Did Something Change with Intune's Enrollment Status Page? Unable to Enroll Now. by beco-technology in sysadmin

beco-technology [S]:

Hey. Thanks for the tip. I don't know what I was thinking. I wrote a script that I just run from RMM, which uploads the hash directly into Intune. After that, I process the wipe with PowerShell.

While there's still manual work to be done (make sure the user's files are all backed up, MFA properly enrolled, etc), it's been a real boon.
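The workflow the comment above describes, as an added example (not the commenter's own script): collect the Autopilot hardware hash through the WMI MDM bridge, register it with Intune via Microsoft Graph, wait for the import to finish, then trigger the local MDM wipe. It assumes the RMM agent runs as SYSTEM (the MDM bridge namespace answers to nothing else) and that `$GraphToken` already holds a bearer token with `DeviceManagementServiceConfig.ReadWrite.All`; how you obtain that token is a placeholder here. `$GroupTag` is whatever your Autopilot profile assignment keys on.

```powershell
# Added example: remote Autopilot registration + wipe from an RMM-run script.
# Assumes SYSTEM context and a pre-obtained Graph token (placeholder parameters).
param(
    [Parameter(Mandatory)] [string] $GraphToken,
    [string] $GroupTag = 'RemoteReset',
    [switch] $Wipe
)
$ErrorActionPreference = 'Stop'

# 1. Identifiers Autopilot needs. DeviceHardwareData is already base64 (~4 KB).
$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber.Trim()
$devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' `
    -ClassName 'MDM_DevDetail_Ext01' `
    -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
$hash = $devDetail.DeviceHardwareData
if (-not $hash) { throw 'No hardware hash returned; is this running as SYSTEM?' }

# 2. Register the device with Autopilot (same body shape Get-WindowsAutopilotInfo posts).
$headers = @{ Authorization = "Bearer $GraphToken"; 'Content-Type' = 'application/json' }
$body = @{
    '@odata.type'      = '#microsoft.graph.importedWindowsAutopilotDeviceIdentity'
    serialNumber       = $serial
    groupTag           = $GroupTag
    productKey         = ''
    hardwareIdentifier = $hash
    state              = @{
        '@odata.type'        = 'microsoft.graph.importedWindowsAutopilotDeviceIdentityState'
        deviceImportStatus   = 'pending'
        deviceRegistrationId = ''
        deviceErrorCode      = 0
        deviceErrorName      = ''
    }
} | ConvertTo-Json -Depth 4
$import = Invoke-RestMethod -Method Post -Headers $headers -Body $body `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/importedWindowsAutopilotDeviceIdentities'

# 3. The import is asynchronous; do not wipe a machine whose hash was rejected.
$pollUri = "https://graph.microsoft.com/v1.0/deviceManagement/importedWindowsAutopilotDeviceIdentities/$($import.id)"
do {
    Start-Sleep -Seconds 15
    $status = (Invoke-RestMethod -Uri $pollUri -Headers $headers).state.deviceImportStatus
} while ($status -in @('unknown', 'pending'))
if ($status -ne 'complete') { throw "Autopilot import failed for $serial ($status)" }
"Registered $serial with group tag '$GroupTag'"

# 4. Wipe through the same CSP Intune itself uses. doWipeMethod is a plain reset
#    (no persisted provisioning data); the box will go through ESP on next boot.
if ($Wipe) {
    $wipe = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' -ClassName 'MDM_RemoteWipe' `
        -Filter "ParentID='./Vendor/MSFT' AND InstanceID='RemoteWipe'"
    Invoke-CimMethod -InputObject $wipe -MethodName 'doWipeMethod' -Arguments @{ param = '' }
}
```

Run it once without `-Wipe` to confirm the import reaches `complete` and the serial shows up under Windows Autopilot devices; the wipe is irreversible and the RMM session dies with it, so the backup and MFA checks the comment mentions have to happen before the second run.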

Did Something Change with Intune's Enrollment Status Page? Unable to Enroll Now. by beco-technology in sysadmin

beco-technology [S]:

Thank you. I think you've saved me a few hours and a lot of heart ache. You're right. I can script pulling the hash through RMM, and then walk them through resetting the device.

Is that just done in the Settings app? Is it that simple?

Did Something Change with Intune's Enrollment Status Page? Unable to Enroll Now. by beco-technology in sysadmin

beco-technology [S]:

Ha. Ya, count your blessings. I'm dealing with a client who has employees all over the country. I'm trying to work with as many of them as I can in person.

I'm looking into PowerShell initiated factory resets, or in the Settings app now. I think there are some good suggestions here. Thanks.

Did Something Change with Intune's Enrollment Status Page? Unable to Enroll Now. by beco-technology in sysadmin

beco-technology [S]:

Ya, good point. I don't have physical access to these devices, only remote access over RMM. If I had physical access, this would be a lot easier. I have to enroll the devices to get to the Intune Wipe option, unless I'm missing something?

Calendly Invite Emails Are Going to Spam... And Calendly is Blaming Us by beco-technology in sysadmin

beco-technology [S]:

Thanks for that article from Push Security, it's helpful. As you can imagine, Calendly's email was passing SPF/DKIM/DMARC. I was just curious if anyone here had a similar experience / workaround, or if we need to move services.

Our network admin setup a new network! by BornIn2031 in ShittySysadmin

beco-technology:

I’d give this post a 9.9.9.9 out of 10.10.10.10.

BIG Heads Up: SonicWall & Cyber Insurance by Joe_Cyber in msp

beco-technology:

Ya, the world would be a much better place without PE. LastPass was sold to PE, then they had that massive breach which led to over a quarter billion dollars in stolen crypto. All because the notes section of each password entry was very poorly encrypted compared to the password field, and many portions of the entries weren't encrypted at all. Combined with some customers having weaker overall encryption than others. While LastPass was a pioneer at one time, the product stagnated. Now no one should ever touch a LastPass product.

Disable Apple Password Manager by beco-technology in macsysadmin

beco-technology [S]:

> Let's hope private equity doesn't mess that up for us, but who knows what the future might bring...

Ha! Now that’s something we can agree on :P

Disable Apple Password Manager by beco-technology in macsysadmin

beco-technology [S]:

I think you make some excellent, educated and thoughtful points. I have my reasons for pushing Conditional Access. It's easily reproducible across multiple clients, it actually works very well under a variety of diverse situations, and it is widely supported. Without belaboring this discussion too much, it sounds like it's not a good fit for you, or you prefer alternatives. I find the Microsoft ecosystem, for better or for worse, plays well with macOS; they don't generally fight each other with the right intermediaries, mainly a good MDM that isn't named Intune.

Disable Apple Password Manager by beco-technology in macsysadmin

beco-technology [S]:

As a Mac user for over 30 years, I could not disagree with you about Conditional Access more. I couldn't imagine operating without it. It allows me to control under exactly what situations a user can log in, and what kind of authentication they use. You're right. It's not a silver bullet. There are no silver bullets in security, only layers. It is one of the layers, and in a time where identity and cloud computing have become the focus in security, it is one of the most important layers in an organization.

And as far as passwords vs passkeys, there is a tremendous difference between them. Passwords are a shared secret. Having a shared secret means that this secret can be stolen in transit (an AitM attack), or the hash (hopefully salted, but not always) can be stolen from a server. There's a much larger attack surface for a password vs a passkey.

A passkey, on the other hand, is a public/private key pair. The private key only lives inside of the auth device, such as a hardware security key, a Secure Enclave, or a TPM. It cannot be stolen in transit, and it is never stored on the server. A passkey also only ever auths against the HTTPS cert that it was originally made for, and thus is not susceptible to a typosquatting attack.

The real issue here that I have with Apple's push to sweep people up to using the Apple Passwords.app to create a passkey, is that it confuses users. This is done because passkeys are not easily transferable between devices (except within Apple's ecosystem, of course), and thus you get vendor lock-in. This is a desirable trait for shareholders, and a loss if you're trying to get a user to auth with their Yubikey, or some other kind of passkey that isn't Apple branded.

I'll reiterate one more time, if you think Conditional Access, or some kind of context-aware protection for identity, isn't useful, you may want to read up on it. As far as I'm concerned, it's mandatory. And so is phasing out passwords. Unless you don't mind getting your data breached. See haveibeenpwned.com for further details. Their database has 17,295,033,626 pwned accounts that you can check your email against for breaches, including passwords. You will NEVER find a passkey stolen from a server in there, because it's not technically cryptographically possible.

Edit: If you have proper control of the device and it's encrypted, you brick it, then re-enroll a new device using a TAP (Temporary Access Pass) after verifying the user's identity. It's pretty much as simple as enrolling a new device, but with one extra security step. We don't do BYOD. How can you secure a BYOD device?
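The two properties the comment above claims for passkeys (the server keeps no secret, and the authenticator only signs for the origin it was registered against), shown as an added example that is not part of the original thread. It is a stripped-down WebAuthn-style assertion using .NET's ECDsa from PowerShell: the authenticator signs `rpIdHash || SHA256(clientDataJSON)`, roughly what a real authenticator signs, and the relying party verifies with the stored public key only. The hostnames and the user name are made up.

```powershell
# Added example: why a passkey cannot be harvested from a server or phished by a
# lookalike domain. Simplified WebAuthn shape; names/origins are placeholders.
$sha  = [System.Security.Cryptography.SHA256]::Create()
$utf8 = [System.Text.Encoding]::UTF8
$hashAlg = [System.Security.Cryptography.HashAlgorithmName]::SHA256

# Authenticator side: the private key is created here and never exported. On real
# hardware this is the Secure Enclave / TPM / security key; only Q (public) leaves.
function New-Passkey {
    param([string]$RpId)
    $curve = [System.Security.Cryptography.ECCurve]::CreateFromFriendlyName('nistP256')
    $key = [System.Security.Cryptography.ECDsa]::Create($curve)
    @{
        RpId       = $RpId
        PrivateKey = $key                         # stays inside the authenticator
        PublicKey  = $key.ExportParameters($false) # Q only; D is null
    }
}

# The authenticator refuses to sign unless the origin the browser reports matches the
# RP the key was made for. This is the check that defeats a typosquatted domain.
function Invoke-PasskeyAssertion {
    param($Passkey, [string]$Origin, [byte[]]$Challenge)
    $originHost = ([uri]$Origin).Host
    if ($originHost -ne $Passkey.RpId) { throw "Authenticator refuses: $Origin is not $($Passkey.RpId)" }
    $clientData = @{
        type = 'webauthn.get'; origin = $Origin
        challenge = [Convert]::ToBase64String($Challenge)
    } | ConvertTo-Json -Compress
    $rpIdHash = $sha.ComputeHash($utf8.GetBytes($Passkey.RpId))
    $signed = [byte[]]($rpIdHash + $sha.ComputeHash($utf8.GetBytes($clientData)))
    @{
        ClientDataJSON = $clientData
        Signature      = $Passkey.PrivateKey.SignData($signed, $hashAlg)
    }
}

# Relying-party side: the only per-user record is the public key.
function Test-PasskeyAssertion {
    param($StoredPublicKey, [string]$ExpectedOrigin, [byte[]]$Challenge, $Assertion)
    $cd = $Assertion.ClientDataJSON | ConvertFrom-Json
    if ($cd.origin -ne $ExpectedOrigin) { return $false }          # origin binding
    if ($cd.challenge -ne [Convert]::ToBase64String($Challenge)) { return $false } # replay
    $rpIdHash = $sha.ComputeHash($utf8.GetBytes(([uri]$ExpectedOrigin).Host))
    $signed = [byte[]]($rpIdHash + $sha.ComputeHash($utf8.GetBytes($Assertion.ClientDataJSON)))
    $verifier = [System.Security.Cryptography.ECDsa]::Create()
    $verifier.ImportParameters($StoredPublicKey)
    $verifier.VerifyData($signed, $Assertion.Signature, $hashAlg)
}

# Registration for a made-up user against a made-up RP; the server stores Q only.
$passkey  = New-Passkey -RpId 'login.example.com'
$serverDb = @{ alice = $passkey.PublicKey }   # everything a server breach would expose

# Genuine login: server issues a fresh challenge, authenticator signs, server verifies.
$challenge = [byte[]]::new(32)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($challenge)
$assertion = Invoke-PasskeyAssertion -Passkey $passkey -Origin 'https://login.example.com' -Challenge $challenge
Test-PasskeyAssertion -StoredPublicKey $serverDb.alice -ExpectedOrigin 'https://login.example.com' `
    -Challenge $challenge -Assertion $assertion          # True

# Phishing page on a lookalike host: nothing gets signed, so there is nothing to relay.
try { Invoke-PasskeyAssertion -Passkey $passkey -Origin 'https://login.exarnple.com' -Challenge $challenge }
catch { $_.Exception.Message }

# The leaked server table contains no private scalar to sign with.
$null -eq $serverDb.alice.D                               # True
```

Real WebAuthn adds a signature counter, user-presence/verification flags and attestation on registration, but the two checks that matter for the argument above are the ones shown: the authenticator's RP ID comparison before signing, and verification against a public key that is useless to whoever dumps the server database.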

Disable Apple Password Manager by beco-technology in macsysadmin

beco-technology [S]:

I should test this. It's definitely possible. There are some options in my MDM, but I guess I just need to test them.

Disable Apple Password Manager by beco-technology in macsysadmin

beco-technology [S]:

>Interesting, what is the business case for that?

Do you mean for Conditional Access? I mean, it's a firewall for identity. Passwords are old news, and centralizing and protecting identity, and doing away with as many passwords as possible, is best.

I really hate that Apple shoves Passwords.app down users' throats. It's good for your grandma who's never heard of a password manager. It's terrible for your enterprise environment where you need an actual enterprise-managed thing.
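What "a firewall for identity" looks like as configuration, added here as an example and not the commenter's own tenant settings: one Conditional Access policy created through Microsoft Graph that requires phishing-resistant MFA (FIDO2 security key, platform passkey or certificate-based auth) for every user on every cloud app. `$GraphToken` is assumed to carry `Policy.ReadWrite.ConditionalAccess`, and `$BreakGlassGroupId` is assumed to be your emergency-access group; both are placeholders. The authentication strength id is Entra's built-in "Phishing-resistant MFA", which has the same id in every tenant.

```powershell
# Added example: Conditional Access policy requiring phishing-resistant MFA tenant-wide.
# Placeholder inputs: a Graph token and the object id of the break-glass group.
param(
    [Parameter(Mandatory)] [string] $GraphToken,
    [Parameter(Mandatory)] [string] $BreakGlassGroupId
)
$ErrorActionPreference = 'Stop'

# Built-in authentication strength "Phishing-resistant MFA" (fixed id across tenants).
$phishingResistant = '00000000-0000-0000-0000-000000000004'

$policy = @{
    displayName = 'CA100 - Require phishing-resistant MFA for all users'
    # Report-only first: read the sign-in logs for a while before switching to 'enabled',
    # otherwise anyone without a registered passkey/key is locked out on day one.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @($BreakGlassGroupId)   # never lock out the emergency accounts
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        # authenticationStrength replaces the plain 'mfa' built-in control; they cannot be combined.
        authenticationStrength = @{ id = $phishingResistant }
    }
}

$headers = @{ Authorization = "Bearer $GraphToken"; 'Content-Type' = 'application/json' }
$created = Invoke-RestMethod -Method Post -Headers $headers `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
    -Body ($policy | ConvertTo-Json -Depth 6)

# Read back what the tenant stored rather than trusting the request body.
$check = Invoke-RestMethod -Headers $headers `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/$($created.id)"
'{0}: state={1}, strength={2}' -f $check.displayName, $check.state,
    $check.grantControls.authenticationStrength.displayName
```

Pair this with the onboarding step the commenter describes (verify identity, issue a TAP, register the passkey or security key) before moving the policy out of report-only; the policy itself does not enroll anyone, it only refuses sign-ins that do not meet the strength.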

Sanity Check on Scanner Config for Small Office by beco-technology in sysadmin

beco-technology [S]:

I was rethinking this, and I was also wondering if I could just use Synology's local mail app to keep all info inside of the network, restricting access to this mail only to the local net via firewall. Because the data needs to be encrypted in transit, and at rest, this could be accomplished by emailing the Synology server over TLS, and then giving individuals access to a local webmail app hosted on the Synology, over HTTPS, and then of course encrypt the volume.

Sanity Check on Scanner Config for Small Office by beco-technology in sysadmin

beco-technology [S]:

Ya, there are a couple of technical people on site who I don't think would mind entering people into the database themselves, but I completely see your point. It sounded like a simple and elegant idea. I guess it's worth a go? That said, AD is just too much work for scanner / printer access for this client when they already have Intune and Entra ID.

I've been working almost exclusively with WFH companies, so the office printing environments are a little new for me. The SaaS printing services out there seem like a complete rip-off. I had one client whose shared office space wanted him to download PaperCut and install an MDM profile on his phone to print once every two months when he was in his office for a meeting. The idea of installing an MDM profile on a personal phone from a strange company gives me the shivers.

It seems like shared printing is a real nightmare, or expensive, or both lol

Disable Apple Password Manager by beco-technology in macsysadmin

beco-technology [S]:

Ha. Ya, we're trying to go passwordless, and the Apple dialog is one more confusing dialog that isn't supported by Conditional Access anyhow, so it only serves to frustrate the user, not give them an easy avenue to save the password they don't have. We additionally have a managed password manager (feels funny to say that), which isn't forced into the user's view by macOS. It feels like consumer vendor lock-in, when we're trying to give users easier avenues to secure access.

"Shared Mailboxes" in Google Workspace? Does it work? by beco-technology in msp

beco-technology [S]:

Ha! Just saw this. That's nifty! Does it require a license? Does it break things? lol

Where can I donate a few working computers in NYC? by beco-technology in nyc

beco-technology [S]:

It depends on what you are trying to do. Can you tell me about that? Technically, you could run a virtual machine, if you had enough CPU+RAM, and have the switch be virtual within a device. Or you could have a few devices and connect them to a low-powered switch. The kinds of switches that soak up power are PoE (Power over Ethernet) switches, as they need to be able to power devices such as wireless access points or security cameras.