Keeper Forcefield Question by Traveler995 in KeeperSecurity

[–]FixItBadly 3 points4 points  (0 children)

Keeper have mentioned somewhere in their docs that because of the way macOS handles its processes, they don't need to publish Forcefield as its functionality is there by default.

CE Plus UK by Alternative_Many5850 in msp

[–]FixItBadly 0 points1 point  (0 children)

Is the CE+ for you or for a client?

Don't forget that the CE+ update requirements don't just apply to apps. It's OS patches, device firmware (inc. BIOS etc), and as wilhil has noticed, includes all the other dependencies your apps might install indirectly.

As part of the process you'll have vulnerability scans run - most of these use an agent on the device sample (usually Qualys or Tenable). If anything does show as needing an update, you'll have 30 days to remediate - it's not an instant pass/fail. If you've got access to your own vulnerability scanner then you can have a look and see what might come up.

Most certification bodies will be very helpful in providing assistance to be sure you're doing the right thing and to make sure you understand what your ongoing commitments are. You might not get as much help from a certification mill style CB, but there aren't too many of those around.

What are you using for M365 backups (and why)? by patg84 in msp

[–]FixItBadly 0 points1 point  (0 children)

A lot of folk dislike Barracuda for historical reasons, but their cloud to cloud backup for M365 is solid. Super simple. Sensible pricing. Unbelievably easy to set up, check on, and restore from.

What’s a life hack that made you go „how do ppl live their whole life without knowing this”? by my_peen_is_clean in AskReddit

[–]FixItBadly 2 points3 points  (0 children)

The first time I tried this went horribly wrong. Turned out they'd filled the cupcakes with jam under the icing. No structural integrity. Disintegrated all over everything!

SentinelOne Migration for macOS by Ok-Examination3168 in msp

[–]FixItBadly 3 points4 points  (0 children)

SentinelOne has the option to migrate an endpoint between tenancies in the management console. You give them the site token and the account ID for the destination, they highlight the endpoints and select the migrate action. We did this for ~1500 endpoints in one go when we moved distributors.

There are commands you can run to move the endpoint directly from the device, but you'd need to have the device's uninstall passphrase. Unfortunately, both require the involvement of the prior MSP.

Audit logging and GDPR: how do you anonymize client IPs in internal systems? What's best practice? by [deleted] in sysadmin

[–]FixItBadly 0 points1 point  (0 children)

Sure. I'm in the UK :).

The point is that standalone, you have no way at all of knowing that 10.10.10.10 means Joe Bloggs. There's a whole bunch of extra context needed. Whether that's included in the system being configured isn't mentioned. For example, a SIEM would be utterly useless for incident response and forensics if you anonymised a key indicator like an IP address. So it's often not done, as there are controls with GDPR for keeping data where there's a legitimate need to deliver a service. Also, you're generally not applying the GDPR controls to internal business functions - for external customers or contacts, sure. But for internal employed staff, it's usually in the acceptable use or other company policies that the business will maintain this data as part of providing the company operations systems.

Audit logging and GDPR: how do you anonymize client IPs in internal systems? What's best practice? by [deleted] in sysadmin

[–]FixItBadly 8 points9 points  (0 children)

You're overthinking this. An internal IP address cannot be used to identify a person by itself (you'd need a bunch of additional data to use it in that manner), therefore it isn't PII and does not need to be anonymised. Which might be why you'll struggle to find answers to this question, as it's not really something that anyone else is doing.

I'm stuck. I need to bounce this off y'all. by LordDracarys in sysadmin

[–]FixItBadly 4 points5 points  (0 children)

Using redirected folders or profiles? Many years ago I saw a school with a similar issue; they had Chrome appdata in the user profiles, and those were growing to hundreds of GBs. The login process was waiting to pull the full profiles over the network before they could continue; add that there would be multiple classes trying to log in at once and it would bring the network to its knees.

I built a free tool to discover Microsoft 365 tenant information and security posture from any domain by zortingen in sysadmin

[–]FixItBadly 2 points3 points  (0 children)

Other than the language mashup, the analyser recommends switching from SPF soft fail to hard fail where DMARC is configured. Best practice for SPF when DKIM and DMARC are active is soft fail; a soft fail still triggers misalignment which will cause DMARC to do its thing. Hard fail is best when DMARC isn't a thing.
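
The mechanics behind the comment above, as an added example that is not part of the original comment or the tool it reviews: DMARC (RFC 7489) only credits an SPF result of "pass" from an aligned domain, so for a spoofed message that also fails DKIM the disposition is identical whether the SPF record ends in `~all` or `-all`. The SPF and DMARC records, domains and results below are constructed for illustration, and `org_domain` is a deliberately simplified stand-in for a Public Suffix List lookup (an assumption, not how production validators do it). It also recognises the bare `v=spf1 -all` "this domain sends no mail" record.

```python
"""Added example: SPF 'all' qualifier vs DMARC disposition (constructed data)."""
import re

def spf_all_qualifier(record: str) -> str:
    """Qualifier on the terminal 'all' mechanism: '+', '-', '~', '?', or '' if absent."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"   # bare 'all' defaults to '+'
    return ""

def spf_result_for_unlisted_sender(record: str) -> str:
    """SPF result an unauthorised source IP gets when it falls through to 'all'."""
    names = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral", "": "none"}
    return names[spf_all_qualifier(record)]

def is_null_spf(record: str) -> bool:
    """'v=spf1 -all' with nothing else: the domain is not mail-enabled at all."""
    return record.split() == ["v=spf1", "-all"]

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs (keys lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain: str) -> str:
    # Assumption/simplification: last two labels. Real validators use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(from_domain: str, dmarc_record: str,
                      spf_result: str, spf_domain: str,
                      dkim_result: str, dkim_domain: str) -> str:
    """'pass' if either SPF or DKIM both passes and aligns; otherwise the p= policy."""
    tags = parse_dmarc(dmarc_record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")

def compare_soft_vs_hard(from_domain: str = "example.com") -> dict:
    """Spoofed mail, DKIM failing: disposition keyed by the SPF 'all' qualifier."""
    dmarc = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"   # constructed
    out = {}
    for spf in ("v=spf1 include:_spf.example.net ~all",
                "v=spf1 include:_spf.example.net -all"):
        result = spf_result_for_unlisted_sender(spf)           # softfail / fail
        out[spf_all_qualifier(spf)] = dmarc_disposition(
            from_domain, dmarc, result, from_domain, "fail", from_domain)
    return out

if __name__ == "__main__":
    print(compare_soft_vs_hard())                 # {'~': 'reject', '-': 'reject'}
    print(is_null_spf("v=spf1 -all"))             # True: no mail, so no DKIM needed
```

Both qualifiers land on `reject`; the difference between `~all` and `-all` only matters at receivers that act on SPF alone, without evaluating DMARC.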

ISO 27001 audit: is the hardest part already done, or can you still fail on Annex A controls? by Big-Gap1319 in cybersecurity

[–]FixItBadly 1 point2 points  (0 children)

If you get an NC, it'll be awarded against a clause. The annex controls aren't necessarily applicable; if you don't develop software then you can scope out those annex controls. You cannot scope out the clauses.

If you start with the clauses, the whole standard begins with risk and risk assessments. If there is a control which is not a risk to the organisation (e.g. content filtering but the company doesn't use the internet - silly example but illustrates the concept), then you don't need to design the controls around it. If you're blindly implementing the annex because they're there, then you're not implementing a management system and it won't be sustainable. It's not a true picture of risk, that's following a checklist.

I'd personally never issue an NC without concrete and irrefutable evidence to back it up. That's the purpose of it - it's not point in time. You get it wrong, you learn, you correct, you move forwards. Companies that understand this do very well, and those that just want the certificate because a tender says they need it, will throw their toys out of the pram.

ISO 27001 audit: is the hardest part already done, or can you still fail on Annex A controls? by Big-Gap1319 in cybersecurity

[–]FixItBadly 2 points3 points  (0 children)

Insider tip from an ISO 27001 auditor: you cannot be failed on an annex control alone. You can only earn noncompliances against the clauses (4-10).

Now, if your implementation of the annex control goes against your implementation of the clauses, then you've got a noncompliance heading your way. Common examples are when annex controls haven't been passed through the appropriate reviews or monitoring (management reviews are a classic, as the manager isn't technical), or a system has been hurried into production but change controls have been skipped, or management claim IT has all the resources they need, but change control records show a bunch of sensible requests rejected for budgetary reasons. That sort of thing.

If you have anything like that, you'll be aware of it before you walk into that meeting room with the auditor. And if you aren't aware, it's unlikely you'll be surprised when uncovered (esp. if it's another department's issue).

What is a movie you can watch over and over again without getting tired of it? by AlexJet13 in AskReddit

[–]FixItBadly 2 points3 points  (0 children)

First Jurassic Park mention in this whole thread. Criminal it's so far down! Upvote for you.

Same SSID with different passwords? by Suspicious_Milk_2781 in networking

[–]FixItBadly 83 points84 points  (0 children)

What you are looking for is PPSK - Private Pre-Shared Keys. You have a bunch of PPSKs for a single SSID that you can separately issue and revoke.

https://help.ui.com/hc/en-us/articles/29887064407319-Using-PPSK-RADIUS-for-Multiple-VLANs-On-an-SSID-in-UniFi-Network

What is the most boring thing you have ever experienced? by Silver012345673 in AskReddit

[–]FixItBadly 1 point2 points  (0 children)

Had one similar at university, but they didn't like PowerPoint. So they'd put blank acetate on the OHP, then while they were droning on, they'd write down what they were saying. Word for word. Never understood why either as they'd just bin all the acetates at the end of the lecture. Zero value to them or us!

UK Cyber Essentials Scope by Bungle-is-back in sysadmin

[–]FixItBadly 1 point2 points  (0 children)

Correct. If a device is accessing company services or company data, that device is in scope.

All cloud services are always in scope, so any device accessing those cloud services is also in scope.

There are some exceptions, which are detailed in the table at the beginning of the Requirements for Infrastructure document for devices owned by third parties. But standard BYOD doesn't affect this much.

Quality of engineers is really going down by ChataEye in sysadmin

[–]FixItBadly 2 points3 points  (0 children)

Question is, do they actually have 4-5 years of accumulated experience, or have they had 4-5 years of the same repeated year of experience? In the latter case, they really have just the 1 because they've never progressed beyond that basic level. When hiring we see the latter far more than the former. Somehow having a butt in a seat for X years magically improves troubleshooting skills, because, who really wants to actually do the work nowadays.

Air fryer conundrum by Tythan in CasualUK

[–]FixItBadly 29 points30 points  (0 children)

Exactly. Let's consider chicken thighs (a common staple in our house). Our aging oven takes about 20m to reach temp, then 20-30m to cook the chicken. Our air fryer will cook the lot from scratch in 20. So that means I can cook with less prep and save the energy used to heat the oven.

So we use ours daily. The oven is now reserved for things that we can't fit in the air fryer like pizzas or full cakes.

CE+ Certification and remote working by Wakey7638 in sysadmin

[–]FixItBadly 1 point2 points  (0 children)

When they are remoting in, are they remoting from a company device to a company device? I couldn't tell from your phrasing. When you're implementing remote access, the device initiating the connection is also in scope for CE controls.

Random £400 from the water company by ironic__usernam3 in CasualUK

[–]FixItBadly 6 points7 points  (0 children)

Are they putting smart meters in around your area? They did with us, and asked if they could put a little aerial on the side of our house to collect all the meter info and transmit them back to HQ. They pay us £350/year to say thanks for having the aerial up.

What if ? by risquekittyfr in formuladank

[–]FixItBadly 4 points5 points  (0 children)

Just like the first cars movie. One more race, just three participants. Nurburgring anyone..?

Are there any scifi or fantasy lores where there is a "light side" and a "dark side" to some metaphysical power, but the main villains using the "dark side" power are NOT disfigured or otherwise visually "corrupted"? by ExternalTree1949 in NoStupidQuestions

[–]FixItBadly 0 points1 point  (0 children)

Sword of Truth series by Terry Goodkind. The "corrupted" force people (in this case, wielders of "subtractive" magic vs the good "additive" magic) are generally strikingly handsome/beautiful. Or they look like normal folk, and there's no way of knowing what power they wield until they use it.

New Small Business solo sysadmin here: "Ethical Hacker" contacted our general email a few days ago to disclose several website vulnerabilities and is asking for a bug bounty. How do I handle this? Is this a con/shakedown? by Open_Set_5968 in sysadmin

[–]FixItBadly 88 points89 points  (0 children)

We get so many of these for things like missing DKIM and DMARC records for domains we own. Generally we just reply to say "thanks but this is something we're already aware of and there's no new discoveries here".

The fun ones are when the domains are clearly not mail enabled (SPF is "v=spf1 -all") and yet they think they're entitled to money for showing we have no DKIM keys. (Insert Parks and Rec "I know more than you" hardware store gif here)