MDM protocol directly. In my experience, not all commercial MDMs let you use the protocol directly. They give you an interface on top of it that can come with limitations. As I was talking about earlier, it’s hard to understand what’s going on because vendors maybe try to help you but don’t give you direct access. So, that can sometimes lead to confusion. I don’t know if this situation has improved in the last few years as I haven’t personally used commercial MDM in a long time. So, yeah, people who want to use the protocol directly.
Also, a reason to use NanoMDM over Micro is that it has a more scalable database. I think Jesse took lessons learned from MicroMDM. MicroMDM used BoltDB, which is an on-disk database and it’s really hard to do high availability if you have on-disk database. And so, Nano lets you plug in more scalable databases. In our project, which inspired us to come on the podcast, in our project that we presented last year at Mac DevOps, we showed how you can use off-the-shelf database from Amazon and plug that into Nano and that makes it easier to scale.

Charles Edge:
Like Redis or…

Brandon Kurtz:
I think out of the box NanoMDM supports MySQL, but it also was designed with a neat framework where you can code support for another database pretty easily and still benefit from most of the code base. All you have to do is write a few methods which teach Nano to connect to a different database.

Charles Edge:
And since it’s already doing JSON, something like Mongo, as an example, wouldn’t be that big a stretch.

Brandon Kurtz:
I actually think, speaking of Mongo, that someone had submitted a [inaudible 00:21:44] to add support for Mongo. I’m not totally sure but-

Charles Edge:
Nice.

Marcus Ransom:
But I know that’s something with the commercial MDM, is back from the days of being a customer working in large organizations, certain areas of those organizations would have opinions and preferences about, for example, what database they wanted to use. And if that wasn’t the one that your commercial MDM was happy to support, that was always fun being in that unsupported territory. Whereas if there is no support anyway because it’s open source, that gives you a lot more flexibility and freedom to be able to align with those organizational requirements as to what you’re wanting to use.

Ryan Diers:
Yeah, I’d love to actually expand on that requirement area. From security, a lot of times, we get projects, and we have to analyze the requirements, the functionality, and also the security needs of tools. And I think one of the things I’ve learned with NanoMDM is not only just the flexibility that you get because it’s such a decoupled version if you think about it from the MicroMDM. It’s all of its components starting to start to be split apart, if that makes sense.
So, for certain components, you can scale them quickly as a lot of industries have now adopted the Kubernetes style infrastructure buildouts. It’s a movement, I think, the progression from the monolithic stack to this whole everything scales for a reason sort of infrastructure. I know in our own testing we noticed that some of the components, you honestly didn’t need a whole lot of resources. But other components like the push notification services, you actually needed a lot of bandwidth. And I don’t mean network bandwidth, but compute bandwidth to handle this kind of load if we were to scale it up.
But yeah, I think that’s one of the biggest things we saw, why pick NanoMDM, is just that flexibility to build upon it, whether it’s… I think, Charles, you brought up the MongoDB or something like that. I think we actually went down a rabbit hole one night trying to do the PostgreSQL and then we’re like, “Nah, let’s not do this tonight.”

Brandon Kurtz:
Yeah, that might have been much like in the weeks leading up to our talk.

Ryan Diers:
Yeah. We’re like, “Oh, this should be easy.” Four hours later, “Okay, let’s not do that. We’ll just leave it as an issue for someone else.”

Charles Edge:
I mean that is some of the nice pieces there. You get to decide what goes in and out when you’re building your own project. I do have to say MicroMDM does a bunch of things on the half of the admin, I guess. You get a lot of things for free, I think. Do you mind telling us what an admin needs to bring to the table for Nano and maybe some of the options people use for some of those? I mean, we’ve talked about some of the Amazon services, but does Amazon have a SCEP-as-a-service or SCEP as code type of instance?

Brandon Kurtz:
Nano itself doesn’t ship directly with SCEP, where MicroMDM includes a SCEP server embedded in the binary. But NanoMDM in its Readme has a really good section where they say X is not included and it covers all the components that you have to bring yourself. So, for SCEP, which you mentioned, there’s various options. You can use MicroMDM SCEP server, only that component, and you can utilize that in Nano.
Jesse also wrote his own MySQL SCEP server. I keep mentioning MySQL. I think the reason he went with MySQL is related to something you were saying before where companies have opinions about what database to use, and Facebook has always been a huge proponent of MySQL. So, it helped him to be able to utilize the database server that production engineers that these companies like. And there’s various other options for SCEP. SCEP is a general protocol that exists for reasons outside of MDM. So, there’s probably a lot of servers out there that you can integrate.

Marcus Ransom:
And I suppose it would also then make it easier in the future to swap SCEP for ACME or something like that when we discover next month what Apple are going to be changing everything for and we see how quickly that’s all manifesting.

Brandon Kurtz:
Yeah, I definitely expect to see ACME support in Nano. Maybe it’ll be easier to swap to ACME from SCEP in Nano because the components are decoupled from each other.

