My spouse’s employer mandated that everyone move off AWS “because they’re a competitor” (they’re absolutely not), and Microsoft was happy to roll out discounts for Azure.

To say that has gone poorly would be generous. Azure is impressive in its own right, but it’s not comparable to AWS. (Which has its own problems, to be clear.)

The stagnation in Azure is apparent everywhere you look. The capacity issues have only gotten worse. There are still change advisory callouts in the Azure Portal with dates in the year 2020.

The point is to make sure there’s not a mess on the other end when you enforce SSO for MAIDs.

Apple’s documentation for ABM and ABE is atrocious, but they do manage to document a bunch of footguns, just poorly and in seemingly bizarre places.

For example, ABE doesn’t support MDM migration (either as source or destination), despite the fact that the feature launched with macOS/iOS/iPadOS 26 and is supported by other MDM solutions.

And you cannot push custom config profiles with ABE which declare a non-Apple preference domain. Utter nonsense.

If you’re using the full ABM-with-ADE and MDM stack, it’s expected that you push apps to employees.

You can also use Munki to make apps available to users. You can just push only Munki via MDM if you want, and let it manage app installs and self service installs for you. There are caveats.

Which I find…unusual.

Or, at best, competently.

Sometimes both of those, or neither, are in evidence.

But I like the way you think. Make it a contract performance issue for legal teams to police internally.

At least the new edition would be a worthwhile expense.

I made this suggestion when I served on the security team at a major cybersecurity player.

When we had our company-wide annual internal conference it was always in person. This meant that basically everyone, with basically cumulative access to everything, and all our code, would be traveling across a multitude of borders at once. Some of which were less friendly than the US (at that time).

This was rejected as impractical for developers and redundant for everyone else. So I suggested locking the accounts of everyone who was traveling between the time they left and the time they arrived. This would have the side effect of signing them out of our most sensitive systems and removing certain highly confidential data from laptops. This was also rejected as “unnecessary”.

That company now counts a healthy proportion of the Fortune 500 amongst their customer base. I hope things are not so cavalier anymore.

But what it seems to be is just a fast way to deploy resources to platform providers that use Stripe to bill you?

Or maybe the marketing is just confusing?

I don’t think this is for me though. I’m using things like AWS, Azure, and dedicated servers from companies that lease out dedicated servers. For my company Stripe is nothing more than a payment processor.

They’re also purpose built to do tax/accounting work, and can’t go “off script” with filling in your tax return.

Half my compute vendors are raising prices because of this insanity.

Giving users an option between both paths is usually best. Most users care a lot more that they can’t restore a usable backup of their messages than they do that their messages are unreadable by the company storing them.

I used to work at a company where our products were built around encryption. Users here on HN are not the norm. You can’t trust that most users will save recovery codes, encryption seed phrases, etc in a manner that will be both available and usable when they need them, and then they tend to care a lot less about the privacy properties that provides and a lot more that they no longer have their messages with {deceased spouse, best friend, business partner, etc}.

Between buying a phone and reading the OS EULA to providing an E911 address to my carrier, I can count at least three disclosures of this feature.

Nothing is secret or magic here.

Apple makes available on a highly controlled basis iPhones which permit the user to disable “virtually all” of the security features. They’re available only to vetted security researchers who apply for one, often under some kind of sponsorship, and they’re designed to obviously announce what they are. For example they are engraved on the sides with “Confidential and Proprietary. Property of Apple”.

They’re loaned, not sold or given, remain Apple’s property, and are provided on a 12-month (optionally renewable) basis. You have to apply and be selected by Apple to receive one, and you have to agree to some (understandable but) onerous requirements laid out in an legal agreement.

I expect that if you were to interrogate these iPhones they would report that the CPU fuse state isn’t “Production” like the models that are sold.

They refer to these iPhones as Security Research Devices, or SRDs.

I would dance on Oracle’s grave, but they have too much staying power because of their core database and ERP business.