In episode 9 of EnterpriseReady, Grant is joined by Zack Blum, CEO and Founder of Fleetsmith, to discuss device management and security in the enterprise world, as well as different approaches to product assortment.
About the Guests
Grant Miller: Hey, Zack. Welcome to the show.
Zack Blum: Thanks, Grant. Thanks for having me.
Grant: Cool. I'd love to have you just give your background for everyone's knowledge.
Zack: Yeah, happy to. I went to UC Davis, I was an IT manager at a small department on campus there and then I got a job at Wikia when I first moved to San Francisco.
Originally I was the office assistant there, so not in IT. After a few months I started helping out with computers and IT things and eventually I got the job as the IT guy.
Over the years, I was there for about 5-something years, I got promoted to IT manager and then IT director.
When I started a media company we had about 65 people in the San Francisco office that I was supporting, and when I left we were North of 300, approaching 400 and we had 12 offices around the world.
I had a team and I was responsible for global IT.
Grant: Then that led you into what you're doing today?
Zack: Exactly. One of the challenges we faced, like most fast growing companies and distributed companies, it's another commonality we notice in our customers today is device management, and all the things that go with device management.
Like keeping a good inventory, making sure everything's up to date, making sure you're secure.
So we didn't have any capability there when I started, we were just using a spreadsheet actually for inventory.
Grant: Classic. The most useful tool of all times.
Zack: It is. It does everything pretty well, but it's all manual. At scale we needed some automation, and the trigger points were any time we hired a new person we're talking 1-3 hours of manual work.
Any time Apple updated Mac OS, hours and hours or days of work. It was a lot of spray and pray, send an email and hope that everyone updated. Or didn't update, if we needed to test it first.
We had these gaps in our capabilities, and asked around, tried to figure out how to automate this, and realized that a lot of the leading companies were using open source tools.
Configuration management like Puppet and Chef, a tool out of Disney Animation Studios called Monkey that does package management. This is all on the Apple side, by the way.
Zack: So we looked at how to do the open source thing that the big companies were doing, we ran a little POC and realized "That's great, but how about security? How about uptime? All the operations?"
"OK. We don't have the team and expertise to do this, or the resources," so we looked at the commercial side. Boy, that was a bit of a shock.
Because we were squarely in that SMB mid-market category, and most of the products out there were really geared toward larger enterprise.
So there were a lot of roadblocks from just being able to run a pilot, it was weeks until we could even run a pilot.
Zack: How to talk to a salesperson, since we couldn't test it ourselves. Then the actual ongoing costs of administering the product was very high, both in cash and technical expertise, and then security.
We had a lot of concerns about the security of these vendors. So, to be honest, I got mad at the world a little bit.
I said "Why isn't there something better here? Why can't we just go and click a button and fix this?" That's-- The answer is, "Nobody had done it yet." So I built a prototype.
Grant: You evaluated the whole market, you saw this from an end-user perspective, that there was this challenge that you had in your company and it was like no one was solving it. So, someone needs to.
Zack: Yeah. We weren't special. What I realized was we were every other company except for the Facebooks, the Googles, the DropBoxes that had the resources to do this.
Because nobody was doing this in a way that you didn't need a ton of technical expertise, a ton of security expertise, a ton of engineering expertise, and time and money to do it, everyone needed this.
So I talked to my peers in IT and security in the area and everyone said "Yeah. Boy, we'd love something that added automation, added statefullness, added great user experience, and that you could get started with and actually run a real pilot yourself before trusting this company blindly." That was out there.
Grant: The core problem was, how do you manage devices, Mac-specific devices, in an organization of, let's say, like 10 to a couple hundred? Maybe 1,000 people?
Zack: Exactly. The whole lifecycle, from when the employee starts, how do you get them setup and timed to productivity? How do you get that down to the smallest amount it can be?
Then on an ongoing basis, how do you make sure your company's data is secure?
How do you guarantee that every computer, every mobile device, has an encrypted drive? Is updated to the latest version of iOS or Mac OS?
Then you have attribution, how do you know who's got which computer and you don't have floaters? Because it's the one, the one that's just floating out there that's in the lab somewhere but that's online that lets everybody in.
Grant: Cool. We'll dive into some more of those features in a little bit, or why those matters so much. But before then, let's just talk about the founding story. You see this opportunity, and then what was the next step?
Zack: Originally I had asked somebody named Stevie Hershoe who was on my IT team at Wikia, "Do you know how to do device management?" He said, "No I don't. But I know a guy who does."
It turns out this guy who does, who's now one of our co-founders , was working at Dropbox. He actually rolled out Corp Mac management internally at Dropbox.
He used Puppet, Config Management and Monkey like I mentioned before, glued it all together with a bunch of resources from their DevOps team and their security team, and got it going.
He later worked on Windows too. After I learned how to--
Grant: Is that what inspired your first internal attempt that you mentioned earlier?
Zack: Exactly. Yeah. After that I actually went to a Puppet boot camp myself, and learned Puppet and came back and Stevie and I did the POC internally.