Marcus Ransom:
But you’ll know that when you’ve done it, whether it was easy or whether it was hard.

Brandon Kurtz:
Yes.

Charles Edge:
Yeah. I guess, more and more, I’m leaning if… My history with MySQL goes back 30 something years, but when we’re writing code that’s natively JSON, unpacking that and putting it into tables in SQL as opposed to just throwing a JSON document in a Mongo or whatever, it saves so much compute time. It’s cheaper resource-wise, not cost-wise. Although I guess there’s always a cost, but when we’re all rolling on Amazon credits, sometimes we don’t know what the true cost of anything is anymore. But yeah, that’s an interesting one. How about the MDM push cert?

Brandon Kurtz:
Just like MicroMDM, NanoMDM doesn’t really give you any magic for the push cert. The process is completely controlled by Apple. For our talk last year, we showed that you can use… There was a free service that Jesse was able to provide from a previous job of his where you can generate push certs that are signed by that company, which we do not recommend to do in production and that-

Charles Edge:
Right. That’s a reference implementation phase.

Tom Bridge:
That’s right.

Brandon Kurtz:
Yeah. I think Nano even references MicroMDM’s extended documentation on this is what the process looks like for getting up with cert. And Apple also has a page of requirements and how to apply for one, though different people have had different levels of difficulty obtaining that from Apple. It could be an adventure trying to figure out whether you meet the requirements.

Charles Edge:
It might be good to start that before you start the rest.

Brandon Kurtz:
Sure.

Charles Edge:
Because it can also be time-consuming. It’s not like, oh, I hit the button and I… It’s not renewing a developer cert where you hit a button and the next day it’s done. It can take a while.

Brandon Kurtz:
Especially the first time. If you’re trying to find out if you’re eligible, I’ve seen it take weeks or months for certain orgs.

Charles Edge:
Yeah. They like those enterprise contracts to release those. That helps a lot. So, we mentioned scalability. Any thoughts on load balancing as an example?

Ryan Diers:
Yeah. I think, in contrast to MicroMDM, a lot of this in their guide is somewhat recommended that if you’re going to deploy this, it’s known that it would be deployed on some VM or EC2 instance, and then you still have to build this part out. In our case, I come from this from a security fork that you still want to control your own load balancing, whether that’s you spending up your own ALBs or your own network load balancers for this.
I think that’s the beauty that when you decouple some of these components, is that you’re not tied to per se a particular service or tool like an NGINX proxy or something like that. You can do whatever environment fits for you, whether that’s AWS, GCP or something like that. Or if you’re already in a Kubernetes environment, NanoMDM definitely will fit that environment way better because you can start to point just the individual components themselves and then networking them together is already done in your own environment.

Brandon Kurtz:
It is more work though than Micro. Micro gives you the option to terminate directly in the Micro server. And here it’s like, okay, you have to go figure out how TLS works by yourself. So, this is either a benefit or a curse depending on what you’re trying to accomplish.

Tom Bridge:
Hopefully, you’ve got some good understandings there of TLS, mTLS and all of those connective tissue pieces that you’re going to need to run an MDM at this point. If you’re taking this on your own and you don’t, just stop, go read the books and maybe go learn a little bit before you dive in here because I do think that that’s really important.

Charles Edge:
And how about automated enrollment or DEP, I guess, however you want to phrase it?

Ryan Diers:
This is one of those, another great magical components provided by MicroMDM as it’s just the jack of all traits of all tools. But this is definitely something we actually had to build an enrollment profile handler for this in our own implementation, a very simple going server which could be refactored to whatever you want, whether it’s Python or whatever you’re used to working with in your day-to-day coding life. But there’s also a newer project called the NanoDEP, which can help provide this for you as well.
Again, we took our own route in essence of speed to just generate our own profiles on the fly. So, we have that in our little project but probably wouldn’t recommend the NanoDEP at this point.

Charles Edge:
And we’ll include links for all these projects that we’re talking about in the show notes. So, nobody has to go pause and then using a voice recorder while they’re driving to try to go find all these little bits because safety first.

Brandon Kurtz:
Also, just to clarify quickly, NanoDEP, I think, provides API access for creating DEP profiles, but this is actually separate from enrollment profiles. I don’t know if, at this point, Jesse has written a server that he recommends for generating enrollment profiles, which is why we had to write our own. Again, Micro just gives you that and then it was like, please go figure it out yourself.

Marcus Ransom:
And I think that’s something that I’ve found really fascinating compared to, as you were saying, with the commercial MDMs where you literally just you press a button or turn on a machine. There is no step three. That enrollment happens straight away. But the reality is there is a whole bunch of stuff going on there. And every single one of those things, there’s something that can go wrong. And if proxies are involved, it will go wrong.
And realizing how they’ve got to be linked together, having to do all of this yourself and set it all up yourself is a really, really fascinating insight to that magic that’s going on there and what’s involved. And then gives you the opportunity, as you were saying, with being able to run your own MDM commands to be able to actually customize it to the way you want that process to work rather than the decisions that another developer’s made.

