Boulder Heavy Industries (BHI) is a collective of marketing startups that work together to provide a variety of creative, strategic, and analytic services to their clients.
John Masson, the vice president of technology operations, and Mitch Anderson, the director of systems engineering, had long been considering ways to extend their Active Directory® instance to non-Windows® resources and remote users. They were forced to expedite their timeline when their organization shifted to remote work in response to the COVID-19 pandemic.
- Organization: Boulder Heavy Industries
- Location: Boulder, Colorado, with remote employees
- Problem: Needed to extend Active Directory identities & secure remote users
- Goal: Implement a comprehensive cloud AD identity bridge, including macOS® management
Background
BHI’s IT team wanted a comprehensive solution to extend their AD instance, manage macOS machines, and enable remote users, and they hoped it would not only replace the collection of vendors they managed but also improve functionality.
BHI has a traditional AD implementation, including a primary domain controller and on-premises virtual machines with segmented roles. The organization is an Office 365™ and AWS® shop, and it ties a number of business applications to AD, including Jenkins, Tableau, and logging and monitoring applications.
The team’s Office 365 subscription comes with Azure® Active Directory capabilities, and they used Apple Profile Manager and Meraki to handle their macOS machines. None of those solutions was comprehensive, however, and they wanted a solution that would better accommodate the different needs and models of each organization under the BHI umbrella.
“We wanted user and system management from a central location, rather than relying on either individual businesses to manage it themselves or running around hair-on-fire all the time trying to service all these different units,” Masson said.
Challenges: Remote Users & COVID
Masson, Anderson, and the team briefly considered Azure AD because they technically already had a user directory in the cloud with it. However, it didn’t provide system management beyond Windows, and it wasn’t extensible enough to integrate with their other tools. They’d previously used Okta, but it similarly did not offer the system management capabilities they needed. With a fleet of Windows and macOS machines, they needed a vendor-agnostic tool that would let them configure and manage their machines.
BHI’s IT team also wanted to resolve the issue of AD user password changes, particularly for remote users. They had a small remote group before the whole organization moved to a work-from-home model, and they’d advised those users to log into the VPN for a period of time at least every two weeks in order to sync passwords with AD. However, the VPN was often slow, and password changes were particularly troublesome for macOS users.
“Every other password change on a Mac just completely nukes everything for the user,” Masson said.
COVID-19 deepened their challenges, and they knew they needed to implement a solution quickly.
“When COVID hit, we were, from a user and account management standpoint, not ready for it,” Anderson said. “That really moved us forward to accommodate this strange occurrence where everyone’s now remote. They’re not connecting to the VPN reliably, and any time there’s a password issue it’s a nightmare and a half to get them back online.”
The Solution: JumpCloud’s Active Directory Integration
BHI’s IT team had JumpCloud Directory Platform on their radar for at least a year, and they began testing amid their work-from-home transition. JumpCloud can serve either as a full-suite cloud directory service or as a comprehensive AD identity bridge, and they began to roll it out as an identity bridge within about 10 days of testing.
JumpCloud’s Active Directory Integration feature allowed them to establish a comprehensive access control and system management platform in the cloud, implement a bi-directional sync between JumpCloud and AD, and institute self-service password resets for users, all while keeping AD in place.
“If it’s not broken, don’t fix it,” Anderson said of their AD instance. “JumpCloud is perfect for that because we get the best of both worlds.”
The team was able to use JumpCloud utilities to convert AD-managed Mac and Windows accounts into JumpCloud-managed accounts, which they could oversee from the cloud. Now those users can change their passwords directly on their machines, and those changes are written back to AD via JumpCloud without a VPN.
“I can only imagine troubleshooting some of the issues we face outside of the office, and thankfully we didn’t get to that point,” Masson said. “If we’d waited another 30 days, we would have started to have an innumerable amount of weird issues that would have taken up all of our help desk tech’s time.
“These issues come when systems don’t see a domain controller, and it’s typically the 60-day mark when trust relationships are lost and that sort of thing.”
The organization has since onboarded new users, and JumpCloud was instrumental in getting them up and running remotely. Masson and Anderson envision JumpCloud further streamlining the onboarding process and reducing the number of add-on tools they need to manage.
“When we have to onboard a run-of-the-mill user, we have to touch five or six different tools,” Anderson said. “For some of our more creative types, it’s like seven or eight tools. With JumpCloud, we’ll eventually be able to get that down to one.”
They’ve also been trying to reduce remote users’ dependence on the VPN and to move as many resources as possible out from behind the firewall, and the Active Directory Integration implementation has assisted in that process.
“JumpCloud is really empowering us to let our people work from anywhere.”
Mitch Anderson
Implementation: Single Source of Truth
In rolling out JumpCloud, the BHI team has central management of their systems, including macOS and Windows machines. JumpCloud can take over local accounts on machines, and the team can then revert users from administrators to standard users. They’ve also been able to build new tools and workflows.
Anderson has built an API-based integration with Slack to create a “permission elevator.” Users can type a message in Slack, which triggers a Lambda command that temporarily elevates them to an admin and allows them to take actions like installing an application. They are automatically dropped back down to standard users after 15 minutes.
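A time-boxed elevation flow of the kind described above, as an added illustration that is not BHI’s or JumpCloud’s code: it verifies the Slack request signature (Slack’s documented v0 HMAC-SHA256 scheme) before acting, grants admin through a stand-in directory client (`FakeDirectory`, a constructed placeholder for the real API), and reverts the grant once the 15-minute window has elapsed without letting repeated requests extend it.

```python
"""Time-boxed "permission elevator": Slack request -> verify -> grant admin,
then revert after a fixed window. The directory client below is a stand-in."""
import hashlib, hmac, time
from dataclasses import dataclass, field

ELEVATION_SECONDS = 15 * 60   # the 15-minute window from the case study
MAX_SKEW_SECONDS = 5 * 60     # reject stale or replayed Slack requests

def sign_slack_request(signing_secret: str, timestamp: str, body: str) -> str:
    """Slack's v0 request signing: HMAC-SHA256 over 'v0:<timestamp>:<body>'."""
    base = f"v0:{timestamp}:{body}".encode()
    return "v0=" + hmac.new(signing_secret.encode(), base, hashlib.sha256).hexdigest()

def verify_slack_request(signing_secret, timestamp, body, signature, now) -> bool:
    """Accept only a fresh request whose signature matches (constant-time compare)."""
    if abs(now - int(timestamp)) > MAX_SKEW_SECONDS:
        return False
    expected = sign_slack_request(signing_secret, timestamp, body)
    return hmac.compare_digest(expected, signature)

@dataclass
class FakeDirectory:
    """Constructed stand-in for the directory API; not JumpCloud's real SDK."""
    admins: set = field(default_factory=set)
    audit: list = field(default_factory=list)
    def set_admin(self, user: str, system: str, enabled: bool) -> None:
        if enabled:
            self.admins.add((user, system))
        else:
            self.admins.discard((user, system))
        self.audit.append((user, system, enabled))   # every change is logged

class Elevator:
    def __init__(self, directory, now=time.time):
        self.directory, self.now, self.expiries = directory, now, {}
    def request(self, user: str, system: str) -> float:
        """Grant admin and record the revert deadline; re-requests do not extend it."""
        key = (user, system)
        if key not in self.expiries:
            self.directory.set_admin(user, system, True)
            self.expiries[key] = self.now() + ELEVATION_SECONDS
        return self.expiries[key]
    def sweep(self) -> int:
        """Revert every elevation whose window has passed; run on a schedule."""
        due = [k for k, deadline in self.expiries.items() if self.now() >= deadline]
        for user, system in due:
            self.directory.set_admin(user, system, False)
            del self.expiries[(user, system)]
        return len(due)
```

In a Lambda deployment, `verify_slack_request` runs on the incoming webhook and `sweep` runs from a scheduled trigger, so a revert still happens if the original invocation died.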
JumpCloud’s thorough API documentation, example code, and SDKs helped him familiarize himself with the API and build the tool much more quickly than he would’ve been able to otherwise.
“I can have this tool done in four hours, not 14 days,” he said, adding that he’s excited to have the chance to build other tools without sacrificing the up-front functionality in the meantime. “It’s really helpful for us because we can leverage what JumpCloud can already do, and we can build things that we need on top of what JumpCloud can do.”
They’ve also begun to manage full-disk encryption via JumpCloud’s Policies, and they plan to roll out more. JumpCloud allows admins to toggle on both FileVault 2 and BitLocker and escrow the recovery keys.
“Being able to manage FileVault remotely and having that key escrowed is a huge win,” Anderson said.
The IT team also plans to roll out multi-factor authentication (MFA) more broadly across their access points, enable web application single sign-on (SSO), and make JumpCloud their Office 365 identity provider. Their ultimate goal is to have JumpCloud as the authoritative source of truth across their environment.
“The goal is to continue to transfer as much functionality as we can to the JumpCloud side, away from Profile Manager and away from GPOs,” Masson said. “We’d like a single source of truth, fewer systems to manage, fewer things to break in between.”
The Result: ‘Don’t Wait’
By implementing JumpCloud, BHI’s IT team was able to quickly transition their operations to a work-from-home model and keep their users safe without sacrificing organizational security, as well as position themselves well for the future.
“We really want to continue fostering the work-from-home mentality and flexibility, but we also don’t want to compromise security and visibility, because that’s just as important in protecting the organization,” Masson said.
His advice for other organizations considering JumpCloud? “Don’t wait.”
Learn More
JumpCloud’s Active Directory Integration can help you eliminate other third-party identity and access management (IAM) services and federate core AD identities to virtually all resources, including systems, applications, files, and networks.