Ironically, Puppet was a big inspiration for Fleetsmith, and now Luke Kanies is one of our advisors, which is great. The former CEO and founder of Puppet. So that's a lot of fun for me, but that's what inspired the POC.
When we realized that it wasn't going to work given our resources, and we looked at the commercially available options and said "These are no - go's for a variety of reasons."
I said "Stevie, could you actually introduce me to this guy? I want his help working on this prototype."It was really a project at this point, we didn't know where it would go.
So as Jesse, my co-founder Jesse Endahl, tells the story he met me at a cafe in San Francisco thinking "No way am I going to leave Dropbox. I've got a great job, we're growing super quickly."
But the funny thing is he shared all of my frustrations as a practitioner. He started as an IT engineer and then became a security engineer at Dropbox, so he was the customer too.
He recognized all the pain points, all of his friends in IT and security were saying "How do we do this the right way?" They were looking to him also for his model, how he built it.
But again, they all didn't have the resources. So when he saw the prototype that I'd built and when we started talking about the state of the world, it became apparent that we shared the exact same vision for how things should be.
We were both mad at the world for this not already existing, and those two things came together and the rest is history.
We just started it.
Grant: When you first started, how did you get your first customers? Did you get Wikia as a first customer, or Dropbox? Who did you go to first?
Zack: Yes. Wikia was an early one, and I actually went to the CEO at the time who was my boss, Craig Palmer. Awesome guy. I said, "Craig I'm working on this side project I want to show you, and I think it'd be great if we could use it here at some point."
He was super supportive, so that was a really great early bit of support. After it got to a point where we felt comfortable showing it more broadly, Jesse and I just talked to IT professionals and security professionals.
Mostly in San Francisco, a couple in New York. We said "What do you think? Would this be something you'd use?"
The answer was pretty universally "Yes," there was just such a high cost to either doing this yourself with open source or doing it commercially.
There was a ton of pent up demand, I'd say. We got about 10 customers who said "As soon as this is ready we'll do it," and they signed.
Shortly after that we ended up raising some venture capital and starting that.
Grant: I know your focus initially was really on the Mac world, administrating Apple devices. Was this solved in the Windows world, for small companies?
Zack: Yes. It's interesting, Microsoft has basically had a 20-30 year head start on Apple in this space. Microsoft has always built good tooling in this space. There may still be a somewhat high technical bar, but at least the tooling existed.
Apple's focus has been consumer, and they say that from the beginning, and they've relied on third party vendors to bridge the gap in enterprise.
When iOS came out and enterprise adoption started skyrocketing, first of iOS and then the Mac as a halo effect, they were really in need of, we thought, a little additional help, t o help people who didn't have companies, who didn't have the expertise or resources, accomplish the goals that all companies need to do in terms of corporate security.
Grant: In SF where even the scaling companies that are hipster enterprises, as we might call them, are using Mac as the primary computer for all their staff, there's not really a great solution for this.
Even the one that is out there is fairly legacy, and doesn't really work very well.
Zack: I like the hipster enterprise idea. But yeah, there are companies that are 100% MAC, both in San Francisco and elsewhere now. It's increasingly common across industries, too.
But then also even in enterprises, you might have a 2,000 person company with a 200-300 device Apple deployment.
Zack: You talk about the future of work and automating offices. You might have all Windows laptops for employees, but you have iPads on all your conference rooms, and you use Envoy to sign in.
There is just amazingly increasing and accelerating penetration of Apple in the enterprise, whether it's to support employees directly, or with the conference rooms and facilities.
Grant: Yeah, but that just wasn't true 10 years ago.
Zack: No. Absolutely not.
Grant: That's part of the paradigm shift, is that now we're seeing more Mac devices throughout organizations.
Zack: Yeah. The trends that we saw were Apple gaining and outperforming the PC market substantially in the enterprise, and more and more companies adopting Apple as a major part or in total.
Grant: Yeah, sure. OK. That makes total sense to me. So then you create this company of three other co-founders, right?
Grant: How many early customers did you get before you raised any money?
Zack: We had about 10. I think it was exactly 10.
Grant: They were all using your stuff, basically in production, to manage their devices?
Zack: Yeah. We had a bunch of companies using it. It was in beta, for sure. We actually took the Google approach and stayed in beta for quite a while. Long past what most companies would probably do.
We actually came out of beta earlier this year. But the way we think about beta is actually different, I won't go too far into it, but we think of beta as a horizontal issue.
Where we weren't doing all of the things that every company wanted, but the things that we focused on were really efficient, really well done, and really secure.
It was the horizontal deal that kept us in beta, now we're in GA and we tackle the entire Apple device management.
Grant: Dive into that. How do you guys think about go-to market in terms of what's alpha, what's beta, what's GA?
Zack: Yeah, totally. We want to make sure that when we say "We have this product and it's GA," it accomplishes the primary jobs that need to be done for the person who's doing it.
Depending on what the domain is that we're talking about, that can be just one job or it can be quite a few. Take Mac management for one.
I n Fleetsmith there's a ton of automation around the things you can do to an individual Mac. Then of course you can multiply that at scale across your whole fleet, securely over the internet.