Charles Edge:
So, I guess reading through the verbs, or the verbs of the commands to be more specific, NanoMDM sandbox feels a bit more infrastructure-as-code that sits on top of the NanoMDM Go binary. And it’s worth mentioning all the steps written in Go. Anyone who listened to the MicroMDM episodes would probably follow along with that as well, but would you guys call this infrastructure-as-code?

Ryan Diers:
Yeah. I think, to Marcus’s point, it’s all of the wiring these components together. In our case, the IaC here is what joins all of this together, if that makes sense. In our case, we took a very opinionated route here to set up NanoMDM, which was the constraint that I want to go from, I don’t know, I don’t know when we came up with this term “zero to hero” in a few minutes. As in, I have no infrastructure. I have no accounts. I just want to see how all of this works.
And the idea was that’s how we were going to design this repo, is for someone that wants to take a weekend and say, “Oh, I want to learn the differences between Micro and Nano.” Here we go. Here’s a repo. Spins it all up. It’s definitely not prod ready. I’m definitely going to throw out a disclaimer out there. It needs a little bit of some changes. I would not inherently just start using this out the door, but that’s some of the assumptions that we made trying to build this out, was can you get something going in an hour, so you can see how the MDM commands work, how the push cert works, how the enrollment actually works, seeing all that work out.
So, I think to that point, we… Oh, sorry, go ahead, Brandon.

Brandon Kurtz:
Yeah, I just wanted to say that we wanted to make it easier for people to get started with Nano. We were just talking about how there’s so many components that you have to go figure out yourself. And so, this might be a reference implementation for people to get started much, much faster than it took us. It took us weeks to write all the Terraform that’s in the project, but people can see how it works and use it as a reference within a few hours maybe.

Charles Edge:
Especially if they already know how to use Terraform, I guess.

Brandon Kurtz:
Yes.

Charles Edge:
That helps. Because if you have to also set up the AWS instant from start to finish, all that stuff. Although sometimes, it’s easier if none of it exists because then you don’t end up in permission hell.

Marcus Ransom:
Or breaking things that actually are in production.

Brandon Kurtz:
Something we mentioned-

Marcus Ransom:
Or it’s somebody else’s sandbox they were just using.

Brandon Kurtz:
Something we mentioned in our talk is that when we wrote this reference implementation for Nano, we assumed you have nothing in your AWS account. And that made it easier for us to go from nothing to a working project. But that comes with a disclaimer to go talk to your security team about AWS policies. This might not meet their requirements, but still, it’s hopefully useful as a reference.

Ryan Diers:
And I think, to this point, it is a standup example environment to get started with. There’s a ton of components that aren’t all there yet. With time, with great contributions, it will get better. But I think some of the containers that we have, and it’s not just Go code binary, we put these all in containers, so it fits our… And that was another assumption we wanted to play with, was the serverless infrastructure first. The whole how do we keep this as cheap, but also very operationally not burden to teams because especially a lot of folks that want to spin this up, they don’t want to worry about, do I have to scale EC2? How much RAM does it need?
In our environment, we were like, we’ve already did some of that heavy lifting for you. But yeah, there’s a ton of little translation layers as I called it, like how do you convert the old MicroMDM to the whole new NanoMDM API structure? So, we have a few containers that do that translation for you, but there’s still a lot that depending on your environment where you’re deploying, this needs to be worked out still but…

James Smith:
This week’s episode of the Mac Admins Podcast is brought to you by Alectrona Patch. What would you do with your time if you no longer have to spend so much of it on packaging and deploying updates for third-party app? With Alectrona Patch, you can install or update over 300 Mac applications automatically to keep your users protected with the latest security update.
Alectrona Patch works with your existing MDM solution by simply deploying a package and a configuration profile for ongoing management. It’s cloud native, so no server or package hosting is required, and the latest updates are delivered directly from the software vendor. You control which apps are installed or updated, so you deploy only what you need.
Alectrona Patch is customizable to ensure your users can update without interruption, so you can keep your security team and your end users happy. Alectrona is a proud charter sponsor of the Mac Admins Foundation. Check out Alectrona Patch at alectrona.com/patch. That’s A-L-E-C-T-R-O-N-A.com/patch to learn more and to book a demo with our team. Thanks to Alectrona Patch for sponsoring this episode of the Mac Admins Podcast.

Tom Bridge:
So, I do feel like at this point the world is just a bunch of maybe not quite yet interconnected API endpoints. And using tools like Postman, we can connect those endpoints at least in reference implementations, and then figure out how to best get them into production implementation. So, I guess, how is it working with the NanoMDM API? Because once you’ve got this Terraform environment set up and you’ve got it bootstrapped and you’ve interconnected all this stuff, now you need a way to actually trigger the things. And I’m guessing you don’t want everybody to have SSH access into the things. So, then we’re building endpoints in front of that, right?

