
Key Takeaways

  • Ricky Jordan from Primitive Skate discussed the company's growth and how they transitioned to using JumpCloud for IT management.
  • Conditional Access and Multi-Factor Authentication (MFA) were implemented to enhance security, especially for remote access.
  • Asset management for the company's devices is handled through Asset Tiger, aiding in tracking and finance.
  • Both Ricky and Becky discuss the significance of having a robust Mobile Device Management (MDM) system, with Ricky noting the security benefits and the ability to monitor device updates and builds.
  • Ricky mentions using tools like NOVA and KnowBe4 for policy distribution and phishing simulations, respectively, to enhance cybersecurity measures and user training.
  • The "I Make Work Happen" giveaway is highlighted as a notable initiative, showcasing an appreciation for employees' efforts and fostering a positive work environment.
  • Don’t forget to share how you make work happen, and enter the giveaway for your chance to win $1000.

Introduction

Ricky Jordan from Primitive Skate shares his journey with the company, which started as a retail shop and quickly expanded into a recognized name in the skate industry. Ricky emphasizes the challenges he faced as the sole IT person managing a mix of devices and systems, especially during the rapid growth phase right before the COVID-19 pandemic. 

He praises JumpCloud for its ease of use and its role in facilitating remote work during the pandemic. Ricky also discusses the implementation of Multi-Factor Authentication (MFA) and the challenges of getting employees onboarded. Asset management is touched upon, with Ricky mentioning the use of Asset Tiger for tracking devices and assets.

You can find the full video recording here: The IT Hour | JCU Advanced Cert & I Make Work Happen guest 10.6.23

Speakers

  • Ricky Jordan, Senior Technology Manager, Primitive Skate
  • Becky Scott, Head of Technical Community, JumpCloud
  • Urvashi H.V., Technical Community Champion, JumpCloud

Transcript

Introduction

Becky Scott:

So Ricky, you're not new to the show, you're not new to the group, but it may be just for a refresher. Let's see. You're with Primitive Skate. Maybe you want to remind people a little bit about Primitive Skate and your role there. I think since the last time you were with us, I think you have had a title change. 

Ricky’s Background and Role at Primitive Skate

Ricky Jordan:

We've grown. Yeah, we keep growing. Obviously the economy is a little tight for everybody on sales, but we won't get into that. It's not a sales conversation. But Ricky Jordan from Primitive Skate, I also ran a company for about 20 years, not necessarily an MSP, but as a tech consultant for residential and SMB, a little bit of the SME side of it, probably 10 bread and butter customers. Half of those are on JumpCloud now. 

But Primitive is my larger customer that turned into a retainer that turned into a full-time W2 position. I've been with them for about 10 years now. 

Primitive Skate’s Growth

So I started out with about five employees for this business. It used to be a retail shop selling everybody else's clothes in the skate industry. And then we kind of got our first PO with, hey, we want Primitive, we like your logo, we want to sell it at Zoomies, Tillies, and the malls. All that good stuff.

And pretty much overnight, we blew up. We went from like five shop employees, to me getting a call maybe once every two weeks to fix their cheap wifi color inkjet printer. So I started being like, wow, this company's picking up. And yeah, it basically became a household name in the skate industry. We're making hard goods, skateboards, shirts, clothing, all the good stuff, wheels, trucks, all that stuff. 

Primitive Skate & JumpCloud Relationship

But with that noted, we blew up right before COVID-19, and I had one IT guy with an unmanaged setup. We had no Active Directory server. We had pretty much a hybrid of iOS, Windows, and Mac devices, and as a single IT guy doing everything unmanaged I needed a solution. 

And right before COVID came, JumpCloud, whoever was doing the SEO marketing ads did a great job. The YouTube channel was cool. And here I am as a pretty big, I don't want to say fan, I'm a fan for one reason: because I like the product. Is the product perfect? No product's perfect, but we know that if you have the right tool in the toolbox that gets a job done, that's JumpCloud for me.

Why JumpCloud?

So basically, I made that move right before COVID, and it kept my job alive when we basically had 80-plus issued devices and end users going full remote, minus our warehouse. So that was kind of my success story using JumpCloud. It's kind of waiting for the right time. I had a vanilla open kind of foundation at Primitive. I just didn't know what product I wanted to use. We were an MS 365 customer for a while, at that time. Did I want to go the Azure route or Intune? Which was still more in the earlier stages than it is now.

And, like I said, the JumpCloud ads are great, and the pricing was good. I love the 10 free to get it started, and here I am today and I'm deploying it to another company of 60 users starting next week. So this is a little bit of my JumpCloud backstory and Primitive.

Becky Scott:

Yeah, that's quite a story, and we love to hear that because it's a pretty great journey, and we love seeing our customers succeed. It's really neat to see how Primitive has grown and just exploded in all these different ways. I mean with the skating stuff, but also with the clothing. I mean, that was probably a little bit of a surprise in a good way to see how that took off with everything.

Ricky Jordan:

It's fine, it's fine.

Becky Scott:

We're still waiting on our care packages, by the way. No, I'm just kidding. Just kidding.