Initially you could do, I want to say, at launch 10% of the things that you can now do to your Mac. Examples, you couldn't deploy custom certificates when we launched to your Macs, and now you can.
So if you have that need you can do that automatically through Fleetsmith today. You couldn't automatically push out Wi-Fi config at launch, you can do that today.
Things you could do though that worked really well from day one and were game changers, were you could upgrade Mac OS itself. Fleetwide, securely over the internet.
To paint a picture of the contrast before Fleetsmith, that was a 20+ step manual process. There were literally blog posts written about this because it was so hard and technical to do.
Any time Apple released an update, you're doing manual package management, I could go on. With Fleetsmith it's two clicks.
So, that's what I'm talking about when I say beta vs. GA. The things that we launched with, automatic Mac OS updates, follow vault disencryption, those things worked and worked well.
We've just added and complemented those, so now we do the vast majority of things that professional IT people want to do, and we have extensibility.
Another example is now we've added compatibility and actually we can push Chef and Puppet onto the agents, onto your devices.
If you need even more power and you want to customize it completely, you can use Fleetsmith and the device enrollment program that's been rolled now into Apple's business manager and MDM, and bootstrap your own custom configuration management for your end points.
You can go as far as you want to go now, but not all that existed on day one. We wanted to under-promise and over-deliver.
So when we felt that the percentage of jobs to be done was there, and they were all working really well, we went GA.
Grant: That's cool. Then were you working with these customers, getting feedback the whole time? How do you think about finding those early beta testers or beta customers, or how do you think about rolling this out?
Zack: Totally. To start with, one of the good things about Fleetsmith was that a lot of the co-founders and early team were IT and security professionals.
So to start with, we were the customer, which really helped in terms of initially building the things just to solve our own pain.
We thought about all kinds of things, like "What's really painful? What do we have to deal with all the time?" We thought about new hires, "This is such a painful thing. What if we could automate that?"
Apple releasing new Mac OS updates, they do that semi frequently, there is a dot release or a smaller patch release at least every quarter it seems. That's a lot of work, and how about the third party apps? Google releases Chrome updates constantly.
So we looked at, what were the things that were just constant and painful that we could automate in a way that had a great user experience?
That brought us so far, and then of course we wanted to do the "Release early, release often" thing. We get a ton of feedback and requests from our customers, so I was mentioning--
We call it our "Catalog,"the things you can do, the apps and settings you can push and configure on your end points. We get requests all the time.
Until we had gotten that coverage out, we still get requests to this day, they're just much more edge cases now. But customers are probably now the number one input into that process, in terms of capabilities.
Grant: Yeah. Because you came from this background and you were your own target market, you were able to work off of all the pain points you'd seen and experienced as IT admins, and then build a solution that would solve your highest priority ones.
Then you knew that those were commonly felt throughout the industry, you could bring that solution to your potential customers, show it to them and get their feedback and even get them to start using it.
Because even if it didn't cover every possible catalog item or feature, it was going to help them get there faster in the beginning.
Zack: Exactly. If I can tell you "I can eliminate 20 hours of work a month around upgrading your fleet to the newest version of Mac OS, or third party app.
We do that really well." Do one thing and do it well, that's how we started.
Grant: That's great. OK, so one other thing I'd love to just dive into, because we're going to talk a lot more in a minute here about the overall enterprise ready features within Fleetsmith.
But one thing that I think you can help educate the audience around is just one of the core features of enterprise ready, which is security.
Specifically the enterprise ready site tries to cover what we call "Product security," which focuses on development environment and technical operations and product.
But I think you really are an expert on corporate security as well, like the stuff that you build help solve those problems.
So, maybe just talk a little bit about like as a SaaS vendor why corporate/internal security is important. What are some of the first steps are you can take to start to become more secure?
Zack: Yeah, absolutely. I would say two things. One is we've actually used enterprise ready from very early on, and some of the product decisions we made it was interesting, because they are enterprise features on enterprise ready.
But they actually just improved the product experience for SMBs which is our target market. So I think that's a really interesting overlap that we can get into more, as far as where do these quote unquote "Enterprise features" help everybody? As far as how we--
Grant: Just guidelines for SaaS and vendors that should think about internal corporate security, how should they be rolling out? Why should they be thinking about this? They're thinking about SOC-2 audit, they're thinking about something else. What should they implement?
Zack: Some companies have compliance needs, and then there are baselines that everybody should do.
You have to understand how the threat landscape has changed, I think a lot of people still have this idea that unless you're the type of organization that's going to be targeted directly by a hacker or a nation state, you don't really have to worry about security.
That's false, that's just not true anymore. The reason in large part is automation.
Attackers have gotten a lot more sophisticated, and so they're not coming out and targeting you directly, they're just writing a script that targets IP addresses across the internet at a scale that's hard to conceive of, but they're knocking at your door.
So it's not a question of "They want you?" It's a question of "Are you vulnerable?"
If you are, they will come in and get you. So there are a few different categories.
I'm borrowing a lot of this content and probably doing it no justice, from my co-founder Jesse's recent talk at Mac tech conference in LA.
But there's the nation state attackers, which I won't cover too much. That's a pretty sophisticated threat to defend against.
