Hey everyone!
Just a heads up I only have about 1 year in IT after college with a CS degree, only 24 years old. My company also does things in a very unconventional manner, which is something I've been trying to improve on.
I am essentially the sys admin at my company, I report directly to the CTO. I was the only dedicated IT staff for about a year until Jan. So I handle everything from Helpdesk to implementing our new RMM from scratch. Our company has 100 users with emails, about 110 endpoints with probably 40 full-time remote. Most remote users are Windows, hybrid workers are being issued Chromebooks. Securing remote users is one of our focuses per leadership.
Our current stack for remote users is JumpCloud and Action1. Soon to be NinjaOne and Google Credential Provider for Windows (Login to PC). The current policy leadership wants is hardware pfSense firewalls for remote users with desktops. And full tunnel VPN for laptop users at all times so they are filtered through the pfSense firewall at the office. We have no LDAP/RADIUS server, so it's very manual to deploy VPNs. We have no on-prem resources being accessed through VPN. All of our work is done through SaaS for probably 95% of users.
My proposed replacement is using NinjaOne (RMM) to lock down the Windows firewall and environment. And configure NextDNS (DNS filtering) so users have consistent web filtering no matter where they are. I know that leaves gaps still, but it is definitely an improvement from just throwing a firewall on things and calling it safe. Especially since users unplug them all the time, plus they are Netgate 1100s that crash running full web filtering. I am also suggesting Huntress EDR, although I am not optimistic it will be approved due to cost. We don't have a budget and anything new needs approval from the very top.
We also want a way to ensure users don't log in to critical web apps on their personal PCs. Any suggestions there would be great. I would love to use Google Workspace's conditional access policies, but again cost. The current roadmap was IP restrictions on web apps and requiring VPN to the main office to ensure it's a work PC. But again, with no type of cloud directory that needs to be manually built out.
Any advice you all have would be greatly appreciated. I've been doing my best to improve things since I started. For example, we did not patch anything when I started. Any software installs were also completely manual, requiring me to go to each PC to install stuff. Essentially looking for feedback and some options to achieve what we're looking for. Thanks all, and I apologize for the rambling.
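As an added example, not part of the original post and not code from NinjaOne or NextDNS, here is the kind of baseline script the "lock down the Windows firewall and point everyone at NextDNS" plan describes, written to be pushed to remote Windows endpoints by an RMM running it as SYSTEM. It assumes the machine is Windows 10/11 with the built-in `NetSecurity` and `DnsClient` modules, `$NextDnsConfigId` is a placeholder for your own NextDNS configuration ID, and the two NextDNS anycast resolver addresses should be checked against the setup page in your own NextDNS account before deployment.

```powershell
# Added example: endpoint baseline for remote Windows PCs, intended to be run elevated
# through an RMM (e.g. NinjaOne). Not the original poster's code.
# Assumptions:
#   - $NextDnsConfigId is a placeholder; replace it with the org's NextDNS config ID.
#   - $nextDnsV4 holds NextDNS's public anycast resolvers; verify them in your account.
#   - DNS-over-HTTPS cmdlets exist only on Windows 11 / Server 2022 and later.

param(
    [string]$NextDnsConfigId = 'REPLACE_WITH_NEXTDNS_CONFIG_ID',   # placeholder value
    [string]$LogDir = "$env:SystemRoot\System32\LogFiles\Firewall"
)

$ErrorActionPreference = 'Stop'

# --- 1. Windows Firewall: enabled on every profile, inbound blocked by default, drops logged ---
# Logging blocked connections gives the RMM/EDR a local artifact to collect when a
# remote user reports "something stopped working" or when investigating a host.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -NotifyOnListen False `
    -LogBlocked True `
    -LogFileName "$LogDir\pfirewall.log" `
    -LogMaxSizeKilobytes 16384

# Roaming laptops land on the Public profile in hotels and home networks; inbound
# file sharing and RDP have no business being reachable there. Disabling the whole
# rule group is a coarse default; re-enable individual rules for documented exceptions.
foreach ($group in 'File and Printer Sharing', 'Remote Desktop') {
    Get-NetFirewallRule -DisplayGroup $group -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule
}

# --- 2. DNS: every active physical adapter resolves through NextDNS, wherever the PC is ---
$nextDnsV4   = @('45.90.28.0', '45.90.30.0')            # NextDNS anycast resolvers (verify)
$dohTemplate = "https://dns.nextdns.io/$NextDnsConfigId" # per-config DoH endpoint (placeholder ID)

$adapters = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' -and -not $_.Virtual }
foreach ($a in $adapters) {
    Set-DnsClientServerAddress -InterfaceIndex $a.ifIndex -ServerAddresses $nextDnsV4
}

# On Windows 11 / Server 2022+ register the resolvers as DoH servers so queries are
# encrypted and carry the config ID. Older builds lack the cmdlet and keep plain UDP/53,
# which reaches NextDNS but only applies the personalised profile if the IP is linked
# in the NextDNS account or the NextDNS client is installed.
if (Get-Command Add-DnsClientDohServerAddress -ErrorAction SilentlyContinue) {
    foreach ($ip in $nextDnsV4) {
        $existing = Get-DnsClientDohServerAddress | Where-Object { $_.ServerAddress -eq $ip }
        if (-not $existing) {
            Add-DnsClientDohServerAddress -ServerAddress $ip `
                -DohTemplate $dohTemplate `
                -AllowFallbackToUdp $false `
                -AutoUpgrade $true
        }
    }
}

# Flush the resolver cache so the new servers are used immediately.
Clear-DnsClientCache

# --- 3. Emit the resulting state so the RMM can record it and alert on drift ---
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, LogBlocked |
    Format-Table -AutoSize
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses |
    Format-Table -AutoSize
```

Schedule it to re-run on an interval rather than once, because anything a user can change in the network adapter properties they eventually will; the final `Get-NetFirewallProfile` / `Get-DnsClientServerAddress` output is what the RMM should compare against the expected values. It does not cover the Chromebooks mentioned in the post, and setting DNS on the endpoint does not stop an application that speaks DoH directly to some other resolver, so it narrows the gap rather than closing it.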