Telegram channel r_systemadmin - Reddit Sysadmin

Reddit SystemAdmin. Thanks @reddit2telegram and @r_channels.

Reddit Sysadmin

Thickheaded Thursday - July 31, 2025

Howdy, /r/sysadmin!

It's that time of the week, Thickheaded Thursday! This is a safe (mostly) judgement-free environment for all of your questions and stories, no matter how silly you think they are. Anybody can answer questions! My name is AutoModerator and I've taken over responsibility for posting these weekly threads so you don't have to worry about anything except your comments!

https://redd.it/1mdxgpt
@r_systemadmin


Reddit Sysadmin

Who is in charge of checking the terms and conditions of a new software?

Hello fellow redditors,


I am new to IT. We are a small company. We do not yet have established policies on how things are done.

One of our architect teams is expanding their field and starting to get new software. The local distributors of this software often say what they need to say to make the sale.

For example "you can install the same license on as many computers as you like, but you can only have one session online with the credentials we will provide. So you need only one license for your entire team".

I e-mailed them asking for the above to be sent in writing and of course they pretend they never said it.

So, I need your help to understand. Who is in charge of checking the terms and conditions of a new software before it is bought? To me it sounds like a legal issue, so it would be the legal team.



https://redd.it/1mdv2ld
@r_systemadmin


Reddit Sysadmin

New Spoofing Method?

Hello fellow sysadmins, is anyone encountering a new spoofing method where your users are receiving an email to themselves with an HTML attachment? We have had a handful of users receiving a note/email to themselves that they do not recall sending. Even after changing their Office 365 credentials as well as resetting their MFA they will still receive these spoof emails. We have email filtering through SonicWall and it's done quite a great job protecting from spam/phishing, however this spoof method is pretty wild since it's coming as a note directly from the affected user's email address. Wanted to see if anyone else was encountering this and possible feedback on how to counter this.

https://redd.it/1mdqn17
@r_systemadmin


Reddit Sysadmin

Farm to table, artisanal only MacOS update consultant

I work for a small/medium sized shop: 1200ish endpoints, roughly 10 percent of those are servers, 10 MacOS workstations total out of all of our devices.

Up until recently, we've allowed our Macs to exist in a walled garden, managed by a consultant. However, after a serious security incident, we've decided to bring those machines back into the fold, and do some light monitoring/management.

What monitoring/management has meant for us is putting the Defender XDR client on our Macs, and putting Intune policies on those Macs to govern update cadence. We're requiring OS updates to be applied 21 days after patch issue if they're applicable for the machine.

The farm to table, artisanal upgrades only consultant is talking to the manager of the group with the most Macs (under 5) with gloom and doom FUD about Intune and Mac updates. His position is that he can only do updates after a long period of research, and that he then applies them individually, with sensitivity to the work the user performs.

I think this is bullshit. The "farm to table upgrade" thing came from me, as this all sounds like a bunch of hooey to protect this guy's revenue stream. I'm not a MacOS guy, but if it's truly the case that Macs need an individually crafted and researched OS upgrade strat, then those machines aren't suitable in an enterprise environment. Other orgs much larger than ours make Macs work, so again, I'm smelling BS.

My consultant buddy also had a FUD filled email talking about remote data wipes if IT wants (um yeah, if we suspect compromise), website restriction (duh) and "data harvesting", whatever that means in an environment where the machines and data are all owned by my org.

Thoughts?

https://redd.it/1mdohpq
@r_systemadmin


Reddit Sysadmin

How do you document access + tool workflows without repeating yourself 10x a week?

We’ve hit that stage where every new hire asks the same stuff:

* “How do I request access to XYZ?”
* “Where do I find API creds for staging?”
* “Which VPN config do I use again?”

We’ve got the answers in a wiki. No one reads it.

Slack threads? Get buried.

By week 2, we’re drowning in repeated hand-holding. And it's not like we're not busy with actual infra work.

Anyone found a good way to **scale onboarding around internal tools and access** without writing a 200-page PDF? Bonus points if it actually gets read.

