Episode 008

Standard Users in an Admin World with Collin Elliott, Capital One

Arek Dreyer and Collin Elliott discuss least privilege, macOS security hurdles, and balancing user experience with strong endpoint security.

Show Notes

In this episode of Patch Me If You Can™, host Arek Dreyer welcomes Collin Elliott, Senior Platform Engineer at Capital One, to explore the complex relationship between security best practices and user experience in endpoint management. Collin’s background—spanning hands-on Mac support in large nonprofits to engineering roles at fast-growing startups—gives him a broad and practical view of the challenges enterprises face when shifting from an admin-centric to a least privilege approach on their endpoints.

The conversation centers on the persistent hurdles of implementing standard user accounts in environments where operating systems and app developers still assume admin rights by default. Collin discusses various strategies, from self-service elevation scripts and the SAP Privileges app to more advanced privilege management tools like BeyondTrust and CyberArk. A recurring theme is the balance between enforcing strong security without sacrificing productivity or creating a support nightmare. Collin and Arek also touch on the critical role of user and leadership buy-in, thoughtful automation, and the often-overlooked importance of minimizing friction—like reducing unnecessary clicks—to streamline processes.

Additionally, the episode delves into the realities of macOS privilege evolution, highlighting both improvements and ongoing obstacles such as limitations around certificate installations and bypassing Gatekeeper. Collin emphasizes the move toward engineering-focused solutions and automation to keep up with organizational growth and complexity. Ultimately, this episode offers an in-depth look at the push-and-pull between tight security controls and the need to empower end users, providing valuable insights for IT teams navigating similar terrain.

Transcript

Collin Elliott [00:00:00]:

Part of the discussion was engaging our developers and engaging those engineers and saying, what would it take to make this successful for you? How can we make this a more seamless process?

Arek Dreyer [00:00:18]:

Today's guest is Collin Elliott, senior platform engineer at Capital One, where he's exploring the frontier where the principle of least privilege meets user experience, a space where security best practices often collide with the practical realities of how people work. In this episode we'll dig into the challenge of standard users in an admin world. How do we apply least privilege to endpoints while operating systems still expect admin rights? How can organizations balance security with usability? And what can these approaches help you unlock? Collin, welcome to Patch Me If You Can™.

Collin Elliott [00:00:54]:

Hey, thanks for having me, Arek.

Arek Dreyer [00:00:56]:

So good to see you. Let's dive into the challenge of enabling standard users in an admin first world. What was a moment that you realized this model wasn't going to scale or stay secure?

Collin Elliott [00:01:10]:

It was probably six, seven years ago. My first job actually managing endpoints. I'd done support before that, but I was actually managing the endpoints and we were doing standard users. macOS was, like, Windows has long been kind of, they've kind of figured out some of this, they've got some hybrid and stuff. macOS really hadn't figured this out. And yeah, I was at a large church here in Fort Worth and they ran as standard users and we couldn't install things, like our users couldn't install things, our users couldn't do OS upgrades, and there were a lot of things that had to be done to work around it. A lot of scripts and stuff that had to be written. And that was where I realized, especially with the installing apps, this is not really scalable.

Collin Elliott [00:02:09]:

Like every app has to be in self service. That's a problem.

Arek Dreyer [00:02:12]:

Why do you think that OS platforms (you mentioned upgrades) and app developers installing apps still assume that, hey, the person logged into this Mac is an admin, even in enterprise environments? Why do you think that is?

Collin Elliott [00:02:30]:

I think it's still that consumer-first mentality. Both Apple and Microsoft have it. They have this mentality that the consumer is just going to set their device up as an admin, so they gear everything towards that. But even on the Unix side, the Linux distros, they see that they do it from a freedom perspective. A lot of those users are looking for that freedom. That's why they're on, you know, Unix. And so that whole process is really user focused but not business focused.

Arek Dreyer [00:03:08]:

No, that makes sense. I mean, you go to the consumer experience, you go to the store or you get a new Mac, you open it up, take it out of the box, set it up. And the account that you create, that's an admin, right?

Collin Elliott [00:03:23]:

Absolutely. And because that's that standard experience, that's what. And while, you know, these OS vendors sell a lot of devices to the enterprise, they don't have to support the enterprise devices. That's enterprise IT. They have to support the consumer devices. So they're going to err on the side of the consumer and make it easier for the consumer.

Arek Dreyer [00:03:45]:

That makes a lot of sense. So how are you approaching least privilege on user endpoints without turning it into a support nightmare for yourself or hurting productivity?