Brandon Kurtz:
Yeah, all of that’s right. I haven’t done a ton of work with the NanoMDM API. But from what I’ve read from the documentation and the code base, it seems straightforward. Something we were talking about earlier is a lot of commercial MDMs have you provide the inputs for MDM commands, not in the way that Apple documents. And in Micro, it’s the same. Micro tried to help you out by having you provide it in JSON, and it would translate that for you to the PLIST format that Apple documents. Whereas Nano took the position that you can provide us exactly what Apple asked for and we’ll just send that along.
So, yeah, it’s easier to follow Apple’s documentation directly. You don’t have to go look up what does Nano expect for this command. And you also mentioned protecting the API. I think the way it is today, Nano just has basic auth, the same as Micro. But if you wanted to protect and make sure that people don’t send commands without getting code review in all of this, you would hook it up to a CI/CD system with code review and then only give the API key to your CI runner. I’ve heard about a lot of orgs doing that, the orgs that are running open-source MDM systems. And this is a huge benefit over some commercial MDMs that don’t provide code review as a feature.

Charles Edge:
And I guess, it’s worth mentioning this isn’t a public API. You would only have other servers communicating with it, not probably open it up for me or any of your end users to write a little Python script to try to talk to that because it’s not… Or at least, I didn’t see anything in the code that was rate throttling or any of the things that you’d put on a public-facing endpoint. So, I guess that does bring up scripting. So, we get everything up and running. We’ve got this environment. Can you explain the structure of the API a little bit?

Brandon Kurtz:
Yeah. So, NanoMDM ships with a Python script called Commander, Cmdr.Pi. For our project and our talk, we didn’t write a lot of our own code to interact with the API. This Python script is a reference, just like the format that it expects you to give commands in the PLIST one. That’s directly documented by Apple. The API seems pretty straightforward. You can just provide a list of the UUIDs that you want to send commands to, and then the PLIST describing the command you’re sending, and you’ll be on your way.
For our talk, we just use that script directly in our demo, but I wouldn’t use that in production, if you were going to run Nano in production. I think people who are going to use it in production want something more event based. So, if a device enrolls, that’s an event. And then you should have an automated system that reacts to that enrollment by sending profile commands and installing packages. In reality, I’m not sitting in my computer and typing in a command and using the API key directly. The entire system is just event-based, and the events don’t just-

Tom Bridge:
For compliance purposes, you probably shouldn’t have the key anyways.

Brandon Kurtz:
Right, exactly.

Tom Bridge:
No offense.

Brandon Kurtz:
And the events don’t just have to be enrollment. They can be anything because we control the API. They can be security signals, all sorts of things.

Tom Bridge:
So, using the Cmdr.Pi script, we can create commands for a whole fleet of devices? Or how would you actually use the API in a production scenario?

Ryan Diers:
I think, to your point, Brandon, where you talked about an event-based system, coming from the security side, there’s a ton of webhooks that we can take advantage of in NanoMDM, which aren’t always exposed in commercial tools. Some of the big areas on this is the security signals. We can get the security telemetry, and these tools might include osquery, whatever EDR, XDR tool that you might be running in on your fleet.
And having response to these sorts of events, whether devices are getting unenrolled, re-enrolled, whether the state of it is changing based on the environment like a firewall getting removed, we might want to use and invoke MDM commands in this case, like reinstall certain security settings via profiles or something like that. Some of the ways we might monitor this is like osquery says our tool gets removed, but we want to send a command to go ahead and reinstall or prompt the user on how to fix this, creating a self-service workflow for them.
I think, additionally, if your security model includes things like mTLS, which I highly recommend or this whole zero trust phase sort of thing where we want to move the identity of verifying your device but also your user where it’s coming from the context, we want to incorporate all these signals together via our tools like osquery to maybe trigger NanoMDM to do something whether it’s at a client cert or regenerate the client cert on the end time if we think the machine’s no longer healthy.
So, yeah, there’s just a ton of things we could invoke based on how the world is changing. And what I mean world, I mean the endpoint sort of thing.

Tom Bridge:
And being able to mutate a given system’s profile set or posture or what it’s actually got access to based on time of delivery commands is really exciting.

Charles Edge:
Yeah, and having a bespoke solution that allows you to do that kind of thing is really unique. I know a bunch of, to use your example of mTLS, a bunch of commercial tools do support that, but then you also have to use their PKI proxy. And then now, you’re opening up a whole other thing. Whereas you might have a PKI proxy for three other tools that you’re already using and why open up a whole other thing? It is really interesting to be able to craft your own daisy-chained, event-driven webhooks flying around kind of environment like that.