But then there are the vandals, the script kiddies, that are doing it for amusement. Then there are the criminals, which are doing it for the money.
So if you think about what they want, they want data. Typically data is what they can sell and turn around for the money.
Whereas the script kiddies are in it for defacement. So when you talk about data, that's on the corp side typically.
If you want to defend against that attack, you're thinking about stuff like ransomware or you're thinking about people exploiting known vulnerabilities in your operating system, or a physical attack where you're at Starbucks and someone pulls all the data off your harddrive because it's not encrypted.
There are a couple things you can do that are really simple and basic, and if you do them you're way ahead of the game.
On the app side, app security in the corporate environment, if you use G-suite as an example you want to turn on 2FA. Not just enable it, but make it mandatory across your domain.
Consider white listing which applications can authenticate with OAUTH and grab data. On the device side, make sure all of your devices are patched to the latest version of the operating system.
There's this myth that Apple back port security to two major versions of the OS prior, and that's actually not always true. Long story short, you only get all the security patches if you're on the latest version of the latest major release.
You want to have disencryption on, that's a real simple one. There are some more, but those are the core ones. 2FA, patch your computers, and disencryption.
Grant: Yeah. I think what's interesting to think about is you're categorizing these different security steps, one from "What should your applications be doing?"
Because your applications could be vulnerable, so that's where it's like "Use 2FA, use some of these--" Enforce some best practices.
The next is on the device, because turns out your devices--
You could have great internal security but if you allow someone to download a random piece of software that has malware in it, that can then exploit all the software solutions you have on the device.
Zack: Phishing. Increasingly common.
Grant: Sure. Then the final piece we were talking about earlier, which I think you'll dive into next, is just what do individual users need to be doing in order to think more about security? It's training oriented, right?
Zack: Absolutely, yeah. It's easier to go in the front door than the back door. We found that a lot of companies are hardening their production infrastructure, and that area of security seems to be maturing a lot.
There hasn't necessarily been the thought and care put into corporate security that there has been on the prod side. What we're trying to do is we're trying to help people automate best practices around security, and just general IT hygiene as well on the corp side.
As far as training goes, yeah. You absolutely want people using a password manager. You want long, unique, random passwords for all of your third party accounts and you just want that one master password for your password vault itself.
We could talk about password misconceptions and hygiene all day, but that's a really basic thing you can do.
You want to train people on phishing, right? You don't want to open attachments that you don't know about. You don't want open emails from unknown senders that look suspicious.
But the bottom line is, somebody is going to do it. As much as you try to prevent it, big companies do these tests all the time. They'll have an auditor come in and send a fake phishing e-mail out, and every single time someone opens it.
So, how do you secure your fleet and your data in response to knowing that one or two or three or ten people are going to do the wrong thing inadvertently?
Grant: Yeah. The one thing I love that Google talked about, they've basically been able to eliminate phishing attempts through using U2F tokens, which I think is a really important thing we do here at Replicated.
Zack: Everybody should do it.
Grant: Yeah, it's a great security feature. But there's a lot to do, and so I think with technology like Fleetsmith you can help automate some of these things and you can learn what the best practices are.
Ultimately my perception is with end users, as you bring more people on board, you just have to make sure everyone has a security mindset.
If you're an application vendor, if you're a SaaS company or a software company, it turns out you're also a security company.
Because you're going to either be processing data or distributing your software to people who need to deploy it securely, and so your entire organization has to be organized around doing things securely.
Because if you're not, then it just leaves so many vulnerabilities open, and I think it's a huge risk that people don't really understand.
If you want to have any of the compliance certifications, not just check the boxes, but if you are truly liable for a bunch of end user's information you want to make sure you're really doing all the things and checking it and covering all of the different bases to do things as securely as possible.
Zack: Yeah, absolutely.
Grant: It's hard. It's a lot of work.
Zack: "Security is everybody's problem." That's how we talk about it at Fleetsmith. If you see something, say something. That's totally OK. We want to promote an atmosphere of over-disclosure, if possible.
Then there's just the best practices, and that's an ongoing thing. When you hire someone new, obviously there's that onboarding training, and then there are refreshers. As the security landscape changes we need to educate employees about that.
Grant: So, early on in a company's history or development, let's say you're 15-20 employees. Who should be in charge of internal corporate security?
Zack: Yes. So, we got lucky with that. My co-founder Jesse was the natural choice. He's our CISO, and so it just made sense. Not everybody has a CISO at 15 or 20.
What we've actually seen, we've got great inductive evidence of who actually is in charge of this, because they use Fleetsmith.
We've seen a combination of co-founders, we've seen engineers, we've even seen office managers do it. We've seen almost literally everybody do it, and I think the most important thing is there just needs to be someone designated.
Ideally they get educated around the basics. Obviously we're doing our best to help people just be able to see what the best practices are in our product, and there are a lot of companies and products that do that. That try to push the best practices so that if you're not an expert you just get them. You can see them.
But, just like if you're building a product, go look at EnterpriseR eady. If you're building an enterprise product there are some good resources that we can dive into around how to be basically secure.
