IT Admin is a mess — Please go fix it

Arlo Gilbert
Published in Arlo’s Writing
9 min read, Aug 29, 2020


This was originally a long, multi-threaded tech rant on the boring but massive #ITSM market that touches every reader here daily.

Yes, I’m brilliant, but I don’t do enough drugs to qualify as a multi-disciplinary visionary like @elonmusk. If I’m wrong about something, please correct me.

If you’d like to see how a 2,100 word blog looks on a Twitter thread, you can go here, but my Tweets self destruct after 30 days so by the time you read this it may be gone:

The crazy long twitter thread.

The device, app, provisioning, management, & identity markets are fragmented, complex, mostly legacy, and all broken. You could make a fortune and have a gigantic TAM by making this simple and being platform agnostic.

Building this newco is a 1-year $3–5M build to get to MSP, 2 more years to get meaningful logos and figure out the sales, 2 more to become a top-right quadrant leader. To get there, you’ll need 6 key features that work together and ~$50M.

All of the technologies you need are open source too, which further blows my mind that nobody has done this yet. Nothing any corp does in any of these categories (except MS Active Directory) is proprietary. It’s all open standards & open source.

I’ll tell you precisely what to build at the end. Possibly I’ll win a prize for the longest @Twitter thread ever. This should probably be a blog, not a thread, but I like the structure of threads. They force word choice. I’ll port it to @Medium afterward.

Perhaps in my next chapter, I’ll be a seed VC or just be @mcuban rich and have my own family VC or PE roll-up fund like Joe Liemant. Successful investing is tough, but identifying markets & opportunities feels easy (to me).

For now, I’ll armchair quarterback from the comfort of my living room on a rare personal health day off* from running @Osano (which by the way — privacy management is quickly becoming the #7 item below, but not appropriate as part of the 6-piece package for various reasons)

* Just kidding, there isn’t really a day off when you’re a founder. You have to be insane, foolishly optimistic, or emotionally broken to choose to build startups. That topic deserves a separate thread. I’m all 3, but writing keeps me sane. Now Back to ITSM.

Every company in the world needs 6 things for excellence in IT:

  1. Restricting device access w/ identity provider
  2. Auto-provisioning & wiping of the device
  3. Auto-provisioning native apps
  4. Auto-provisioning SaaS
  5. Securing device w/ policies
  6. Protecting device w/antivirus

Even two years ago, you could get away with doing some, but not all and could still defend a healthy IT approach. But between #privacy laws, an increasing reliance on SOC, & various ISO certs, a massive increase in attacks, & a new remote work world, now all 6 are mandatory.

So who does what and how and why? I’ll explain the key players, and then at the end, I’ll lay out what you need to build to create a competitive startup to solve for all 6. Some players do multiple things, so I can’t entirely break this thread out by the 6 capabilities.

@Rippling by @parkerconrad is a player now, but it’s trying to be all things to everyone. What % of companies really want payroll, Mac admin, app provisioning, ATS, & HR benefits from one provider? Clearly, some do, but smarties know that level of vendor lock-in is terrifying.

Parker started @Zenefits (respect for the growth curve), which was (is?) a unicorn but a horrible product. Lots of news has said that cheating was rampant as was overselling. Rippling looks cool, but the origin story keeps me from ever trying it.

Then @DavidSacks came in post-crisis to fix Zenefits. It seems like he improved a lot of the operational issues, but the damage was done. I think David is one of the smartest tech people in the world for the record. You should follow him.

@OneLogin by @chrispeddk is prettier, & does identity well, but just like Okta, b/c they need enterprise clients & sell top-down, it’s not a delightful product. They had a breach years ago (mostly forgotten & remediated) that still makes me nervous. They do identity really well.

There are 20+ other enterprise identity providers & auth providers (Google, MS Azure, Open Directory, Amazon, JumpCloud). Most are fine, most require a Ph.D. to use or at least dedicated teams. There are some super innovative players like @Groove_Identity by @bousqatx.

Google is moving slowly & I think it has the opportunity to win identity. With LDAP dir sync, SAML provider, & their simple OIDC config. They could dominate identity if they prioritize it. Their products only make sense if you are a dedicated Google shop.

JumpCloud looks like it’s been struggling to figure out who it is and who it serves for so long that I can’t even figure out what they’re good at. Google SAML works & is secure, but is mediocre at best. Azure is ok too, but again, you’ll need to spend a ton to implement correctly.

Open Directory is so Apple-specific that it just never had a chance pre-iOS. 10 years ago I had an Xserve with OD managing Macs; it worked really well and was easy to provision, but it is no longer relevant (too bad). Ironically they could dominate now b/c of iOS but haven’t.

And all of that is purely focused on the #1 item… Identity. You’d think identity would be fixed, easy, and simple… Nope. It’s very competitive, but there is still massive opportunity in identity as a standalone feature.

The other gold standard MDM platform was @FleetsmithHQ (I realize their Twitter account is dead). Fleetsmith was like JamF Pro, but cheaper, easier, and delightful. They had some beta iOS features, but for all intents & purposes, it was Mac only.

FleetSmith automatically provisioned new devices you bought from Apple’s Business and automatically connected those accounts to Google Gsuite users. It had a few bugs, but it was so promising. I was a happy customer. Fleetsmith auto-installed apps and enforced policy also.

One day I got an odd call from Apple. They were asking if I’d like to buy a SaaS-based MDM solution from them (some other brand I’d never heard of). I was happy with FleetSmith, so I told them so and never thought much of it.

A few weeks later, Apple announced that they had purchased FleetSmith. Clearly, they are replacing their clunky provisioning profile system with FleetSmith. Immediately post-acquisition, they gutted the app, removed existing configs, & essentially forced us to flee for safety.

@JamfSoftware, now owned by @RFS_Vista, is decent. Sorry sir, but Vista has no Twitter account of its own to tag. Like most PE-owned companies, its products mostly work, though they are all Frankenstein bolted together.

JamF is worth its own discussion because they have breadth & depth. JamF Now (the specific product) is a joke, don’t waste your time. As an MDM only focused on iOS, it’s ok, but they advertise it as a Mac solution too, and it falls so short on Mac management that it’s comical.

JamF Pro is a reliable solution and seems to be their primary focus. It’s software, and all software has bugs, but this is a well-tested product.

JamF Connect promises to do for Mac what Active Directory did for PCs. It works & is the commercial version of the OSS @NoMADdotMenu by @mactroll, who wrote NoMad sold to JamF. The OSS is still available, but you’re better off buying, or you get no support.

JamF Protect, which is their anti-malware/antivirus solution, is impressive, but like all JamF products, it is a separate thing you have to buy, build, and configure yourself. Alerting is nearly non-existent unless you buy 3rd parties for alerting about critical security events.

If you are 100% dedicated to using Windows machines only (my sympathies), then you have tools like hosted Azure with Microsoft’s various MDM tools that provision, enforce policy, add antivirus, and work across both mobile (iOS + Android) & desktop (Windows only).

If you are 100% dedicated to using Chromebooks (apologize to your employees who want to use critical native apps), Google provides a native solution that just works instantly. Also, iOS & Android controls, although iOS is a 2nd class citizen.

Most MDM (both mobile & desktop) platforms can deploy native apps to their destination host. That is table stakes these days.

The problem with all this so far is that the only fully end-to-end solutions require a complete devotion to Google or Microsoft on both hardware & software. Most modern companies use heterogeneous devices and include BYOD.

Like DevOps, IT administration is shifting away from large dedicated teams to automated systems as the lines between software and hardware blur.

So far, a significant theme of this thread has been this: 99% of the IT administration tooling is old. It’s a perfect innovator’s dilemma. The category kings like the status quo, the tools are mediocre, and the companies are not incentivized to disrupt themselves.

Further, we’re now in an era of product-led growth. Top-down sales are declining in favor of end-user selling. Modern account expansion happens not through new products, but through new features. Feature expansion is infinitely easier & more affordable than product expansion.

The one topic I haven’t yet touched on is the auto-provisioning of SaaS. Auto-provisioning has to also include auto-deprovisioning, or you’re building a flawed process that creates risk and manual work.

My last company @MetaSaaS (acquired by @Flexera), focused on SaaS licensing. From startups to big companies, I understood what a “pain in the SaaS” licenses can become. We concentrated on SaaS spend, and through that, we learned a lot about why most companies overspend.

The same reason for overspend is often a cause of many risks and compliance failings. It’s the leftover accounts from people who have left or no longer need access. It wasn’t unusual for us to find 100+ users in a SaaS account with elevated privileges in sensitive systems.

Identity providers like Okta & others use a standard for auth called SAML. Setting up SAML is not fun. It requires certificates, configuring multiple systems, and more. And that is just for the most basic “ability to securely log in through a provider.”

Some SaaS vendors added just-in-time provisioning of SAML based user accounts (@zoom_us comes to mind) so that if the user didn’t already exist, it would create them for you and let them log in using that identity provider. This is nifty, but most vendors don’t do this.

Auto creating accounts is a big win for SaaS vendors, especially those who charge by the user. It’s not shocking that deprovisioning users never got the same level of focus from product teams who are often bonused on revenue. After all, if you deprovision, you lose revenue.

As I mentioned above, the end result of most automated provisioning is lots of users in a tool with access and costs but no easy way to auto-remove inactive or terminated users.

The Open Web Foundation & IETF came up with a standard solution called SCIM. SCIM basically enabled provisioning & deprovisioning accounts in SaaS vendors by identity providers. Sounds pretty cool, but in practice, it’s a mess.

SCIM relies upon both the identity provider and the SaaS vendor supporting it. Most SaaS vendors do not support SCIM (because it’s a lot of work but also lets customers auto-deprovision and loses you money). What sane product team focuses on features that reduce revenue?

Identity providers would have accurate numbers, whereas I’m just guessing, but I would spitball that 10% of vendors support SCIM. Oh, and configuring SCIM is yet another pain. It requires even more mapping and grouping by IT admins between SaaS vendors and ID providers.

Finally, although SCIM could be a panacea for cross-application user management if implemented everywhere and well, many identity vendors deprovision on a schedule. Google’s SAML implementation, for example, deprovisions “within 24 hours”.

Scheduled deprovisioning is the equivalent of breaking up with your ex & leaving them in your apartment overnight. Maybe they take the break up like an adult, but odds are good that you’ll discover your toothbrush in the toilet at best, or your favorite art destroyed at worst.
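To make the SAML/SCIM deprovisioning gap above concrete, here is an added Python example (mine, not from the post or from any vendor): it lists SaaS accounts whose owner is no longer active in the identity provider, builds the standard SCIM 2.0 PatchOp body that deactivates a user, and shows how long an account stays live when deprovisioning only runs on a daily schedule. The IdP directory, the SaaS user list and the sync hour are all constructed sample data.

```python
# Added example (not from the original post): reconcile a SaaS app's user list
# against the identity provider (IdP) and build the SCIM 2.0 PATCH that would
# deactivate an orphaned account. All sample data below is constructed.
from datetime import datetime, timedelta

# Constructed IdP directory: who is still an active employee.
IDP_USERS = {
    "alice@example.com": {"active": True},
    "bob@example.com": {"active": False, "terminated": datetime(2020, 8, 28, 17, 0)},
    "carol@example.com": {"active": True},
}

# Constructed SaaS user list, shaped like a vendor's SCIM /Users response.
SAAS_USERS = [
    {"id": "u-101", "userName": "alice@example.com", "role": "member"},
    {"id": "u-102", "userName": "bob@example.com", "role": "admin"},
    {"id": "u-103", "userName": "dave@example.com", "role": "admin"},  # never in the IdP
]

def orphaned_accounts(idp_users, saas_users):
    """Return SaaS accounts whose owner is not an active IdP user, admins first."""
    orphans = [u for u in saas_users
               if not idp_users.get(u["userName"], {}).get("active", False)]
    # Stable sort: elevated accounts are the ones to clean up first.
    return sorted(orphans, key=lambda u: u["role"] != "admin")

def scim_deactivate_patch():
    """SCIM 2.0 PatchOp body (RFC 7644 section 3.5.2) that sets active=false on a User."""
    return {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }

def exposure_hours(terminated_at, sync_hour=2):
    """Hours an account stays live when deprovisioning only runs at a daily sync."""
    next_sync = terminated_at.replace(hour=sync_hour, minute=0, second=0, microsecond=0)
    if next_sync <= terminated_at:          # termination after today's sync: wait a day
        next_sync += timedelta(days=1)
    return (next_sync - terminated_at).total_seconds() / 3600

if __name__ == "__main__":
    for user in orphaned_accounts(IDP_USERS, SAAS_USERS):
        print(f"deprovision {user['userName']} ({user['role']}): PATCH /Users/{user['id']}")
    bob_left = IDP_USERS["bob@example.com"]["terminated"]
    print(f"bob stays live for {exposure_hours(bob_left):.0f}h with a 02:00 daily sync")
```

Real-time deprovisioning is the `exposure_hours` result going to zero; anything scheduled leaves the window the post describes.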

So what is the opportunity for a startup? It’s simple, but not easy. Build a single platform providing iOS, Mac, Android, Windows, identity, native apps, and SaaS management.

Device users should be provisioned, and device access should authenticate against your central identity provider. Password changes in the identity provider should result in a mirrored change of the device password. Support SAML, OIDC, and real-time deprovisioning on SaaS apps.

Support pre-configured settings for the leading apps companies need. Provide stellar audit logs and alerts into modern alert systems, and make the experience consistent across all devices and apps. Oh & make the user experience for admins & end-users alike delightful.

NoMad, SAML, Santa, SCIM, Group Policies, Managed Preferences, directory-based authentication, browser policies, all of it already exists, it’s just that nobody (trustworthy) has packaged it all together yet. Maybe you should.