Ryan Diers:
Yeah, like a device lifecycle almost. You think of how devices are always changing. They’re ephemeral sort of thing. And also, I love your point about the, I call it the hashtag, yet another PKI solution, where it’s like, “Oh, we have mTLS just for this.” And then, “Oh, yeah, we were on this other agent to speak to this sort of infrastructure, yet another mTLS product.” And I’m like, “Boy, it’s like yet another agent, but yet another cert to pass around.” And then just get lost down the road but-

Tom Bridge:
And they’re all exportable at the end of the day.

Ryan Diers:
Oh, yeah. Oh, yeah.

Tom Bridge:
There’s that.

Marcus Ransom:
I thought you were going to say they’re all expired. They’re probably that as well. Expired.

Charles Edge:
Long expiration time always.

Tom Bridge:
Right. Yeah, at least five years.

Marcus Ransom:
So, all the pieces are there in NanoMDM sandbox at least to have a beautiful gooey built on top of them maybe. But that’s not what people who build back in infrastructure-as-code are probably interested in doing maybe. So, what do you see as the next steps for the project?

Brandon Kurtz:
I personally don’t have the skills or interest, to be honest, to build a GUI, but it’s certainly possible. It’s been a feature request of users of MicroMDM for years, especially CIS admins at schools who have low budgets who try to use MicroMDM as an easier way to get MDM, which they need to do their job but a weak point for them is not having the GUI. But I think in general, people who are running NanoMDM and wanting to build these internal event-driven MDM platforms aren’t the people who need a GUI. And so, the reason-

Tom Bridge:
Or want.

Brandon Kurtz:
Yeah, yeah, yeah. The reason why the people I know run the open-source MDM is because they can integrate it with source control and continuous integration and get code review. Integrate it with other DevOps tools that their org is already using. And as far as I’ve seen, no commercial MDM platform lets you be so flexible to integrate it with all of the software engineering tools your org already uses.
If I were to continue developing NanoMDM sandbox, I would potentially work on integrating it with MDMDirector. MDMDirector is a project written by one of my colleagues, Graham Gilbert, who I think a lot of people know. And it’s a tool that lets you respond to events from MicroMDM. So, I was talking about before, there’s an event for an enrollment, you want your system to do something automatically. In response to that, MDMDirector helps you do that.
Currently, as far as I know, there isn’t an open-source tool that provides the same service for NanoMDM. And so, that’s the next obvious step for Nano to make it easier for more people to get involved is to add MDMDirector support or write a new system that can consume and act on events.
Also, another really cool thing that Jesse Peterson, the author of NanoMDM, is always talking about is the fact that you don’t have to run the NanoMDM like main dot Go binary as it’s written. You can write your own and just import all of the code that’s written as a library. So, you can go even further than just stick Nano in a container. You could write your own separate MDM and benefit from all of the stuff that he’s written.

Ryan Diers:
This is the way.

Tom Bridge:
From you guys getting involved with what Jesse was doing, and like you mentioned, there’s so much that gets shared. And this is probably the most important question for any open-source project, but how would you say people can help?

Ryan Diers:
I think it starts as little as just taking a weekend and starting some sort of solving an issue. I think, for me, this was such a very awesome learning experience, is to learn MDM by looking at its components. So, always trying to solve it the way you want, in your opinion, whether that’s moving it to MongoDB someday. There’s a quick way you can contribute back, is that you solve it in the way you want and honestly, share that out because that’s what we did.
We shared our opinion, was how do you start this up quickly so you can play around with it? That’s the best way to help keep these open-source projects going, is that we all contribute to it and make it our own version of what we want sort of thing. You can also find us on the MacAdmins Slack. There’s always a ton of support out there, folks that are also doing the same thing and just sharing what we’re learning and doing.

Brandon Kurtz:
Also, I want to give a shoutout to the MicroMDM office hours. I think [inaudible 00:53:25] and Jesse started this a few years back. When they first open sourced it, I think they realized that this is a really hard thing to get started, even though they shared a lot of code. And so, people who are out there building on Micro and Nano for their own companies might show up to talk about what they’re doing. I’ve just learned a bunch of cool ideas about what people are building from those sessions. So, if you’re interested in open-source MDM and you want to understand what other people have done before you build on the shoulders of giants, that’s a great place to go.

Tom Bridge:
That’s awesome. And it’s another great place where the power of the community really shows through. And it’s one of the reasons I love this community, writ large, is that folks are always willing to share their code, share their knowledge, share their knowledge to help you make your own code that you can share, which is probably my favorite implementation of that particular solution. So, that’s really, really awesome. Do you know when MicroMDM office hours are during the week? Is that…

Brandon Kurtz:
I don’t remember offhand. It’s monthly. I can definitely get you the schedule for the show notes.

