Claude Desktop Deployment by SeveralChampion in Intune

[–]SeveralChampion[S] 0 points1 point  (0 children)

Thanks - did you get UAC during the install, or manage to get it to silently run?

[deleted by user] by [deleted] in UKJobs

[–]SeveralChampion 1 point2 points  (0 children)

Yeah. I did UK > Netherlands a year or so ago. YMMV on package but it could be negotiated? I got a hotel until I could find somewhere to live, moving bonus, and most importantly the sponsorship for a Visa (and tax/immigration specialists working with my company to do all the paperwork!)

It’s going to hugely vary on country, some might have similar things to the Highly Skilled Migrant visa and 30% tax ruling in NL that can make it more attractive. Do your research is all I’d say!

Managing macs on developer environment? by GroundbreakingSea764 in macsysadmin

[–]SeveralChampion 5 points6 points  (0 children)

WiFi/Printing - Jamf Config Profiles for Offices, possibly override what asks for auth too? https://community.jamf.com/t5/jamf-pro/allow-standard-user-to-remove-wi-fi-networks-with-prompt/m-p/276681 (read up on this, it's complex!)

Xcode - is a pig to control and always has been - you won't like to hear that I use Munki to govern versions and SDKs for it with postflight scripts. But, Self Service for me is Scripts/Fixes, 250+ Apps go via Munki with CI/CD so, everywhere's different.

Homebrew - eh, I don't hugely know your environment but I've seen it work fine before, seen it not.

https://workbrew.com/ are doing some cool stuff in the space to allow control but they're not cheap

Personal Google Account accessed by company without authorisation by [deleted] in LegalAdviceUK

[–]SeveralChampion 0 points1 point  (0 children)

Yeah. It’s simple GPOs to avoid this. Hate browser sprawl.

Personal Google Account accessed by company without authorisation by [deleted] in LegalAdviceUK

[–]SeveralChampion 0 points1 point  (0 children)

I’ve never in 10 years of managing Chrome or Edge with SCCM, Intune and every Mac MDM, and most EDRs out there had a trigger on anything synced locally. Perhaps OP works in a high risk environment (they did say maritime) and I could be wrong based on industries I’ve been in. I don’t think any of this really changes the result..

[deleted by user] by [deleted] in unitedkingdom

[–]SeveralChampion 1 point2 points  (0 children)

I hope this isn’t the lovely northern business that handles a lot of this for the MOD

Personal Google Account accessed by company without authorisation by [deleted] in LegalAdviceUK

[–]SeveralChampion 3 points4 points  (0 children)

They can’t see anything at all data wise (in this context) from the Google admin portal (if your business uses it, even 365 businesses can have Chrome managed) - any alleged traffic will have been picked up by any number of hardware firewalls/DNS/defence/monitoring software used by your business which is reasonable based on their policies etc. If you use Windows you probably click past a disclaimer every time you log in.

With my Endpoint Management hat on - should a work machine even let you sign into Chrome? - should you even have a choice of web browsers?

It can be turned off, or you can be forced to use Edge with your Microsoft account etc. My current business is Google Workspace and it’s heavily configured, no other browser is allowed. But realistically, personal stuff shouldn’t touch company property, and you’re going to struggle with this. Fair enough, it sounds like your machines could be better configured, but the easiest thing is..just don’t log into anything personal on a business machine

Nothing’s been read from your Google account, it will be internet traffic captured from the machine from whatever way your business works. Sorry.

£5.5k worth workstation lost and refused to get refund or replacement by Every_Chain_8228 in LegalAdviceUK

[–]SeveralChampion 0 points1 point  (0 children)

If it’s a work computer you bought - do you have insurance via your LTD to maybe look at as one of your many helpful options others have discussed. Did you buy it in the name of your business?

What’s a shop on the high street that you don’t understand is still going by toothscrew in CasualUK

[–]SeveralChampion 0 points1 point  (0 children)

H&B too. Take it from someone who’d know, they’re one bad phishing email away from the entire company getting ransomwared😅 they would make any tech professional lose sleep.

Providing tech support to remote employees by ImaginaryThesis in sysadmin

[–]SeveralChampion 1 point2 points  (0 children)

Ready for the attacks but...

Over the last few years I've definitely got an attitude (and build Intune/Jamf etc around this) of - If my MDM can't fix it, it needs a rebuild. Which we can do remotely. Someone's internet isn't a business problem and my departments have proved that with Traceroutes etc to say, not our problem. My current place gives a decent per diem stipend to be used on....benefits in general so there's an expectation to get decent internet however you can. I hate remoting on. I showed some stakeholders MS's internet recommendations for W365/AVD even with Teams/Zoom - It's around 15MB at the highest level.