Ricky Jordan:

A Primitive JumpCloud collaboration shirt, maybe. Sounds good.

Discussing Security

Becky Scott:

There you go. Primitive JumpCloud. Well, this is Ricky's card from I Make Work Happen. So we talked to him about how he Makes Work Happen. He's like, well, let's talk security since it's Cybersecurity Awareness Month. And so Ricky, why don't you tell us about your Pro Tip?

Ricky Jordan:

One of my most favorite features, I say I sound like a little kid saying my most favorite feature, but I really love Conditional Access. It's crazy to talk to other peers in the industry who are either heavy MS 365 or something else. They're like, I'm finally dabbling in conditional access. I go, what are you waiting for? Just get into it, right? JumpCloud makes that easy. 

I love the easy interface of it, which is I basically deployed this in a couple of minutes when it was brought up in part of my account back in 2020, I think it was. But pretty much the reason why it's big for me, obviously security, we're talking about security this month. That's a big thing. But I will start off with almost 90% of our stack is full SSO, except for Adobe. We're calling you out on the pricing model for Enterprise needed for Adobe SSO.

But aside from that, because JumpCloud is our IdP, it is our portal. If you go to Gmail for Google for email, or you go to MS 365 or Zoom, you kind of get where I'm going: it's going to loop you back in to auth through JumpCloud. So we have kind of a new jive for us. We've got about 80 internal full-time users who work for Primitive that have Primitive company-owned devices, but we also have some VAs (virtual assistants) and contractors that are on BYOD. 

Challenges of Security and Skateboarding

So for me, I would like to protect via MFA, but also, we're a skate company. I'm technologically advanced, but at the same time, I've got to speak skateboarding to everybody in a way. So nobody wants to download an Authenticator app on their phone and deal with that and have five MFAs for this, this, and this.

Ricky’s Solution: JumpCloud Go

So what I did is the biggest thing that sold me on conditional access was trusted devices. So if they're on their company's trusted device, they don't have to authorize with MFA. You can supercharge that with Scott, who was on the other week, and have JumpCloud Go and how that can streamline that too. 

But prior to JumpCloud Go, how can I make it so users are not blowing up my help ticket queue with frustration? I got a new cell phone, I lost my TOTP, I can't get in. So conditional access helped with that. 

Other ways we use it is we're kind of like a super big on zero trust. So if we get somebody new that we're onboarding, regardless of whatever department, unless their manager requests specific access, they're started out where they're blocked from any access to logging in via the IdP unless they're on their company-trusted device.

Strict Password Regulations

So that helps with, yeah, we have a very, when I say strict complexity for our passwords, it's like a 14-character minimum, which might be excessive to some people, and it requires certain characters. We have a 120-day expiration period for it. But aside from that, people still can get hacked today. They might share their password with somebody or something else. So why not block it if they're not on their actual machine?

Location-Based User Groups for Conditional Access

So that's kind of how we start off with conditional access. You can obviously supercharge that. We have people in Egypt, we have people in India, and stuff that work for us as contractors. So I have kind of location-based user groups for conditional access. 

Primitive, we're US-based out of Los Angeles. The majority of our crew is in the USA. So I do pretty much limit everybody to US access only. So I'm trying to lock down wherever I can so I can fall asleep at night and not have nightmares of our stack waking up in a mess and I probably don't have a job the next day, one of those things, but that's my little push behind conditional access.

Extra Security Measures for Onboarding New Team Members

Becky Scott:

Yeah, we definitely like our IT admins to wake up and still have jobs, so definitely. Well, that's a really great story about how you all are using that. It's really interesting to see how you're limiting the geos just to where your people are located and keeping them to just to their work devices, especially as they are just starting with the company. 

And so that way you're like, look, they don't even know everything yet, and so they don't need all of that extra access until they kind of get acclimated and know where they should and shouldn't be going and what they should be doing and things like that. I think that one of the biggest risks is right when someone first starts, they don't know all the ins and outs of all the different systems. 

So, therefore, you really have to keep them really focused as to where they're supposed to be.

Hopes for Mobile Trusted Devices

Ricky Jordan:

Correct. It's helpful too. I think the one pain point I will say, and I know Scott and crew are working on it, is the other week when I saw the chat blew up, we want mobile trusted devices for BYOD or company-managed device type of thing for iOS and Android. I know that's down the pipeline. 

So that's kind of my missing piece of the puzzle a little bit is I can't wait till the day it's like, Hey, go to your JumpCloud portal, enroll your iOS device, do that with your managed Apple ID or however that ends up going. And now you don't have to worry about having JumpCloud push on your phone every time you want to log into something on a personal device or whatever. But the ecosystem's there, it's super close, and I got just to lock it down whichever way is possible. 

New Phone, New Problem

But my favorite time is fall when everybody gets a new iPhone, and I get a Help Ticket Queue full of, I got a new iPhone 15, I can't log in with the MFA, can you reset my Protect and everything? So it's cool. It keeps me employed that way, too, though.