Tom Bridge:
Yeah, we’ll make sure that that ends up in the show notes so that folks know when to show up, if you’ve got questions about those kind of things.
Here at the Mac Admins Podcast, we want to say a special thank you to all of our Patreon backers. The following people are to be recognized for their incredible generosity. Stubacca, thank you. Adam Selby, thank you. Nate Walk, thank you. Michael Tsai, thank you. Rick Goody, thank you. Mike Boylan, you know it, thank you. Melvin Vives, thank you. Bill Stites, thank you. Anoush d’Orville, thank you. Jeffrey Compton, M. Marsh, Stu McDonald, Hamlin Krewson, Adam Burg, thank you.
AJ Potrebka, thank you. James Stracey, Tim Perfitt of Twocanoes, thank you. Nate Cinal, Will O’Neal, Seb Nash, the folks at Command-Control-Power, Steven Weinstein, Chad Swarthout, Daniel McLaughlin, Justin Holt, Bill Smith and Weldon Dodd, thank you all so much. And remember that you can back us if you just head on to patreon.com/macadminspodcast. Thanks everybody.
So, one of the things we love to do here on the Mac Admins Podcast is ask the bonus question. And this week’s comes from Charles and it’s pretty good. It says, if you were to build one random infrastructure-as-code project for home, what would it be?

Brandon Kurtz:
A problem I’m having at home that bothers me, but in the grand scheme of things it’s not a big problem but it’s a small bother, is I get ads on my smart TV. When I just turn it on, on the home screen, there are ads from, you should go watch the show on whatever service that I probably don’t subscribe to.

Tom Bridge:
Oh, burn it all down. No.

Brandon Kurtz:
I heard about this product called Firewalla, which is a device that’s made to plug into your router. And to be clear, this is not a sponsorship, and I don’t recommend them, I haven’t used them, but it seems like a cool product. It lets you add a firewall to your local home network, but it lets you do it with a Docker container, which means you can run whatever software that you want to control DNS or whatever. So, my idea in theory is run that container, which black holes the DNS for the ad servers for my smart TV.

Tom Bridge:
I love that. I think that’s spectacular. Ryan, how about you?

Ryan Diers:
Oh, I think, for me, I think it all started last year when I was adamant on the, “I will not automate my home because I do not want mics, cameras and et cetera in my home.” One year later now, I say, “Hey, Siri, set the mood. Hey, Google, open my front door.” And recently, through the adoption of an EV, I said, “Oh, hey, Google, go pre-heat the car, pre-condition it for charging.” And it’s like, wow, all of these things are so great separately, but they work terribly together.
So, I think I’ve been playing around with a tool called Homebridge. And I do have to throw a disclaimer. I’m not advertising and/or endorsing any of these tools, but yet another open-source project that could always use another hand, but it’s tying all these things together. So, how does Google Home speak with Siri and Apple Home? Because those are two really different home automation components.
And I think that’s been something I’ve been playing around with how they get the doorknob to work with the camera, if that makes sense, because they’re two different providers. I have an Apple Lock for the home, but everything else I have in the home is Google powered, except the Apple TV, which is the home base. So, it’s just all this disparity of components, oh, it’s a bit of a mess sometimes. But if I were to build something, it would, how do you run all of these home integration things together without having to run this Docker container that does it all for you? It’d be really great if, I don’t know, maybe a new product called One Home, I don’t know, that works with all of these providers.

Marcus Ransom:
Meta’s going to fix everything; isn’t it?

Ryan Diers:
Oh, yeah.

Tom Bridge:
Well, I mean, it’s supposed to, right? I mean-

Charles Edge:
It’s a protocol, but not as a…

Tom Bridge:
Yeah, I was going to say, I have definitely hacked the way. I now have Homebridge on my local network. I have Starling on my local network to deal with my Nest stuff. And putting it all together is just such a fustercluck. All of that goes against my Raspberry Pi. It was really funny. We had a great friend over for dinner tonight, and she was on the Wi-Fi. She was like, “Oh, right. I realized I can’t click Google search ads from your domain,” because that’s the piehole doing its job, black holing that particular web service, and it just drives everybody nuts. But I’m like, “Eh, I can live with it.”

Ryan Diers:
Oh, yeah. To that point, yeah, I also deployed the firewall as Brandon said. And it is so interesting to see what traffic goes out on these IoT gears. And I’m like, “What is this us.webcam.org?” I’m like, “What is this?”

Tom Bridge:
Oh, no. Oh.

Ryan Diers:
I’m like, “Oh, wait, that’s my Nest.” I’m like, “That’s weird. Why are they obscuring the domain though, hide under the wire?” But I’m like, “Oh, it’s just the camera sort of thing but…”

Marcus Ransom:
So, Tom, what would you do for infrastructure-as-code for home?

Tom Bridge:
I was thinking about this a lot because I’ve done some things here. It’s funny, I have not left the CIS admin life. I still run Munki for the house out of an AWS bucket with Cloud Run.

Brandon Kurtz:
That’s awesome.

