IT Science Case Study: Giving Staff Device Control Yet Keeping Tight Security

Jamf was tasked with managing the devices for all Shopify employees, no small feat when everyone was used to having free rein over their own devices.


Here is the latest article in the eWEEK feature series called IT Science, in which we look at what actually happens at the intersection of new-gen IT and legacy systems.

Unless they’re brand new and right off various assembly lines, the servers, storage and networking inside every IT system can be considered “legacy.” This is because the iteration of both hardware and software products is speeding up all the time. It’s not unusual for an app-maker, for example, to update and/or patch an application for security purposes a few times a month, or even a week. Some apps are updated daily! Hardware moves a little slower, but manufacturing cycles are also speeding up.

These articles describe new-gen industry solutions. The idea is to look at real-world examples of how new-gen IT products and services are making a difference in production each day. Most of them are success stories, but there will also be others about projects that blew up. We’ll have IT integrators, system consultants, analysts and other experts helping us with these as needed.

Today’s Topic: Giving Staff Device Control Yet Maintaining Tight Security

Name the problem to be solved: Shopify (NYSE:SHOP) is a Canadian e-commerce company with more than 3,000 employees and 600,000-plus merchants on its platform. The company puts a strong emphasis on its culture by giving a high level of trust, ownership and transparency to its employees. One way that the company puts this philosophy into practice is by making each employee the admin of his/her own device. Shopify also has a flexible policy on devices leaving the office, so that employees can do their work and access company data from anywhere, anytime.

Such high transparency and flexibility is often at odds with IT security best practices, and makes it difficult for IT to keep company devices and data safe.

Diana Birsan, internal security developer at Shopify, was tasked with managing the devices for all Shopify employees, no small feat when everyone was used to having free rein over their devices. She needed to figure out a way to bridge the gap between security and device freedom, and she needed to figure it out fast. Shopify was doubling in revenue every year, as was the number of employee devices that needed to be managed.

Describe the strategy that went into finding the solution: When Birsan joined Shopify three years ago, a device management solution was a growing need. The Shopify IT team had spent months researching what they wanted to do to solve this problem. Birsan had used Jamf Pro, an Apple device management solution, for many years before joining the company and knew it would meet all of their technical needs, especially since most Shopify employees use Apple devices. Jamf Pro integrates with Apple’s Device Enrollment Program (DEP) and Volume Purchase Program (VPP), and it’s easy to enroll people and license software. When Birsan’s team received the CEO’s endorsement and needed to choose between Jamf Pro and a competing solution, they ultimately chose Jamf Pro because of its focus on Mac devices.

List the key components in the solution: Jamf Pro is an enterprise mobility management (EMM) solution for Apple devices. Key capabilities include:

  1. Simple Deployment: Enrolls and deploys Mac, iPad, iPhone or Apple TV devices with a zero-touch, hands-free experience, or goes hands-on through imaging.
  2. Customized Device Management: Customizes the user experience with device configuration profiles, policies and scripts.
  3. App Management: Purchases apps in bulk and makes them available automatically or through Jamf’s Self-Service app catalog, with the option to pre-configure apps beforehand. Creates a self-service app store that enables users to install apps, update software and maintain their own device without a helpdesk ticket.
  4. Secure Inventory: Automatically collects hardware, software and security configuration details from Apple devices. Creates custom reports and alerts, and manages software licenses and warranty records. Uses inventory to automate ongoing management.
  5. Security: Secures Apple devices by using native security features. Manages device settings and configurations, restricts malicious software and patches Apple devices without user interaction.

Describe how the deployment went, perhaps how long it took, and if it came off as planned: Birsan worked with the Shopify culture team to communicate the change internally in the best way possible. This was an important step, because one of the primary requirements was preserving the company’s open culture. 

The implementation began in mid-December 2015 and was met with skyrocketing adoption. After only a few weeks, 50 percent of all employees had enrolled. After six months, 90 percent had enrolled.

While the enrollment rates were promising, the remaining 10 percent still posed a risk. True to the culture of transparency and curiosity that the company worked to build, Shopify discovered that the remaining group wanted more information about Jamf before adopting. Primarily: What is Jamf doing on my device?

To give Shopify employees more visibility into Jamf's interactions with their devices, Birsan's team was able to build a “Friendly Ghost” application with the Jamf API that made digestible logs available to users. For example, a user could see that Jamf Pro was updating existing plug-ins or which policies the software was running at any given time. This empowered users to “trust, but verify” the script content, policy configurations and data collected from their devices.

Following the deployment of Friendly Ghost, within a few months, adoption had reached 100 percent and, with the use of DEP, the old serial number spreadsheet was retired. This was a major win for maintaining an open culture and growing security awareness around devices at Shopify.

Describe the result, new efficiencies gained, and what was learned from the project: Technical solutions need to consider company culture. Jamf provided a solution to Shopify’s device management needs, but Birsan’s team needed to customize the solution for successful adoption internally.

Once Shopify reached 100 percent adoption, staff were able to get creative using Jamf Pro to its full potential. Shopify provided a large offering of software within self service, recovered stolen laptops, had a manageable inventory and was able to proactively provide employees laptop upgrades by using smart groups. Best of all, Shopify could ensure that all devices were encrypted, which was impossible before having a device management solution.

Describe ROI, carbon footprint savings, and staff time savings, if any: Implementing Jamf Pro allowed Birsan's team to maintain Shopify's culture of transparency and trust while keeping company devices and data safe and secure.

Having moved away from using spreadsheets to track serial numbers that are assigned to employees, the team was able to leverage DEP within Jamf Pro and save several hours biweekly for onboarding new employees. Along with this, several self-service offerings lowered the ticket count for IT Helpdesk. This was a major win as it allowed the team to focus on complex problems and continue to build automation for the mundane tasks. Things like printer installs, software requests and knowledge base articles were easy to find in self service and empowered all employees to act like owners.


Chris Preimesberger


Chris J. Preimesberger is Editor-in-Chief of eWEEK and responsible for all the publication's coverage. In his 15 years and more than 4,000 articles at eWEEK, he has distinguished himself in reporting...