Certainly on the device side, Fleetsmith tries to show you what those best practices are and then make it really easy to automatically enforce them.
Grant: Yeah, it's funny.
For us I feel like device is the last mile, like you can do a lot of great internal training and you can have systems set up. But ultimately if the devices get compromised, you lose it all. It invalidates everything else you've done because you can have people pull off keys, or even if you're using client side search, you can have these things extracted.
So that's one of the reasons we love these hardware security modules, like U2F tokens, is that they're not readable. A device security is one thing that feels a little bit out of the reach of malware.
But that is today, who knows what happens over time, and there's other ways people can hack around and find malware to trigger U2F.
Zack: Yeah, and that's one class of attack. That's the man in the middling of 2FA codes. You're basically eliminating those with the hardware key in today's world, by keeping your machines patched to the latest OS you're eliminating another class of attack against known vulnerabilities and unknown vulnerabilities in previous versions.
Same thing with third party software, same thing with disencryption. So if you layer on these defenses, you're just eliminating wholesale massive classes of attacks, and you make the attack surface pretty small and much more challenging.
To the point that, again, if you go back to who the attacker is here, they're trying to make money. Make it cost prohibitive to be attacked.
So it's not that you're perfectly safe, nobody ever is. But if you add defense in depth and layers, you make it cost prohibitive and you're a less-likely target.
Grant: The other reason I think this is actually super important for application vendors, is oftentimes you're going to be in a security review on the other side.
When you're shelling into a large enterprise deal, part of procurement is going to be going through security review. Not only do you want to have implemented this approach, but you want to be able to talk to it.
You want to understand what that CISO is thinking about when they're looking and evaluating your product, and also your company.
So one thing I always recommend to founders is to actually read the ISO 27001 standards.
It's definitely a thick read, but when you get into it the thing that always amazed me is the first time I read it I was like, "This is basically the playbook for every IT security admin out there. They're all looking at ISO saying 'Here's what I should be doing.'"
When I talk to a vendor I'm going to bring up every one of these topics, so from the idea of common vernacular it's one of the best ways I think to understand what the other side of the table is thinking about when you're talking about security.
Zack: Totally agree. We've got a lot of customers who are in regulated industries, and have all sorts of compliance needs.
It's funny because we tend to see customers with really sophisticated needs that you might think a large company would need earlier, when they're in a financial industry or a health care industry.
So if you go and read the ISO spec like you were mentioning, or have worked in this industry before, you can get a really good sense of it.
The thing is if you start early you can actually put systems in place and automation in place to solve a lot of these problems with minimal overhead, or no overhead in certain cases.
But getting the awareness initially is a big deal, and a lot of the controls and these common compliant certifications we just automate for you.
Grant: Yeah, I love it. The thing I always think about that's interesting with SaaS and software vendors, is that your end customers-- The legislation and the compliance that they have to live up to, they push down to you.
When we talk about GDPR, you might not have that much customer data, but you're a processor or a sub-processor. You end up with all these downstream effects, so you really have to think through it.
I think the same is true if you're going to sell into fin-tech government. Even selling to a hipster enterprise fin-tech company, you're going to have their downstream downstream. It just always trickles down.
If you understand the frameworks that they're using to evaluate and do these things, you're just I think in a much better position. It's like, ISO if you read any of the NIST papers, those are all--
Zack: Love NIST.
Grant: Yeah, but you get some really interesting guidelines and audit controls that they're implementing in order to make sure that they're secure and you see these security matrices, and things that people will reference.
But if you read it and you get all the context, I think it really helps you speak intelligently towards those. So it can help you get some of those deals done, or implement that feature the correct way, instead of having a mismatch.
Zack: Absolutely. Grant, did you know that NIST recently updated their password guidelines, as an example?
Grant: Tell me more.
Zack: Yes. So expiry and complexity aren't where it's at, it's really length. The recommendations are obviously you want to have long unique random passwords, but for the ones that you need to remember, the best practice is just length.
A great way to do that is make it four or five words, put a space between it so your muscle memory just works like you're typing out a phrase, and then you only have to remember four or five things rather than 30 things with 30 unique random characters.
So, stuff like that. I totally agree with you in the NIST updated guidelines, go read it. Light reading, bedtime reading.
Grant: Yeah, exactly. I make myself read it in a hammock laying outside in the sun, because it's one of those things where if you're trying to read it at night you'll just-- Five minutes and you're asleep.
Zack: Yeah, absolutely. But good stuff.
Grant: Cool, so that's super helpful. I think that the more that these enterprise software companies can approach their internal security and product security and really take that approach, it'll just help get more deals done and get better customers onboard and create smoother conversations and faster time to adoption.
Zack: Absolutely. If you can come in and look at a dashboard and show it to your customer, or pull out a report and show them that you're meeting these standards in advance of them asking you, even if you don't actually have the certification oftentimes you can win the business.
Grant: Yeah. At Replicated we don't have any massive certifications. We actually don't handle a ton of super sensitive data, but we can talk to every one of these pieces, and our whole team is super aware of security.