Collin Elliott [00:03:57]:

There are so many ways to do this. The first way I actually did this, Charles Edge wrote a script back in the day that could be run from self service that would elevate the user to admin for like 30 minutes. And that was my first, like, hey, this is our initial solution. And we actually restricted it. We had our Macs back at the time bound to AD groups and we restricted it to limited AD groups that had that kind of permission, you know, and now we've got SAP Privileges, which is, you know, pretty much the de facto standard for orgs that are doing this. But there's other elevation tools similar to that, and then there's privilege management tools that try and bridge the gap without that full elevation, from like BeyondTrust and CyberArk and ManageEngine. And so they have an alternative way of doing it where they elevate the process rather than the task. And so it really kind of varies org to org what the different orgs are doing.

Collin Elliott [00:05:03]:

I think that the best user experience, just from having tried all of them, is somewhere between the Privileges app and the privilege management, like CyberArk and BeyondTrust and ManageEngine. Somewhere between those two, there's kind of a happy medium that lies in there. And I don't think anybody's quite gotten there yet, but we're starting to get close.

Arek Dreyer [00:05:28]:

Well, and one additional challenge is, okay, so you've got standard accounts that you elevate to admins. How do you keep track of what they did and why they did it? And who wants to sift through all that logging data, even if you collect it?

Collin Elliott [00:05:43]:

That's a big problem. So, you know, the original script I used from Charles Edge didn't have a whole lot of logging. It just elevated and then it de-elevated, and later on he added some logging to it, but you had to know how to parse the logs or pull it into a SIEM or something like that. The Privileges app is configurable where you can direct those logs right into one of those tools, which is why it's so commonly used by a lot of enterprises. And then the privilege management, they're not elevating to admin at all. So there are fewer logs. Their logs can be streamed into a SIEM.

Collin Elliott [00:06:22]:

They're also in their consoles and things like that. So there's less risk there. But for like Privileges or the make-me-an-admin script, there's a lot of risk and that's a lot of logging. I've had previous orgs where they asked us to try and create, like, we'd pull the logs and then we'd have a script running against the logs that looked for specific activities, and that, you know, tried to remove some of the manual human work, but it was still a lot of data. A lot. Yeah.

Arek Dreyer [00:06:59]:

Well back to the user experience. Implementing least privilege on an endpoint can result in some user pushback. Do you have a specific example of pushback that you've received that you were able to overcome and how this led to better security practices across that entire organization?

Collin Elliott [00:07:21]:

Yeah. So the first time I encountered the user pushback was early on in my Mac admin journey, and I didn't really know how to overcome it at scale. That's where I kind of started going down this path of what's the way to handle this? How much can we script, how much can we automate? But also there's a limit of, I have to put everything in self service. I've got to figure out a way to automate, like, every app that somebody wants to go into self service. I was a one-person team. I was early in my journey. I was not a strong scripter at the time.

Collin Elliott [00:07:55]:

So that was a really tough thing to overcome, and it was really the leadership above me coming down and saying no, this is the way we declared it. This wasn't Collin's decision. And so we're just going to go down this and that's the way it is. And it wasn't a great user experience. It got a lot of buy-in, but it wasn't a great user experience. And then another org I was at, we didn't end up going down the standard user route, but we looked at it. It was the only org I've been at that wasn't standard users. And part of the discussion was engaging our developers and engaging those engineers and saying, what would it take to make this successful for you? How can we make this a more seamless process? Really, clicking a button to elevate to admin isn't a whole lot, but you're having to do that a bunch during a day. It does create a headache, it does create a challenge.

Collin Elliott [00:09:00]:

And then I started exploring some of the privilege management tools, and those are really great because they're more seamless. You don't click a button, they just have specific processes, and that really helps get user buy-in. But there's also the trade-off that there are still things that those privilege management tools can't do because Apple just doesn't let them. And so again, there's still not a perfect solution to this. Everybody's working towards one, but there's a lot of good solutions.

Arek Dreyer [00:09:29]:

I love the tension between the user buy-in and the management buy-in, and how important it is to be in discussion with everybody, to have everyone understand, so you understand what the users' challenges are, what's the friction that you can remove for them, and what is management concerned about in terms of what people can do and what risk that puts the organization at?

Collin Elliott [00:09:56]:

Absolutely. I had a leader at one of the previous orgs where he was a super senior leader but he viewed himself as a user, and so he tried to think of everything, and that was probably the best I've ever seen buy-in from both sides, because he came from the user ranks, he'd grown, he developed, but also he was at that senior level. So he was well respected and he could say what needed to be done. And he was also our first guinea pig for anything we wanted to test. He told us very explicitly, I know you typically exempt executives from testing right away, but I want to be your first test. I want to be the person who can give you the feedback and then get the buy-in. And having that very unusual dichotomy of a senior executive buying in like that was absolutely phenomenal and really cool. I've had other great buy-in, but just having an executive that wanted to be on the front lines really helped the user experience a lot.

Arek Dreyer [00:11:05]:

I mean that sounds like an amazing example of what leadership means.