First-Time MFA-Users

Becky Scott:

That's one good way to look at it. But let's talk about that a little bit about implementing MFA (Multi-Factor Authentication) because this is one of the topics we had queued up about. It could be most of your users' first time using MFA. 

So how do you deal with that? You've got a lot of non-tech users who are brand new to all of this. So it can be a learning curve when they don't want to deal with that. They just want to go do their work. So, oh, I don't want to mess with that, man. I just want to go do my thing and go do my work.

Ricky Jordan:

So it started off with a quick audit of how many people are accessing on a personal device. Sales departments are probably on their personal phone for email. We're a Slack-based company, so that's Slack or Teams. So Slack, Google Workspace, that's kind of our email stack and our communication. We use Ignite for our cloud drive, which I definitely want to lock down. So some people do use that on mobile devices. 

Auditing Devices

So what I ended up doing for MFA was, okay, first of all, audit how many people are not on a trusted device. Because where I'm going for this is, do we need an MFA? If everybody's on a trusted device, technically, you still want them to enroll if they're going to go on a non-trusted device. So I was like, how am I going to present this to a skateboard company that, as you'd mentioned, some of our employees have never had a company-issued laptop before.

Their personal setup probably doesn't have MFA turned on or might have a 2FA where it's texting them. So that's their vision of MFA. So when I launched it, Protect, I believe, was being talked about, but it wasn't live yet. So I was like, do I want people to have authenticators on their phones? What can I do? Lo and behold, Protect launched right before I was going to make the company-wide announcement about doing MFA. 

I made it pretty easy for everybody that I didn't force an enrollment but if they were going to access it and they were permitted access to do it on a non-trusted device, it would force them to set up MFA on that non-trusted device right away. It would not let them get into the JC portal until they set that up.

So I don't know if it's still like this to this day, but at that time, you needed two devices to register Protect. You couldn't just go, I had one of our execs in Hawaii at the time, and I remember that was the only pushback I got like “I'm sitting here ready for a pina colada or something, and I can't log into my email on my new phone.” So basically, they logged into the JumpCloud portal. Their MFA has not been set up yet, but they're allowed to access it. 

Setting Up MFA Remotely

So it's asking them to set up MFA, but on their phone, they have to scan the QR code to set up Protect. You couldn't just save that image and upload it or have a manual code or something like that, which I'm sure there's a security reason for it. So I go, hey, you go back to your hotel room, grab your laptop, scan the QR code, or somehow take a picture of it, send it to your wife, scan it, and then set it up so it blocks the access unless somebody set up MFA.

But at the same time, let's say somebody just never set up their MFA, and somebody had their password in another country or somebody that shouldn't have it; they technically could have probably enrolled somehow some way. So I had to get a little creative and force it after that. Doing that, everybody was on Protect. So any new employee moving forward was easier to audit. 

Setting Up Existing Users

But getting existing users was a little bit of a challenge, but I didn't get much pushback other than that Hawaii example from one of our execs. Everybody goes, this is really easy. We love the push notifications. Obviously, that's gotten better with biometrics, which helps me sleep at night a little bit better. Some of the push-bombing protections, which is cool. But yeah, we were up and running. 

Password Resets

I think the first time I talked and worked with JumpCloud on a webinar, I shared that story. I literally had launched it, I think, the week before that. And my whole selling point was the fact that I wasn't getting bothered by help tickets when I was doing the webinar with it. And we actually pushed our first password reset for the company, which I know a lot of people frown upon, but I was just trying to figure out what the right variables were to secure us. 

So fun times, we did MFA and password complexity and password reset rotation in the same week.

Becky Scott:

That's ambition.

Ricky Jordan:

Urvashi, I like that checking email in Hawaii should be illegal. I agree with that one.

Urvashi H.V.:

I mean, enjoy your vacation, but I guess you don't get to the exec level without checking your email all the time everywhere.

Ricky Jordan:

My execs keep me busy. 

Becky Scott:

Yeah, I know the feeling, John, that says you can't check email if you have two drinks. I mean, you're too busy for that or too out of commission.

Ricky Jordan:

We won't talk about that side on this, I'm just kidding. Yeah,

Asset Management with Asset Tiger

Becky Scott:

That's for the after-hours IT Hour. So let's talk a little bit about what you do for asset management. It sounds like you've got quite a few employees and a lot of different devices. So what do you do to track everything?

Ricky Jordan:

So I'm not a one-man show anymore. I brought Jeff Stewart on board, who is my co-admin. I've worked with him for almost 20 years. So he does some subcontracting for me on my MSP contractor side. So I kind of was picking his brain when I brought him on board about three years ago, and I go, Jeff, what do you guys, he works for a large charter school. So he manages about 10 crew underneath him or beside him, I should say. 

And how do you keep track of, I don't know, 4,500 laptops or Chromebooks and all that good stuff? How do you make the finance department happy? Right? They want depreciated value, they want all that stuff. So he linked me over to Asset Tiger. That's what we use. It's actually pretty economical, and if you do need to get stickers or physical tags, you pretty much save money if you buy tags every year. I think we have a $300 or $400 spend every year on tags. We probably buy them, but we don't use them, because it's cheaper than buying the software subscription outright. But we do physically use the tags. We just don't have 400, 500 devices coming on board every year or whatever. 