So we end up, just being like, people talk to us and they're like "OK. They get it a lot." It also matters, the sensitivity of the data, so we can point to a matrices of data security and be like "We don't handle that much important data. So, you can trust us."
Cool. So from there, I know we talked a little about-- You actually read EnterpriseReady early on in the founding of the company, and you were thinking about some of these features when you first started.
The first one we should dive into is maybe just how you've thought about product assortment. That's one of those features that I feel like isn't necessarily a--
It's not really an enterprise feature, per se. But I think it's an important thing with enterprise go-to market. So, maybe you can talk a little about that?
Zack: Absolutely. Fundamentally, you mentioned this earlier. Taking a bottoms up approach, we're not starting in the enterprise, we're starting in the small and mid-market.
When we initially thought about product assortment, we looked out at the market and said "There's a limited number of commercial products here, and it's a quote unquote 'Enterprise buying' process."
And we said, "First of all, what if this could be self serve?" We're talking about SMB here. "What if you could run an actual pilot yourself? And what if we were innovative on running that pilot?"
So here's what we did. When we first launched we had some device restrictions, in terms of minimum device count, license count, credit card up front, and so on.
Last year we came out and said "Fleetsmith is free. You can have up to 10 devices managed at no cost, no credit card, for an unlimited period of time."
Grant: That's great.
Zack: Yeah. Most companies are doing a time based thing, and that makes sense in a lot of cases. What we found though is that IT folks usually are a bit overloaded.
Having been one, I understand that, and often they'd start a pilot when they had a little bit of spare time and have some fires pop up and miss the two week or four week window for their pilot, and be ready to go in five weeks.
It wasn't that this isn't important, just no one's working on their schedule. So he said "No, you run this for a while. You see the value and go from there." So because people can-- Again, in contrast the two weeks with a traditional vendors.
Because of that what we saw is just a ton of people signing up and actually trying out the product, getting engaged with it, and proving the value to themselves.
That was really-- Fleetsmith Free was really a way to try our full product. And we had no product restrictions, by the way, on those 10 devices. It was 100% full product.
Once you had eleven, you paid then for all eleven devices, again intended as a pilot. More recently we came out with two different products.
Fleetsmith Intelligence, and Fleetsmith Managed. That replaced the previous world. Fleetsmith Intelligence gives you-- Operationalizes, actually, a best practice which is awareness of your entire fleet.
That's completely free, regardless of fleet size. So the idea there is that people can understand in real time or very quickly what's going on across their fleet, in terms of "Are my devices patched?"
Just look at every best practice, "Are my devices patched? Do I have disencryption turned on? Are my third party apps patched? Do I have firewall?" I could go on.
Also you get an inventory with the devices checking in, so if you step up a level you can say "The worst category here is devices that I don't have visibility into at all,"and we actually service that.
Those are the ones that you need to remediate first. Those are in a separate category from "I have visibility and there's something wrong." So we go down the stack, giving you visibility and giving you the ability to make intelligent decisions about what to do.
Now if you want to automate remediation of these things including automated patching turning on disencryption, even stuff like remote lock and wipe, then you can switch over and upgrade to Fleetsmith Managed, which is the full product that also automates new device setup completely and so on.
What we saw was two things. We saw initially a need to give people a good pilot that wasn't being served in the market, and then we also saw the need with Fleetsmith Intelligence for people to be able to have full fleet-wide visibility.
We often talk about how if you have two devices that you don't have visibility into, those are the ones you're going to get owned on. Being able to say "100% of my devices are enrolled in Fleetsmith Intelligence and I can see that all the best practices are being followed," is so powerful.
To democratize that and bring that down from only the biggest companies with the most sophisticated teams, to literally everybody, and for free, was a big deal for us.
It also lets people understand the value in advance. You can see "I don't have these setup, and I can literally click a button and fix all of this right now." That's pretty powerful.
Grant: Yeah, OK. This makes a ton of sense. I'm looking at your pricing page, I can see how these are differentiated. One seems more like discovery and visibility.
I would actually argue that this isn't true product assortment yet, the way that I would move this towards the product assortment world would be--
So you have your managed version, that's $8.25 per device per month. That currently has all of these features.
What I would see coming sometime would be maybe a $20 a month per device plan that has really in-depth features around how you can do different role based access control, like really granular and build different users in there, and maybe some type of single sign on that's beyond Google and using ACTA and SAML.
These advanced reporting features where people can build out some-- You embed something like Looker In and it gives you all these crazy reports that you can create. That would be the--
Because the goal is there's a bunch of features that only a really big team running lots of lots of devices, or like an enterprise that maybe only has a certain number of devices but needs super in-depth visibility into, they would start to really want those features and they have these heavy requirements.
What I see here is one product that's like a genius way to help expose the problem to your customers, this intelligence and discovery problem. "Put this out in all of your devices, know what's going on, and then discover the problem. Solve it with our product. Turn it on and solve it."
Zack: That's the idea, yeah.
Grant: I love that.
Zack: It's interesting. The dividing line if you're in the world of mid-market enterprise, what's the distinction there? I think you're 100% right.