Not trying to reinvent the wheel, just tired of being the wheel.

https://redd.it/1mdgdxo
@r_systemadmin


Reddit Sysadmin

What’s a realistic cybersecurity starting point for a business under 20 staff?

We don’t have IT staff, but we’re handling sensitive customer data.
If you had to set up a minimal yet effective cybersecurity stack for a small team, what would be your top 3 priorities?

https://redd.it/1mdec5v
@r_systemadmin


Reddit Sysadmin

Best Cloud security company for enterprise?

What cloud security companies do you think are leading the way for enterprise environments in 2025?

We’re looking at options and would love input from anyone with real world experience. Looking for companies with strong capabilities across areas like CSPM, CWPP, CIEM, container/Kubernetes security and support for hybrid or multi cloud environments (AWS, Azure, GCP).

Established players are on our radar but I’m open to hearing about others that might be flying under the radar or offering great value. Would really appreciate your experiences, recommendations and any gotchas you’ve encountered during deployments.

https://redd.it/1mdd4zf
@r_systemadmin


Reddit Sysadmin

Anyone tried SOC 2 with Delve?

Cross-post from r/cybersecurity:

I'm part of a lean (2-person) IT team at an early stage startup and SOC 2 has become non-negotiable. We can't invest too much time for this, since we're just two people and neither of us has a lot of experience with compliance, so our CEO wants to bring in a platform and is pretty much set on Delve, mostly for the AI selling point.

I'm a little apprehensive though since they're fairly new, so I wanted to know if there are any challenges or friction points I've got to look out for if we do end up getting Delve. Thanks!

https://redd.it/1md0g9t
@r_systemadmin


Reddit Sysadmin

What infra certs are hot right now?

I'm currently a Sr. Systems Engineer managing almost every aspect of my company's infrastructure.

The networking, all of the Microsoft environment (users & groups, device management/Intune, security/defender, exchange, SharePoint). I manage our cloud environments, stuff in both AWS and Azure. Pretty much everything that isn't end user support of DevOps, AI or programming.

Years ago I was studying for my CCNA and Security+ but life kept happening and I would put them on the back burner.

I feel I now have the experience I was trying to get the CCNA for, maybe even the Security+ too, so perhaps the experience will speak more to those than the certs at this point.

I only have my A+ from like 2008. And the reason I'm asking is simply because I want leverage to hit the next level of income.

Is cloud all the rage now? DevOps? I'm not too particular about a certain direction in my career, I like working with technology in general, and so far I've been capable of learning anything put in front of me so I'm wide open to input.

Just looking to settle on a target, but one that's desirable and in demand.

https://redd.it/1mcx9bo
@r_systemadmin


Reddit Sysadmin

W11 24H2 No taskbar/black desktop since latest update?

Hi all,

This summer we are imaging all new devices with Windows 11 24H2 OS Build 26100.4349 (Dell Pro devices) via SCCM with the driver packs from Dell Command.


They all work fine, but when running Windows Update (OS Build 26100.4652) and restarting it gets stuck on 'Preparing Windows' when you try to login, if you Ctrl + Alt + Del then it loads up but you can only see your mouse pointer and everything else is black.


There have been a few times it has 'fixed' but I'm not sure if it's just a fluke or something else is happening, we use mandatory profiles, I've tried a local admin account also which sometimes works, but not always.

I've tried:

* running sfc /scannow
* dism /online /cleanup-image /restorehealth
* Deleting all of the packages in local appdata
* Deleting profiles
* Turning off applocker
* disabling Sophos
* Disabling Smoothwall

We have noticed some desktops have fixed when manually installing the latest update:
2025-07 Cumulative Update Preview for Windows 11 Version 24H2 for x64-based Systems (KB5062660) (26100.4770)


I'd love to know if anyone else has experienced this and what they did to resolve it, we have thousands of devices so it's a bit of a nightmare.