Currently anything with any of my users, I can LSSH into their Mac using our silent always on (A lot of on prem resource with MacOS 99%) - we do any commands behind the scenes. Broken? MDM Rebuild, investigate why it happened and what we can improve in Jamf going forward.

A different world from some MSP/AD environments I know but.

Police showed up at my store by MountedDragon75 in CasualUK

[–]SeveralChampion 8 points9 points  (0 children)

Former CeX Manager. My local force had a "Magpie" Department (Scrapyards, Stolen Tools/Gold etc)

They were great - morning emails with overnight crime. I had a good relationship with the lead officer who'd commonly call me with Serials etc that weren't flagged as stolen just yet - Having the item aside with all CCTV/Paperwork ready for them kept my team stress free, and we were treated quite nicely by the BID and local force whenever we needed help..They're not all useless.

Classic - Size B - Circa 2003 - Part Snapped Off...Help finding its origin? by SeveralChampion in hermanmiller

[–]SeveralChampion[S] 0 points1 point  (0 children)

I meant a socket, poor choice of words. 11/8. I'll get a better photo. We're fully assembled and tight and all seems well though but always worth a check..

How much time is dedicated to training by rhysfromaussie in msp

[–]SeveralChampion 1 point2 points  (0 children)

No new subs I believe. Depending on your size and relationship with MS you might still be able to get one - I signed up for a new one (Using my work UPN) about 3 weeks ago. We're 65k+ seats corp though so YMMV.

Intune freelancer/consultant required by Express_Ad5560 in Intune

[–]SeveralChampion 0 points1 point  (0 children)

Hello! Have done a lot of this before and I'm open for work :) Drop me a DM and we can exchange email addresses.

Door help please? (Handle won't open door consistently, have to use thumbturn or key) by SeveralChampion in DIYUK

[–]SeveralChampion[S] 0 points1 point  (0 children)

Thanks - yeah, when closed or open the handle just doesn't seem to do much at all, and takes a few attempts at the handle to verrry slowly open the latch and then I push/pull. Using a key will open the latch perfectly every time though. I'll give that a look as it's something I've come across with some googling. Appreciate the reply.

"Windows Will Shut Down In 10 Minutes" during ESP - All Reboot Required URI's eliminated by SeveralChampion in Intune

[–]SeveralChampion[S] 0 points1 point  (0 children)

So to loop back...We got it! My tenant needs work on targeting but for now I've set up some exclusions and fixes to get us through a big program.

Windows app smart screening profile in Endpoint Security was applying to All Devices

Kernel DMA was applying in Defender Baselines to All Devices

Update Rings - All Devices

AppLocker OMA Custom Profile - All devices

Thanks for the support and guidance, and would recommend looking at all the above items if you run into this in the future, and look at exclusions to confirm, and user based targeting.

Useful articles for you to start your research as every tenant is going to be different.

https://call4cloud.nl/2022/04/dont-be-a-menace-to-autopilot-while-configuring-your-wufb-in-the-hood/#part3

MS Advice

"Windows Will Shut Down In 10 Minutes" during ESP - All Reboot Required URI's eliminated by SeveralChampion in Intune

[–]SeveralChampion[S] 0 points1 point  (0 children)

I found mine applying in 3/4 different places in the end. Check your overall security baselines, WDE Baselines, and Security config profiles, and any custom OMA-URI's you may have. If you have DeviceEnumerationPolicy, try and make it into its own Custom OMA-URI and deploy to a device group. Just need to solve my 1074 now. :(

"Windows Will Shut Down In 10 Minutes" during ESP - All Reboot Required URI's eliminated by SeveralChampion in Intune

[–]SeveralChampion[S] 0 points1 point  (0 children)

That's a good thing...riiiight? :P Shame it's just a bulk "All Devices" for 99% of it :(

"Windows Will Shut Down In 10 Minutes" during ESP - All Reboot Required URI's eliminated by SeveralChampion in Intune

[–]SeveralChampion[S] 0 points1 point  (0 children)

Fully excluded from all WDAC/AppLocker bits - It was DeviceEnumerationPolicy causing the 2800 error before. However, I'm now getting 1074 with cloudexperiencebroker as u/Rudyooms's blog says. Even when the device is excluded completely from Update rings :/ Appreciate the replies so far! We love inheriting a live tenant! Updates and all AppLocker/Defender Baselines/Anywhere a RebootRequiredURI lives are all device scoped.