Collin Elliott [00:11:09]:

Yeah, I've had a lot of great leaders, but this was a really impressive person.

Arek Dreyer [00:11:14]:

That's so awesome to hear. One of our big themes is that the patch is just the start, so what did implementing least privilege for user endpoints unlock after implementing that patch?

Collin Elliott [00:11:28]:

A lot of enhanced security. I mean, macOS is inherently quite secure anyway. But there's still malicious apps out there, there's still malicious tools out there. And being able to just say, hey, these aren't just automatically going to run. You're not going to automatically install. You have to make a conscious decision and you have to know that it's going to be logged. It really gives users a lot of pause about even trying to bypass some of those things. Being able to create that environment of freedom with those guardrails has been really key.

Arek Dreyer [00:12:08]:

Just to put some context into it, what are some examples of things where, if you say, okay, well, we're going to log this, the user would say, well yeah, of course I need to do this? So what's an example of something that was, you know, good, versus something where maybe the user would be like, if you're going to know about it, if you're going to log it, maybe I don't actually need to do this?

Collin Elliott [00:12:30]:

I mean, a lot of the logging, you know, we found out that music apps are very valuable to users for focus. You know, there's a lot of orgs that block those, but every org I've been at has allowed those because they've realized that that's really important for focus for a lot of users. And so just kind of having some of that data was a really great showcase of what the impact was, things that it's blocked. One of my orgs, we found a computer that somebody had purchased and they were exclusively using it to play World of Warcraft, a corporate computer exclusively used for World of Warcraft.

Arek Dreyer [00:13:10]:

And that kind of data can lead to discussion about, hey, what is acceptable use, what are we comfortable with our organizational resources being put towards. And like your music example, I can see the instinct to shut that down and say, oh, you know, that's wasting bandwidth or that's getting in the way of productivity. But then you can turn it around and say, well, actually, for what I'm needing it for, this helps my focus.

Collin Elliott [00:13:38]:

Yeah. And not all games are bad; there are a lot of great games out there for team building. And so, you know, it even creates a discussion within that genre. There's games out there that really increase teamwork and really increase, like, just the team, and those are really great, and they're more collaborative-type games, more trivia-type games. But there's other games that are single player, and those probably aren't the best for the enterprise. Great, do those on your personal device. They're fun to play, but they may not be the best use of company equipment, especially if it's just one machine dedicated to that.

Collin Elliott [00:14:19]:

Yeah.

Arek Dreyer [00:14:20]:

But if you had to give IT teams one mindset shift to adopt today, based on what you've learned, what would that be?

Collin Elliott [00:14:32]:

Minimize the clicks. Because a lot of times with most of these solutions that do take the elevation route or the make-me-an-admin route, there's clicks, and sometimes there gets to be more and more clicks as they're like, hey, we want to audit this or we want to, you know, do MFA on this, or things like that. It becomes cumbersome. And when you start calculating that up and you start adding that up, that's a lot of parts of the user's day that are just wasted by clicking. And so yeah, I think that minimizing the clicks is one of the biggest areas, at least in this specific area, that can be beneficial.

Arek Dreyer [00:15:18]:

I mean, it sounds trivial, like, oh sure, our users have to go and click something in order to do the thing that they need to do. How much time can that really take? It takes three seconds to get there. But in terms of focus and flow and just the annoyance of knowing that I need to do this thing, I'm going to have to get out of the thing that I'm doing, go to the thing to request admin access, click it, and I'm going to be timed. I only have 30 minutes to do this. That makes a big difference. It makes a big difference in productivity, it makes a big difference in morale. So it all adds up.

Collin Elliott [00:15:58]:

And creating that solution, be intentional about how you're doing it. Don't just make an arbitrary time that your user's gonna have to click, but also don't make it too long, because that opens up vulnerability. There's that balance, there's that tension there that we keep talking about. Find that balance that's right for your org and it will make all the difference in the world.

Arek Dreyer [00:16:24]:

We're seeing improvements in the OS that will allow standard accounts to do more and more. You know, you mentioned like seven years ago, standard accounts, as opposed to admin accounts, couldn't upgrade the OS. In recent versions of macOS, at least in an MDM solution where the MDM solution has escrowed the bootstrap token, any standard account has the ability to update and upgrade. Now, of course, we saw dialogs that would pop up on the screen that said enter your admin credentials. And that dialog was lying, because you could actually enter your standard account credentials in order to do the update. But do you see a future in macOS where the standard account and admin account distinction, that bifurcation, will eventually go away, do you think?

Collin Elliott [00:17:28]:

I don't think so. Because there's actually been a lot of things recently that have made life harder for standard users. I know that one of the things that I've seen recently is installing certs for development work. That used to be something that a standard user could do without admin passwords. They can't do that anymore. Bypassing Gatekeeper for unsigned apps used to be a thing that standard users could do, especially with the configuration profile. They can't do that anymore. They have to have an admin password.