Benefits of Asset Tiger

So we are on Asset Tiger. I love it because you have the check-in check-out system. I'm strict on notes. You got events, the whole history on the device, if you have repair notes, spec notes, depreciation for finance, multi-user, login with Google, which works good for us because it's technically not full SSO, but at least you can link it to sign in with Google, it links back to the IdP of JumpCloud. 

But that's what we do for that. Everything is in there. I spent a good amount of time bringing it over. My original process, which some people might kind of laugh at, I had a process, which is number one, I am glad I had a process, I kept track of everything in our 1Password company account for our admin department. That was my original way of keeping track of everything, including receipts, B&H, Apple Business, and all that type of stuff. 

Area of Opportunity for JumpCloud: Asset Management

So I was able to migrate. It wasn't the easiest thing. So it took some time, but I was able to bring it over. Now the one thing that's probably lacking is some type of API to work with JumpCloud or JumpCloud Asset Management would be great because everything is kind of pre-populated there. But yeah, that's our take on asset management.

Losing Devices

Becky Scott:

What do you do if you lose a device? Or do you have much of that?

Ricky Jordan:

That actually happened last weekend. I've had this happen a little bit. So some of our staff, we got a pro skateboarding team of, I think we've got 10 heavy hitters right now on the team. And then we have our skate manager, a couple of videographers, and photographers. We've got probably a good 15-20 of them out. 

Not all skaters have assigned computers, but they'll probably have an iPad or a company phone or something like that. Our video guys have pretty supercharged MacBook Pros, you are looking at $7,000-$8,000-plus buildouts, right? You got four terabytes, whatever. You get where I'm going with that. So we're talking about the after-parties. 

Yeah, I know this is a professional cast, but there was a nice after-party for one of the movie launches, and I got a call at three in the morning. This was on New York time, by the way, but it was three o'clock LA time in the morning. So it must've been a great after-party. 

He goes, I think I left my laptop in the taxi or Uber. I go, okay, no problem. He ended up getting it back. So easy thing we are, I don't want to make any assumptions, but we use MDM for Windows, Android, iOS, and Mac. Everything's zero-touch enrolled for our Macs. Everything's on Apple Business Manager. 

When Wiping a Device is a Last Resort

So there's a couple of ways you can kind of go about that. We do use FileVault. We push FileVault on it. I used to be a firmware password guy prior to that for all of our MacBooks. But now that they're in Apple Business Manager, JumpCloud MDM, you can obviously lock the device. There's a couple of things you can do: erase the device and lock the device. 

My worry for him is he's got content, I think it is an eight-terabyte deployment for the storage disk on that. And I go, well, he's probably got a lot of video footage on there from this trip. It was an after-party ending the trip, but there was a lot of filming going on for two weeks around the US. 

Urvashi H.V.:

The video guy lost his laptop? 

Ricky Jordan:

Yes. 

Becky Scott:

So wiping it... would be a last resort, right?

Ricky Jordan:

Exactly. So a couple of things on it. Manual notes never go wrong. I'm a calendar guy. So I've got alerts like, hey, is this thing going to come back online? The cool thing, until Scott's login screen comes on board, is a lot of people know that on Macs, you boot it up, if you're not on the wifi network, good luck trying to join that wifi network. Even if you get past that FileVault screen, right? 

Let's say you have the password you get on the regular login screen, but you're not online, so somebody's got to have an ethernet adapter, or they're not going to be able to join wifi right now. So I'm like, is this thing going to come back online? Am I going to see if it gets pinged? 

So basically, I just wanted to lock it down, and if it ever did come online, which I've mocked up before, you've got your four-digit code if you want to unlock it. It's kind of like a firmware lock with it.

I could talk and consult with my video guy, is it okay if I erase it? I did see it come back online with a couple of things on it, but luckily he got the laptop back. But I already had a whole kind of a game plan setting reminders to see if it ever comes back online, but I do trust it because the recovery partition is going to be an interesting way to get to it. 

With MDM and ABM enrollment, especially now with Sonoma, you can't really do the bypass if it's not online, that type of thing. So, you are a little bit more trustworthy with things, but you can never be too secure with it. But that was my case scenario of a lost or stolen laptop.

Becky Scott:

Really recent use case too. Wow.

Ricky Jordan:

It was stressful. It's comfortable stress, but I'm just like, okay, you just got to go in the mode. I had just gotten woken up in the morning.

Becky Scott:

Yeah.

Urvashi H.V.:

I mean, that's because you've been doing this for, what, 20 years, you said? But hearing the story for the first time, I'm like, “ahh.”

Ricky Jordan:

Yes.

I do good when you're in the boiling pot. I feel like I'm just in that matrix zone. So I do better under stress if not, the mind wanders too much any other way. So I don't try to be the dog in the fire all the time. I'm trying to not have the fire situation. But obviously, when the game’s on, put your game face on basically.