Opening up task manager and trying to run explorer.exe OR pressing the windows does nothing, checking event viewer shows:

**Problem Details**

* **Problem:** Windows Start Experience Host
* **Description:** Stopped working
* **Date:** 25/07/2025 10:03
* **Status:** Report sent

**Faulting Application Path:** `C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe`

**Problem signature**

* Problem Event Name: MoBEX
* Package Full Name: `Microsoft.Windows.StartMenuExperienceHost_10.0.26100.4768_neutral_neutral_cw5n1h2txyewy`
* Application Name: praid:App
* Application Version: 10.0.26100.4768
* Application Timestamp: 61de637a
* Fault Module Name: StartMenuHost.dll
* Fault Module Version: 10.0.26100.4768
* Fault Module Timestamp: 919e7523
* Exception Offset: 00000000000ffe6d
* Exception Code: c0000409
* Exception Data: 0000000000000007
* OS Version: 10.0.26100.2.0.0.256.121
* Locale ID: 2057
* Additional Information 1: 23f4
* Additional Information 2: 23f433b5363112671f353cae94b59b8a
* Additional Information 3: 7937
* Additional Information 4: 79378fb4fd0bb45ddfed06ea4f0ca029da

**Extra information about the problem**

* Bucket ID: 67e12a638bc7cf8f5a3b6c2a39f28019 (0)

\-----------------------------------------------------------


**Problem Details**

* **Problem:** Windows Logon User Interface Host
* **Description:** Stopped working
* **Date:** 25/07/2025 08:30

**Faulting Application Path:** `C:\Windows\System32\LogonUI.exe`

**Problem signature**

* Problem Event Name: BEX64
* Application Name: LogonUI.exe
* Application Version: 10.0.26100.4202
* Application Timestamp: 8ed3eebb
* Fault Module Name: Windows.UI.XamlHost.dll
* Fault Module Version: 10.0.26100.4202
* Fault Module Timestamp: e941334f
* Exception Offset: 0000000000007922
* Exception Code: c0000409
* Exception Data: 0000000000000007
* OS Version: 10.0.26100.2.0.0.256.121
* Locale ID: 2057
* Additional Information 1: cba7
* Additional Information 2: cba7c3f99593f456a2fd946d7ba108447
* Additional Information 3: 1900
* Additional Information 4: 190095246be723a043309671f53bdece

**Extra information about the problem**

* Bucket ID: 81087e5e778acd4ad346a3da6adffa3c (0)

\-----------------------------------------------------------


**Problem Details**

* **Problem:** Windows Explorer
* **Description:** Stopped working
* **Date:** 25/07/2025 09:28
* **Status:** Report sent

**Faulting Application Path:** `C:\Windows\explorer.exe`

**Problem signature**

* Problem Event Name: BEX64
* Application Name: explorer.exe
* Application Version: 10.0.26100.4768
* Application Timestamp: 6e2489c5
* Fault Module Name: explorer.exe
* Fault Module Version: 10.0.26100.4768
* Fault Module Timestamp: 6e2489c5
* Exception Offset: 00000000000bd964
* Exception Code: c0000409
* Exception Data: 0000000000000007
* OS Version: 10.0.26100.2.0.0.256.121
* Locale ID: 2057
* Additional Information 1: 3e45


Reddit Sysadmin

How to Go Serverless Ten Remote Sites

Hi Admins,

We would like to go serverless on-site while still supporting Active Directory, DHCP, and File Services across 10 SD-WAN-connected sites. Each site runs:

* Single AD forest
* Exchange Online (Office 365/OneDrive) - all the users
* SD-WAN between all sites
* Each site has 50-200 users
* Cisco network gear
* Domain-joined workstations

We are looking to reduce the burden of maintaining and managing legacy hardware. Our goal is to move away from traditional infrastructure and adopt a more cloud-centric model. Can we transition to a serverless architecture, or what would be the best approach to modernize over the next 2–3 years? Let me know if you need more info.



https://redd.it/1maeplb
@r_systemadmin


Reddit Sysadmin

What is the efficacy of tools that claim to be able to bypass MDM on iOS and Android devices?

I actually came across this in a parenting group talking about kids bypassing screen time restriction but the tools referenced claim to bypass even corporate MDM. I have no desire to drop $50+ to see if it works. It's a random piece of software that seems to be an exact copy of dozens of other pieces of software with the same description but I'm curious if anyone has run into these and if they actually "work" in that we should be worried about their ability to bypass restrictions on corporate devices.