Collin Elliott [00:18:03]:

And so I think that Apple is taking a very strategic and measured approach to: these are the areas that we really think that standard users should be able to do things, and these are areas that they shouldn't. And then there's pushback from the community where, you know, as engineers we go, hey, but this is what this is actually doing to us. And there's this tension. And I think that's one of the things that makes this community unique and makes just working in the Apple world unique, is that there is that connection between Apple and the community and that tension back and forth, and that they really do listen to us, but they also really do care about security and trying to push forward and push that next step to make everything better.

Arek Dreyer [00:18:55]:

Yeah, no, I mean, iOS, iPadOS, visionOS, tvOS, they don't have the concept of a user. I mean, okay, yeah, there's Shared iPad, but apart from that, the user of the device is the user of the device. You don't have extra privileges, and apps are sandboxed and can't see each other's data. Now, to apply that security model to Mac would mean that all the development work, all the shortcuts, all the things that make a Mac a Mac kind of go out of the window. So I know Apple wants to have macOS be as secure as iOS and iPadOS, and they're on that road. But, you know, there's a lot that needs to happen between now and that reality.

Arek Dreyer [00:19:51]:

Now, because you keep talking about developers and development tools, it sounds like you're spending more time in your career now around engineering skills rather than just managing Macs. Can you talk about that a little bit?

Collin Elliott [00:20:08]:

Yeah. So really, kind of over the last seven years, I've watched not just my career but also the industry as a whole become more focused on engineering. Like, the click-ops and stuff is still a thing. But we're starting to see a lot of that be handed off to a junior engineer and then train them into creating solutions. And it's more of a DevOps approach; that's really kind of where a lot of this has gone. Regardless of what MDM provider you use, what different packaging solutions you use, there's a lot of automation, there's a lot of API work, and that has become really the big thing in the industry, focusing on that DevOps, that automation.

Collin Elliott [00:21:00]:

Let's scale how much we can do. And I think that's somewhat because of the way that a lot of companies operate. I really got into DevOps when I went from a large nonprofit to a unicorn startup that was growing at 600 people a week. We couldn't do things the same way. We couldn't even hire staff for managing the endpoints and IAM and all that at the rate that we would have needed to with the old ways. And so creating those engineering solutions, automations, building out things like using swiftDialog to create automations to set up a Mac, which I know most of the MDM vendors kind of have their own solutions for. But having a solution that's very detached from the MDM vendor that can still do all that stuff has really proved useful to the community, because it can be shared and taught across. I started with DEPNotify and building out devices that way, and that was really my first.

Collin Elliott [00:22:18]:

We're going to start automating all the things and automating that process. And as I did, that just was fun. I love just writing the little code and stuff that does that. And you know, now my scripts are a thousand lines long. I went from, like, a quick and dirty three-line script, and I was like, hey look, it does the job, to now there's all these detailed statements in this, bordering on full-fledged app-like functionality, and it's really cool to see what kind of data that can bring in and what kind of user experience that can do, really enhancing that user experience from both sides, the development side and the admin side. And that's the way the industry is heading. You'll see that a lot in the MacAdmins Slack. There's a lot of people talking about that.

Collin Elliott [00:23:15]:

There's a lot of career development that is focused on that. And it's really kind of the way the industry is heading. And it also is a way to grow your career. It adds levels to what we do.

Arek Dreyer [00:23:30]:

For sure. It's interesting how you connect that experience at that organization that was adding 600 people a week. I can't imagine giving 600 people admin access on endpoints in my organization. So by using a DevOps approach to automate things and to get approvals, there's two benefits: you're automating so that you can scale, and also you've got an approval process so that you can see who's done what and how that's gone. So it's really exciting to see how we can keep learning from those experiences and bring them back for every Mac admin around the world. I've got a question for you, and it's: if you could instantly patch anything in your world, what would that be?

Collin Elliott [00:24:26]:

Parenting.

Arek Dreyer [00:24:27]:

Parenting. Oh, parenting.

Collin Elliott [00:24:29]:

Yeah, parenting. There is so much to it. It's not something that you can automate. Kids are so unique and they are so much fun, but also they're difficult, and that's beautiful. But yeah, there's definitely things where I'm like, I wish there was an easy button.

Arek Dreyer [00:24:55]:

Do your kids have standard rights or admin rights?

Collin Elliott [00:24:58]:

They have standard on their devices.

Arek Dreyer [00:25:04]:

Thank you so much, Collin, for joining us on this episode of Patch Me If You Can. If you liked this episode, hit follow and share it with someone who's ready to lead IT and security from the front. We'll see you next time.