MDOYVR26

MacDevOps Begins

Day(s)

:

Hour(s)

:

Minute(s)

:

Second(s)

Speakers 2025

Note: The talk schedule is posted and the workshops description.

Grayscale group photo of 2025 Speakers

Teg Bains (Lynxedge Solutions)


M365 Conditional Access & Addigy


Using M365 Conditional Access for macOS devices by leveraging Addigy for small to medium businesses

Bio: Teg Bains works with SMB clients supporting macOS & Windows technical projects

Nayt Brookes


Reining in Applications

I want to share my journey on building out a software centre, Self Service, or Munki, and removing admin access from as we moved towards an approved software list. I want to highlight how we used Privileges for Developers, and how we started reining in brew and using Santa. 

I want to highlight some of the complexities in working with specific compliance frameworks, and with your governance teams for maintaining an approved list. I also want to hit on Vulnerability management.

Bio: Started out as a unix Systems Engineer, before moving to NT, and finally macOS. Currently a staff engineer at Ro where I lead management of our endpoints .


Rod Christiansen (Emily Carr University of Art + Design)

Fully Running Your Munki Repo Operations in DevOps with Git and CI/CD Pipelines


Take your Munki repository operations fully into DevOps mode using continuous integration and continuous deployment (CI/CD). This session shares our journey of migration from traditional local Mac mini in the closet Munki management into a fully automated, cloud-native Git-based version control using Azure DevOps Pipelines and Artifacts, Azure Cloud Storage and FrontDoor, and Azure Service Bus. Learn how embracing CI/CD automates and streamlines repository updates, ensures scalability, reliability, and simplifies maintenance.

Bio: An overall enthusiastic geek teaching how to streamline tech with automation and intelligence tools, so you have more free time to focus on what matters most. Managing a fleet of 1000+ computers at Emily Carr U where I get to work on and manage our infrastructure and architect our DevOps workflows, repos, and CI/CD pipelines. I live in Vancouver, British Columbia, Canada. Where the sockeye salmon is abundant, people are friendly, the sea breeze is fresh, and the climate can be overcast. If I am not in my home office where I spend most of my day, you can find me biking around the city. I care about health, design, photography, writing, art, philosophy, and connecting with awesome people.


Csaba Fitzl (Kandji)

Finding Vulnerabilities in Apple packages at Scale


In the past couple of years exploiting Apple signed installer packages
became a common theme, as the Apple package installer runs with very
powerful entitlements, which allows an attacker to bypass certain
parts of System Integrity Protection (SIP).  There have been handful
of vulnerabilities found in the past, however except one known
research all of these were focusing on individual packages.

In early 2024 I decided to take a look at Apple’s entire software
catalog, which that time contained about 10.000 different installer
packages which summed to about 1.3TB. Although there was one public
research on the subject, I decided to download all packages and
systematically look for vulnerabilities in all of them in the hope
that not everything was discovered. Going through each package 1 by 1
is hardly impossible thus I turned towards automation.

In this talk I will show how I automated the vulnerability research
across the packages, and how I used ChatGPT to help me with that. I
will show the process which allowed me to trim down the research from
10.000 to about 300 packages, which allowed me to quickly go through
each package.

I will disclose five previously unpublished vulnerabilities, which I
found during my research. All these vulnerabilities allowed me to
bypass SIP’s file system protection, what I could use to persist
anything with SIP protection (so regular AVs can’t clean up the files)
or bypass TCC.

Fixing these vulnerabilities is not easy as because of the packages’
code signature someone could exploit an old version of the installer
even if a package have been fixed. At the end I will talk about
Apple’s new mitigation strategy, which allows them to protect against
installer package vulnerabilities at the operating system level, thus
finally closing the gap after many years.

Bio: Also known as “theevilbit”, which comes from RFC 3514. Csaba graduated in 2006 as a computer engineer and worked for 6 years as a network engineer, troubleshooting and designing big networks. After that, he worked for 8 years as a blue and red teamer focusing on network forensics, malware analysis, adversary simulation, and defense bypasses. While working for OffSec he developed the EXP-312: Advanced macOS Control Bypasses course. Currently he’s working for Kandji as a Principal macOS Security Researcher.