Having a Plan In Place with SOPs

Becky Scott:

It sounds like in previous conversations we've talked that you have a lot of policies already in place ahead of time to deal with things like this so that there's maybe not as much stress when things like this happen because you're like, oh yeah, I've already got a plan for this. And I know that a lot of people don't necessarily have that. So this wasn't on our list of questions, but since we're talking about this, I want to dig into it a little bit more because how do you approach that? Because I think it's, we've had previous conversations on other IT Hours about this, about having a plan, having policies in place, and then testing them can actually be really important because you need to have your plan. There's all kinds of scenarios you need to plan for, but then you need to actually test it and make sure it works. So what has been your approach to that, and is there any particular reason why you decided to do that and make it work for you?

Ricky Jordan:

Sure, sure. One thing. So the Mac process for that is so straightforward. Yeah, we do have it written up. So we do have an actual master document Jeff (my co-admin) and I put together. That's basically your security backup recovery plan. Just like our good old emergency alerts we just got this week on our cell phones. You want to test them every once in a while and see if they work right. Process of change, maybe we're using a different cloud provider for our data; JumpCloud, maybe the features have changed, or Apple changed the way MDM works or Windows, that type of thing. So we will roll through that. But we do have a master document that I actually had Jeff put together because he is a little bit more, even though he is in the education system on tech, he's more corporate than I am on things.

So I'm like, Hey, Jeff, write up something. I wanted to see what he thought of our processes too. So it was kind of a test for me to see if he's paying attention to what we've been developing. They put that together, a super formal document looks industry standard, and he was spot on with it. I did some adjustments, but we have that as our master blueprint. I built out this IT department as if I'm going to hire four or five more heads. So even if it's just me, I still write SOPs, I still write things. I'm that nice guy that if I ever did have to part with Primitive for some reason, here's the keys, here's this. I don't like to play that hard-struck game where you got to chase after me or whatever. So I do have that plan, but on this laptop incident, for example, it's so easy where I just know that I need to log into JumpCloud, go ahead, and perform the lock.

The hardest part was taking note of the code you're going to use for the lock, right? What if you lose the code? But that was literally pretty much it. Kind of natural instinct came on because that process was so simple. Now, if you asked me what the hard part for that was, I couldn't go into my JC admin iOS app without leaving bed and locking that device up. I had to get up, walk downstairs, grab my laptop, hit lock. I know JC admin's coming with better features for devices. But aside from that, that was kind of it. I do have a master plan. The Apple process is pretty easy.

If this was a data recovery for our cloud drive, we have certain backups, which I won't disclose here for security reasons, but we do use Ignite's snapshot and recovery, which is amazing. If we have any Apple fans here that have used Snapshot, whether it's in Disk Utility, Carbon Copy Cloner, Time Machine, whatever you want to call it, everything Snapshot's kind of the way, right, lately. So imagine that in a cloud drive: I could spin up a 20-terabyte mount pretty quickly. So if we had ransomware or something else like that. So we've got plans for all these little sectors, even iOS devices and all that good stuff.

Endpoint Detection and Response (EDR)

Becky Scott:

Well, that leads into another question about EDR. So let's talk about, I think you mentioned you have EDR with CrowdStrike, and they're a partner of ours. But let's talk a little bit about that because that plays well into all these different scenarios and things. So do you want to talk a little bit about that?

Ricky Jordan:

Yeah, I love it. So I know we didn't get into BYOD, but the thing that kind of came up for that, our other provider we were moving away from, I'll mention, I was using Bitdefender and another remote desktop provider, and then JumpCloud Remote Assist came up and I'm like, well, how can I save a little bit of money but supercharge something else? And that was going to be Bitdefender. Nothing against it, but I was limited on what type of Bitdefender setup I could have, and it was mainly on Windows devices. So I wanted to protect our Mac devices and I want to look at our mobile side of things. What can I do for preventative instead of after-the-fact maintenance or, yeah, security. So EDR obviously is talk of the town, next-gen antivirus, getting some Macs protected. BYOD devices are a big thing.

Patch management, I'm going to sneak a little thing in for that. It's really nice because we get somebody coming in on BYOD, they're required to be part of the MDM now, so I can see what operating system they have and the specs of their computer. We had somebody join recently that was on Windows 10. So they met the requirements, but they were on 15, 3, 11, or something. I think it was like a five year old build. And I knew that instantly because they couldn't join the MDM, that feature was not in Windows 10. So once they're on board with that, you still don't know what they're doing with their personal BYOD computer. What type of stuff do they download? What is their endpoint security? Do they even have that? Are they Microsoft Defenders? So basically, when they enroll in our MDM, CrowdStrike sneaks in via command line to install and activate Mac or PC.

So that helps me feel a little bit more at ease. And then I also supercharge that, keep using that word. I'm a car guy by the way. JumpCloud password manager added that onto, so do not store any passwords in your browser and that. So browser policies, I can go down the rabbit hole, but I know we're talking CrowdStrike, so forgive me. But the simple thing was I got CrowdStrike, installed it via command, and activation, and it works. I love it. Dashboard, I love the features. I haven't had any fires with it or any red flags lately at all, actually. So it's doing its job, but it seems like our systems are locked enough where I haven't had to get one of those scary pings where, okay, I got to go into kind of security mode and deal with that user or the endpoint or something like that.