If you're talking about going from small to medium, actually when you're small sometimes you can manually take care of those things. So this is all you actually need, and we want to make sure that we're democratizing that power for everybody.
I totally agree, when you get into the mid to large divider, there are a lot more features that bigger enterprises want. All I can say is "We don't talk about product roadmap," but stay tuned.
Grant: But that makes sense. So you're saying "This is actually still valuable, even when you're smaller. Just to know that visibility is going to give you the insights that you can then change later."
Zack: Sure. Because the end result if you actually remediate them yourself is the same.
Grant: Sure. Yeah. It's just not automated.
Grant: That makes total sense. That's super interesting.
I also love your perspective that some of the EnterpriseReady features are, even though they're designed for enterprise adoption and pulled people up into these higher priced plans that you think that some of them are actually making their way into the mid-market table stakes, in SMB table stakes type features as well.
I think that's something that happens over time. Before this we were talking about how SSL encryption was a thing that SaaS companies used to list on like their pricing page as a feature that you would get when you chose a higher price plan, and obviously that's just-- If you don't have that, you laughed at.
Zack: Can you imagine? Google dings you if you don't have it on your marketing page now.
Grant: Yeah, exactly. It's like making that a feature that someone paid for at some point would be insane. So now, it's like you're saying that even in your perspective some of these features like single sign on maybe, might be something that you came out with from the very start.
Now it wasn't SAML based, it was Google Auth based, but still. That's a single sign on way to manage all these users.
Zack: 100%. When we started, we launched the product with single sign on via G-suite. It just turns out that that eliminates a whole class of problems that we as a vendor didn't want to have to deal with, because it would make our customers more secure if we let Google deal with them.
Who has amazing security. That's pretty widely known. One of those things is passwords. There's no such thing as a Fleetsmith password, you must sign up and then sign in through G-suite and now office 365.
So an additional benefit there is password reset flows, Google and Microsoft take care of those. 2FA? I hope that you're enforcing that domain-wide, a little bit of RBAC and looking at the permissions that you do for users and admins in those IDPs which is what they are for us.
We piggyback on those, and so we got a whole host of these enterprise ready features built in by doing those integrations from day one.
Grant: Now, there's no password. Is there an API key that I can create?
Zack: So there's no public Fleetsmith API right now.
Zack: At some point it probably will be, but again, no comment on roadmap. But as far as passwords there are none.
Grant: The API keys, we talked about this a little bit earlier. Our truly secrets are really passwords, so when you think about API key management that's one of those things that people have to think about managing securely.
If you're going to have API keys, you need to make sure that your customers can manage those as well. There's really not a great single sign on for APIs today.
Zack: Yeah, exactly. They should be treated like passwords if a human is going to be the one using it, they should be in your password vault.
If they're going to be in production and machines are going to be using them, they should be in your secrets management system. Period.
Grant: OAUTH is the API key for single sign on, but it's a pain in terms of flows.
OK, so you launch with single sign on and that's been super helpful, and obviously a lot of your customers-- Has that been a challenge? Has anyone been like "We don't use either of those two?"
Zack: Yeah. From day one people said, the most frequent suggestion or request was "Can we do office 365?" So we released Office 365. There are a few people, quite a few people requesting other ones.
At some point we may or may not decide to do those, but we definitely listen to our customers and that's why we've got probably the two most common SMB IDPs out there. Which are really G-suite and Office 365.
Grant: Yeah. So let's say when you went to market, maybe that would cover 60-70% with Google, and then you add another 20 or 30% with Microsoft. Then maybe you're still left with the last 10% of prospective customers who would use some other system.
Zack: Yeah, I think that's fair. Whether it's something like Octo-1 logged in or just pure SAML. But we're also talking about people at companies who are up to 1,000 employees, and so if you're talking about enterprise I think that percentage that we don't today cover might get bigger.
Zack: But because we're talking about small and mid-market companies, we're covering the vast majority with just G-suite and Office 365.
In part because even with a product like ACTA, you can automatically provision G-suite and office accounts, and therefore you can use Fleetsmith with those.
So, we're really covering almost everyone in the SMB space.
Grant: Sure. The interesting thing is even-- There's not too long ago when the idea that every small business would either have a Google G-suite account or Microsoft 365 account to auth with. That probably wasn't a given 5-6 years ago, right?
Zack: Yeah, absolutely not. It's funny, when you want to set up e-mail at a company, if you start a company today, it would be ridiculous to say "I'm going to get exchange servers and have an email administration team," nobody really does that anymore.
Of course the obvious thing is take 10 minutes and get G-suite or Office 365. We're actually trying to do the same thing with Fleetsmith, which is I'm not going to not manage my computers or manage them manually with some legacy tool.
I'm just going to automate all this and it's exactly the same thing. So when you're talking about the move to modern tooling, we're another example of that.
If you're running legacy on prem, Replicated is another example of moving to the modern tooling to do that.
Grant: Sure. Even like-- The interesting thing is that Google Auth or 365 Auth can work really anywhere. You can deploy--
We've actually used Google Auth in front of internal services that we create, that are not even available officially on the public internet, where it sits behind an access proxy and then uses that to authenticate into. So, that's pretty cool.
