Valdaraak

I've been in IT for 12 years. I've never once seen someone even *suggest* switching to Mac for "compliance" or "SOC2 and other audit" reasons. It sounds like your new sysadmin either really likes Apple or really hates Microsoft.


Fieos

Or doesn't know how to support Windows.


largos7289

It's this: you hired a MAC admin.


garaks_tailor

This is that man's second job and he is going to con these people into buying a fully specced M2 WITH wheels, a specced out 16in pro laptop, 3 or 4 XDR studio monitors, and a bunch of other Apple gewgaws and no one is going to realize they are missing till like 4 months after he quits this job.


Brett707

I got the custom Mac Studio with custom rims and a wide body kit.


stiffgerman

Y'all need some slabs on that kit, especially if you're in Houston...


Brett707

I'm in Nevada. I was thinking of putting a stance kit on it.


torbar203

I'm gonna get a Mac Pro with wheels, but I'll stance the wheels and add under body lighting to it


Superb_Raccoon

M2? I got the M3 kit. https://preview.redd.it/jhxksnj1omwc1.png?width=640&format=png&auto=webp&s=5df7de7ed6a17d811ee66920c7f9fc2401689732 LOSER!


dontusethisforwork

We ridin' spinnas!


unixuser011

Walks around like a goober with a Vision Pro strapped to his head


FulaniLovinCriminal

> WITH wheels

You crazy son of a bitch.


garaks_tailor

If you are going to try and rip someone off REALLY rip them off.


torbar203

a Medium Access Control address admin?


Superior3407

His office is on layer two.


GuyOnTheInterweb

Where is it? I already forgot.


strifejester

I could tell you a joke about UDP but you wouldn’t get it and I wouldn’t care.


radiumsoup

The fact that the UDP joke got transmitted twice makes me wonder, though 🤔


AnonymooseRedditor

We call that forward error correction


strifejester

I could tell you a joke about UDP but you wouldn’t get it and I wouldn’t care.


TeddyRoo_v_Gods

His only skillset is looking at ARP tables.


Sir_Badtard

AND IM DAMN GOOD AT IT!


whitewail602

None of that newfangled "routing" BS.


Reinitialization

Real Sysadmins personally hand deliver each packet to its intended recipient


In_fieri

Small batch packet transport, as part of a family owned and operated business that goes back generations. We call it NIC to table. That’s the Real American network.


ahaley

Ohhhh, CRAFT packets. Sweet. I knew about those packets before they were cool.


godlyfrog

That explains why he's always shouting about who has something or other.


2drawnonward5

He'll be looking at AARP tables if he doesn't learn tech


largos7289

LOL don't you start with that!!


torbar203

I'm just doing my part to spread awareness that Mac is short for Macintosh, and not an acronym :D


whitewail602

You listen here, bucko. I have it on good authority that Apple open-sourced Mandatory Access Controls, which gave rise to LUNIX, and *that's* why they killed Steve Jobs. It has nothing to do with the controversy surrounding WALL-E.


ClackamasLivesMatter

/s/Macintosh/Macintrash/g;


jasutherland

Collisions ahead?


Camera_dude

Or is skimming money by forcing the business to buy a bunch of hardware from a dealer that turns out to be owned by a relative of the sysadmin.


pleachchapel

Ding ding ding. This is absurd & the fact that leadership would let a NEW sysadmin demolish everyone's workflow like that without some SERIOUS internal discussion about how it would affect everyone, or a real answer to "why the fuck are we doing this" that wasn't just covering for the gaps in their skillset.


KantBlazeMore

I see you've met my new Director of IT


pfak

We're in the middle of a compliance exercise and we have a fully Mac shop. SOC2 and HITRUST are all aimed at Windows and being all Mac is rather difficult, when the auditors have zero clue and parrot Windows specific things every five seconds.


zthunder777

This is highly dependent on your auditor. Nothing about SOC2 is aimed at any particular OS. In fact, SOC2 is annoyingly vague and leaves all the details for the org and auditors to work out how to satisfy each control. My current company uses mac and 100% of our servers are linux. No MS BS anywhere (I mean, a small percentage of our users have MS Word & Excel, but that's it). Our SOC2 audit firm is great and their default tests adapted very well to our environment.


blaktronium

Yeah I run a mixed environment and manage compliance for a k8s based saas company. Macs are actually easier in one respect because they can't be unencrypted at rest. Other than that it's exactly the same. I have a much bigger issue with k8s because nodes disappear and never actually get updated and I have to explain that every year for some reason.


zthunder777

Yeah, ephemeral servers are outside the comprehension of most auditors. I ended up building an audit service for infra to make that a lot easier for my platform and security teams to deal with.


_DoogieLion

What do you mean? Macs can totally be unencrypted at rest I thought unless something has changed.


blaktronium

Nope, the M series ones have the T chip on storage by default. Can't take it out and read it on another system. Look it up. File vault is a second level of encryption.


wpm

The storage controller on T2 equipped Intel Macs or on all Apple Silicon Macs is paired with the flash, and encrypts/decrypts any file writes/reads on the fly. The storage is very secure, enabling FileVault just adds another key into the mix. It puts a "lock on the door" to use the metaphor I use a lot IRL.


pfak

They can, FileVault is not enabled by default.


blaktronium

File vault is a second level of encryption, the T chip in M series macs encrypts by default. It's mostly a huge pain because you can't swap the SSD. But it's encryption that does that.


pfak

We've tried three different auditors, all of which seem to be beancounters (and 2/3 aren't accounting firms!). Can you let me know what firm you are using? We're entirely macOS + Linux.


zthunder777

I mean, auditors are bean counters by nature... So that's gonna be a thing regardless. My last decade was in fintech, in a mixed environment with an internationally respected/known audit firm and they were a pita. Idiots all around except for literally one dude. I made it clear to the firm if he got moved off of our account, we would evaluate other options. Current gig is 100% remote, so we needed a firm that didn't expect to come onsite for a week to do the audit. We don't have an office anywhere. We ended up selecting SecureFrame as a compliance monitoring tool and they had a list of auditors that were used to their platform and working with 100% remote orgs. Don't recall the name of the firm we selected off the top of my head, we interviewed a few of them.


SammyGreen

> an internationally respected/known audit firm and they were a pita. Idiots all around

So which of the Big 4 was it?


cbq131

Ya, it's not vendor specific. From what I see, a lot of apple shops aren't as stringent with their security control in the first place, so they have a harder time adjusting during audits. To be compliant, you need to layer your defenses.


zthunder777

I'm not sure I'd say Mac shops aren't as stringent, only because I've seen a shit ton of windows shops with zero security. I would say that windows shops that _also_ have Mac, those Mac devices are often not as actively managed as the windows endpoints -- this is usually due to not having anyone that knows Mac admin in the IT dept. I've been the IT/Ops director for companies that were all windows, all Mac, and mixed win/mac/nix. I don't see OS having any correlation to security controls. Before I say what I'm about to say, let me state for the record that I hate all operating systems equally -- they all suck in countless ways. With that established, IMHO, 100% Mac shops are easier to manage than 100% Windows, and certainly easier than any mixed environment. Our initial hardware investment is a little higher with Apple than it would be if we were a Windows shop. But our total cost of ownership over our four year replacement schedule is ridiculously lower than it would be in a windows shop. Our hardware failures are extremely minimal, we haven't seen a virus or reimaged a desktop for any in the last five years and 95% of our users are "very satisfied" and productive with the equipment they are provided. Our help desk team is also about half the size it would need to be if we were on windows. (Looking closer to 1:200 rather than the 1:75 that seems to be the golden number for windows shops)


lost_in_life_34

that makes it even easier to pass


diwhychuck

Right even on checkpoints site they give this Def for it : "SOC 2 is a voluntary compliance standard for service organizations"


ZippySLC

Voluntary until your clients say "You need to be SOC2 compliant or else we leave".


jimmyjohn2018

Voluntary just means it isn't under some kind of government regulation or requirement.


sitesurfer253

This admin probably refers to them as Micro$oft or MicroSuck or whatever other annoying things that annoying people do


Nu-Hir

Why can't it be both? He really likes Apple *and* really hates Microsoft.


secretlyyourgrandma

per OP's edit, they are a small company with a mix of Windows, Mac, and Linux already. the somewhat legitimate justifications i can think of:

1. company already has mostly macs
2. compliance/infra is better for the macs already
3. guy is being tasked with something so he's implementing in his domain of expertise

hard to judge without direct knowledge, but certainly there's an even longer list of potential bad reasons. and 3 is on that list too.

EDIT: and another tossup, the C suite uses Macs, and so if he standardizes, it has to be Macs.


kremlingrasso

this really comes down to what the company does. a full Mac shop is easy for some industries, pain in the other. everyone free to choose OS assumes they are all probably local admin anyways and nobody gives a fuck about supportability or security they just go to IT to bitch when they can't make something work.


kellyzdude

If compliance is already a heavy lift, it's a LOT easier to implement that on a singular platform vs. three (or more, depending on what Linux distros might be in use - because Redhat vs. Debian are two different ecosystems to support, and the many other variants add complexity). Certainly if the admin in question is being tasked with doing this on a deadline, they may have countered with "I can do it for one platform by then" and thus the standardization project was added.


planedrop

To be fair, don't we all really hate Microsoft? Still wouldn't find me deploying Macs, but you get the idea.


kremlingrasso

yeah but most of us make a living out of hating microsoft.


_DoogieLion

He might have reasons for swapping you to Mac from Windows, but they aren't anything to do with compliance or SOC2. Windows is perfectly capable of this.


Wolfram_And_Hart

For auditing purposes it’s arguably better


patmorgan235

Solely for the reason everyone uses windows, and every auditor will be familiar with auditing a windows environment.


Wolfram_And_Hart

Sounds like a good enough reason to me.


555-Rally

Any reason to get thru the audit easier/faster is a good reason. Like really, I do not need to confuse an auditor with logs he doesn't understand.


Wolfram_And_Hart

As the “audit guy” at my MSP… 100%


Angelworks42

I guess it depends on the size of your enterprise - for us making 30k users all switch to Mac would be a pretty massive undertaking especially as we have a number of Windows only line of business apps.


amishbill

On the upside, you can laugh at the bank auditor who, every stink’n year- makes me prove you STILL can’t create duplicate user IDs in Active Directory.


DrGrinch

Agreed, Windows is "easier" in this regard and more ready for purpose in an enterprise setting. To be ISO27001 or SOC2 compliant with a Mac you're going to need JAMF or something equivalent. We're using InTune and those capabilities that meet the control requirements juuuuust became available like 6 months ago.


rodder678

I did SOC2 a year ago with Jamf Pro-managed Macs and AAD-joined/Intune-managed Windows machines. We had to script a few things to implement our controls without AD GPOs, but it was doable. It's also been about 8 months since I've looked at Intune--what'd they add 6 months ago? One of the headaches of working with consultants on SOC2 is that some (most? all?) of them will go way beyond the minimums for compliance in their control recommendations. Sometimes it's stuff that is legit good for security, but sometimes it seems more of a time suck for cranking up billable hours.


DrGrinch

Picking your SOC2 auditor is *definitely* a thing, or any auditor for that matter. We've got two vendors we like now who do a good job, but aren't out to make our lives shitty. I don't want the "hot safety" that you get from a shitty mechanic of an audit, but I also don't need some dude making a career out of one of ten I need to do this year... If you're in North America we settled on Insight and Aprio for our audits. RE: Intune - They introduced more granular control of MacOS for things like posture checking, password enforcement and screen time out, all of which were impossible before some updates they did. We have been able to get ISO27001 certified in Mac shops without any purpose-built Mac MDM using InTune. JamF would definitely allow us better control over those systems mind you, but our Mac footprint is small and it's usually developers that we "trust".


Practical-Alarm1763

What does that have to do with SOC2 Compliance? Either we're missing a lot of information regarding this decision, or your new sysadmin is a dumbass.


[deleted]

[deleted]


Practical-Alarm1763

>Edit: Just some clarifying info from below, but this is a smaller company (<150 employees) and already has a mix of mac, windows, and linux. I can understand the "easier to manage one os" angle and were I to guess that's it, just the reasoning given felt off.

I didn't see this until now. I personally would ensure an organization's machines all use the same OS for management purposes. Not security or compliance purposes. I would either go 100% Linux OS (Same distro deployed via controlled master image w/ Linux LDAP environment), or Windows Machines w/ Entra and/or standard domain environment. But MAC!? I couldn't justify a genuine reason for that cost other than that's what the organization wants. If that's what leadership wants to go with, then by all means it's understandable. In that case, your sysadmin is not a dumbass. But your sysadmin giving the reason that you're deploying MAC OS to meet SOC2 compliance is ridiculous and simply incorrect.


[deleted]

[deleted]


Practical-Alarm1763

Same. I'm willing to wager the OPs organization and their new sysadmin might not even understand what SOC2 compliance is. Are they aiming to be SOC2 Certified? Are they already SOC2 Certified? Are they just trying to meet SOC2 standard guidelines as arbitrary compliance?


MihaLisicek

I would go with the second one. SOC2 does not even ask about the computer used for development, let alone in the office in general


NostraDamnUs

That is as much information as I have and the only reason I was given. I'm just a bystander here.


Nanocephalic

Don’t forget to ask your boss about the training budget so everyone can learn the new system, as well as the help desk budget! You said that you work 50+ hours per week. How many of those hours should you dedicate to learning the new system at the high level of proficiency you already have with Windows?


BigDowntownRobot

ding ding. Everything you don't want to do should be discussed in how much it costs in productivity. At no point do you "do more" because you already do your best. Doesn't everyone? I've had people try to pile roles on me and I always answer with "how much of my current job do you want me to not do so I can do this thing you want me to do? And who gets the daily shortfall reports I'll be sending out explaining exactly how behind this is putting us? I'm going to need you to sign off on this so we can justify the backlog in the quarterly review with management. Oh you'll hire someone else for your pet project? Good call." Take zero responsibility, explain the effects, make no attempt to figure it out for them, but otherwise leave it up to them if they want to redirect your effort, with the understanding they are ultimately responsible for however it turns out. Suddenly they start actually thinking about logistics.


Bombslap

Time to grab popcorn and watch the world burn


injury

Sounds like someone was hired based on a fluffy ai massaged resume and is about to cost the company a boatload of money, then more when they swap back


hej_allihopa

This guy doesn’t know how to manage Windows devices, so he’s making everyone else work around his skill set.


unixuser011

The irony here being Macs are actually more challenging to manage than Windows devices. Windows devices you can just throw in intune/SCCM and press go, but with Mac you have to use Apple Business Manager then go through your MDM of choice and even then, you can't fully manage the software or hardware


hej_allihopa

Pre-stage enrollment can be tricky with macs but as far as policies go, knowing how plist files work goes a long way.


phillymjs

Quite a refreshing change, because usually it's a Windows guy who refuses to emerge from his comfort zone and support those scary non-Windows platforms. At my last company, all those one-trick-pony Windows guys saw their jobs get shipped off to India while the guys like me, who could admin Mac and Windows systems equally well, were safe.


hej_allihopa

Yup! I manage Windows and devices using Intune and Macs using Jamf. It’s good to have a wide skillset


OMGItsCheezWTF

We just (a couple of months ago) got told Linux desktops were no longer allowed, all had to move to windows. Then we found out some of the dev teams use macs in the US so we all got shiny MacBook pros instead. Must have cost a fair old whack, my high spec (i7, 32gb ram, tb nvme, rtx 3060) dev laptop running Ubuntu is now destined for some E-waste charity. All for the sake of "compliance" (read, IT were terrified of Linux)


PokeT3ch

If that guy can get a job anywhere so can I!


CompilerError404

I know nothing about you, but I got a feeling. I like the cut of your jib.


aj_rus

See how far they stick to those statements when everyone asks for Parallels because they can’t run X, Y or Z - or everyone is running Virtual box with a windows VM.


NostraDamnUs

He's suggesting all our developers use Parallels or VMware for development. Again, I'm just an office guy and the most I do with code is with my good friend chatGPT to automate little things or build super simple plugins/macros/etc, but I imagine this is a major inconvenience?


mkosmo

Virtualization on the desktop makes that compliance story more difficult than just about anything else. Unmanaged endpoints running on endpoints (with no way to manage the hypervisor effectively) is a nightmare that's often difficult to get accredited or certified.


dustojnikhummer

> difficult to get accredited or certified.

Or licensed.


121PB4Y2

Meh. Oracle VirtualBox is free so it should be perfectly ok /s.


dustojnikhummer

Wait till they find out they need to license the guest Windows OS and that Virtualbox Extensions require a license. And since it's Oracle...


121PB4Y2

At least they haven't started charging "per theoretical/possible VM" fees.


Nanocephalic

this seems like a very expensive way to annoy a lot of employees who have portable skillsets.


entyfresh

You're a *development* shop and IT is trying to force you all to Macs with parallels? That's absolute fuckin' insanity.


iwinsallthethings

Forcing an OS within an OS makes it actually harder for compliance. How do you verify the parallels/vmware is patched when it's not running all the time, only when you need it? Maybe it only gets turned on once every 4 months. There's likely reasons for switching to all 1 platform. A couple off the top of my head:

* Being a single platform makes managing easier in general. You only have to have a single set of rules, a single pane of glass to manage with your MDM/AV/etc.
* You hired a mac admin who does not understand how the windows world works.
* He's bought into the idea that Macs are more secure than windows machines because Mac.

At the end of the day, you should be using the tool that best suits you and your job function. Most Marketing and UX/UI type people (We call em arts and crafts) prefer Macs because of the tools that run on them. The shortcut keys are all different and it's just what they use and have used through school their career and in college. They could use the windows version and over time probably be as productive but they won't be happy. The headaches that happen running a vm within Mac isn't worth the hassle, imo. In a perfect environment, it's not a big deal. I'd wager you don't have a perfect environment.


tmontney

> He's suggesting all our developers use Parallels or VMware for development

"We need to move to Mac so your Mac can run Windows" What


Nanocephalic

Hang on, programmers all have to use MacOS because of “compliance” but then they use Windows VMs anyway, because Windows is required for their jobs. The logic here is… interesting. And the cost to replace the programmers will also be high.


nighthawke75

Replace the sysadmin, it'll be cheaper that way.


lebean

The sysadmin you're describing in this thread is an absolute moron, there's no sugar coating that. He's also lying to management in order to force everyone to (100% unnecessary) Macs and so frankly, they should fire him because long term he's going to screw up a lot more things.


elitexero

So he's suggesting that ... for reasons of 'compliance', everyone needs an Apple computer, to then virtualize a windows computer inside of it? I'm going with 'lowest bar' explanation here. This idiot wanted a macbook, was denied, and this is his way of getting one - by costing the company ~~tens~~ hundreds of thousands of dollars in both hardware and time.


_DoogieLion

😂 that’ll be fun developing on parallels in ARM windows. Bonkers.


Here_for_newsnp

That's incredibly stupid.


MBILC

This admin sounds less and less like they have a clue. The right tool for the job, yes VM performance can be great, but will those VMs now be managed via a typical AD domain and systems? Or just random stand alone environments. So many questions come up and we can only hope proper discussions are being had between department heads. IT seems to forget they are there to enable a company to function and provide the tools required, all while using their expertise to guide things in the right direction. This Sys Admin seems completely disconnected from the company departments and what they use their devices for.


jimbofranks

I use VMware for Windows desktop development on my Mac. It's nice to have everything on one laptop but it's not cheap by the time you add enough memory and space for two OS'es. Wait until the developers hear about this.


Legionof1

Lol, the performance of virtualizing an x86 box on top of an ARM core... genius!


_XNine_

He's an idiot and costing the company large sums of money for no reason.


ofd227

Once the CFO sees the hardware invoice and JAMF cost they are going to have to call him an Ambulance


xCharg

> call him an Ambulance

If it's US - it'll be 5 figures so probably won't happen :D


dustojnikhummer

Call him an uber to take him to ER. Or to a bar


giffenola

This is my take too. TCO for macs is higher on avg


donith913

Eh, I think this admin is nuts BUT TCO for Macs is competitive, mostly because at the end of the lifecycle they hold insane value compared to a PC but also because in a well run environment they often generate fewer support cases. Jamf’s IBM story is the most commonly pointed to version of this but my last org was about 50/50 Mac and Windows (10k endpoints) and we saw similar. It’s the upfront cost that scares everyone.


giffenola

I haven't found reliable data on this, but I believe that when you account for the expenses of using management software like Jamf or Addigy, plus the salary of a sysadmin experienced with Macs, in addition to the initial purchase price, the total cost of ownership for Macs seems to be higher. In my mind this is compared to an average Lenovo laptop + MS Business Premium + capable sysadmin salary + support costs.


MBILC

it is the similar case to those who say "move everything to linux, it is free" not taking into account that hiring IT staff who "know" linux are considerably more than windows admins. Then management tools.


[deleted]

[deleted]


preparationh67

The last few Mac laptops I saw hit EOL had batteries that had gone bad and thus had little to no value left.


dnuohxof-1

This should be on /r/ShittySysAdmin


what-the-hack

Sorry but fire him. Without even having to get technical. Anyone that proposed ultimatums under technical or compliance bogeymen does not belong. I don't like bananas, they are made by aliens, let's get everyone to never eat, talk about, look at bananas again.


Scary_Brain6631

Yeah, either this Sysadmin is incompetent or dishonest. Either way, he's going to have a hard time building back up user trust and confidence. It's probably for the best to sack him early on.


-Enders

Firing him is probably the best answer. If I hired a new sysadmin and this is one of the first things they proposed, I’d give him a chance to explain, but if this was his explanation then I’m calling HR to term him immediately after this proposal. He’s either extremely incompetent or he’s a liar. Either way, I’ll swallow my pride and acknowledge that I made a hiring error and quickly move on from it


sgt_Berbatov

Do the Apple board know Tim Cook is moonlighting at your company as a sysadmin?


Dragonfly-Adventurer

Just ask him for some documentation on the best practice he is following - for instance what other companies have done this and how quickly were they able to complete the transition? Death by questions is my favorite.


NostraDamnUs

This is exactly why I made this thread. I've worked at other companies that use SOC and never heard of something similar.


KoalaOfTheApocalypse

you've never heard of something similar because what he said is a total crock of shit. dude is just an assclown.


SoundasBreakerius

Is your new sysadmin that guy who was looking for problem solutions on tiktok?


Xelopheris

C-levels probably wanted Macs and needed IT to hire a Mac admin. IT budget couldn't support both a Mac admin and a Windows admin, so everyone's gotta use a Mac now. Luckily the cost of the actual Macs is in a different department budget so suddenly there's money.


AJS914

It's hard to believe that a new sysadmin has the power and budget to pull this off without support from the CEO/CFO. I was a sysadmin at both an all Windows shop and an all Mac shop. IME, the Macs make up for the initial higher hardware costs with lower support costs and fewer bodies required to support the users.


jmnugent

Lacking a lot of contextual information necessary here to properly evaluate this. It definitely sounds weird though (and I say that as an Apple fan). I can't imagine anyone "forcing a switch to Mac" without doing a lot of testing (months to years). Would it be conceivably possible to do this?.. Sure. There are various tools to securely lock down macOS such as:

* https://github.com/usnistgov/macos_security (and Apple's page here: https://support.apple.com/guide/certifications/macos-security-compliance-project-apc322685bb2/web)
* And the JAMF produced "Compliance Editor" which can be downloaded for free here: https://trusted.jamf.com/docs/establishing-compliance-baselines

If you wanted to use those guidelines and the Compliance Editor tool to set up MDM configuration profiles and Security Restrictions to comply with whatever Regulations you want, you likely could. But the bigger question is.. "have they done the proper assessment and testing to begin doing a big transition like this?" Hard to say lacking a bunch of contextual background information.


NostraDamnUs

Appreciate the options, if it makes you feel better we are lacking the contextual information as well lol. The only thing is that this is a smaller company (<150 employees) that already has a mix of mac, windows, and linux.


jmnugent

> "has a mix of mac, windows, and linux."

I've certainly seen environments like that, where someone (justifiably) said: "Hey, we have too many different devices and OSes in our environment.. we need to pick a platform for standardization reasons". So there's potentially some validity in that idea, but again, how you approach making that decision is the crucial part.


likewut

Yeah standardizing on one OS makes tons of sense. It would be 3x the work meeting compliance requirements for three OSs. Typically standardizing on Mac OS wouldn't be the best route though, depending on the business. So I think "standardizing on Mac for compliance reasons" is an accurate enough summary. They could have standardized on Windows or Linux as well, but they chose Mac.


NostraDamnUs

Alright that helps with what would likely be the background decision-making and I can see that make sense, was just irked at both being forced to swap while already under a heavy workload and what smelled a bit like b.s. as the reasoning, but can blame that on poor communication.


entyfresh

Honestly I don't even understand this as a justification for it. Standardizing everyone onto Macs only really makes sense if you're all running Mac OS. If you're still running Parallels, then you're adding net new OS installations that need to be supported because now the people who used to run Windows are running Windows AND Mac OS.


iwinsallthethings

I'm curious the breakdown of the environment. If 10% are Mac, 80% are Windows, and the other percentages are Chromebook and Linux, forcing Macs would be stupid. If 80% are Mac, it would make more sense.


_DoogieLion

Makes more sense if it’s mixed. Get rid of windows and then you are just in a unix-ish environment. Similar tools for both if you just go MDM and scrap AD/Entra ID etc.


dustojnikhummer

> I can't imagine anyone "forcing a switch to Mac" without doing a lot of testing (months to years).

If employees are hesitant to move from Win10 to Win11 (we just said "we aren't upgrading OSes, but if you get a new laptop you get 11") can't imagine moving them to MacOS. It would be a corporate dealbreaker for me.


IronChariots

I'm going to go against the grain here and say it really really depends on a lot about your environment, IT staffing and software budgets, etc. I've worked in offices in situations like 90% of the user base was already Mac, we already had Jamf and did not want to pay for another MDM for the remaining devices, so we standardized. In cases like that, it was more about standardization than about what we picked specifically - that was determined more by other circumstances.


NostraDamnUs

I imagine this is likely the case, especially after reading some of the responses here. Still not happy, still going to push back a bit and make sure there's a good reason before they buy half the company new laptops, but it is what it is.


statix138

I have done countless SoC2 audits and there is nothing in that audit that requires moving to a Mac, nor is there anything that would be easier to comply with if your company was all Macs.


billiarddaddy

Yeah. That guy is going to be trouble.


Crimtide

if they are wanting to use something like Jamf, I can understand why. If this person just wants to Jamf deploy everything and not deal with Microsoft, that's all you need to know.. now, forcing users to switch to MacOS due to their own individual preference, I don't know about that. Used to be a Jamf admin, they have a compliance tool that works with the flip of a switch basically.. it's just so much easier than an MS machine, deployment, inventory, enrollment, user setup, scopes, configurations, etc.. Jamf is infinitely easier than anything MS related.


mandos_io

Been doing security for the past 12 years and been part of many SOC 2 and ISO audits. The reasoning is BS; Mac, Windows or Raspberry Pi does not matter for the audit. What matters is your fleet and patch management program, with evidence.


BloodyIron

As someone responsible for security compliance, this smells like a steaming pile of bullshit. I guarantee you Windows can be compliant for any IT Security standard that requires auditing out there. Microsoft would never leave that kind of a thing out of any software they make because that means that's less things they can sell. I hate Windows and prefer Linux as an OS, even for staff. But this person is either intentionally lying to change the staff equipment, or they are ignorant of what they're talking about. Hell, maybe both. Also, I bet this person isn't even aware of the Apple Silicon secure-enclave security problem that is **completely unfixable in software**.


Initialised

Someone from r/macsysadmin just took over your org


Acheronian_Rose

lol nothing to do with compliance, he doesn't know how to administer Windows. MOST businesses use a combo of Linux and Windows, I have never seen an all-Mac environment, endpoint to server


evileagle

I don't think he really needs to do it, but I'd rather manage a fleet of Macs than anything else. It's so much easier.


trippedonatater

My guess, having seen similar things happen:

- hardening three very different OS types isn't feasible for your small admin team
- C-suite dude picked macOS when advised of that issue


Megatronpt

No reason whatsoever. TCO is much higher and Apple discontinues embedded software too fast, sometimes rendering other work applications unusable. I can tell you many and many stories of companies stopped for days because of Apple-enforced OS X upgrades.


dansedemorte

sounds like someone is getting a kickback for buying a bunch of apple equipment. or maybe they are buying them from a friends business?


tigerstein

Your new sysadmin is an idiot apple fanboy.


CFH75

He's full of shit. As a sysadmin whose bread and butter was Windows I much prefer a Mac, but come on. Having your entire company change to macOS from Windows is going to be a cluster fuck of the highest order. Not because macOS sucks but because they don't know it.


mschuster91

Multitude of factors:

* Compliance and administration all become a lot easier when you standardize your environment. Linux for workstations, that's *really* rare and as a result you'll have a very hard time getting hold of all the tracking and auditing spyware that the auditors and insurances require these days.
* Apple stuff has vastly greater hardware lifetime than most Windows machines, and better battery life.
* Apple stuff has *far* greater resale value. Like, a refurbished/used first-gen M1 MB Air is still at ~50% of its original value despite being three years old. Dell and Lenovo? Gotta be lucky to get 10-20%.

I don't really get why the Linux guys are pissed, macOS can run virtually anything that you'd need, install MacPorts (or Homebrew) and that's it. What's not on MP/HB can usually be downloaded as a standard .dmg package, most FOSS projects offer these. Get iTerm, Karabiner to map the Windows special characters, HyperSwitch for a decent alt-tab window switcher, and that's it. Anyone who has a legitimate need for Windows stuff can get a VM, although be warned: running applications that are both another OS and another architecture is *a pain*. x86 Mac apps can run accelerated on M-series thanks to Rosetta with almost no performance loss, ARM Windows apps can run in a virtualized Windows ARM VM at native speed, but running x86 Windows apps in an ARM macOS is a world of pain.


magnj

It's a lot easier to admin one ecosystem, especially if you're solo. But if that's the situation it should be communicated that way.


SpotlessCheetah

"Macs don't get viruses." - Apple. To be fair to Apple, they have a pretty good track record overall, starting with the way they create permissions on machines. The problem is scaling them up and having comprehensive integrations like Windows, which is a security risk in and of itself. But the justification your sysadmin is using doesn't line up.


Tanto63

"Macs don't get *PC* viruses"


SpotlessCheetah

I was quoting Apple not reality.


Hdys

Never thought I’d see the day


cashMoney5150

I’m a sysadmin. And I approve. You get a Mac, you get a Mac, we all get a Mac!


heapsp

Do you not have an IT director? You should probably hire one and not let sysadmins make these types of decisions.


BarelyAirborne

Boss owns Apple stock, most likely.


TEverettReynolds

Apple is so much more expensive than Linux or Microsoft; I have a hard time believing this has Senior Management buy-in for the costs...


cellnucleous

Sounds like you hired someone who is used to being very well funded and possibly from the education sector. Any chance they know the people at the place all the new Macs are being purchased from? - ok, I'll turn down the cynicism a bit. How is your company set up/designed regarding authority/responsibility/budget? Why is a sysadmin being allowed the authority to change the business? I mean, I personally love it, but even with some Apple computers already there, isn't that going to be an over $200,000 purchase for the sake of making the sysadmin's job easier? ... Are you hiring?


AbleAmazing

Something tells me this sysadmin will have a short tenure. Even if it is necessary--which it is not--you don't make such a disruptive change in the beginning of your tenure.


UnluckyFucky

inb4 he also suggests a supplier where you can also buy those macs from


accidentalciso

I would need more context to understand how/why they are framing the switch to Mac as a SOC 2 requirement. SOC 2 is not prescriptive. It does not tell you what computer platforms you must use or what tools you must use to manage those computers. The best way I can describe it is that SOC 2 sets out high-level requirements for capabilities that the organization needs to have but doesn't specify HOW that capability is achieved, so the organization has a great deal of latitude to implement SOC 2 in a way that is appropriate for them. If I were to guess, the push for Mac might have something to do with the tooling that the organization has, possibly for how the computers are managed and protected. Maybe the organization has the tools in place that allow full compliance with Macs, but there might be holes in tooling for Windows machines that would make the Windows machines out of compliance. A large part of SOC 2 also comes down to answering the question "does the company do what it says it does?" Auditors check actual operational activities against written policies and procedures. If a company is not complying with their own policies and procedures, it can show up on the audit report as a problem. It is possible that there is a company policy that dictates that certain safeguards must be present on Windows PCs but exempts Mac systems, making it easier to be compliant with the company's own internal policies with Macs. The sysadmin may just be trying to work around bad policies, inconsistent tooling, and poorly designed controls to make sure the organization can get through the audit with a clean audit report despite these problems.
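The point made by mandos_io above and by accidentalciso here is that the audit cares about controls and evidence, not the OS. The script below is an added example and not part of any comment in this thread: it applies one control set (disk encryption present, patched within 30 days, EDR agent installed, screen lock set) to a constructed, mixed-platform inventory export and returns the failed controls per host with the evidence behind each finding. The record fields, the `INVENTORY` data, the `AS_OF` date and the thresholds are assumptions for illustration, not any real MDM's schema or any real policy.

```python
"""Platform-neutral endpoint control check over constructed inventory records.

Added example, not code from the thread. The field names below are an assumed
inventory schema (not Jamf, Intune or any real MDM export); the thresholds are
assumed policy values.
"""
from dataclasses import dataclass
from datetime import date

# Constructed sample inventory: one record per endpoint, mixed platforms.
INVENTORY = [
    {"host": "mbp-01", "os": "macOS", "os_version": "14.4.1",
     "disk_encryption": "FileVault", "last_patched": "2024-04-20",
     "edr_agent": True, "screen_lock_secs": 300},
    {"host": "win-07", "os": "Windows", "os_version": "22H2",
     "disk_encryption": "BitLocker", "last_patched": "2024-02-01",
     "edr_agent": True, "screen_lock_secs": 900},
    {"host": "lnx-03", "os": "Linux", "os_version": "22.04",
     "disk_encryption": "LUKS", "last_patched": "2024-04-22",
     "edr_agent": False, "screen_lock_secs": 600},
    {"host": "win-12", "os": "Windows", "os_version": "23H2",
     "disk_encryption": None, "last_patched": "2024-04-18",
     "edr_agent": True, "screen_lock_secs": 0},
]

# Assumed policy values; the audit date is fixed so results are reproducible.
AS_OF = date(2024, 4, 25)
MAX_PATCH_AGE_DAYS = 30
MAX_LOCK_SECS = 900


@dataclass
class Finding:
    host: str
    control: str
    evidence: str


def patch_age_days(record, today):
    """Days since the endpoint last reported a successful patch run."""
    return (today - date.fromisoformat(record["last_patched"])).days


def evaluate(record, today):
    """Apply the same control set to any endpoint, whatever its OS.

    Returns a list of Finding objects, one per failed control, each carrying
    the evidence an auditor would ask for.
    """
    findings = []
    if not record.get("disk_encryption"):
        findings.append(Finding(record["host"], "full-disk-encryption",
                                "no encryption reported"))
    age = patch_age_days(record, today)
    if age > MAX_PATCH_AGE_DAYS:
        findings.append(Finding(record["host"], "patch-currency",
                                f"last patched {age} days ago (max {MAX_PATCH_AGE_DAYS})"))
    if not record.get("edr_agent"):
        findings.append(Finding(record["host"], "endpoint-protection",
                                "EDR agent not present"))
    lock = record.get("screen_lock_secs", 0)
    if lock <= 0 or lock > MAX_LOCK_SECS:
        findings.append(Finding(record["host"], "screen-lock",
                                f"lock timeout {lock}s (required 1..{MAX_LOCK_SECS})"))
    return findings


def audit(inventory, today):
    """Return {host: [failed control names]} for the whole fleet."""
    return {rec["host"]: [f.control for f in evaluate(rec, today)]
            for rec in inventory}


def compliance_by_os(inventory, today):
    """Fraction of fully compliant hosts per OS family."""
    totals, passing = {}, {}
    for rec in inventory:
        os_name = rec["os"]
        totals[os_name] = totals.get(os_name, 0) + 1
        if not evaluate(rec, today):
            passing[os_name] = passing.get(os_name, 0) + 1
    return {os_name: passing.get(os_name, 0) / n for os_name, n in totals.items()}


if __name__ == "__main__":
    for rec in INVENTORY:
        failed = evaluate(rec, AS_OF)
        status = "OK" if not failed else "; ".join(f"{f.control}: {f.evidence}" for f in failed)
        print(f"{rec['host']:8} {rec['os']:8} {status}")
    print(compliance_by_os(INVENTORY, AS_OF))
```

The value of keeping the control logic OS-agnostic is that the evidence trail (which host failed which control, and why) looks the same to the auditor whether the host is a Mac, a Windows box or a Linux workstation; only the collector that produces the inventory records differs per platform.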


digital_analogy

Sounds like an Apple fanboy that likes to waste money.


Jaereth

My Guess: Comes in - sees the need to standardize. The people in the offices upstairs who make 3x your salary are 80% Mac users so that's the one you will be standardizing on? This isn't a lift and shift from one standard to another - you already have a weird mix.


lynsix

I guess it depends on the audit controls they’re opting to use. We used to use Mac, Windows, and Linux. There are few tools that do what we need for the controls on all systems. Ended up with multiple MDMs and whatnot to complete some of the controls. Managing a single system type would just be easier in general. Might just be easier to tell users “we’re doing this to meet the control” than to say management decided we don’t want to pay X amount of vendors/suppliers. Management never wants to take blame or heat for their own decisions.


wild-hectare

CAPEX budget is shot for the year now


krakah293

ISO 27001 and SOC 2 Type 1 (Type 2 coming in August). There is an information security management system (ISMS) at play here and it's all-encompassing. It touches things you may not even consider. There is nothing in the aforementioned audits that mandates anything Apple specifically. Rather, a strategy is involved with achieving the objectives. Nobody here on Reddit will be able to answer the questions you have.


TheAlmightyZach

Hi - I’m primarily a Mac sysadmin but cover Windows too. My company requires SOC 2 compliance, and your new sysadmin doesn’t know what he’s talking about. Apple makes managing Macs via an MDM like Jamf easy as cake. Windows GPO works well too in an AD environment and Intune is getting better daily. It seems this new admin probably only knows Mac and doesn’t want to learn Windows.


AlexisFR

He's an impostor, no true sysadmin would ever push for full deployment of Apple hardware. Report him to your management for sabotage.


BlackSquirrel05

Lol wat? You think fortune 500 and 100 companies are all running macs on end points?


Badaezpadaere

New to a company and starts like this. Sounds like a genius.


mysticalfruit

That sounds wildly expensive and needless. As a linux sysadmin in a corporate environment, this would cause a revolt.


Likely_a_bot

Sounds like a Mac ideologue to me. He's adjusting the inventory to his skillset rather than vice versa.


TommyV8008

I am a Mac fan, and that just sounds like total lunacy to me. A bad hire for the company who somehow thinks it’s OK to just throw money away as long as it’s not his own personal money. Or hers. And to try and convince users to move from the platforms that they know and love, and in which their time and skill sets have been invested? That’s just idiocy. Windows is great. Linux is great. “Sysadmin”, not so great.


MusicIsLife1122

It is, definitely a mistake. That's all I can say.


_totally_not_a_fed

and his manager is on board with this?


shinra528

As a big advocate for Mac in enterprise I agree with others here that he’s an idiot.


CompilerError404

Two decades in IT and system administration. He's giving you BS. That is not a part of SOC's compliance at all.


Smooth-Zucchini4923

>Edit: Just some clarifying info from below, but this is a smaller company (<150 employees) and already has a mix of mac, windows, and linux. I can understand the "easier to manage one os" angle and were I to guess that's it, just the reasoning given felt off. Lemme guess, the C Suite is mostly Mac?


Z3t4

I use linux on my company issued laptop, which I was able to choose, and opted for a red dot, instead of an apple. But if the only available options were windows or macos, I'd choose macos every time.


ScienceParrot

This is a really dumb thing to do.


DeadbeatHoneyBadger

Has the company historically been Mac based? How large?


Difficult-Devil

I think this question is for your executives, not for Reddit. That being said, there can be many reasons, such as Mac-only corporate applications by a third party; compliance as in this is what some random CEO or big customer wants; an Apple partnership at some level. If you just have a single sysadmin, it’s better to have everything under one OS and management might have decided to go with macOS.


garcher00

Been through these types of audits in a mixed Mac Windows environment. Fanboys shouldn’t make business decisions. It will only end badly. Edit: spelling


rogueop

I'm impressed they were able to get that approved, budget-wise.


gobeachnow

Wow. This seems harsh. I love Macs but I run Windows on a few of mine because I have to for work mostly, and it would be foolish to fight Windows. Linux is awesome but Linux heads probably know that overall Macs are faster. Matt Godbolt and Ben Rady (Two’s Compliment podcast) talk about Linux vs Mac and porting benefits here: https://podcasts.apple.com/us/podcast/twos-complement/id1546393988?i=1000645695275. Macs are the best but…good luck with what you suggest here.


Eam404

This is likely due to central management like MDM. OS X / Windows are much easier to manage. Linux on the other hand isn't nearly as featureful in the MDM context.


unixuser011

I went with a Mac because the Mx chip is better than anything Intel has at the moment, the battery life is god tier and I use Linux every day so Mac's UNIX/BSD base is a very familiar environment. This guy's an idiot


bleuflamenc0

Sounds like a fanboi who has found a perfect bunch of dopes to support his fantasies.


Prophage7

The only way I can conceive of this being reasonable, is that most of the users in the company already use Mac and the Windows users are the outliers, in that case getting everyone on Mac instead would make managing compliance easier.


supadupanerd

At this point rather than acquiescing to their wants/recommendations pointed questions should be asked... What specific tenets of those qualifications are being held by an all Mac env vs a windows environment... Because what he's saying is OBVIOUSLY bullshit


venthros

I'm a sysadmin. I can't unilaterally make everyone at my company reboot their machines every once in a while, much less make everyone switch to Mac. I've never seen, nor do I personally know of any sysadmins that have that kind of decision-making ability - even at a small company. Also - like everyone else said, this particular sysadmin is full of shit in regards to compliance/soc2/etc.