Mobile Device Management (MDM)

Becky Scott:

Very cool. Let's also jump into a little bit about mobile device management and password policies. And you can speak to either one of those you want to first, and I won't go into the other one.

Ricky Jordan:

So just speaking like MDM at all, just general?

Becky Scott:

Yeah, sure. Yeah, that was one of our topics, so if you want to talk a little bit about that.

Ricky Jordan:

Being an MSP and contractor on the side, I get a lot of phone calls, whether it's Okta, Jamf, which I do dabble on. I'm a Jamf supporter, also. No hate. I love JumpCloud, but I'll get pings all the time, and the number one thing is mainly they're an Apple computer company, or they use Apple devices, and they go, we've grown, and it's all about onboarding. They want a good seamless onboarding experience. They're looking at the automation side of everything, but they're not looking at the security side of it. One thing that stands out: if your device is in Apple Business Manager, technically, your device kind of has an activation lock, at least now with Sonoma, it's a little bit better with it where you can't bypass the remote management and that type of thing. But it's nice.

You kind of have that security with it a little bit, which is not a hundred percent good. And then you still have to force people to go through your setup, your first-time setup with MDM, remote management, JumpCloud sign-in, and then you can marry policies, you can marry things. Our thing is we don't have any admin accounts other than the service accounts. So once they get in, you can have all the scripting to do everything you want to do, which is your automation. But in reality, for me, it's all the security side of it. It's just every laptop is not a clone, but it follows our process and setup where you don't have any worry, like manual checklist. Like, oh my gosh, did I install this? Did I turn this setup off? Did I push this policy manually or something with it?

The MDM for me, great for automation, but my selling point to my customers is, what are you doing for security? And they're number one, well, we use a Mac, it's secure. I'm like, but all your users are admins, or they might also have an unmanaged admin account on there, that they use the same password on every computer, or it's different because they set 'em up manually at different times. So that's the strong points of MDM for me. PC pretty much follows that same thing. Obviously, it's a little bit different on enrollment and that type of thing. But yeah, MDM makes my life easy, but it also gives you a little bit more security commonality, something in common on security.

Password Policies

Becky Scott:

And on passwords. You said you had 14 character enforcement and 120 days and things like that. Do you get any pushback from the users that aren't really IT people and stuff like that? Do you get any pushback on, oh, it's so long.

Ricky Jordan:

I didn't get much. I got pushback. We first did it two or three years ago, and you'll get it every once in a while. The one thing that I think is more troublesome for me is if somebody forgets a character they use, and then you'll hear, oh, I typed it in right, my new password's right. We don't allow users to self-serve forgot password. They have to contact us. Slack does not sign out. So normally somebody's not totally locked out of something. And if it is, I've had maybe three use case scenarios in the last three years where somebody's totally locked out and can't find somebody at Primitive. They're like, I have nobody's phone number. What do I do? That has happened, they can't self-serve. But I'd rather be more secure than less secure in that area. But I haven't gotten much pushback other than the forgotten character, it's your system.

It's not remembering anything. I've kind of taught people to use phrases or sentences a little bit, that's helped them quite a bit. And I've actually gotten a lot of praise by people saying, “Hey, I've gone and actually worked on all my personal passwords, thanks to Primitive’s motto here,” which I'll take that as a win. But yeah, I'm sure there's a lot of talk behind the scenes of people grunting that I just don't see. My wife works for a very large bank on the corporate side, and I get to listen to her. They have to reset, I think, every 30 days, and every morning that happens, I just hear her complaining, and they won't let you change it from 2022 to 2023. It's very smart how it does that. Unfortunately. I wish JumpCloud had that feature. I'm sure more people would despise the password reset if they couldn't just change a thing on things.

Patch Management

Becky Scott:

What about, we talked about patch management and management use of that. So what do you all do there?

Ricky Jordan:

Set it and forget it. I'm just kidding. So the manual process for me, what's good with the MDM, or even if you just had an agent with a device group bound to it. We use a pretty general policy. I'm not super strict on it, but at the same time, I'm secure with it. Macs are different for the major OS; that kind of pushed that out a little bit for us. We try to do the 90 days and do the sign of the cross and hope at 90 days everything's working real good with it. But aside from that, it's helpful. I mentioned BYOD. I've actually kind of found out a new favorite use for patch management. Now I can see really easily kind of a scope of all the different builds for Windows or Mac. iOS, Android, I'm looking for you one of these days; in patch management that would be pretty cool, but you can kind of see the builds.

I can see, like, oh, somebody's still on 21H2 for Windows. I've got 10 devices sitting in there. Four of those are BYODs. Lemme go ahead and just manually reach out to the user. Not every BYOD has a forced policy necessarily for patch management for us, but at least we have the visibility on the dashboard. Depending on what type of user, I don't try to take over too much via GPO or policy on their machines if it's a BYOD. So I have a little bit of manual work to do there, but we also have some strict legal documentation. And also, we use KnowBe4 for policy distribution, assigned every quarter, of changes to BYOD requirements. You're using a device that's four or five years old, you're getting close to the end of life for it.