Brandon Friess (Stripe)


Modernizing Munki: A Go-powered Approach to Secure Package Distribution


Join me for quick look at how to elevate your Munki infrastructure using modern Go patterns and cloud services. We’ll explore how to replace traditional web servers and client-side pre-signing with a more secure, maintainable, and scalable solution.

Key topics we’ll cover:

– Leveraging Go’s embedded filesystem (//embed) for immutable deployments, eliminating the need for external file management, and simplifying deployments

– Implementing server-side CloudFront URL signing to replace client-side pre-signing, reducing key distribution complexity and improving security.

– Adding mTLS support natively in Go for enhanced security without additional reverse proxies

Whether you’re managing a small fleet or enterprise deployment, you’ll learn how to modernize your Munki infrastructure with Go’s powerful standard library and cloud-native features.

Bio: I’m just a tech enthusiast based out of Northwest Arkansas who has spent the past 6 years scaling Stripe’s Mac fleet from 1,500 to 9,000+ machines (and counting!). I love sharing knowledge with the Mac admin community and developing modern solutions to traditional deployment challenges.

Outside of work, you’ll find me strumming a guitar, hiking trails, hanging with the family, or pursuing my ongoing quest for the perfect taco & margarita combo.

Graham Gilbert (Airbnb)

The path to staff engineer

This talk addresses the career crossroads many experienced Mac admins face: after becoming senior engineers, what’s next if management isn’t the goal? It introduces the role of staff engineer as an alternative leadership path focused on technical strategy and broad organizational impact. Unlike senior engineers who solve immediate problems, staff engineers look ahead—identifying risks, shaping architecture, and aligning teams over the long term. Key mindset shifts include becoming a problem finder (not just a problem solver), thinking beyond your team and sprint, and learning to prioritize and influence. A great staff engineer is also a force multiplier—amplifying the impact of others through mentoring, documentation, tooling, and strategic thinking. Ultimately, it’s about leading technically, not just coding.

Russell Hancox (North Pole Security)


Santa in the summer


Learn about all the things the team at North Pole Security have been teaching Santa to do in the last few years. From a more modern UI with localization, to process-based file-access authorization, there’s plenty of new things to learn about.

Bio: Russell Hancox has been working on Santa for over 10 years, originally as a side-project at Google and now as a co-founder of North Pole Security.

Nindi Gill (Block, Inc.)


Cyprus – The friendly macOS self-remediation helper tool

Cyprus is brand new macOS self-remediation helper tool with the simple goal of reducing the burden on IT!

This talk will cover why there was a need for Cyprus in the first place, explore how the app was built using Swift + SwiftUI, and demonstrate various self-remediation use-cases.

If you are looking for software that empowers users to fix their own Mac, without the need to submit an IT support ticket, then this app is for you!

Bio: Nindi Gill is a software engineer at Block (Square, Cash App, Spiral, TIDAL), building tools and services for the Client Platform Engineering team.

He has been a contributing member of the Mac Admin community for over 15 years, and loves shipping open-source apps – Nindi is always looking for an excuse to write some Swift!

Nindi attended his first MDOYVR in 2024, and is based in Melbourne, Australia.


Mykola Grymalyuk (RIPEDA Consulting)


MDM Hygiene – How safe is your Mac fleet?

As the popularity of Macs grows in enterprises, so does the usage of MDM to manage them. However, many organizations are never given formal training, smaller companies have to manage multiple platforms, and mom-and-pop shops just use the very basics to get by.

So this begs the question: how safe is your MDM environment?

This talk will discuss some of the common security pitfalls administrators might fall into and delve into the enrollment process of some popular MDMs. Finally, a proof-of-concept tool will be showcased highlighting vulnerabilities in several MDM vendors’ enrollment processes.

Bio: Mykola Grymalyuk is a Lead Security and Software Engineer at RIPEDA Consulting, with a focus on offensive application security research in Mac Admin environments. He additionally leads the open-source project, OpenCore Legacy Patcher, working to get long neglected Macs running the latest releases of macOS for a few more years of life.


Samuel Keeley


Wait, how do I do that again? Saving lots of time and wasting some time with LLMs in 2025

We’ve been automating ourselves out of our jobs for over a decade at MDO, and a lot of us wear many hats. Often though, those hats get dusty as they are left in the closet for months or years on end, and knowledge on how to do things gets more hazy. 

