SHAPE increases security and compliance with Jamf

SHAPE DACH GmbH (formerly appmotion GmbH) is an IT company from Hamburg that has been operating for 13 years in the German and Swiss markets. They specialize in custom software development, user experience design and digital strategy.

SHAPE leadership needed MDM and stronger security
They chose Jamf Pro and Jamf Protect to manage and secure company devices
SHAPE went from a security rating of 50% to 95%

The Challenge

Lars Petersen, Lead DevOps and CISO at SHAPE, had a problem.

As SHAPE emerged from its start-up phase and its staff grew to around 70 people, the two-person IT team found device management increasingly difficult.

SHAPE IT staff were especially concerned about:

  • Managing updates
  • Device locking and encryption
  • Network threat detection
  • Compliance management

Security concerns were at the top of their list. SHAPE is certified with ISO 9001 and ISO 27001. The company had processes and guidelines for system configuration, but no means of technically enforcing them.

MDM to the rescue?

It seemed obvious to Petersen that SHAPE needed an MDM. However, both he and his staff were wary of MDMs.

“As we are very focused on software development,” says Petersen, “we had the strong requirement that at least the software developers must maintain as much control over their machines as necessary.”

Software developers, he goes on to explain, do things that regular users don’t do.

“From experience,” continues Petersen, “we knew that MDMs — and specifically network and security solutions — often don’t respect this. They interfere with network traffic, hook into processes in undefined ways and drive power users crazy sometimes.”

Petersen knew that any MDM he chose must not slow network traffic and must allow developers more control than other MDMs do. The solution would need wide acceptance to prevent users from undermining it and its security measures.

Determining SHAPE's requirements

Apple expertise

SHAPE was founded on mobile app development at a time when mobile apps were, by definition, apps for Apple devices. The strong emphasis on design and on software development specifically for Apple devices made Apple the logical choice.

The company has since evolved into a hybrid digital agency, expanding beyond its roots in app development to offer consulting, business development, QA, UI/UX, DevOps, and AI-powered solutions. Still, all employee workstations are Apple-only.

Whatever MDM they chose, it had to be built specifically for Apple.

Powerful, customizable security

SHAPE needed:

  • Access restrictions based on cryptography and strong authentication rather than origin networks and host-based access control, all of which can be faked
  • Zero-Trust Network Access (ZTNA) that allowed customers with IPSec Site-to-Site VPNs to confidently allow access to SHAPE developers from their home offices
  • Insights into dangerous network traffic and anomalies without breaking up encrypted connections or tunneling all traffic unconditionally through a proxy

Why choose Jamf?

Jamf is the most complete Apple MDM solution

After an extensive market survey, SHAPE determined that Jamf Pro is the market leader for managing homogeneous Apple environments.

Integrated ZTNA

Specifically, SHAPE is a remote-first company with the majority of its users working remotely, and they knew that Jamf’s ZTNA solution is an integral part of the MDM.

“With Jamf’s ZTNA solution,” says Petersen, “we were able to make our whole network security concept no longer rely on trustworthy company networks (which would rule out home offices), but the security is instead based on the security of the endpoint device.”

The ability to control access to company services based on device management status and threat assessment on a per-device basis was a huge selling point.

“The transport layer or the network the user resides in is no longer relevant,” says Petersen. “The user on the road is as safe as the user in one of our offices.”

Flexibility of Jamf security solutions

With Jamf Protect, SHAPE live-monitors suspicious activity based on DNS names, and they decide which traffic they want to tunnel and which traffic is allowed to route normally.

“Jamf security gives us real-time insights into our mobile device fleet and secures our users and assets be it on the road, in their home offices or in our company offices by fully leveraging the zero-trust approach.”
Lars Petersen, Lead DevOps & CISO, SHAPE

Results and benefits of adopting Jamf

With Jamf Pro, SHAPE can:

  • Technically enforce and report compliance with their technical guidelines
  • Assess patch management status of their fleet in real time
  • Enable fully automated forced updates for a subset of critical apps across the entire fleet as soon as patched versions are released
  • Automate device configuration for new users
  • Allow users to install their own apps without an IT ticket through Self Service

Thanks to Jamf Pro’s built-in ZTNA, SHAPE can now tunnel traffic to external services and business apps through a dedicated egress gateway with the option to restrict access; this hides user traffic from local networks.

Jamf Pro has also simplified enforcement of compliance standards. “ISO 27001 and other standards mandate that we manage the network,” says Petersen. “By being able to define the office network as no more trustworthy than any home office network, we gain a lot of homogeneity in our security assessment ( . . . ) home office users are no longer second tier.”

Jamf Protect offers SHAPE IT insight into network threats, as well as automated blocking of malicious traffic and phishing attacks.

All of these improvements have paid off: Petersen’s overall security assessment tracking shows that in the first six months of Jamf use, the company went from a security rating of 50% to 95%.

SHAPE looks ahead

Petersen has plans for even better ways to use Jamf Pro and Jamf Protect. The organization would like to further restrict access to certain applications until they meet the necessary preconditions. They would also like to make the Jamf Trust app available on private mobile devices for access to a limited subset of services, such as communication.
