
No MDM just isn’t an option for most enterprises but ideally the keys to the kingdom are properly secured.


How does that look exactly? Someone has to be able to use MDM to manage devices or there’s no point in having it. This scenario is firmly in rubber hose/crescent wrench cryptanalysis territory. Can updates have delays with approval gates built in? Does MDM need a break glass capability?


"Principle of least privilege" as MS calls it.

Do not use a global admin or admin account as a daily driver, for one. Don't save it in the browser etc. either.

Limit roles, even within the application, here Intune.

Office 365 also has conditional access and many policy levers to tweak; there are many cases of people locking themselves OUT of 365. So the gates work, but you need to configure them.

"Break glass" global admin accounts now also require MFA. https://learn.microsoft.com/en-us/entra/identity/authenticat...
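As an added illustration of the approval-gate shape asked about above (this is constructed example code, not from the thread and not Intune's own API), the model below makes a remote-wipe request depend on distinct approvers other than the requester, one extra approver for large batches, and a cool-off window before it can execute. The approver count, the 25-device threshold, the four-hour delay and the names are assumptions.

```python
# Constructed model of a dual-control, delayed-execution gate for remote wipe.
# Not Intune's API; it shows the policy shape: no single account can wipe a fleet.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_APPROVERS = 2              # distinct humans, never the requester (assumed)
COOL_OFF = timedelta(hours=4)  # window in which a coerced request can be cancelled (assumed)
MASS_WIPE_THRESHOLD = 25       # larger batches need one more approver (assumed)


@dataclass
class WipeRequest:
    devices: list
    requested_by: str
    requested_at: datetime
    approvals: set = field(default_factory=set)
    audit: list = field(default_factory=list)

    def approve(self, approver: str, at: datetime) -> None:
        # Separation of duties: the requester cannot approve their own request.
        if approver == self.requested_by:
            raise PermissionError("requester cannot self-approve")
        self.approvals.add(approver)
        self.audit.append((at, "approve", approver))

    def required_approvers(self) -> int:
        # A fleet-wide wipe needs one more approver than a single-device wipe.
        return MIN_APPROVERS + (1 if len(self.devices) > MASS_WIPE_THRESHOLD else 0)

    def can_execute(self, now: datetime) -> bool:
        # Both gates must hold: enough distinct approvers AND the cool-off elapsed.
        if len(self.approvals) < self.required_approvers():
            return False
        return now >= self.requested_at + COOL_OFF


def demo() -> dict:
    """Walk a 100-device wipe through the gate; returns the outcome at each step."""
    t0 = datetime(2025, 1, 1, 9, 0)
    req = WipeRequest([f"dev-{i}" for i in range(100)], "alice", t0)
    req.approve("bob", t0 + timedelta(minutes=5))
    req.approve("carol", t0 + timedelta(minutes=7))
    two_approvals = req.can_execute(t0 + COOL_OFF)          # mass wipe needs 3: False
    req.approve("dave", t0 + timedelta(minutes=9))
    in_cool_off = req.can_execute(t0 + timedelta(hours=1))  # too early: False
    ready = req.can_execute(t0 + COOL_OFF)                  # True
    return {"two_approvals": two_approvals, "in_cool_off": in_cool_off, "ready": ready}
```

The audit list is what a detection team would alert on: a burst of approvals from one session, or a request whose approvers are all the same on-call rotation, is the signal that the human gate has been bypassed.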


At the end of the day someone needs remote wipe privs, and in a large company it's something done pretty often.


Ok and who has access to the global admin and how resistant are they to Iranian operatives?


What are you asking?

For Stryker specifically? We don't and probably won't know details.

For companies in general? Background checks, security clearance etc are done if the company determines this necessary and are willing to pay for the process and higher salary.


I’m asking if it’s possible to secure the MDM process in a way that Iranian operatives can’t simply torture an administrator into pushing the big red MDM button.



Yes I made this reference upthread.