How many times have you said “Ugh, I know I know how to do this” as you Google how do to something in Python, the same search you’ve done once or twice a year for the past decade? What was the right way to make that for loop multithreaded, remain thread safe, and add retry logic? 

How many times have you had an idea to glue a few APIs together to pass data around, or needed to pull data from a few ad-hoc places to do analysis and 

Thankfully, AI hasn’t taken over the world quite yet, but LLMs like ChatGPT and Gemini have gotten significantly better over the past year and can really provide a net benefit on your time investment, helping to solve real problems in the devops world.

Here, we’ll discuss a few learnings from excessive use of these tools – where they are really helpful, where you’ll probably run in circles with errors, and some hope for the future on applicability to the MDO community.

Bio: Just. Sam.

Mike Meyer (Foursquare Labs, Inc.)


No News is Good News… But What If You Got the News? AI-Powered Monitoring for Fleet MDM Enrollments


In IT, there’s an old adage: “No news is good news.” If an MDM enrollment works, users move on, and we never hear about it. But what if we could definitively know that everything worked as expected—before anyone reports an issue? On the flip side, we always hear when something breaks because we’re called in to fix it.

This talk explores how Amazon Bedrock powers an automated monitoring system that tracks Fleet enrollments in real-time, ensuring both successes and failures are proactively detected. Using AWS Lambda, API integrations, and intelligent tracking, we’ll show how AI can confirm when an enrollment is truly complete and notify teams when something needs attention. Whether you’re in IT, engineering, or automation, this session will show how LLMs can bring visibility to the “invisible” side of IT operations.

Bio: Mike Meyer is an engineering leader with over a decade of experience specializing in identity management, device management, and systems integrations. With a background spanning leadership, automation, and infrastructure management, he has architected and deployed solutions that enhance security, streamline operations, and improve employee experiences. Skilled in Okta, macOS management, and cloud-based workflows, Mike combines technical expertise with a human-first approach, ensuring technology works seamlessly for the people who rely on it.

Kory Prince & Victor De Souza (Airbnb)


Securing macOS MDM Enrollments


macOS offers several features to verify device and user identity so we can secure MDM enrollments, including some new options in Sequoia.

In this talk we’ll cover several of these features including inventory verification, managed device attestation, OS version enforcement, and user authn/authz including physical security key MFA. We’ll then show a live demo showcasing all of these features using open source software!

Bio: Kory is a Staff Engineer and Victor is Senior Engineer on the Client Engineering team at Airbnb, where they build cool solutions for managing devices and implementing zero trust.

Kory helps maintain the MicroMDM project and has over 15 years of experience managing Macs and writing open source software to automate away boring things.

Victor has spent the last 5 years on the Client Engineering team, bringing DevOps to macOS management and improving the user experience. Outside of work, Victor enjoys woodworking and the outdoors.

Harrison Ravazzolo (Fleet)


Santa’s Little Helper: Managing macOS Security with osquery


Introducing a new approach to managing Santa on macOS by leveraging osquery instead of traditional sync servers. I’ll demonstrate how the osquery extension creates a seamless integration between these powerful security tools, providing a SQL interface to Santa’s binary authorization capabilities, allowing you to deploy and manage a tool in a platform many security and IT teams already have in place.

Bio: Harrison is a Solutions Engineer for Fleet Device Management. He’s passionate about improving IT workflows and approaching problems and solutions through a lens of security. Before entering tech, he was a sourdough bread baker in San Francisco.

Guillaume Ross (Security nerd and poutine sommelier)

Living off the Pipeline: Discussion of the security of GitOps and build pipelines for software including a demo of Poutine the open source security tool

https://github.com/boostsecurityio/poutine

Guillaume (presenting research by François from Boost Security) warns the Mac admin and developer community about supply chain risks specifically targeting CI/CD pipelines (like GitHub Actions). These attacks, called LOTP (Living Off the Pipeline), are the build system equivalent of “living off the land” – abusing trusted tools and processes for malicious purposes.