Tom Bridge:
And the whole nine yards. I still am using my powers for good out there. And so, I appreciate that I can keep that up to date. What I need to figure out, and this is the thing that I want to start try and do, I want to take a week at some point and go dive deep, because JumpCloud’s got a pretty solid management API, and I can touch a bunch of things behind the scenes. And so, part of me is thinking, “How do I build good code shortcuts for iOS, like the shortcuts language, based on all of that to do important things? How can I make sure that Charlie’s updates get done on a regular basis?”
Well, I could probably do those things and… Because I don’t think I’ve been set up for automatic operating system updates because it’s an older Mac. I don’t trust it as well. We all know how reliable software update is, but at least I can repeatedly send the commands to go and do the job. So, maybe what I want to do is figure out a good, solid shortcuts implementation of our patch management solution, just to keep the systems in the house running the latest version of the operating system. So, that’s my challenge. By the end of the summer, I want to try and have that done.

Charles Edge:
That’s interesting. I mean in terms of design patterns, you could have the JavaScript underlying shortcuts be automatically generated. You just couldn’t deploy it automatically because you have to-

Tom Bridge:
Correct.

Charles Edge:
… manually opt-in to each one of those shortcuts. So, yeah, I’ve always wanted an MDM command to be able to send shortcuts. To me, it just makes sense.

Tom Bridge:
Yes. Oh, man.

Charles Edge:
Like, oh, here’s a JavaScript inside of some JSON that I wrapped up to do a thing. That’s not my answer for this bonus question, but I’ve always wanted that.

Marcus Ransom:
So, what is your answer then, Charles?

Charles Edge:
Oh, geez. How about the kids’ homework in Google Classroom? I would love to be able to talk to the Google Classroom API, because I have to manually open the thing and click the button. Arguably, I should do that because I should be involved in my child’s life and et cetera, et cetera, but they don’t want me in there anyways. But it would be great to be able to shut down the smart TV, the Apple TV, all smart devices in their room where they hide a pretty decent amount of the time if they’re not up to date on… If they have any missing assignments in Google Classroom. Because we have these smart homes; we should be able to use them for good and evil. And to me, good is doing your homework. To the kid, that chaotic evil.

Tom Bridge:
Chaotic evil. Right. Laughable evil, whatever.

Charles Edge:
Yeah, yeah.

Tom Bridge:
How about you, Marcus?

Marcus Ransom:
See, I was going to go the idea, I’ve always wanted this idea of it’s really just using Splunk for good rather than evil and aggregate all the various calendars and notifications and everything like that, so we can have a dashboard somewhere that lets us know that, all right, it’s actually guitar lessons tonight and you’ve actually booked something else on the same night. But then yesterday, I had an experience that goes back more towards the home automation.
So, we’ve got all these various gateways and things to link all the various different kinds of home automation that some work better than others. But I purchased some Dyson heaters, which are internet available. James Dyson is a phenomenal industrial designer and what they do from an engineering perspective is amazing. Trying to get these things onto the Wi-Fi, whole other story. Nerd. It was awful. I needed to spin up a 2.4 gigahertz isolated network-

Tom Bridge:
Oh, no.

Marcus Ransom:
… to be able to get these connected. And of course, they’re controlled by shortcuts. Not able to be implemented into HomeKit or a Homebridge or anything like that. But I never even got as far as configuring the automation because it was, I think, three hours to get two of these devices onto the network. And you’d think the first one, once I’d sort it out all of the problems, the second one’s just rinse and repeat. No, no, it was just dreadful from a workflow-

Tom Bridge:
That reminds me of something I’ve been meaning to do, which is try to write an Alexa skill that will, if device not found, go ask HomeBridge if the device exists and report back. That, to me, getting… If you run two or three different voice assistants in the home, which I think Ryan mentioned he’s doing as well, to me, that’s one of the big problems. I have probably half a dozen devices for each one that doesn’t work on the other ones.
So, I try to put all the ones that can live on everyone, on all of them. And then the ones that don’t, it would be great, since Apple doesn’t have an API, to let me go talk to other things than go in the other direction. I guess, I could actually have something that literally says the words. If I say the wrong words, it then says the right words to the other system or something, but that feels like cheating.

Marcus Ransom:
And that all relies on actually being on the network in the first place. The instructions that came with them were there for old legacy app and method of doing it. And so, it was like anything shrink-wrapped and in paper, throw that out, jump on the web. All I can think is if this is what the new improved workflow was like, I’d hate to have seen how awful the other one was. But it’s like, just let me scan a QR code and make it work. Other people have managed to get that working, but it was like having to turn on the Wi-Fi, so it’s broadcasting Wi-Fi and connect to that, and then do the flip backwards and forwards, and firewalls and pieholes and all sorts of things getting in the ways. So, having to work out which ones are those things I needed to turn off to get it to actually work, it was…
And I’m thinking I’m an IT professional and I’m struggling with this. Maybe other people’s home networks aren’t anywhere near as complicated as they’re not using 802 NX at home. But I’m just thinking how many people just give up, or is it only people like us who actually bother setting these things up? I don’t know.

