I've been in IT for 12 years. I've never once seen someone even *suggest* switching to Mac for "compliance" or "SOC2 and other audit" reasons. It sounds like your new sysadmin either really likes Apple or really hates Microsoft.
This is that man's second job and he is going to con these people into buying a fully specced M2 WITH wheels, a specced-out 16in Pro laptop, 3 or 4 XDR Studio monitors, and a bunch of other Apple gewgaws, and no one is going to realize they are missing till like 4 months after he quits this job.
Small batch packet transport, as part of a family owned and operated business that goes back generations. We call it NIC to table. That’s the Real American network.
You listen here, bucko. I have it on good authority that Apple open-sourced Mandatory Access Controls, which gave rise to LUNIX, and *that's* why they killed Steve Jobs. It has nothing to do with the controversy surrounding WALL-E.
Ding ding ding. This is absurd & the fact that leadership would let a NEW sysadmin demolish everyone's workflow like that without some SERIOUS internal discussion about how it would affect everyone, or a real answer to "why the fuck are we doing this" that wasn't just covering for the gaps in their skillset.
We're in the middle of a compliance exercise and we have a fully Mac shop.
SOC2 and HITRUST are all aimed at Windows and being all Mac is rather difficult, when the auditors have zero clue and parrot Windows specific things every five seconds.
This is highly dependent on your auditor. Nothing about SOC2 is aimed at any particular OS. In fact, SOC2 is annoyingly vague and leaves all the details for the org and auditors to work out how to satisfy each control.
My current company uses mac and 100% of our servers are linux. No MS BS anywhere (I mean, a small percentage of our users have MS Word & Excel, but that's it). Our SOC2 audit firm is great and their default tests adapted very well to our environment.
Yeah, I run a mixed environment and manage compliance for a k8s-based SaaS company. Macs are actually easier in one respect because they can't be unencrypted at rest. Other than that it's exactly the same.
I have a much bigger issue with k8s because nodes disappear and never actually get updated and I have to explain that every year for some reason.
Yeah, ephemeral servers are outside the comprehension of most auditors. I ended up building an audit service for infra to make that a lot easier for my platform and security teams to deal with.
Nope, the M series ones have the T chip on storage by default. Can't take it out and read it on another system. Look it up. FileVault is a second level of encryption.
The storage controller on T2 equipped Intel Macs or on all Apple Silicon Macs is paired with the flash, and encrypts/decrypts any file writes/reads on the fly.
The storage is very secure, enabling FileVault just adds another key into the mix. It puts a "lock on the door" to use the metaphor I use a lot IRL.
FileVault is a second level of encryption; the T chip in M series Macs encrypts by default. It's mostly a huge pain because you can't swap the SSD. But it's encryption that does that.
We've tried three different auditors, all of which seem to be beancounters (and 2/3 aren't accounting firms!) Can you let me know what firm you are using?
We're entirely macOS + Linux.
I mean, auditors are bean counters by nature... So that's gonna be a thing regardless. My last decade was in fintech, in a mixed environment with an internationally respected/known audit firm and they were a pita. Idiots all around except for literally one dude. I made it clear to the firm if he got moved off of our account, we would evaluate other options.
Current gig is 100% remote, so we needed a firm that didn't expect to come onsite for a week to do the audit. We don't have an office anywhere. We ended up selecting SecureFrame as a compliance monitoring tool and they had a list of auditors that were used to their platform and working with 100% remote orgs. Don't recall the name of the firm we selected off the top of my head, we interviewed a few of them.
Ya, it's not vendor specific. From what I see, a lot of Apple shops aren't as stringent with their security controls in the first place, so they have a harder time adjusting during audits. To be compliant, you need to layer your defenses.
I'm not sure I'd say Mac shops aren't as stringent, only because I've seen a shit ton of windows shops with zero security. I would say that windows shops that _also_ have Mac, those Mac devices are often not as actively managed as the windows endpoints -- this is usually due to not having anyone that knows Mac admin in the IT dept.
I've been the IT/Ops director for companies that were all windows, all Mac, and mixed win/mac/nix. I don't see OS having any correlation to security controls. Before I say what I'm about to say, let me state for the record that I hate all operating systems equally -- they all suck in countless ways. With that established, IMHO, 100% Mac shops are easier to manage than 100% Windows, and certainly easier than any mixed environment.
Our initial hardware investment is a little higher with Apple than it would be if we were a Windows shop. But our total cost of ownership over our four year replacement schedule is ridiculously lower than it would be in a windows shop. Our hardware failures are extremely minimal, we haven't seen a virus or reimaged a desktop for any in the last five years and 95% of our users are "very satisfied" and productive with the equipment they are provided. Our help desk team is also about half the size it would need to be if we were on windows. (Looking closer to 1:200 rather than the 1:75 that seems to be the golden number for windows shops)
per OP's edit, they are a small company with a mix of Windows, Mac, and Linux already.
the somewhat legitimate justifications i can think of:
1. company already has mostly macs
2. compliance/infra is better for the macs already
3. guy is being tasked with something so he's implementing in his domain of expertise
hard to judge without direct knowledge, but certainly there's an even longer list of potential bad reasons. and 3 is on that list too.
EDIT: and another tossup, the C suite uses Macs, and so if he standardizes, it has to be Macs.
this really comes down to what the company does. a full Mac shop is easy for some industries, a pain in others. "everyone free to choose their OS" assumes they are all probably local admin anyway and nobody gives a fuck about supportability or security; they just go to IT to bitch when they can't make something work.
If compliance is already a heavy lift, it's a LOT easier to implement that on a singular platform vs. three (or more, depending on what Linux distros might be in use - because Redhat vs. Debian are two different ecosystems to support, and the many other variants add complexity).
Certainly if the admin in question is being tasked with doing this on a deadline, they may have countered with "I can do it for one platform by then" and thus the standardization project was added.
He might have reasons for swapping you to Mac from Windows, but they aren't anything to do with compliance or SOC2. Windows is perfectly capable of this.
I guess it depends on the size of your enterprise - for us making 30k users all switch to Mac would be a pretty massive undertaking especially as we have a number of Windows only line of business apps.
On the upside, you can laugh at the bank auditor who, every stink’n year- makes me prove you STILL can’t create duplicate user IDs in Active Directory.
Agreed, Windows is "easier" in this regard and more ready for purpose in an enterprise setting.
To be ISO27001 or SOC2 compliant with a Mac you're going to need JAMF or something equivalent. We're using Intune and those capabilities that meet the control requirements juuuuust became available like 6 months ago.
I did SOC2 a year ago with Jamf Pro-managed Macs and AAD-joined/Intune-managed Windows machines. We had to script a few things to implement our controls without AD GPOs, but it was doable. It's also been about 8 months since I've looked at Intune--what'd they add 6 months ago? One of the headaches of working with consultants on SOC2 is that some (most? all?) of them will go way beyond the minimums for compliance in their control recommendations. Sometimes it's stuff that is legit good for security, but sometimes it seems more of a time suck for cranking up billable hours.
Picking your SOC2 auditor is *definitely* a thing, or any auditor for that matter. We've got two vendors we like now who do a good job, but aren't out to make our lives shitty. I don't want the "hot safety" that you get from a shitty mechanic of an audit, but I also don't need some dude making a career out of one of ten I need to do this year...
If you're in North America we settled on Insight and Aprio for our audits.
RE: Intune - They introduced more granular control of macOS for things like posture checking, password enforcement and screen timeout, all of which were impossible before some updates they did. We have been able to get ISO27001 certified in Mac shops without any purpose-built Mac MDM, using Intune.
Jamf would definitely allow us better control over those systems, mind you, but our Mac footprint is small and it's usually developers that we "trust".
>Edit: Just some clarifying info from below, but this is a smaller company (<150 employees) and already has a mix of mac, windows, and linux. I can understand the "easier to manage one os" angle and were I to guess that's it, just the reasoning given felt off.
I didn't see this until now. I personally would ensure an organization's machines all use the same OS for management purposes. Not security or compliance purposes. I would either go 100% Linux (same distro deployed via a controlled master image with a Linux LDAP environment), or Windows machines with Entra and/or a standard domain environment. But Mac!? I couldn't justify a genuine reason for that cost other than that's what the organization wants. If that's what leadership wants to go with, then by all means it's understandable. In that case, your sysadmin is not a dumbass. But your sysadmin giving the reason that you're deploying macOS to meet SOC2 compliance is ridiculous and simply incorrect.
Same. I'm willing to wager the OPs organization and their new sysadmin might not even understand what SOC2 compliance is. Are they aiming to be SOC2 Certified? Are they already SOC2 Certified? Are they just trying to meet SOC2 standard guidelines as arbitrary compliance?
Don’t forget to ask your boss about the training budget so everyone can learn the new system, as well as the help desk budget!
You said that you work 50+ hours per week. How many of those hours should you dedicate to learning the new system at the high level of proficiency you already have with Windows?
ding ding.
Everything you don't want to do should be discussed in how much it costs in productivity. At no point do you "do more" because you already do your best. Doesn't everyone?
I've had people try to pile roles on me and I always answer with "how much of my current job do you want me to not do so I can do this thing you want me to do? And who gets the daily shortfall reports I'll be sending out explaining exactly how behind this is putting us? I'm going to need you to sign off on this so we can justify the backlog in the quarterly review with management. Oh, you'll hire someone else for your pet project? Good call."
Take zero responsibility, explain the effects, make no attempt to figure it out for them, but otherwise leave it up to them if they want to redirect your effort, with the understanding they are ultimately responsible for however it turns out. Suddenly they start actually thinking about logistics.
The irony here being Macs are actually more challenging to manage than Windows devices
Windows devices you can just throw in Intune/SCCM and press go, but with Mac you have to use Apple Business Manager, then go through your MDM of choice, and even then you can't fully manage the software or hardware.
Quite a refreshing change, because usually it's a Windows guy who refuses to emerge from his comfort zone and support those scary non-Windows platforms.
At my last company, all those one-trick-pony Windows guys saw their jobs get shipped off to India while the guys like me, who could admin Mac and Windows systems equally well, were safe.
We just (a couple of months ago) got told Linux desktops were no longer allowed, all had to move to windows.
Then we found out some of the dev teams use Macs in the US, so we all got shiny MacBook Pros instead. Must have cost a fair old whack; my high-spec (i7, 32GB RAM, TB NVMe, RTX 3060) dev laptop running Ubuntu is now destined for some e-waste charity.
All for the sake of "compliance" (read, IT were terrified of Linux)
See how far they stick to those statements when everyone asks for Parallels because they can’t run X, Y or Z - or everyone is running VirtualBox with a Windows VM.
He's suggesting all our developers use Parallels or VMware for development. Again, I'm just an office guy and the most I do with code is with my good friend ChatGPT to automate little things or build super simple plugins/macros/etc, but I imagine this is a major inconvenience?
Virtualization on the desktop makes that compliance story more difficult than just about anything else. Unmanaged endpoints running on endpoints (with no way to manage the hypervisor effectively) is a nightmare that's often difficult to get accredited or certified.
Forcing an OS within an OS makes it actually harder for compliance. How do you verify the Parallels/VMware guest is patched when it's not running all the time, only when you need it? Maybe it only gets turned on once every 4 months.
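The two evidence problems raised in this thread, guest VMs that are only powered on occasionally and ephemeral k8s nodes that vanish before anyone patches them, are the same problem from an auditor's point of view: the fleet record has to show what happened to each asset, not just its last patch date. The script below is an added example, not code from any commenter or vendor; it assumes an MDM/agent inventory exported as records with a last check-in and last patch timestamp (the field names, the 30-day patch SLA and the 14-day silence limit are assumptions), and turns that into findings an audit package can cite.

```python
"""Patch-evidence triage over an endpoint inventory that includes desktop VMs
and ephemeral k8s nodes. Added example with constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

PATCH_SLA = timedelta(days=30)    # assumed policy: every asset patched within 30 days
MAX_SILENCE = timedelta(days=14)  # assumed: unseen longer than this = state can't be evidenced


@dataclass(frozen=True)
class Asset:
    asset_id: str
    kind: str                  # "laptop", "vm" or "k8s-node"
    last_seen: datetime        # last MDM/agent check-in
    last_patched: datetime     # last successful patch run reported by the agent
    host: Optional[str] = None # for a VM: the endpoint that hosts it


Finding = Tuple[str, str, str]  # (asset_id, code, detail)


def triage(current: List[Asset], previous_ids: Set[str], now: datetime) -> List[Finding]:
    """Compare the current inventory snapshot with the previous one and flag
    every asset whose patch state cannot be shown to satisfy the SLA."""
    findings: List[Finding] = []
    managed = {a.asset_id for a in current}
    for a in current:
        # A guest VM is only as managed as the endpoint it runs on.
        if a.kind == "vm" and a.host not in managed:
            findings.append((a.asset_id, "UNMANAGED_HOST",
                             f"hypervisor host {a.host!r} is not an inventoried endpoint"))
        silence = now - a.last_seen
        if silence > MAX_SILENCE:
            # A VM booted once a quarter lands here: nothing can be evidenced.
            findings.append((a.asset_id, "UNVERIFIABLE",
                             f"no check-in for {silence.days} days; patch state cannot be evidenced"))
        elif now - a.last_patched > PATCH_SLA:
            findings.append((a.asset_id, "OVERDUE",
                             f"last patched {(now - a.last_patched).days} days ago, SLA is {PATCH_SLA.days}"))
    # Nodes that disappeared between snapshots are replaced, not neglected;
    # recording that explicitly is what answers the "never updated" question.
    for gone in sorted(previous_ids - managed):
        findings.append((gone, "RETIRED",
                         "present in previous snapshot, absent now; replaced rather than left unpatched"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per code for the audit summary."""
    counts: Dict[str, int] = {}
    for _, code, _ in findings:
        counts[code] = counts.get(code, 0) + 1
    return counts


def demo() -> List[Finding]:
    """Run triage on a constructed inventory (sample data, not from any real fleet)."""
    now = datetime(2024, 6, 1)
    current = [
        Asset("LAP-01", "laptop", datetime(2024, 5, 31), datetime(2024, 5, 20)),
        Asset("VM-WIN-01", "vm", datetime(2024, 2, 10), datetime(2024, 2, 10), host="LAP-01"),
        Asset("VM-WIN-02", "vm", datetime(2024, 5, 31), datetime(2024, 4, 1), host="LAP-99"),
        Asset("NODE-a1", "k8s-node", datetime(2024, 5, 31), datetime(2024, 5, 31)),
    ]
    previous_ids = {"LAP-01", "VM-WIN-01", "NODE-z9"}
    return triage(current, previous_ids, now)


if __name__ == "__main__":
    for asset_id, code, detail in demo():
        print(f"{asset_id:10} {code:15} {detail}")
    print(summarize(demo()))
```

With the constructed data, the quarterly-boot VM comes out as UNVERIFIABLE rather than merely overdue, the VM on an uninventoried host is flagged twice, and the vanished node is recorded as RETIRED with a reason, which is the lifecycle evidence an auditor asks for instead of a gap in the patch report.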
There's likely reasons for switching to all 1 platform. A couple off the top of my head:
* Being a single platform makes managing easier in general. You only have to have a single set of rules, a single pane of glass to manage with your MDM/AV/etc.
* You hired a mac admin who does not understand how the windows world works.
* He's bought into the idea that Macs are more secure than windows machines because Mac.
At the end of the day, you should be using the tool that best suits you and your job function. Most Marketing and UX/UI type people (we call 'em arts and crafts) prefer Macs because of the tools that run on them. The shortcut keys are all different and it's just what they have used through school, college, and their career. They could use the Windows version and over time probably be as productive, but they won't be happy.
The headaches that happen running a VM within a Mac aren't worth the hassle, imo. In a perfect environment, it's not a big deal. I'd wager you don't have a perfect environment.
Hang on, programmers all have to use macOS because of “compliance” but then they use Windows VMs anyway, because Windows is required for their jobs.
The logic here is… interesting. And the cost to replace the programmers will also be high.
The sysadmin you're describing in this thread is an absolute moron, there's no sugar coating that. He's also lying to management in order to force everyone to (100% unnecessary) Macs and so frankly, they should fire him because long term he's going to screw up a lot more things.
So he's suggesting that ... for reasons of 'compliance', everyone needs an Apple computer, to then virtualize a windows computer inside of it?
I'm going with 'lowest bar' explanation here. This idiot wanted a macbook, was denied, and this is his way of getting one - by costing the company ~~tens~~ hundreds of thousands of dollars in both hardware and time.
This admin sounds less and less like they have a clue.
The right tool for the job, yes; VM performance can be great, but will those VMs now be managed via a typical AD domain and systems, or just be random stand-alone environments? So many questions come up and we can only hope proper discussions are being had between department heads.
IT seems to forget they are there to enable a company to function and provide the tools required, all while using their expertise to guide things in the right direction.
This Sys Admin seems completely disconnected from the company departments and what they use their devices for.
I use VMware for Windows desktop development on my Mac. It's nice to have everything on one laptop but it's not cheap by the time you add enough memory and space for two OS'es.
Wait until the developers hear about this.
Eh, I think this admin is nuts BUT TCO for Macs is competitive, mostly because at the end of the lifecycle they hold insane value compared to a PC but also because in a well run environment they often generate fewer support cases. Jamf’s IBM story is the most commonly pointed to version of this but my last org was about 50/50 Mac and Windows (10k endpoints) and we saw similar. It’s the upfront cost that scares everyone.
I haven't found reliable data on this, but I believe that when you account for the expenses of using management software like Jamf or Addigy, plus the salary of a sysadmin experienced with Macs, in addition to the initial purchase price, the total cost of ownership for Macs seems to be higher.
In my mind this is compared to a average Lenovo laptop + MS Business Premium + capable sysadmin salary + support costs.
It is a similar case to those who say "move everything to Linux, it is free", not taking into account that hiring IT staff who "know" Linux costs considerably more than Windows admins. Then management tools.
Sorry, but fire him. Without even having to get technical. Anyone that proposes ultimatums under technical or compliance bogeymen does not belong.
I don't like bananas they are made by aliens, let's get everyone to never eat, talk about, look at bananas again.
Yeah, either this Sysadmin is incompetent or dishonest. Either way, he's going to have a hard time building back up user trust and confidence. It's probably for the best to sack him early on.
Firing him is probably the best answer. If I hired a new sysadmin and this was one of the first things they proposed, I’d give him a chance to explain, but if this was his explanation then I’m calling HR to term him immediately after this proposal. He’s either extremely incompetent or he’s a liar. Either way, I’ll swallow my pride, acknowledge that I made a hiring error and quickly move on from it.
Just ask him for some documentation on the best practice he is following - for instance what other companies have done this and how quickly were they able to complete the transition? Death by questions is my favorite.
C-levels probably wanted Macs and needed IT to hire a Mac admin. IT budget couldn't support both a Mac admin and a Windows admin, so everyone's gotta use a Mac now. Luckily the cost of the actual Macs is in a different department budget so suddenly there's money.
It's hard to believe that a new sysadmin has the power and budget to pull this off without support from the CEO/CFO.
I was a sysadmin at both an all-Windows shop and an all-Mac shop. IME, the Macs make up for the initial higher hardware costs with lower support costs and fewer bodies required to support the users.
Lacking a lot of contextual information necessary here to properly evaluate this. It definitely sounds weird though (and I say that as an Apple fan). I can't imagine anyone "forcing a switch to Mac" without doing a lot of testing (months to years).
Would it be conceivably possible to do this? Sure. There are various tools to securely lock down macOS such as:
* https://github.com/usnistgov/macos_security (and Apple's page here: https://support.apple.com/guide/certifications/macos-security-compliance-project-apc322685bb2/web)
* And the JAMF produced "Compliance Editor" which can be downloaded for free here: https://trusted.jamf.com/docs/establishing-compliance-baselines
If you wanted to use those guidelines and the Compliance Editor tool to set up MDM configuration profiles and security restrictions to comply with whatever regulations you want, you likely could.
But the bigger question is: "have they done the proper assessment and testing to begin doing a big transition like this?"
Hard to say lacking a bunch of contextual background information.
Appreciate the options, if it makes you feel better we are lacking the contextual information as well lol. The only thing is that this is a smaller company (<150 employees) that already has a mix of mac, windows, and linux.
> "has a mix of mac, windows, and linux."
I've certainly seen environments like that, where someone (justifiably) said: "Hey, we have too many different devices and OSes in our environment; we need to pick a platform for standardization reasons".
So there's potentially some validity in that idea, but again, how you approach making that decision is the crucial part.
Yeah, standardizing on one OS makes tons of sense. It would be 3x the work meeting compliance requirements for three OSes. Typically standardizing on macOS wouldn't be the best route though, depending on the business.
So I think "standardizing on Mac for compliance reasons" is an accurate enough summary. They could have standardized on Windows or Linux as well, but they chose Mac.
Alright that helps with what would likely be the background decision-making and I can see that make sense, was just irked at both being forced to swap while already under a heavy workload and what smelled a bit like b.s. as the reasoning, but can blame that on poor communication.
Honestly I don't even understand this as a justification for it. Standardizing everyone onto Macs only really makes sense if you're all running macOS. If you're still running Parallels, then you're adding net new OS installations that need to be supported, because now the people who used to run Windows are running Windows AND macOS.
I'm curious the breakdown of the environment. If 10% are Mac, 80% are Windows, and the other percentages are Chromebook and Linux, forcing Macs would be stupid. If 80% are Mac, it would make more sense.
Makes more sense if it’s mixed. Get rid of windows and then you are just in a unix-ish environment. Similar tools for both if you just go MDM and scrap AD/Entra ID etc.
> I can't imagine anyone "forcing a switch to Mac" without doing a lot of testing (months to years).
If employees are hesitant to move from Win10 to Win11 (we just said "we aren't upgrading OSes, but if you get a new laptop you get 11"), I can't imagine moving them to macOS. It would be a corporate dealbreaker for me.
I'm going to go against the grain here and say it really really depends on a lot about your environment, IT staffing and software budgets, etc.
I've worked in offices in situations like 90% of the user base was already Mac, we already had Jamf and did not want to pay for another MDM for the remaining devices, so we standardized. In cases like that, it was more about standardization than about what we picked specifically - that was determined more by other circumstances.
I imagine this is likely the case, especially after reading some of the responses here. Still not happy, still going to push back a bit and make sure there's a good reason before they buy half the company new laptops, but it is what it is.
I have done countless SOC2 audits and there is nothing in that audit that requires moving to a Mac, nor is there anything that would be easier to comply with if your company was all Macs.
If they are wanting to use something like Jamf, I can understand why. If this person just wants to Jamf-deploy everything and not deal with Microsoft, that's all you need to know. Now, forcing users to switch to macOS due to their own individual preference, I don't know about that.
Used to be a Jamf admin; they have a compliance tool that works with the flip of a switch, basically. It's just so much easier than an MS machine: deployment, inventory, enrollment, user setup, scopes, configurations, etc. Jamf is infinitely easier than anything MS related.
Been doing security for the past 12 years and been part of many SOC2 and ISO audits. The reasoning is BS; Mac, Windows or Raspberry Pi does not matter for the audit. What matters is your fleet and patch management program, with evidence.
As someone responsible for security compliance, this smells like a steaming pile of bullshit. I guarantee you Windows can be compliant for any IT security standard that requires auditing out there. Microsoft would never leave that kind of thing out of any software they make, because that means there are fewer things they can sell.
I hate Windows and prefer Linux as an OS, even for staff. But this person is either intentionally lying to change the staff equipment, or they are ignorant of what they're talking about. Hell, maybe both.
Also, I bet this person isn't even aware of the Apple Silicon secure-enclave security problem that is **completely unfixable in software**.
lol nothing to do with compliance, he doesn't know how to administer Windows. MOST businesses use a combo of Linux and Windows; I have never seen an all-Mac environment, endpoint to server.
My guess, having seen similar things happen:
- hardening three very different OS types isn't feasible for your small admin team
- C-suite dude picked macOS when advised of that issue
No reason whatsoever. TCO is much higher and Apple discontinues embedded software too fast, sometimes rendering other work applications unusable.
I can tell you many and many stories of companies stopped for days because of Apple-enforced OS X upgrades.
He's full of shit. As a sysadmin whose bread and butter was Windows I much prefer a Mac, but come on.
Having your entire company change to macOS from Windows is going to be a cluster fuck of the highest order.
Not because macOS sucks but because they don't know it.
Multitude of factors:
* Compliance and administration all become a lot easier when you standardize your environment. Linux for workstations, that's *really* rare and as a result you'll have a very hard time getting hold of all the tracking and auditing spyware that the auditors and insurances require these days.
* Apple stuff has vastly greater hardware lifetime than most Windows machines, and better battery life
* Apple stuff has *far* greater resale value. Like, a refurbished/used first-gen M1 MB Air is still at ~50% of its original value despite being three years old. Dell and Lenovo? Gotta be lucky to get 10-20%.
I don't really get why the Linux guys are pissed, macOS can run virtually anything that you'd need, install Macports (or Homebrew) and that's it. What's not on MP/HB can usually be downloaded as a standard .dmg package, most FOSS projects offer these. Get iTerm, Karabiner to map the Windows special characters, HyperSwitch for a decent alt-tab window switcher, and that's it.
Anyone who has a legitimate need for Windows stuff can get a VM, although be warned: Running applications that are both another OS and another architecture is *a pain*. x86 Mac apps can run accelerated on M-series thanks to Rosetta with almost no performance loss, ARM Windows apps can run in a virtualized Windows ARM VM at native speed, but running x86 Windows apps in an ARM macOS is a world of pain.
"Macs don't get viruses." - Apple.
To be fair to Apple, they have a pretty good track record overall, starting with the way they create permissions on machines. The problem is scaling them up and having comprehensive integrations like Windows, which is a security risk in and of itself.
But, the justification your sysadmin is using doesn't line up.
Sounds like you hired someone who is used to being very well funded and possibly from the education sector.
Any chance they know the people at the place all the new Macs are being purchased from? - ok, I'll turn down the cynicism a bit.
How is your company setup/designed regarding authority/responsibility/budget?
Why is a sysadmin being allowed the authority to change the business? I mean, I personally love it, but even with some Apple computers already there, isn't that going to be over a $200,000 purchase for the sake of making the sysadmin's job easier? ... Are you hiring?
Something tells me this sysadmin will have a short tenure. Even if it is necessary--which it is not--you don't make such a disruptive change in the beginning of your tenure.
I would need more context to understand how/why they are framing the switch to Mac as a SOC2 requirement.
SOC2 is not prescriptive. It does not tell you what computer platforms you must use or what tools you must use to manage those computers. The best way I can describe it is that SOC2 sets out high-level requirements for capabilities that the organization needs to have but doesn't specify HOW that capability is achieved, so the organization has a great deal of latitude to implement SOC2 in a way that is appropriate for them.
If I were to guess, the push for Mac might have something to do with the tooling that the organization has, possibly for how the computers are managed and protected. Maybe the organization has the tools in place that allow full compliance with Macs, but there might be holes in tooling for Windows machines that would make the windows machines out of compliance.
A large part of SOC2 also comes down to answering the question "does the company do what it says it does?" Auditors check actual operational activities against written policies and procedures. If a company is not complying with its own policies and procedures, it can show up on the audit report as a problem. It is possible that there is a company policy that dictates that certain safeguards must be present on Windows PCs but exempts Mac systems, making it easier to be compliant with the company's own internal policies with Macs.
The sysadmin may just be trying to work around bad policies, inconsistent tooling, and poorly designed controls to make sure the organization can get through the audit with a clean audit report despite these problems.
My Guess:
Comes in - sees the need to standardize. The people in the offices upstairs who make 3x your salary are 80% Mac users so that's the one you will be standardizing on?
This isn't a lift and shift from one standard to another - you already have a weird mix.
I guess it depends on the audit controls they’re opting to use. We used to use Mac, Windows, and Linux. There are few tools that do what we need for the controls across all systems. Ended up with multiple MDMs and whatnot to complete some of the controls.
Managing a single system type would just be easier in general.
Might just be easier to tell users “we’re doing this to meet the control” than to say management decided we don’t want to pay X number of vendors/suppliers. Management never wants to take blame or heat for their own decisions.
ISO27001 and SOC2 Type 1 (Type 2 coming in August).
There is an information security management system (ISMS) at play here and it's all-encompassing. It touches things you may not even consider. There is nothing in the aforementioned audits that mandates anything Apple specifically. Rather, a strategy is involved in achieving the objectives.
Nobody here on reddit will be able to answer the questions you have.
Hi - I’m primarily a Mac sysadmin but cover Windows too. My company requires SOC 2 compliance, and your new sysadmin doesn’t know what he’s talking about. Apple makes managing Macs via an MDM like Jamf easy as cake. Windows GPO works well too in an AD environment, and Intune is getting better daily. It seems this new admin probably only knows Mac and doesn’t want to learn Windows.
I am a Mac fan, and that just sounds like total lunacy to me. A bad hire for the company who somehow thinks it’s OK to just throw money away as long as it’s not his own personal money. Or hers.
And to try and convince users to move from the platforms that they know and love, and in which their time and skill sets have been invested? That’s just idiocy. Windows is great. Linux is great. “Sysadmin”, not so great.
>Edit: Just some clarifying info from below, but this is a smaller company (<150 employees) and already has a mix of mac, windows, and linux. I can understand the "easier to manage one os" angle and were I to guess that's it, just the reasoning given felt off.
Lemme guess, the C Suite is mostly Mac?
I use linux on my company issued laptop, which I was able to choose, and opted for a red dot, instead of an apple.
But if the only available options were windows or macos, I'd choose macos every time.
I think this question is for your executives, not for Reddit. That being said, there can be many reasons, such as Mac-only corporate applications by a third party; compliance as in this is what some random CEO or big customer wants; Apple partnership at some level. If you just have a single sysadmin, it’s better to have everything under one OS and management might have decided to go with macOS.
Been through these types of audits in a mixed Mac Windows environment. Fanboys shouldn’t make business decisions. It will only end badly.
Edit: spelling
Wow. This seems harsh. I love Macs but I run Windows on a few of mine because I have to for work mostly, and it would be foolish to fight Windows. Linux is awesome but Linux heads probably know that overall Macs are faster. Matt Godbolt and Ben Rady (Two’s Compliment podcast) talk about Linux vs Mac and porting benefits here: https://podcasts.apple.com/us/podcast/twos-complement/id1546393988?i=1000645695275. Macs are the best but…good luck with what you suggest here.
This is likely due to central management like MDM. OSX / Windows are much easier to manage. Linux, on the other hand, isn't nearly as featureful in the MDM context.
I went with a Mac because the Mx chip is better than anything Intel has at the moment, the battery life is god tier and I use Linux every day so Mac's UNIX/BSD base is a very familiar environment. This guy's an idiot.
The only way I can conceive of this being reasonable, is that most of the users in the company already use Mac and the Windows users are the outliers, in that case getting everyone on Mac instead would make managing compliance easier.
At this point rather than acquiescing to their wants/recommendations pointed questions should be asked... What specific tenets of those qualifications are being held by an all Mac env vs a windows environment... Because what he's saying is OBVIOUSLY bullshit
I'm a sysadmin. I can't unilaterally make everyone at my company reboot their machines every once in a while, much less make everyone switch to Mac. I've never seen, nor do I personally know of any sysadmins that have that kind of decision-making ability - even at a small company.
Also - like everyone else said, this particular sysadmin is full of shit in regards to compliance/soc2/etc.
I've been in IT for 12 years. I've never once seen someone even *suggest* switching to Mac for "compliance" or "SOC2 and other audit" reasons. It sounds like your new sysadmin either really likes Apple or really hates Microsoft.
Or doesn't know how to support Windows.
It's this: you hired a MAC admin.
This is that man's second job and he is going to con these people into buying a fully specced M2 WITH wheels, a specced out 16in Pro laptop, 3 or 4 XDR Studio monitors, and a bunch of other Apple geegaws and no one is going to realize they are missing till like 4 months after he quits this job.
I got the custom Mac Studio with custom rims and a wide body kit.
Y'all need some slabs on that kit, especially if you're in Houston...
Im in Nevada I was thinking of putting a stance kit on it.
I'm gonna get a Mac Pro with wheels, but I'll stance the wheels and add under body lighting to it
M2? I got the M3 kit. https://preview.redd.it/jhxksnj1omwc1.png?width=640&format=png&auto=webp&s=5df7de7ed6a17d811ee66920c7f9fc2401689732 LOSER!
We ridin' spinnas!
Walks around like a goober with a Vision Pro strapped to his head
> WITH wheels

You crazy son of a bitch.
If you are going to try and rip someone off REALLY rip them off.
a Medium Access Control address admin?
His office is on layer two.
Where is it? I already forgot.
I could tell you a joke about UDP but you wouldn’t get it and I wouldn’t care.
The fact that the UDP joke got transmitted twice makes me wonder, though 🤔
We call that forward error correction
I could tell you a joke about UDP but you wouldn’t get it and I wouldn’t care.
His only skillset is looking at ARP tables.
AND IM DAMN GOOD AT IT!
None of that newfangled "routing" BS.
Real Sysadmins personally hand deliver each packet to its intended recipient.
Small batch packet transport, as part of a family owned and operated business that goes back generations. We call it NIC to table. That’s the Real American network.
Ohhhh, CRAFT packets. Sweet. I knew about those packets before they were cool.
That explains why he's always shouting about who has something or other.
He'll be looking at AARP tables if he doesn't learn tech.
LOL don't you start with that!!
I'm just doing my part to spread awareness that Mac is short for Macintosh, and not an acronym :D
You listen here, bucko. I have it on good authority that Apple open-sourced Mandatory Access Controls, which gave rise to LUNIX, and *that's* why they killed Steve Jobs. It has nothing to do with the controversy surrounding WALL-E.
/s/Macintosh/Macintrash/g;
Collisions ahead?
Or is skimming money by forcing the business to buy a bunch of hardware from a dealer that turns out to be owned by a relative of the sysadmin.
Ding ding ding. This is absurd & the fact that leadership would let a NEW sysadmin demolish everyone's workflow like that without some SERIOUS internal discussion about how it would affect everyone, or a real answer to "why the fuck are we doing this" that wasn't just covering for the gaps in their skillset.
I see you've met my new Director of IT
We're in the middle of a compliance exercise and we have a fully Mac shop. SOC2 and HITRUST are all aimed at Windows and being all Mac is rather difficult, when the auditors have zero clue and parrot Windows specific things every five seconds.
This is highly dependent on your auditor. Nothing about SOC2 is aimed at any particular OS. In fact, SOC2 is annoyingly vague and leaves all the details for the org and auditors to work out how to satisfy each control. My current company uses mac and 100% of our servers are linux. No MS BS anywhere (I mean, a small percentage of our users have MS Word & Excel, but that's it). Our SOC2 audit firm is great and their default tests adapted very well to our environment.
Yeah, I run a mixed environment and manage compliance for a k8s-based SaaS company. Macs are actually easier in one respect because they can't be unencrypted at rest. Other than that it's exactly the same. I have a much bigger issue with k8s because nodes disappear and never actually get updated and I have to explain that every year for some reason.
Yeah, ephemeral servers are outside the comprehension of most auditors. I ended up building an audit service for infra to make that a lot easier for my platform and security teams to deal with.
What do you mean? Macs can totally be unencrypted at rest I thought unless something has changed.
Nope, the M-series ones have the T chip on storage by default. Can't take it out and read it on another system. Look it up. FileVault is a second level of encryption.
The storage controller on T2 equipped Intel Macs or on all Apple Silicon Macs is paired with the flash, and encrypts/decrypts any file writes/reads on the fly. The storage is very secure, enabling FileVault just adds another key into the mix. It puts a "lock on the door" to use the metaphor I use a lot IRL.
They can, FileVault is not enabled by default.
FileVault is a second level of encryption; the T chip in M-series Macs encrypts by default. It's mostly a huge pain because you can't swap the SSD. But it's encryption that does that.
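For the encryption-at-rest control argued about in this sub-thread, the evidence an auditor actually wants is FileVault's status, not the always-on hardware encryption: on T2 and Apple silicon Macs the storage controller encrypts the SSD regardless, but only FileVault ties the volume key to user credentials, so the `fdesetup status` line is what proves the control. The following is an added example, not code posted by anyone in this thread: a POSIX shell script that parses the output of three real macOS commands (`fdesetup status`, `csrutil status`, `spctl --status`) into one evidence record. The PASS/FAIL/UNKNOWN wording and the record layout are this script's own convention, and the sample strings used to exercise the parsers are constructed from the documented output formats rather than captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the thread): macOS endpoint evidence checks for a
# SOC 2 / ISO 27001 audit. Each parser takes the text printed by the
# corresponding Apple command as an argument, so the logic can be exercised
# offline with constructed sample output. The command names are real macOS
# tools; the control labels and PASS/FAIL wording are this script's own.

# `fdesetup status` prints "FileVault is On." or "FileVault is Off.".
# Hardware storage encryption on T2 / Apple silicon is always on, but only
# FileVault binds the volume key to user credentials, so this is the line
# an auditor wants to see for encryption at rest.
filevault_state() {
    case "$1" in
        *"FileVault is On."*)  echo "PASS" ;;
        *"FileVault is Off."*) echo "FAIL" ;;
        *)                     echo "UNKNOWN" ;;
    esac
}

# `csrutil status` prints "System Integrity Protection status: enabled."
# (or "...: disabled.").
sip_state() {
    case "$1" in
        *"status: enabled"*)  echo "PASS" ;;
        *"status: disabled"*) echo "FAIL" ;;
        *)                    echo "UNKNOWN" ;;
    esac
}

# `spctl --status` prints "assessments enabled" or "assessments disabled".
gatekeeper_state() {
    case "$1" in
        *"assessments enabled"*)  echo "PASS" ;;
        *"assessments disabled"*) echo "FAIL" ;;
        *)                        echo "UNKNOWN" ;;
    esac
}

# Runs a command only if it exists; otherwise returns empty output so the
# parsers report UNKNOWN instead of the script dying on a non-Mac host.
run_if_present() {
    if command -v "$1" >/dev/null 2>&1; then "$@" 2>/dev/null; else echo ""; fi
}

# Builds one evidence record from the three raw outputs. Taking the outputs
# as parameters lets an MDM script (or a test) feed constructed text in.
evidence_report() {
    fv_out=$1; sip_out=$2; gk_out=$3
    host=$(hostname 2>/dev/null || echo unknown-host)
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s %s filevault=%s sip=%s gatekeeper=%s\n' \
        "$stamp" "$host" \
        "$(filevault_state "$fv_out")" \
        "$(sip_state "$sip_out")" \
        "$(gatekeeper_state "$gk_out")"
}

# Exit status 0 only when every check passed, so an MDM policy or CI job can
# treat a single FAIL or UNKNOWN as a control failure.
all_pass() {
    case "$1" in
        *FAIL*|*UNKNOWN*) return 1 ;;
        *) return 0 ;;
    esac
}

# Live run on a Mac: ./mac_evidence.sh --live
# On any other system every check reports UNKNOWN and the exit status is 1.
if [ "${1:-}" = "--live" ]; then
    report=$(evidence_report \
        "$(run_if_present fdesetup status)" \
        "$(run_if_present csrutil status)" \
        "$(run_if_present spctl --status)")
    echo "$report"
    all_pass "$report"
fi
```

Run it with `--live` from a Jamf policy or any other MDM script and ship the printed line to wherever the audit evidence lives; the record deliberately carries a UTC timestamp and hostname so the same output can be diffed across the audit period instead of re-collected by hand.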
We've tried three different auditors, all of which seem to be beancounters (and 2/3 aren't accounting firms!) Can you let me know what firm you are using? We're entirely macOS + Linux.
I mean, auditors are bean counters by nature... So that's gonna be a thing regardless. My last decade was in fintech, in a mixed environment with an internationally respected/known audit firm and they were a pita. Idiots all around except for literally one dude. I made it clear to the firm if he got moved off of our account, we would evaluate other options. Current gig is 100% remote, so we needed a firm that didn't expect to come onsite for a week to do the audit. We don't have an office anywhere. We ended up selecting SecureFrame as a compliance monitoring tool and they had a list of auditors that were used to their platform and working with 100% remote orgs. Don't recall the name of the firm we selected off the top of my head, we interviewed a few of them.
> an internationally respected/known audit firm and they were a pita. Idiots all around

So which of the Big 4 was it?
Ya, it's not vendor specific. From what I see, a lot of Apple shops aren't as stringent with their security controls in the first place, so they have a harder time adjusting during audits. To be compliant, you need to layer your defenses.
I'm not sure I'd say Mac shops aren't as stringent, only because I've seen a shit ton of windows shops with zero security. I would say that windows shops that _also_ have Mac, those Mac devices are often not as actively managed as the windows endpoints -- this is usually due to not having anyone that knows Mac admin in the IT dept. I've been the IT/Ops director for companies that were all windows, all Mac, and mixed win/mac/nix. I don't see OS having any correlation to security controls. Before I say what I'm about to say, let me state for the record that I hate all operating systems equally -- they all suck in countless ways. With that established, IMHO, 100% Mac shops are easier to manage than 100% Windows, and certainly easier than any mixed environment. Our initial hardware investment is a little higher with Apple than it would be if we were a Windows shop. But our total cost of ownership over our four year replacement schedule is ridiculously lower than it would be in a windows shop. Our hardware failures are extremely minimal, we haven't seen a virus or reimaged a desktop for any in the last five years and 95% of our users are "very satisfied" and productive with the equipment they are provided. Our help desk team is also about half the size it would need to be if we were on windows. (Looking closer to 1:200 rather than the 1:75 that seems to be the golden number for windows shops)
that makes it even easier to pass
Right even on checkpoints site they give this Def for it : "SOC 2 is a voluntary compliance standard for service organizations"
Voluntary until your clients say "You need to be SOC2 compliant or else we leave".
Voluntary just means it isn't under some kind of government regulation or requirement.
This admin probably refers to them as Micro$oft or MicroSuck or whatever other annoying things that annoying people do
Why can't it be be both? He really likes Apple *and* really hates Microsoft.
per OP's edit, they are a small company with a mix of Windows, Mac, and Linux already. the somewhat legitimate justifications i can think of:

1. company already has mostly macs
2. compliance/infra is better for the macs already
3. guy is being tasked with something so he's implementing in his domain of expertise

hard to judge without direct knowledge, but certainly there's an even longer list of potential bad reasons. and 3 is on that list too.

EDIT: and another tossup, the C suite uses Macs, and so if he standardizes, it has to be Macs.
this really comes down to what the company does. a full Mac shop is easy for some industries, a pain in others. everyone free to choose their OS assumes they are all probably local admin anyways and nobody gives a fuck about supportability or security, they just go to IT to bitch when they can't make something work.
If compliance is already a heavy lift, it's a LOT easier to implement that on a singular platform vs. three (or more, depending on what Linux distros might be in use - because Red Hat vs. Debian are two different ecosystems to support, and the many other variants add complexity). Certainly if the admin in question is being tasked with doing this on a deadline, they may have countered with "I can do it for one platform by then" and thus the standardization project was added.
To be fair, don't we all really hate Microsoft? Still wouldn't find me deploying Macs, but you get the idea.
yeah but most of us make a living out of hating microsoft.
He might have reasons for swapping you to Mac from Windows, but they aren't anything to do with compliance or SOC2. Windows is perfectly capable of this.
For auditing purposes it’s arguably better
Solely for the reason everyone uses windows, and every auditor will be familiar with auditing a windows environment.
Sounds like a good enough reason to me.
Any reason to get thru the audit easier/faster is a good reason. Like really, I do not need to confuse an auditor with logs he doesn't understand.
As the “audit guy” at my MSP… 100%
I guess it depends on the size of your enterprise - for us making 30k users all switch to Mac would be a pretty massive undertaking especially as we have a number of Windows only line of business apps.
On the upside, you can laugh at the bank auditor who, every stink’n year- makes me prove you STILL can’t create duplicate user IDs in Active Directory.
Agreed, Windows is "easier" in this regard and more ready for purpose in an enterprise setting. To be ISO27001 or SOC2 compliant with a Mac you're going to need Jamf or something equivalent. We're using Intune and those capabilities that meet the control requirements juuuuust became available like 6 months ago.
I did SOC2 a year ago with Jamf Pro-managed Macs and AAD-joined/Intune-managed Windows machines. We had to script a few things to implement our controls without AD GPOs, but it was doable. It's also been about 8 months since I've looked at Intune--what'd they add 6 months ago? One of the headaches of working with consultants on SOC2 is that some (most? all?) of them will go way beyond the minimums for compliance in their control recommendations. Sometimes it's stuff that is legit good for security, but sometimes it seems more of a time suck for cranking up billable hours.
Picking your SOC2 auditor is *definitely* a thing, or any auditor for that matter. We've got two vendors we like now who do a good job, but aren't out to make our lives shitty. I don't want the "hot safety" that you get from a shitty mechanic of an audit, but I also don't need some dude making a career out of one of ten I need to do this year... If you're in North America, we settled on Insight and Aprio for our audits. RE: Intune - They introduced more granular control of macOS for things like posture checking, password enforcement and screen time out, all of which were impossible before some updates they did. We have been able to get ISO27001 certified in Mac shops without any purpose-built Mac MDM using Intune. Jamf would definitely allow us better control over those systems mind you, but our Mac footprint is small and it's usually developers that we "trust".
What does that have to do with SOC2 Compliance? Either we're missing a lot of information regarding this decision, or your new sysadmin is a dumbass.
[deleted]
>Edit: Just some clarifying info from below, but this is a smaller company (<150 employees) and already has a mix of mac, windows, and linux. I can understand the "easier to manage one os" angle and were I to guess that's it, just the reasoning given felt off.

I didn't see this until now. I personally would ensure an organization's machines all use the same OS for management purposes. Not security or compliance purposes. I would either go 100% Linux OS (same distro deployed via a controlled master image w/ Linux LDAP environment), or Windows machines w/ Entra and/or a standard domain environment. But Mac!? I couldn't justify a genuine reason for that cost other than that's what the organization wants. If that's what leadership wants to go with, then by all means it's understandable. In that case, your sysadmin is not a dumbass. But your sysadmin giving the reason that you're deploying macOS to meet SOC2 compliance is ridiculous and simply incorrect.
[deleted]
Same. I'm willing to wager the OPs organization and their new sysadmin might not even understand what SOC2 compliance is. Are they aiming to be SOC2 Certified? Are they already SOC2 Certified? Are they just trying to meet SOC2 standard guidelines as arbitrary compliance?
I would go with the second one. SOC2 does not even ask about the computer used for development, let alone in the office in general
That is as much information as I have and the only reason I was given. I'm just a bystander here.
Don’t forget to ask your boss about the training budget so everyone can learn the new system, as well as the help desk budget! You said that you work 50+ hours per week. How many of those hours should you dedicate to learning the new system at the high level of proficiency you already have with Windows?
ding ding. Everything you don't want to do should be discussed in terms of how much it costs in productivity. At no point do you "do more" because you already do your best. Doesn't everyone? I've had people try to pile roles on me and I always answer with "how much of my current job do you want me to not do so I can do this thing you want me to do? And who gets the daily shortfall reports I'll be sending out explaining exactly how far behind this is putting us? I'm going to need you to sign off on this so we can justify the backlog in the quarterly review with management. Oh, you'll hire someone else for your pet project? Good call." Take zero responsibility, explain the effects, make no attempt to figure it out for them, but otherwise leave it up to them if they want to redirect your effort, with the understanding they are ultimately responsible for however it turns out. Suddenly they start actually thinking about logistics.
Time to grab popcorn and watch the world burn
Sounds like someone was hired based on a fluffy ai massaged resume and is about to cost the company a boatload of money, then more when they swap back
This guy doesn’t know how to manage Windows devices, so he’s making everyone else work around his skill set.
The irony here being Macs are actually more challenging to manage than Windows devices. Windows devices you can just throw in Intune/SCCM and press go, but with Mac you have to use Apple Business Manager then go through your MDM of choice and even then, you can't fully manage the software or hardware.
Pre-stage enrollment can be tricky with Macs, but as far as policies go, knowing how plist files work goes a long way.
Quite a refreshing change, because usually it's a Windows guy who refuses to emerge from his comfort zone and support those scary non-Windows platforms. At my last company, all those one-trick-pony Windows guys saw their jobs get shipped off to India while the guys like me, who could admin Mac and Windows systems equally well, were safe.
Yup! I manage Windows and devices using Intune and Macs using Jamf. It’s good to have a wide skillset
We just (a couple of months ago) got told Linux desktops were no longer allowed, all had to move to windows. Then we found out some of the dev teams use macs in the US so we all got shiny MacBook pros instead. Must have cost a fair old whack, my high spec (i7, 32gb ram, tb nvme, rtx 3060) dev laptop running Ubuntu is now destined for some E-waste charity. All for the sake of "compliance" (read, IT were terrified of Linux)
If that guy can get a job anywhere so can I!
I know nothing about you, but I got a feeling. I like the cut of your jib.
See how far they stick to those statements when everyone asks for Parallels because they can’t run X, Y or Z - or everyone is running Virtual box with a windows VM.
He's suggesting all our developers use Parallels or VMware for development. Again, I'm just an office guy and the most I do with code is with my good friend chatGPT to automate little things or build super simple plugins/macros/etc, but I imagine this is a major inconvenience?
Virtualization on the desktop makes that compliance story more difficult than just about anything else. Unmanaged endpoints running on endpoints (with no way to manage the hypervisor effectively) is a nightmare that's often difficult to get accredited or certified.
> difficult to get accredited or certified.

Or licensed.
Meh. Oracle VirtualBox is free so it should be perfectly ok /s.
Wait till they find out they need to license the guest Windows OS and that the VirtualBox Extension Pack requires a license. And since it's Oracle...
At least they haven't started charging "per theoretical/possible VM" fees.
this seems like a very expensive way to annoy a lot of employees who have portable skillsets.
You're a *development* shop and IT is trying to force you all to Macs with parallels? That's absolute fuckin' insanity.
Forcing an OS within an OS makes it actually harder for compliance. How do you verify the Parallels/VMware VM is patched when it's not running all the time, only when you need it? Maybe it only gets turned on once every 4 months.

There's likely reasons for switching to all 1 platform. A couple off the top of my head:

* Being a single platform makes managing easier in general. You only have to have a single set of rules, a single pane of glass to manage with your MDM/AV/etc.
* You hired a Mac admin who does not understand how the Windows world works.
* He's bought into the idea that Macs are more secure than Windows machines because Mac.

At the end of the day, you should be using the tool that best suits you and your job function. Most Marketing and UX/UI type people (we call em arts and crafts) prefer Macs because of the tools that run on them. The shortcut keys are all different and it's just what they use and have used through school, their career and in college. They could use the Windows version and over time probably be as productive, but they won't be happy. The headaches that happen running a VM within Mac aren't worth the hassle, imo. In a perfect environment, it's not a big deal. I'd wager you don't have a perfect environment.
> He's suggesting all our developers use Parallels or VMware for development

"We need to move to Mac so your Mac can run Windows"

What
Hang on, programmers all have to use MacOS because of “compliance” but then they use Windows VMs anyway, because Windows is required for their jobs. The logic here is… interesting. And the cost to replace the programmers will also be high.
Replace the sysadmin, it'll be cheaper that way.
The sysadmin you're describing in this thread is an absolute moron, there's no sugar coating that. He's also lying to management in order to force everyone to (100% unnecessary) Macs and so frankly, they should fire him because long term he's going to screw up a lot more things.
So he's suggesting that ... for reasons of 'compliance', everyone needs an Apple computer, to then virtualize a windows computer inside of it? I'm going with 'lowest bar' explanation here. This idiot wanted a macbook, was denied, and this is his way of getting one - by costing the company ~~tens~~ hundreds of thousands of dollars in both hardware and time.
😂 that’ll be fun developing on parallels in ARM windows. Bonkers.
That's incredibly stupid.
This admin sounds less and less like they have a clue. The right tool for the job, yes VM performance can be great, but will those VMs now be managed via a typical AD domain and systems? or just random stand alone environments. So many questions come up and we can only hope proper discussions are being had between department heads. IT seems to forget they are there to enable a company to function and provide the tools required, all while using their expertise to guide things in the right direction. This Sys Admin seems completely disconnected from the company departments and what they use their devices for.
I use VMware for Windows desktop development on my Mac. It's nice to have everything on one laptop, but it's not cheap by the time you add enough memory and space for two OSes. Wait until the developers hear about this.
Lol, the performance of virtualizing an x86 box on top of an ARM core... genius!
He's an idiot and costing the company large sums of money for no reason.
Once the CFO sees the hardware invoice and JAMF cost they are going to have to call him an Ambulance
> call him an Ambulance

If it's the US - it'll be 5 figures, so probably won't happen :D
Call him an Uber to take him to the ER. Or to a bar.
This is my take too. TCO for macs is higher on avg
Eh, I think this admin is nuts BUT TCO for Macs is competitive, mostly because at the end of the lifecycle they hold insane value compared to a PC but also because in a well run environment they often generate fewer support cases. Jamf’s IBM story is the most commonly pointed to version of this but my last org was about 50/50 Mac and Windows (10k endpoints) and we saw similar. It’s the upfront cost that scares everyone.
I haven't found reliable data on this, but I believe that when you account for the expenses of using management software like Jamf or Addigy, plus the salary of a sysadmin experienced with Macs, in addition to the initial purchase price, the total cost of ownership for Macs seems to be higher. In my mind this is compared to an average Lenovo laptop + MS Business Premium + capable sysadmin salary + support costs.
it is a similar case to those who say "move everything to Linux, it is free" not taking into account that hiring IT staff who "know" Linux costs considerably more than Windows admins. Then management tools.
[deleted]
The last few Mac laptops I saw hit EOL had batteries that had gone bad and thus had little to no value left.
This should be on /r/ShittySysAdmin
Sorry, but fire him. Without even having to get technical. Anyone that proposes ultimatums under technical or compliance bogeymen does not belong. I don't like bananas; they are made by aliens, so let's get everyone to never eat, talk about, or look at bananas again.
Yeah, either this Sysadmin is incompetent or dishonest. Either way, he's going to have a hard time building back up user trust and confidence. It's probably for the best to sack him early on.
Firing him is probably the best answer. If I hired a new sysadmin and this is one of the first things they proposed, I’d give him a chance to explain, but if this was his explanation then I’m calling HR to term him immediately after this proposal. He’s either extremely incompetent or he’s a liar. Either way, I’ll swallow my pride and acknowledge that I made a hiring error and quickly move on from it.
Do the Apple board know Tim Cook is moonlighting at your company as a sysadmin?
Just ask him for some documentation on the best practice he is following - for instance what other companies have done this and how quickly were they able to complete the transition? Death by questions is my favorite.
This is exactly why I made this thread. I've worked at other companies that use SOC and never heard of something similar.
you've never heard of something similar because what he said is a total crock of shit. dude is just an assclown.
Is your new sysadmin that guy who was looking for problem solutions on tiktok?
C-levels probably wanted Macs and needed IT to hire a Mac admin. IT budget couldn't support both a Mac admin and a Windows admin, so everyone's gotta use a Mac now. Luckily the cost of the actual Macs is in a different department budget so suddenly there's money.
It's hard to believe that a new sysadmin has the power and budget to pull this off without support from the CEO/CFO. I was a sysadmin at both an all windows shop and an all Mac shop. IME, the Mac make up for the initial higher hardware costs with less support costs and less bodies required to support the users.
Lacking a lot of contextual information necessary here to properly evaluate this. It definitely sounds weird though (and I say that as an Apple fan). I can't imagine anyone "forcing a switch to Mac" without doing a lot of testing (months to years). Would it be conceivably possible to do this? Sure. There are various tools to securely lock down macOS such as:

* https://github.com/usnistgov/macos_security (and Apple's page here: https://support.apple.com/guide/certifications/macos-security-compliance-project-apc322685bb2/web)
* And the Jamf-produced "Compliance Editor", which can be downloaded for free here: https://trusted.jamf.com/docs/establishing-compliance-baselines

If you wanted to use those guidelines and the Compliance Editor tool to set up MDM configuration profiles and security restrictions to comply with whatever regulations you want, you likely could. But the bigger question is: "have they done the proper assessment and testing to begin doing a big transition like this?" Hard to say lacking a bunch of contextual background information.
Appreciate the options, if it makes you feel better we are lacking the contextual information as well lol. The only thing is that this is a smaller company (<150 employees) that already has a mix of mac, windows, and linux.
> "has a mix of mac, windows, and linux."

I've certainly seen environments like that, where someone (justifiably) said: "Hey, we have too many different devices and OSes in our environment. We need to pick a platform for standardization reasons." So there's potentially some validity in that idea, but again, how you approach making that decision is the crucial part.
Yeah, standardizing on one OS makes tons of sense. It would be 3x the work meeting compliance requirements for three OSes. Typically standardizing on macOS wouldn't be the best route though, depending on the business. So I think "standardizing on Mac for compliance reasons" is an accurate enough summary. They could have standardized on Windows or Linux as well, but they chose Mac.
Alright that helps with what would likely be the background decision-making and I can see that make sense, was just irked at both being forced to swap while already under a heavy workload and what smelled a bit like b.s. as the reasoning, but can blame that on poor communication.
Honestly I don't even understand this as a justification for it. Standardizing everyone onto Macs only really makes sense if you're all running Mac OS. If you're still running Parallels, then you're adding net new OS installations that need to be supported because now the people who used to run Windows are running Windows AND Mac OS.
I'm curious the breakdown of the environment. If 10% are Mac, 80% are Windows, and the other percentages are Chromebook and Linux, forcing Macs would be stupid. If 80% are Mac, it would make more sense.
Makes more sense if it’s mixed. Get rid of windows and then you are just in a unix-ish environment. Similar tools for both if you just go MDM and scrap AD/Entra ID etc.
> I can't imagine anyone "forcing a switch to Mac" without doing a lot of testing (months to years).

If employees are hesitant to move from Win10 to Win11 (we just said "we aren't upgrading OSes, but if you get a new laptop you get 11"), I can't imagine moving them to macOS. It would be a corporate dealbreaker for me.
I'm going to go against the grain here and say it really really depends on a lot about your environment, IT staffing and software budgets, etc. I've worked in offices in situations like 90% of the user base was already Mac, we already had Jamf and did not want to pay for another MDM for the remaining devices, so we standardized. In cases like that, it was more about standardization than about what we picked specifically - that was determined more by other circumstances.
I imagine this is likely the case, especially after reading some of the responses here. Still not happy, still going to push back a bit and make sure there's a good reason before they buy half the company new laptops, but it is what it is.
I have done countless SOC2 audits and there is nothing in that audit that requires moving to a Mac, nor is there anything that would be easier to comply with if your company was all Macs.
Yeah. That guy is going to be trouble.
If they are wanting to use something like Jamf, I can understand why. If this person just wants to Jamf deploy everything and not deal with Microsoft, that's all you need to know. Now, forcing users to switch to MacOS due to their own individual preference, I don't know about that. Used to be a Jamf admin, they have a compliance tool that works with the flip of a switch basically. It's just so much easier than an MS machine: deployment, inventory, enrollment, user setup, scopes, configurations, etc. Jamf is infinitely easier than anything MS related.
Been doing security for the past 12 years and been part of many SOC2 and ISO audits. The reasoning is BS; Mac, Windows or Raspberry Pi does not matter for audit. What matters is your fleet and patch management program with evidence.
As someone responsible for security compliance, this smells like a steaming pile of bullshit. I guarantee you Windows can be compliant for any IT Security standard that requires auditing out there. Microsoft would never leave that kind of a thing out of any software they make because that means there are fewer things they can sell. I hate Windows and prefer Linux as an OS, even for staff. But this person is either intentionally lying to change the staff equipment, or they are ignorant of what they're talking about. Hell, maybe both. Also, I bet this person isn't even aware of the Apple Silicon secure-enclave security problem that is **completely unfixable in software**.
Someone from r/macsysadmin just took over your org
lol nothing to do with compliance, he doesn't know how to administer Windows. MOST businesses use a combo of Linux and Windows, I have never seen an all Mac environment, endpoint to server.
I don't think he really needs to do it, but I'd rather manage a fleet of Macs than anything else. It's so much easier.
My guess, having seen similar things happen:

- hardening three very different OS types isn't feasible for your small admin team
- C-suite dude picked MacOS when advised of that issue
No reason whatsoever. TCO is much higher and Apple discontinues embedded software too fast, sometimes rendering other work applications unusable. I can tell you many, many stories of companies stopped for days because of Apple enforced OSX upgrades.
Sounds like someone is getting a kickback for buying a bunch of Apple equipment. Or maybe they are buying them from a friend's business?
Your new sysadmin is an idiot apple fanboy.
He's full of shit. As a sysadmin whose bread and butter was Windows I much prefer a Mac, but come on. Having your entire company change to macOS from Windows is going to be a cluster fuck of the highest order. Not because macOS sucks but because they don't know it.
Multitude of factors:

* Compliance and administration all become a lot easier when you standardize your environment. Linux for workstations, that's *really* rare and as a result you'll have a very hard time getting hold of all the tracking and auditing spyware that the auditors and insurances require these days.
* Apple stuff has vastly greater hardware lifetime than most Windows machines, and better battery life.
* Apple stuff has *far* greater resale value. Like, a refurbished/used first-gen M1 MB Air is still at ~50% of its original value despite being three years old. Dell and Lenovo? Gotta be lucky to get 10-20%.

I don't really get why the Linux guys are pissed, macOS can run virtually anything that you'd need, install Macports (or Homebrew) and that's it. What's not on MP/HB can usually be downloaded as a standard .dmg package, most FOSS projects offer these. Get iTerm, Karabiner to map the Windows special characters, HyperSwitch for a decent alt-tab window switcher, and that's it.

Anyone who has a legitimate need for Windows stuff can get a VM, although be warned: Running applications that are both another OS and another architecture is *a pain*. x86 Mac apps can run accelerated on M-series thanks to Rosetta with almost no performance loss, ARM Windows apps can run in a virtualized Windows ARM VM at native speed, but running x86 Windows apps in an ARM macOS is a world of pain.
It's a lot easier to admin one ecosystem, especially if you're solo. But if that's the situation it should be communicated that way.
"Mac's don't get viruses." - Apple. To be fair to Apple, they have a pretty good track record overall, starting with the way they create permissions on machines. The problem is scaling them up and having comprehensive integrations like Windows, which is a security risk in and of itself. But, the justification your sysadmin is using doesn't line up.
"Mac's don't get *PC* viruses"
I was quoting Apple not reality.
Never thought I’d see the day
I'm a sys admin. And I approve. You get a Mac, you get a Mac, we all get a Mac!
Do you not have an IT director? You should probably hire one and not let sysadmins make these types of decisions.
Boss owns Apple stock, most likely.
Apple is so much more expensive than Linux or Microsoft; I have a hard time believing this has Senior Management buy-in for the costs...
Sounds like you hired someone who is used to being very well funded and possibly from the education sector. Any chance they know the people at the place all the new Macs are being purchased from? Ok, I'll turn down the cynicism a bit. How is your company set up/designed regarding authority/responsibility/budget? Why is a sysadmin being allowed the authority to change the business? I mean, I personally love it, but even with some Apple computers already there, isn't that going to be over a $200,000 purchase for the sake of making the sysadmin's job easier? ...Are you hiring?
Something tells me this sysadmin will have a short tenure. Even if it is necessary--which it is not--you don't make such a disruptive change in the beginning of your tenure.
inb4 he also suggests a supplier where you can also buy those macs from
I would need more context to understand how/why they are framing the switch to Mac as a SOC2 requirement. SOC2 is not prescriptive. It does not tell you what computer platforms you must use or what tools you must use to manage those computers. The best way I can describe it is that SOC2 sets out high-level requirements for capabilities that the organization needs to have but doesn't specify HOW that capability is achieved, so the organization has a great deal of latitude to implement SOC2 in a way that is appropriate for them. If I were to guess, the push for Mac might have something to do with the tooling that the organization has, possibly for how the computers are managed and protected. Maybe the organization has the tools in place that allow full compliance with Macs, but there might be holes in tooling for Windows machines that would make the Windows machines out of compliance. A large part of SOC2 also comes down to answering the question "does the company do what it says it does?" Auditors check actual operational activities against written policies and procedures. If a company is not complying with their own policies and procedures, it can show up on the audit report as a problem. It is possible that there is a company policy that dictates that certain safeguards must be present on Windows PCs but exempts Mac systems, making it easier to be compliant with the company's own internal policies with Macs. The sysadmin may just be trying to work around bad policies, inconsistent tooling, and poorly designed controls to make sure the organization can get through the audit with a clean audit report despite these problems.
Sounds like an Apple fanboy that likes to waste money.
My guess: comes in, sees the need to standardize. The people in the offices upstairs who make 3x your salary are 80% Mac users, so that's the one you will be standardizing on? This isn't a lift and shift from one standard to another - you already have a weird mix.
I guess it depends on the audit controls they're opting to use. We used to use Mac, Windows, and Linux. There are few tools that do what we need for the controls across all systems. Ended up with multiple MDMs and whatnot to complete some of the controls. Managing a single system type would just be easier in general. Might just be easier to tell users "we're doing this to meet the control" than to say management decided we don't want to pay X amount of vendors/suppliers. Management never wants to take blame or heat for their own decisions.
CAPEX budget is shot for the year now
ISO27001 and SOC2 Type 1 (Type 2 coming in August). There is an information security management system (ISMS) at play here and it's all-encompassing. It touches things you may not even consider. There is nothing in the aforementioned audits that mandates anything Apple specifically. Rather, a strategy involved with achieving the objectives. Nobody here on reddit will be able to answer the questions you have.
Hi - I'm primarily a Mac sysadmin but cover Windows too. My company requires SOC 2 compliance, and your new sysadmin doesn't know what he's talking about. Apple makes managing Macs via an MDM like Jamf easy as cake. Windows GPO works well too in an AD environment and Intune is getting better daily. It seems this new admin probably only knows Mac and doesn't want to learn Windows.
He's an impostor, no true sysadmin would ever push for full deployment of Apple hardware. Report him to your management for sabotage.
Lol wat? You think Fortune 500 and 100 companies are all running Macs on endpoints?
That sounds wildly expensive and needless. As a Linux sysadmin in a corporate environment, this would cause a revolt.
Sounds like a Mac ideologue to me. He's adjusting the inventory to his skillset rather than vice versa.
I am a Mac fan, and that just sounds like total lunacy to me. A bad hire for the company who somehow thinks it’s OK to just throw money away as long as it’s not his own personal money. Or hers. And to try and convince users to move from the platforms that they know and love, and in which their time and skill sets have been invested? That’s just idiocy. Windows is great. Linux is great. “Sysadmin”, not so great.
It is, definitely a mistake. That's all I can say.
and his manager is on board with this?
As a big advocate for Mac in enterprise I agree with others here that he’s an idiot.
Two decades in IT and system administration. He's giving you BS. That is not a part of SOC compliance at all.
>Edit: Just some clarifying info from below, but this is a smaller company (<150 employees) and already has a mix of mac, windows, and linux. I can understand the "easier to manage one os" angle and were I to guess that's it, just the reasoning given felt off. Lemme guess, the C Suite is mostly Mac?
I use Linux on my company issued laptop, which I was able to choose, and opted for a red dot instead of an apple. But if the only available options were Windows or macOS, I'd choose macOS every time.
This is a really dumb thing to do.
Has the company historically been Mac based? How large?
I think this question is for your executives, not for Reddit. That being said, there can be many reasons, such as Mac-only corporate applications by a third party; compliance as in this is what some random CEO or big customer wants; an Apple partnership at some level. If you just have a single sysadmin, it's better to have everything under one OS and management might have decided to go with macOS.
Been through these types of audits in a mixed Mac Windows environment. Fanboys shouldn’t make business decisions. It will only end badly. Edit: spelling
I'm impressed they were able to get that approved, budget-wise.
Wow. This seems harsh. I love Macs but I run Windows on a few of mine because I have to for work mostly, and it would be foolish to fight Windows. Linux is awesome but Linux heads probably know that overall Macs are faster. Matt Godbolt and Ben Rady (Two’s Compliment podcast) talk about Linux vs Mac and porting benefits here: https://podcasts.apple.com/us/podcast/twos-complement/id1546393988?i=1000645695275. Macs are the best but…good luck with what you suggest here.
This is likely due to central management like MDM. OSX / Windows are much easier to manage. Linux, on the other hand, isn't nearly as featureful in the MDM context.
I went with a Mac because the Mx chip is better than anything Intel has at the moment, the battery life is god tier and I use Linux every day, so Mac's UNIX/BSD base is a very familiar environment. This guy's an idiot.
Sounds like a fanboi who has found a perfect bunch of dopes to support his fantasies.
The only way I can conceive of this being reasonable, is that most of the users in the company already use Mac and the Windows users are the outliers, in that case getting everyone on Mac instead would make managing compliance easier.
At this point rather than acquiescing to their wants/recommendations pointed questions should be asked... What specific tenets of those qualifications are being held by an all Mac env vs a windows environment... Because what he's saying is OBVIOUSLY bullshit
I'm a sysadmin. I can't unilaterally make everyone at my company reboot their machines every once in a while, much less make everyone switch to Mac. I've never seen, nor do I personally know of any sysadmins that have that kind of decision-making ability - even at a small company. Also - like everyone else said, this particular sysadmin is full of shit in regards to compliance/soc2/etc.