I know kids and teens are uniquely motivated to find bypasses for this kind of stuff so it wouldn't surprise me if they were sharing something that worked on some level.

The software in question was "Tenorshare 4U" but it seems to be a copy of dozens of other similar pieces with seemingly randomly generated names and nearly identical websites.

https://redd.it/1maafmy
@r_systemadmin


Reddit Sysadmin

Netplan YAML Generator & Validator

Hey everyone,

If you’re working with Linux, you know that Netplan YAML configs can suck, especially when it comes to indentation and syntax. I wanted to share a couple of free web tools I’ve found super helpful for managing Netplan configs:

* Netplan Generator: https://blueternalsolutions.com/netplan-builder Quickly build Netplan YAML configs using a web form. Great for generating both simple and complex network setups without worrying about YAML formatting.
* Netplan Validator: https://blueternalsolutions.com/netplan-validator Paste your Netplan YAML to check for syntax errors or formatting issues before deploying. Saves a ton of time troubleshooting broken configs.

I created these tools because it seems every time I set up netplan I need to look up the syntax. Especially on the terminal it's much easier to just paste in the config.

Also, don't forget about the /etc/cloud/cloud-init.disabled file so your config doesn't get wiped.

Would love to hear if anyone else has tips or tools to make Netplan easier.

https://redd.it/1ma02t9
@r_systemadmin


Reddit Sysadmin

Apparently a mail my server sent was stalled for 22 years?!?

Have an email in maildir format: https://digitalkingdom.org/~rlpowell/media/public/22_year_email.txt

It is, in fact, the case that in 2003 I was running an email server named chain.digitalkingdom.org ; stodi.digitalkingdom.org is the current incarnation of that same setup. I was, in fact, running ecartis, and I was, in fact, sending out the mailing list in question.

EVERYTHING ELSE IS QUESTIONS!

How was the email stuck for 22 years?

Why was EmailCoverageSystem@paanalyticstestlab.onmicrosoft.com subscribed to that mailing list?

Why, for the love of shub-internet, did mail.analzegran.com receive mail destined for paanalyticstestlab.onmicrosoft.com ? *HOW*?

EDIT: mail.analzegran.com appears to be running on AWS and has no obvious connection to microsoft.

I'll try emailing the obvious places, but I expect this will remain a mystery forever. :)

https://redd.it/1ma2nlk
@r_systemadmin


Reddit Sysadmin

Holy F up.

I had a summer intern working in DNS yesterday, local domain was redacted.com and was connected to azure.

Went in today to do some weekend updates to the systems, and my DC has been renamed and is now connected to redacted.local

It seems they have demoted the DC from the regular domain.

How the bloody heck do I reconnect the DC to the old domain? It was a solo DC

https://redd.it/1m9z2tk
@r_systemadmin


Reddit Sysadmin

Silent deployment of employee monitoring for hundreds of remote PCs?

I'm really wrestling with a directive from HR. They want to implement employee monitoring software for our hundreds of remote employees. The biggest headache is doing this without a massive backlash. I'm thinking about solutions that allow for silent, automated install. It's not only solid activity monitoring software and app and website tracking we need but also something easy to manage at scale for remote team management. Any thoughts on how to pull this off without causing a panic? Or pitfalls to avoid for workforce analytics at this scale? Thanks.

https://redd.it/1mdshqp
@r_systemadmin


Reddit Sysadmin

Everything I do feels utterly pointless. So much paperwork. It's a total waste of time. It pays my bills, but I hate it.

I'm so, so burnt out.

Every little thing annoys me and feels inefficient and unnecessary.

For example, I have to fill out daily timesheets with a breakdown about how I spent my work day, not once - but TWICE, one on a system meant for payroll people, and the other for our managers. They are very different and I can't copy stuff from one system to another easily.

I have to enter the same 18 new DNS records on Azure, AWS and internal ActiveDirectory, because this specific department is worried about a doomsday scenario in which both clouds completely go down and their DNS would be affected. It's absurd, each cloud gives you like 4 nameservers in different locations already.