Key Messages: 🧠 Supply Chain Is the New Battleground, and by building and sharing open source tools, developers become targets. Build pipelines can be abused to inject malicious code even before software is signed or shipped. 🔓 The Risk: Insecure CI/CD Pipelines • Attackers can: • Submit a malicious pull request (PR). • Use that PR to run code inside your pipeline (even if the PR is never merged). • Exfiltrate secrets, compromise runners, and persist silently.

If you maintain open source tools run Poutine on your repos now. • Don’t wait to be breached — LOTP is real, active, and evolving. • Additional resources and a longer talk are available for deeper insights.

Closing Quote: “Everything we feared about insecure software supply chains is happening — in your build systems. Check them before someone else does.”



Alan Siu (Snap, Inc.)


Tips for avoiding Munki install loops


Why are Munki install loops bad? And how can you avoid them? We’ll go over multiple scenarios and some common pitfalls.

Bio: Alan is currently an IT Client Engineer at Snap but has spent most of zer career working in schools, first as a teacher, later in admissions, and finally in IT. Zie loves cats, Disneyland, and drawing.

Henry Stamerjohann (Zentral)

Introducing PAW – A Privileges Audit Worker for macOS Admin Access Monitoring

Henry, who can’t attend in person, presents via Quick Talk a new tool he’s developed called PAW, short for Privileges Audit Worker. It’s designed to work with SAP Privileges, a macOS tool for managing admin rights.

There wasn’t a backend service to receive and process Privileges app webhook events, so Henry created PAW, a lightweight, self-hosted backend that: Collects webhook events securely (requires client certificate), Stores and serves these events through an API and Supports offline caching of events that are sent once the machine is online again. Note: Currently in pre-release, with pending improvements to documentation. Henry invites collaboration and feedback via GitHub or Slack.

Carmil Thelemarque (Drata)

Introducing GitOps into IT Operations


1. GitOps Explained: We’re using Git (like for code) as the single source of truth for all our IT setups, applying software development practices to traditional IT tasks.
2. Where We Use It: This applies to things like managing Okta user groups, making changes to Cloudflare DNS, and even automating Slack workflows, all tracked in Git.
3. Our Setup: Our system combines GitHub/GitLab with automation tools, secure secrets management, and approval processes through pull requests.
4. What We Learned: Getting IT teams comfortable with Git was a challenge, and we’re always balancing speed with good governance. Clear communication about these changes is crucial.
5. Positive Outcomes: GitOps gives us better auditing, faster recovery from mistakes, and a solid foundation for compliance, building trust within the company.

Bio: Carmil Thelemarque, is Senior Information Technology Engineer at Drata. He’s all about helping employees shine. With a solid background in IT engineering, Carmil is passionate about making things smoother and more efficient for the greater organization.
He’s worked in different settings over the past 10 years, from high education to managed services and startups. Outside of work, he likes traveling and going to the beach!

Zach Wasserman (Fleet)

Turning it up to 11 – Keynote

This keynote celebrates the 11th year of MacDevOps:YVR, reflecting on how the community has grown into a powerful hub of innovation, support, and technical leadership. Zach will highlight the conference’s role in launching careersfostering first-time speakers, and building an inclusive environment that blends Apple IT with DevOps practices.

The keynote will trace the evolution of community talks through recurring themes:

  • Exploring new capabilities
  • Crafting user experience
  • Building tools
  • Automating workflows
  • Measuring success
  • Uplifting the community

The talk honours key tools celebrated in the MacDevOps community—including Munki, MunkiReport, AutoPkg, OSQuery, Nudge, Swift Dialog, Crypt, Zentral, and Micro/NanoMDM—and acknowledges the creators behind them, many of whom are active members or have since joined Apple.

Looking ahead, 2025 is dubbed the “Year of GitOps in IT”, with a focus on using Git-based workflows to manage configurations and MDM at scale. The speaker showcases how Fleet, built on foundational community projects, is pioneering GitOps for MDM and observability across platforms—empowering organizations to manage Macs with modern engineering rigor.

The keynote closes with appreciation for the community spirit, the importance of open-source contributions, and a warm welcome to newcomers—inviting them to participate, speak, and help shape the future of MacDevOps.


Wesley Whetstone (Stripe)


A not so secret agent


Come see how you can use AI agents like Goose and Cursor to help automate tasks during your development process.

Bio: Wesley has been managing endpoint devices at scale for over a decade and is currently a Staff Engineer at Stripe.