Tom Bridge:
That’s a fantastic question but…

Marcus Ransom:
All I want to do is have the heaters turn on in the morning before everyone wakes up, so we’d get up and it’s all nice and toasty warm.

Tom Bridge:
Famous last words, man. Yeah, I was going to say, we’ve been down this. We’ve talked a little bit about my dream of the electric mattress pad and the thermostat talking to each other. I mean, the future will come when those devices can talk without too much trouble between them but-

Marcus Ransom:
And then they’ll collaborate and gang up on us and…

Tom Bridge:
And that’s next week’s episode of Picard. I mean the Mac Admins Podcast.

Charles Edge:
My cat and dog have been ganging up. The cat knocks things off the counter. The dog goes and tears it open and then they both enjoy it. I hate them. I hate pets. Why do we have pets?

Tom Bridge:
Yeah, yeah, I was going to say. The trick is only having one and then they can’t collaborate. I’m just saying. Well, Brandon, Ryan, thank you so much for joining us this week. It’s been a great pleasure to talk with you about NanoMDM and all of the great work that you guys have done on this. If folks want to find you on the internet, where should they go looking?

Brandon Kurtz:
You can find me on MacAdmins Slack. My username is BK, and I also have a GitHub and Twitter and blog, which maybe I can get in the show notes.

Tom Bridge:
Oh, yeah, we’ll take care of that for you. And Ryan?

Ryan Diers:
Yeah, likewise on MacAdmins Slack, few other security forums. Do love giving a lot of other talks on just endpoint security and infrastructure security. So, can find those on my blog or my GitHub. That’s usually where I’m fairly active.

Tom Bridge:
Awesome. Well, it’s been a huge, great pleasure to have you both on. We hope you’ll come back and see us another time in the future to talk a little bit more about this project as we go on towards new features, and maybe we can talk a little bit about nano and declarative at some point. Thanks so much for our wonderful sponsors this week. That’s Kandji, Kolide and Alectrona. And thanks everybody. We’ll see you next time.

Charles Edge:
See you next time.

Tom Bridge:
Right-o.

Ryan Diers:
See ya.

Tom Bridge:
The Mac Admins Podcast is a production of Mac Admins Podcast LLC. Our producer is Tom Bridge. Our sound editor and mixing engineer is James Smith. Our theme music was produced by Adam Kudiga, the first time he opened GarageBand. Sponsorship for the Mac Admins Podcast is provided by the macadmins.org Slack, where you can join thousands of Mac Admins in a free Slack instance. Visit macadmins.org. And also, by Technolutionary LLC. Technically, we can help.
For more information about this podcast and other broadcasts like it, please visit podcast.macadmins.org. Since we’ve converted this podcast to APFS, the funny metadata joke is at the end.

Listen

Sponsors:

With Alectrona Patch you can install and update over 300 Mac applications automatically to keep your users protected with the latest security updates. Alectrona is a proud Sponsor of the MacAdmins Podcast and MacAdmins Foundation. Check out Alectrona Patch at alectrona.com/patch to learn more and to book a demo with our team.

Patreon Sponsors:

The Mac Admins Podcast has launched a Patreon Campaign! Our named patrons this month include:

Rick Goody, Mike Boylan, Melvin Vives, William (Bill) Stites, Anoush d’Orville, Jeffrey Compton, M.Marsh, Hamlin Krewson, Adam Burg, A.J. Potrebka, James Stracey, Timothy Perfitt, Nate Cinal, William O’Neal, Sebastian Nash, Command Control Power, Stephen Weinstein, Chad Swarthout, Daniel MacLaughlin, Justin Holt, William Smith, and Weldon Dodd

Mac Admins Podcast Community Calendar, Sponsored by Watchman Monitoring

Conferences
Event Name Location Dates Format Cost
XWorld Melbourne, AUS 30-31 March 2023 TBA TBA
Upcoming Meetups
Event Name Location Dates Cost
Houston Apple Admins Saint Arnold Brewing Company 5:30pm 4th March 2024 Free
Recurring Meetups
Event Name Location Dates Cost
London Apple Admins Pub Online weekly (see #laa-pub in MacAdmins Slack for connection details), sometimes in-person Most Thursdays at 17:00 BST (UTC+1), 19:00 BST when in-person Free
#ANZMac Channel Happy Hour Online (see #anzmac in MacAdmins Slack for connection details) Thursdays 5 p.m. AEST Free
#cascadia Channel Happy Hour Online (see #cascadia channel in Mac Admins Slack) Thursdays 4 p.m. PT (US) Free

If you’re interested in sponsoring the Mac Admins Podcast, please email sponsor@macadminspodcast.com for more information.

Social Media:

Get the latest about the Mac Admins Podcast, follow us on Twitter! We’re @MacAdmPodcast!


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Back MAP on Patreon



Support the podcast by becoming a backer on Patreon. All backer levels get access to exclusive content!

Subscribe

Archives