Every time I have to update a minor thing on some software, I have to put in a "change management request" form with 86 different fields to fill out, with pointless information. Every field requires selecting some menu option that takes 30 seconds to load, and is seldom ever relevant (for example, I have to enter the name of the data centre - despite the fact we don't have data centres anymore. So I just choose a random one to proceed). Then I have to chase up approvals for this request, from at least 5 different teams. Most of them aren't technical and have no idea what I'm doing, it's a rubberstamp at best. But it adds a lot of overhead and Slack messages, to what would have otherwise been a 5 min task.

I had some project manager asking me to check for the sizes of their software's directories on multiple servers. Same software, diff servers. Took quite a while. I still have no idea what that data was for, and I get the feeling that neither did he.

I used to get these daily tasks from one of our departments, automated-looking requests to give some new recruits access to something. Every time someone joined I had to spend time on granting them access. I got suspicious - why am I even doing this, this person doesn't have a technical role so why would he need admin privileges on a Linux machine. I started marking these tickets as completed and closing them, without actually doing anything. It's been 4 months and nobody has noticed yet. I wonder what percentage of the work I do produces nothing that's used by anyone, like this.

***

I'm in a public sector role. So working harder/more doesn't really reward you with anything. Everyone gets paid the same. No performance bonuses. I get the feeling everyone else here isn't working too hard, and is pushing back against a lot of stuff, which is why these people always get to me somehow. There are also a lot of people around who just aren't very good at their job or knowledgeable.

Some of my friends are like "why don't you automate the boring stuff". I'm not a dev and usually don't have access to APIs, and the bureaucratic obstacles to get that are impossible here. I'm tired. I don't even want to see a keyboard. I mostly want to be outside and lie down on the grass.

I'm less than a decade away from early retirement, based on my calculations. So all I can do is rant. Not changing into other fields or roles or companies. I'm done. I'm cooked.

https://redd.it/1mdrl14
@r_systemadmin


Reddit Sysadmin

Why I like working for a large enterprise

In the past there has been back and forth about this with people in smaller shops having one opinion and people in the large shops having another, and we definitely have our share of issues in the large enterprise, but I can say we do not have the following problems I see popping up here all the time.

Secretary storing stuff in the network closet?

Nope. Only authorized IT contacts have keys and policy forbids storage in network closets.

Boss demands to have a list of everyone's passwords.

Nope. Nobody can have anyone else's password by policy. Doing so would result in termination. No boss can override this.

Random desktop on a shelf in the data center

Nope. Desktop computers are not allowed in the data center. Period.

25 year old desktop with NT4 running the voicemail system in a closet

Nope. This would be a massive violation of the information security policy.

Boss doesn't like MFA and forces you to turn it off for his account

Nope. Information security policy requires everyone have MFA no matter who they are.

A manager wants access to a former employee's email account and then starts sending email as them for months on end

Nope. If an employee leaves it requires multiple approvals including HR to get access to their email account, and only for long enough to copy the mail out and then it is closed down again. Old accounts can not be kept open indefinitely. Business process needs to be built around this because when people leave their accounts are absolutely deleted after a grace period.

The finance lady insists she must have her own personal printer and the boss says to give it to her

Nope. There is no "finance lady" because finance is an entire department staffed by employees who have to operate as employees like everyone else and use the same equipment as everyone else. They can use secure release on the same printers as everyone else.


It isn't all sunshine and roses by any means but we don't do a bunch of stupid nonsense that is just blatantly awful. There are no hubs under desks and servers in the bathroom. The microwave is not an IT responsibility. IT does not assemble furniture. We have a standard replacement cycle for our laptops every 3-4 years. Nobody has a gaming PC on their desk because they think they're special. Random non-technical executives do not have domain admin access just because they want it.

We have a whole host of other issues, but at least we have none of these problems.

https://redd.it/1mdqf01
@r_systemadmin


Reddit Sysadmin

How good are you at programming, not scripting?