So I can kind of use some little tidbits of it to either auto-update our regular fleet or some BYOD or at least have transparency into things. And I could, if I wanted to send a policy real quickly to force it, maybe backtrack it a little bit if needed, but at least there's visibility and transparency there. If not, you'd be kind of rolling dirty, and you send 'em a DM, can I log in to your machine remotely? Why? You're viewing everything manually, right. Okay. You're on Windows 10, but like I mentioned, your last update was five years ago.

Becky Scott:

Kick them off the network if they're that old, oh yeah, you're too vulnerable, so get out of here.

Ricky Jordan:

That is probably the most vulnerable area. When I heard that we're going to do more external contractor side, I already, what was cool is I pretty much had all the MDM stuff in place. Patch management- I think I was one of the first on the EA side of things on it. So I actually was using that in a live public environment actually, at the time. I didn't have any quirks or bugs with it, but it was helpful. I already had that on the shelf, ready to go. So when we had more BYODs, it's like, here's my process. Let's rock and roll and let's keep going.

Securing Your Environment

Becky Scott:

Wow. One last thing we were going to talk about since it's cybersecurity month is some of the ways that you're trying to secure your environment. And I think you had talked about how you're trying to prevent phishing and things like that.

Ricky Jordan:

That. So we go, not really old school, it's old school with some new school ways. I had a reminder to push my phish simulation out today, but I don't think that was a wise idea while I'm here chatting with everybody, but I'm sure KnowBe4 is kind of a household name for everybody. So we do a lot of user training now. Urvashi, I saw that: “How happy or unhappy are your end users about their BYOD?” We've got a pretty cool staff that's hyped to work with us. The hard part for me was when I didn't have a BYOD path through registering MDM for Windows, because that wasn't available for some of our legacy BYOD. Getting them to enroll was a little bit like, why do we have to do that? But a lot of these users work for a company we hire out that hires them.

And so any new users we got worked for that same umbrella company. So that was our thing. Okay, after May, any new system that comes on board has to follow this new policy. What's pretty cool, this company issues new computers every year, but this company goes, “Hey, do you want us to get all of our users logged into that for you?” I go, perfect. So my selling point was the fact that we can set them up in 5-10 plus minutes depending on their internet connection, which can be a challenge sometimes, and it auto downloads all of our apps and has everything ready to go. So using that automation was my selling point for that. Data - I presented it like, Hey, Primitive's data is separate. And a lot of our stuff, it's all cloud, so it's not really a lot of local file storage. So it wasn't, it's not owning your device. You can leave anytime you want when you leave the company. So I was just very transparent about how that went. So Becky, let's revisit what we were touching on.

KnowBe4 Security Awareness Training and Simulated Phishing Platform

Becky Scott:

It was on KnowBe4, and yeah, security.

Ricky Jordan:

Oh, KnowBe4, yes.

So it gets kind of cool. So with the KnowBe4 side of things, the pushback I get actually is more on the external side of it, not because of our BYOD policy and MDM. It's more about why do I need to take this? I don't work full-time for you. Why do I have to accept the company handbook tech policy? I'm like, well, you are touching our data. You're on your device, but you're also in our environment, and you're a risk to the company. So using KnowBe4, it's not just used strictly for the training of what is phishing, what is scanning QR codes, the usual type of end user training, stuff like that. It's also we push out new policies, new bring-your-own, depending if they're external or internal users. We have different training campaigns that push out, but we try to do that quarterly.

I'm more of a semi-annual guy because I like to spread things out a little bit. And our users like to self-educate. I actually have people reach out to us, which is really interesting. None of my other customers have this, but at Primitive, it's almost like there's a sense of pride. Ricky, we haven't seen any new training lately, but I've noticed that there's a new trend for AI. What do we need to do with AI? What do we need to do with this? So it's really interesting that people approach me before I even push out a campaign. So I'm like, am I doing it too infrequent or something like that? But anyway, KnowBe4 is our product for doing that. Phish Submissions. We do use it, I'm kind of a little bit old school with the way I have it presented. We do use a lot of Mac mail.

We have MS 365, it's not for Outlook or Exchange, it's for desktop app licensing. So we still have a lot of users that really like to use an office app. So if they are an Outlook user, you can put that Phish button or report Phish, MacMail, not so much, Gmail, you can have it if they're webmail users. But old-school being, have a banner on top of the email, kind of like 365 does, saying, “Hey, this is an external mail. If you think it's phishy or whatever, forward it to spam at [X].” And then basically you have KnowBe4’s phish software go through it, classify it, ping me and my partner and stuff kind of through it. So it is kind of an extra tool in the toolbox for security. Starting at the user point, I think, is the biggest thing. You can have all these bells and whistles, but we've seen so much social engineering attacks.