I've seen a handful of other companies going to market with that as the initial user model, and I guess particularly for your tool, it doesn't really have a single player mode.
There's not a one person thing that even makes more sense.
Zack: Absolutely. The funny thing is it wasn't only for single sign on that we chose those integrations. You actually get a lot more out of Fleetsmith because of those, so it eliminates a lot of manual work.
For example when you want to do inventory and you're signing a device to a person, because we connect to your G-suite or Office 365, you grant us read-only access to see the list of users.
We literally see First Name, Last Name and corporate email. We can import that into Fleetsmith and actually automate the assignment of devices to those users. So, you have amazing automatic inventory.
Imagine that, back to that spreadsheet, that's gone and it's automated in a great way. When we're setting up a new hire device, again, we know who it's for because of that automatic attribution.
We can create the local user account on the device based on the G-suite or Office 365 user name. We're the only device management provider that does that.
So there are a lot of benefits to having initially integrated with these IDPs beyond just SSO. It's funny that it seems so obvious to us, and yet no one else was doing it.
So it's on EnterpriseReady, and we're looking at "Are there other items on EnterpriseReady?"
We actually literally look at it all the time and say, "What's missing? Are there other things that we can add here that would be really beneficial, even in additional ways from what you see on enterprise ready?"
It's amazing how that works to SMBs, and increasingly the answer is "Yes."
Grant: Yeah. The one area that I think ends up being probably-- I know you piggyback on some of the role based access control that you get from Google, in terms of what your user profile is.
I think I even remember you would set up, you could set up different user groups inside of Google admin and then you would piggyback on top of that. It was this inheritance of permissions.
Zack: You need a specific permission to be a Fleetsmith admin.
Zack: So if you put Google users in those groups, then they can be Fleetsmith admins too, yeah.
Grant: I think I-- Because we're users of Fleetsmith. I think I do remember that one challenge was that was a little bit opaque in terms of how to actually do it.
I had to read the documentation versus sometimes clicking on a user table, and clicking "Make admin."
But we talked about trade offs, so it's like "OK. It's still possible, and I still figured out how to do it, it just maybe took me an extra 10 minutes to figure out how to make my co-founder also an admin," or something.
Zack: Yeah, absolutely. On the office side it's a little bit more like what you were talking about, because we built that later.
Zack: "I totally agree with you" is the answer, and we should make that a little bit easier.
Grant: Yeah. But it's early on, and you're making these product decisions, you're trying to get the feature in and making sure that's happening.
Administrative features oftentimes don't get the same level of attention because it's just not the core functionality of the application.
Zack: A lot of people think that everything Fleetsmith does is an administrative feature, which I think is funny. This is just quote unquote "Just IT," right?
Now we're talking about the administrative features for the administrative product. But yeah, all of the benefits of getting G-suite integration from day one, including SSO.
Actually creating a new account in 10 seconds, self-served, all the stuff in product with attribution and new user account creation.
We even have a cool e-mail integration where if people's computers are not enrolled, and you can't see them anymore, we can actually automatically group them and let you send them a message.
So there's all kinds of cool stuff with that, and you're right, there's a tradeoff on the RBAC side. But boy, I love it on balance.
Grant: One thing I love to do is have everyone give a quick pitch, because I think one thing that's really interesting for me at least, is hearing how other people describe the thing they're bringing to the world.
The problem, and everything else. We all as founders have a standard pitch we always do, so I'd love to hear yours. Go for it.
Zack: Sure. So, Fleetsmith puts device management on autopilot. We solve four big problems that our customers have.
One is setting up new hire devices, so we bring that from 1-3 hours per device down two minutes and fully automate it.
The second one is awareness. With Fleetsmith Intelligence you have live updating inventory. Get rid of that spreadsheet, just completely solved the manual inventory problem.
The third one is updates. Huge important thing to do. Get everyone on a uniform computing environment and it's part of security.
We completely automate updates, and that's just a massive amount of manual work for the OS and for third party apps. Also OS settings, we completely automate pushing those out.
The last one is security. We fully automate the most important things you can do to secure your device fleet, which are like I said, patching before but also disencryption, firewall, I could go down the list.
But there's a ton of security automation in there, and your surface here is when you log into Fleetsmith you see what we recommend as the best practices, and you actually have awareness as to where you fall.
Is your fleet in a situation where these best practices are enforced? We make it a one or two click operation to bring yourself up to best in class, and we do this for all Apple devices. So Macs, iPhones, iPads, and Apple TVs actually which is great for conference rooms too.
Like we mentioned before, we've got two products. Fleetsmith Intelligence, which fully operationalizes the best practice of fleet awareness. That's free regardless of fleet size.
Then we have Fleetsmith Managed which brings all of those automation best practices to your whole fleet. That's $99 dollars per device per year, or $8.25 a month if you pay annually. Or if you just want to pay monthly, that's fine too.
We're one of the only device management products that lets you pay monthly, and it's $10 dollars a month per device. So, that's it.
Grant: Perfect. Zack, thank you so much for coming. This has been a pleasure.
Zack: Thanks for having me, Grant. I loved it.