I was just wondering whether you think that SysAdmins can be decent programmers. For example, in addition to scripting, I write small helper programs like mailers and backups(and some not so small that use SQL databases) in C# and Assembler, as well as some SQL. And some web programming, when edits are needed.

https://redd.it/1mdl62k
@r_systemadmin


Reddit Sysadmin

Palo Alto buying CyberArk out: An Exciting New Chapter for CyberArk and Our Customers

https://www.cyberark.com/press/palo-alto-networks-announces-agreement-to-acquire-cyberark/?mkt_tok=MzE2LUNaUC0yNzUAAAGb-3uDVtY7tl2Ujk2K_iqf7QROCXXzw6n8wWpGZYe32J3ojjq6X2AH_Q1NrwrrP3b-DN6i8sMPW1EhGdPrM9vk7r82k9USDlsw6rHAfQoHmaYuCiXSrw


I feel sorry for my old workplace who is facing a budget crunch without having to deal with this.

https://redd.it/1mdimqv
@r_systemadmin


Reddit Sysadmin

Virtualbox Extension Pack license terms quietly tweaked, says licensing consultant

Larry needs another yacht:
https://www.theregister.com/2025/07/30/licensing_change_oracle_virtualbox/

https://redd.it/1mddlpx
@r_systemadmin


Reddit Sysadmin

Using Old Firewalls with Custom Firmware

Hi,

Today we cleaned out our storage and found some old firewalls (Palo Alto, FortiGates, and similar devices). We were offered the chance to take them for personal use and "dispose" of them that way.

It got me wondering: isn’t it possible to just flash custom firmware (like OPNsense, for example) onto such hardware appliances to make them "better" and more up-to-date?

Has anyone here had experience with that or even done something like this themselves?

Thanks and best regards :)

https://redd.it/1md9qmg
@r_systemadmin


Reddit Sysadmin

CEO wants to track all the laptops to ensure no one works out of our Province/State. Any recommendations for a tracking software?

Basically the CEO and senior leadership wants to have some sort of tracking software ensuring no remote workers are working out of Province or out of country.

We are a small organization that uses Google Workspace with some users that have access to the Microsoft world (Teams, Excel and the whole suite)

We are currently using Intune, Sentinel one and GoTo resolve. All these systems feed us the IPs and other information to track the users but it's passive and we would have to check individual records.

Any software in the market that will help us achieve this tracking request?

Thanks in advance fellow sysadmins


https://redd.it/1mcykb2
@r_systemadmin


Reddit Sysadmin

Additional Information 2: 3e45509b1f7017d6893bda024500b63e Additional Information 3: baef Additional Information 4: baef64f9367fd2555742acc0fd8e0754

**Extra information about the problem** Bucket ID: 2875555545634ce4ae24a3e52b3bd323 (0)



https://redd.it/1mairuo
@r_systemadmin


Reddit Sysadmin

[Help Needed] MFA Recommendation for Hybrid Environment (AD, RDP, O365, Citrix, VPN)

Hi all,

We're looking for a solid MFA solution that can cover multiple systems in a hybrid environment (on-prem and cloud). Would appreciate any recommendations based on your experience.

Requirements:

* Windows Active Directory logon protection (with offline login support)
* Remote Desktop (RDP) MFA
* Office 365 integration (SAML or Azure/Entra-based)
* Citrix (Virtual Apps & Desktops, RDS Gateway, etc.)
* VPN support (Fortinet and/or Sophos via RADIUS)
* Push-based MFA with mobile app support
* Offline fallback (TOTP, hardware key, or code)
* Cloud and/or self-hosted deployment options (EU hosting or data residency is a plus)
* Reasonable pricing (up to 5 €/user/month with full feature set included)

This will be deployed and maintained by a single person, so we’re looking for something with a high level of automation and operational maturity — no solutions that still ship simple bugs into production. Ease of deployment, daily administration, and user experience are all highly important.

If you've worked with any tools that meet most of these needs, I'd love to hear about your experience.

Thanks in advance!

https://redd.it/1maeodc
@r_systemadmin


Reddit Sysadmin

Why did you want to become a sysadmin?

I'm curious as to the reason. That said let's break it down % wise.

What % was it for more money?

For me I'd say 40% was for more money so I can live finally without needing to work a side gig 7 days a week to make ends meet.