It's like they come in, and one thing that I'm sure a lot of other companies are struggling with is LinkedIn. People are kind of going through LinkedIn and finding your execs, finding your HR manager, your AP department, something like that, and they're going to take a gamble. Is it first, last name, first initials, what is their email address? And they'll send that right out. And I'll get somebody, HR comes at me because they've seen the training and they actually got that sense of pride. Ricky, somebody wants to direct deposit information change. It's like, okay, somebody wants something internally changed, ping them on Slack. I know you could check the email address or look for flags, but that's going to go through the spam and the Phish filter. Why not ping so-and-so in Slack that they asked for a direct deposit? Oh no, I didn't ask for a direct deposit. You try to give 'em different ways to do their own little recon, but everybody actually likes to bring it to our attention, which I never get stressed. If we do a phish test and I get a hundred help tickets on it, I'm totally cool with that. So we've just got to be supportive. We can't frown on it like, oh, this guy again, or something.

Becky Scott:

At least they're checking, right?

Ricky Jordan:

Yes.

Becky Scott:

So it's better than just running for it and going with it. So that's good. That's good. Even if it creates a little bit more work, it's better than the work it would create if they did it incorrectly.

Shadow IT

Ricky Jordan:

Yes. Becky, one thing I was going to bring up if we got a few minutes is shadow IT. I know we didn't talk much about that, but I'd say that's probably the one thing that you're always chasing the tail on. So my tactic for that is giving, we have a pretty healthy tech budget. With current times, you got to keep it pretty strict and lean. But luckily, I report directly to the CFO. So talking with the money guy on the finance side doesn't mean you got infinite spending. But he supports tech, which is really big, and it's allowed me to flourish in my department and provide these resources. But so, with that note, we moved over to Ignite for our cloud drive, turned off Google Drive, which is what everybody was kind of using. And everybody likes Sheets. They like Docs, but then we have some of our Microsoft users.

So I try to give 'em a good cloud solution that still allows 'em to do that, but it's all under this protective, more enterprise-grade type of cloud solution with more robust permissions for sub-folders and all that. So I gave 'em a solution they love, but the problem there is, are they still going to use a WeTransfer link that's sending licensed material or something else like that? I really, really educate as much as possible. I do have a shadow IT thing they sign every campaign for KnowBe4. Does that mean that's going to cancel out them from uploading a file to a free website? No. But I can also see audits of frequent users that use shared links with Ignite, and I'll just do a little old school due diligence, and follow up with their manager like, how's Ignite working for sharing external files? Did you know we have watermarking? You can watermark that PDF catalog that goes out.

Making that look shinier than going to WeTransfer and making it easy to use so they're not like, oh yeah, we know Ignite's great, but I could just go to WeTransfer and upload it real quick, and I can go get my lunch with my friend real quickly, or something like that. So I'm just trying to give them these really good tools with shadow IT. But it's tough. I guess if they download an app, they can't because they're a standard user, but at the same time, you're not a hundred percent protected. So that was just something I wanted to touch on. Shadow IT is always a fun one.

Becky Scott:

Yeah, it's kind of like playing a game of Whack-a-Mole, right? Yes. You're always trying to get rid of those little bits. 

Urvashi H.V.:

In Asia, everybody's favorite shortcut is WhatsApp. When they get hold of your WhatsApp number, suddenly WhatsApp is your new Slack, and you can't turn it off.

Ricky Jordan:

Yes. I get it every once in a while because obviously, we have some production and manufacturing around the world and stuff, but some in China, see, obviously, you have certain apps that only China uses, and so sometimes I'll make an exception here and there for things, but the majority of things is like, Hey, I get that you really like this app from another company. I might even listen to somebody and be like, maybe I'm not the right one. Maybe I didn't have the right solution for the company. I listen to my team too. I'm not a hard bleep, bleep, bleep type of person, but I'm pretty fair. I think people have somebody to talk to if they need it, need something we don't have in the toolbox too, which is cool. 

Becky Scott:

Yeah, Stephen's evaluating KnowBe4, and so it seems like it's a great product.

Sweetening the Deal in Terms of IT Budgets

Ricky Jordan:

Stephen, one thing I'll give you, I don't know what you use for payroll with HR, but we actually pushed our sexual harassment training through KnowBe4. Because they're added automatically from JumpCloud via SCIM and SSO, and they're in there and they can, depending on their user group with SCIM, if they're an external or internal user, you can push the sexual harassment training for an internal user, and HR loves it. They're like, “oh my gosh, we like the content, we like the automation of it.” So that was another sell that I was able to use with the board of directors. Why do we need to make this spend? I'm like, well, you can use it for this and HR can use it. So it's just another thing that might hopefully sweeten the deal if the budget's a little tight.

Becky Scott:

That's a good extra little point there.

Ricky Jordan:

Got to find a way to get it approved.

Becky Scott:

Yeah, absolutely. Well, we're a little bit over, but good stuff. So thank you, everyone, for hanging with us. Good to know. Thanks, Ricky. So Ricky, thank you so much for sharing all the stuff you're doing. I mean, my goodness, you're doing so much and so many great things, and thank you for being such a great partner with JumpCloud.

Version history
Last update:
‎11-30-2023 08:13 AM