Getting up and running with the help of dataJAR
Reform evaluated a number of solutions on the market and considered whether an integrated IAM and MDM platform might work. The options available, however, didn’t offer the functionality, features and flexibility that Reform needed, including remote wiping and locking down of devices. Reform worked with dataJAR to select the right products for its needs, including Okta for the IAM component of its IT infrastructure.
This decision was partly taken as Okta easily integrates with Jamf Connect, which Reform uses for the MDM component. Reform employees primarily use Apple MacBook and mobile devices. dataJAR was also able to help Reform during its Okta implementation process, with the help of Ignition Technology, who trained Erik on the key features of Okta and helped him with the initial setup process. “Working with dataJAR was a really big advantage for us,” Erik adds. “I think the whole process would have been much harder without them. We have a really great relationship with them, they offered us a really great price, and their Okta, Apple and Jamf expertise have helped us a lot.”
Adopting Single Sign-On for a seamless user experience
Reform adopted a staged approach to its Okta implementation, first rolling out Single Sign-On (SSO) - department by department - to a handful of apps. Once they approached 100% activation, Erik began to implement Jamf Connect. When both systems were set up, Erik added further apps. Today, all of the commonly used apps at Reform, 31 in total, are integrated with Okta SSO.
Okta SSO has brought a number of benefits to Reform. For Erik and the IT Team, it means they can rest assured that accounts are secure and password resets can be handled easily. In terms of the user experience for its employees, signing on is now a simple and convenient process. Prior to Okta, staff had separate accounts for the various apps they used, including usernames and passwords to remember. Okta has pre-built connectors for the majority of the apps that Reform employees use regularly, including Adobe, Dropbox, Google Workspace, Hubspot, Jamf Connect, and Microsoft Intune and O365. And Erik says that the flexibility Okta offers for adding apps that don’t come pre-integrated is also invaluable.
Boosting security with Adaptive Multi-Factor Authentication
A key component in Reform’s account security measures is Adaptive Multi-Factor Authentication (MFA). Before moving to Okta, certain apps - such as Google Workspace - did offer two-factor or multi-factor authentication for additional security, but this wasn’t something Reform was able to properly enforce. Now, with MFA, Erik and the team know that accounts are effectively secured, without additional disruption for employees.
In terms of additional verification, Reform favours Okta Verify, enabling colleagues to confirm their identity on their mobile devices when prompted by a push notification from the app. That means Reform is protected against the possibility of data leaks, including through the reuse of passwords that may already have been compromised in external accounts. It also means that Erik and the team can quickly help colleagues if they ever lose their devices. “For us, it's all about the security,” says Erik. “MFA offers that extra layer and Verify makes it super easy for our users to confirm their identity and keep our data safe. But, let’s not forget, we’re a kitchen company rather than Fort Knox, so we use contextual MFA to take the hassle out of the process as much as possible. That means if a user spends the week in the office, they’re only going to be prompted by Verify once during that period, but if they’re out and about, it’s going to happen a bit more frequently.”
And, as a growing business, there’s real value to Reform in minimising the number of times users are prompted to confirm their identity through MFA, beyond the frustration for staff. Each prompt is productive time that’s lost, taking around 45 seconds on average to address. With contextual MFA, that’s 45 seconds lost once a week, rather than four times per day, which Erik estimates would be the case otherwise. That might not sound like much for a single employee, but as a company with 275 users, a number that’s steadily increasing, that’s 297 hours of productive time saved each month across the company, simply by reducing MFA prompts.
Automating manual tasks with Lifecycle Management
For the IT team, the situation prior to Okta meant that provisioning and de-provisioning users was also a challenge. Provisioning involved a helpdesk admin spending anywhere from 30 minutes to 2 hours on account creation alone, let alone setting up access to individual apps and other time-intensive tasks, which could take anywhere between 5 and 20 minutes depending on the permissions needed. De-provisioning required HR to inform IT that a person had left. But, with around 70 different systems running at that time, that would have taken around a day of work to check manually, something Erik and the team simply didn’t have the time to do.
Erik has now automated many of these processes using Lifecycle Management, in conjunction with the Hibob people management platform. When a new starter joins the company and is added to the system by HR, or is removed at the time of their leaving, access to any of the company’s 31 regularly used apps that they need for their role is granted or revoked automatically. As a result, Reform has been able to keep a much closer eye on licensing. Previously, de-provisioning of an app account required manual notification from a line manager, whose focus is likely to be on selling products, rather than account permissions. Now, Erik and the team have complete oversight and have uncovered multiple instances of unneeded licences. With individual licences costing in the high hundreds or even thousands of dollars per year, that’s a financial saving that can quickly add up. “We’ve managed to clean up quite a few accounts thanks to LCM,” Erik adds. “We didn’t really have a lot of control over this in the past, but Okta gives us a great overview. And when it comes to tasks for apps where we don’t have a SCIM connector, it’s a lifesaver.”
Reforming the future with the help of Okta
Reform is just at the beginning of its journey with Okta, yet things have changed quickly. Today the company can ship a MacBook to an employee anywhere in the world and have them up and running in minutes. That’s a big difference from the past, Erik says. He adds: “When we get a new starter, their manager will send them a computer and tell them ‘this is your username and your one-time password to open it up.’ Everything is pre-installed, they just change their password, set up MFA and log into the Okta dashboard, and all their apps are just there. It’s reduced a process that used to take half a day, with lots of calls to managers, to around maybe 15 or 20 minutes.”
And Erik already has a number of ideas for more projects he’d like to implement in the near future. Among them is using Okta Workflows to further automate tasks that are currently managed manually, including some that will further reduce unnecessary licences and apps. Erik is also hoping to set up RADIUS with Okta to improve network security.