But alas laid off and likely back to shit pay help desk with no benefits in my region.



https://redd.it/1macr6f
@r_systemadmin


Reddit Sysadmin

AWS Workspaces as office worker replacement?

Alright, I have a POC in a couple weeks for AWS Workspaces. Possibly BYOL, but doesn't matter if not. We currently have our servers in the AWS EC2 cloud and they're all behind a SonicWall on AWS. That works fine. All of our users across the country are WFH since Covid. We closed all of our brick and mortar. Likewise, all of our users are on laptops, which are reaching EOL. We're at a situation where we either have to buy new laptops because W10 is retiring (but W12 has no release date) or we look at DaaS. To start, it's probably 50ish Office/Sales/Marketing users... no technical high-end users. So is AWS Workspaces a feasible solution at this time? Either way we're shelling out some money for either that or replacement laptops. So I'm just putting out feelers.

Most of our services are in the cloud, like O365, our CRM, VoIP, IM, etc. At this point we don't really have anything in-house so really as long as folks have an internet connection, they can work.

Just wondering from those who have the experience, if it's something I should legit consider or just bite the bullet on new hardware?

https://redd.it/1ma8djb
@r_systemadmin


Reddit Sysadmin

How many IT admins/Helpdesk staff is normal ?

Been at the same company for 24 years (yeah I know 🙄)

Long story short….. now looking after 11 sites based the length and breadth of the UK (x2 large manufacturing, x4 large distribution warehouses and 5 office) …. Originally only looked after 2 sites.

Total number of IT users is circa 400 (sales reps,office staff, factory/distribution staff)
On call 24/6 as our manufacturing and manufacturing sites run Mon-Sat.

I look after 35 servers in total, 20x VMware virtual, rest physical at each other sites.

I deal with all infrastructure/security/project work etc etc…. Basically everything bar the software development side.

Was allowed to employ a single trainee 2 years ago, because I said I’d leave if I didn’t have someone to help me out as the stress was becoming too much.

Now my question is…… how many IT admins/ Helpdesk would a company of this size usually employ ?

I’m paid £55k a year btw……which I don’t think is enough!
I joke that if you actually work out the number of things I look after, I’m actually paid less than an India call centre 🫣

https://redd.it/1ma29iv
@r_systemadmin


Reddit Sysadmin

Why does no one talk about how hard it is to actually operationalize security policies?

Writing the policy is the easy part.

Seriously. You can sit down and crank out a 5-page Access Control Policy in a couple of hours if you’ve got the framework in front of you.

The real problem starts the minute you try to make that thing real in an actual environment:

* Who’s supposed to “review access rights monthly”?
* What tool are you using to track that?
* What happens if no one does it?
* What if the MSP doesn’t even have that visibility?

Half the time, the person who owns the tool (Intune, Defender, whatever) doesn’t even know what’s in the policy. And the person writing the policy has no say in the tools being used.

So what happens?

* You get the illusion of compliance
* The policies age out quietly
* Auditors find the gap later
* Then people scramble to fix it during a mad rush

Why don’t more people build policies backward from what’s actually being done? Or better yet, start with who owns the process, and write with them instead of dumping it on them later?

Curious how others handle this. Do you all map policy owners to tools/processes? Or is this just a common silent failure we all deal with?

https://redd.it/1ma0ddq
@r_systemadmin


Reddit Sysadmin

Mac, InTune, ABM and the first login experience..

Looking to setup a bunch of MacBooks. Devices are already in ABM and users setup with federation via Entra.

InTune setup with basic configuration profiles to install Office, Company Portal, Edge, Defender, OneDrive and the SSO extension but I’d like to improve/streamline the first login experience as much as possible by having things like the Company Portal pinned rather than having to go to Spotlight.. and it’s also unclear to me whether it’s now possible to sign into a Mac as your Entra identity or not?

Don’t suppose anyone has been in a similar situation and come across any good guides for this sort of thing recently?

I'm fine with Autopilot and Windows but out of my comfort zone on the Mac side.

https://redd.it/1m9x4hd
@r_systemadmin
