At BetterCloud (the company), we—unsurprisingly—use BetterCloud (the product) quite a bit. Like every company, we on- and offboard employees and manage changes in titles, external file sharing, and many SaaS apps. In fact, we have over 200 apps in our IT service catalog!
Our last major revamp of internal BetterCloud workflows was in 2017, when we released Dynamic Fields. We’ve had many releases since then, but most recently we announced the BetterCloud Platform API and then Integration Center, which are both game changers in how we use our product.
One of the more common questions I get from my coworkers is along the lines of “So, tell me the truth. Do we even use BetterCloud internally?” and besides the semi-horrified look on my face, my response is a resounding “YES!” We have almost 40 workflows that handle everything from onboarding and offboarding to data loss prevention (DLP), notifications, and incident response (more on that later).
There’s lots to see and do, but I wanted to highlight five ways we’ve started using the Platform API and Integration Center internally at BetterCloud.
1. Automatically transfer Zoom meetings and recordings to a manager during offboarding
Why stop at provisioning and deprovisioning when you can automate even more? We use Zoom extensively at BetterCloud, and when an employee leaves, their manager often requests access to their future meetings and existing recordings they’ve made.
Using the Zoom “Delete User” action, we’ve added steps to our offboarding workflows to not only remove the user, but also transfer their meetings and recordings to their manager automatically.
In BetterCloud, go to the Integration Center and add Zoom (if you need guidance, check out this Help Center article: Integrating Zoom with BetterCloud).
The API action I’m using is “Delete User,” which you can read more about here. This action can also pass the parameters “transfer email address” with options to transfer meetings, recordings, and webinars. I’ve added the “Delete User” step to my existing offboarding workflow, and I’m using BetterCloud’s Dynamic Fields to reference my Okta (or G Suite) user’s email and that user’s manager’s email.
Note: This step assumes the “manager” field in Okta (or G Suite) is populated with emails, rather than names.
You can verify the success of your workflow by looking at the workflow results:
And in Zoom, the transferred recording will look like this:
Zoom will also send the manager an email letting them know they’ve received recordings and meetings from that user.
2. Automatically remove Aha! users during offboarding
I’m not that excited—Aha! is just the name of the product. As a user, you can go to https://features.bettercloud.com/ to make feature requests, as well as upvote existing ones. Just like a bill becoming a law, the features you see in BetterCloud have humble beginnings.These caterpillar-like requests (every one of them) are read by someone on our Product team and from there, beautiful feature butterflies emerge.
Aha! is used across multiple teams, including Product, Engineering, Customer Success, and Support, but because it’s less prevalent than something like Slack and because most users have view-only privileges, offboarding has been traditionally a bit more haphazard. It’s sort of a “oh look at these people who don’t go here… someone should probably do something about this.”
It’s a simple enough problem, a quick custom integration is a perfect solution for it, and you could be that someone.
Internally, we’ve created a “Disable User” Aha! action that we’ve added as a step in our offboarding workflows to handle future deprovs. We’ve also added “Create Product Owner,” “Create Contributor User,” and “Create Reviewer User” actions for our onboarding workflows. When we created the “Disable User” action, we also ran it as an on-demand workflow to remove all users whose status in G Suite was “Suspended” in order to clean up the existing departed users.
These actions should be available in the Integration Center soon for the public so you can have as much fun as we do cleaning up user accounts. You can and should do similar things with any integration that has the equivalent disable/delete user account.
3. Automatically lock lost or deprovisioned computers in Jamf
BetterCloud has long had the ability to take actions on mobile devices managed by G Suite, like sending an account or device wipe command to a lost phone, but if you don’t use G Suite, are you out of luck?
Using the Integration Center, you can take actions to secure your company’s and users’ computers and mobile devices if your EMM/MDM provider has the right API actions. While we use G Suite MDM for BetterClouder’s BYOD devices (yes, I know it’s redundant), we use Jamf Pro to manage our fleet of 300+ Macs and corporately-owned iOS devices.
Jamf has an extensive (and I mean extensive) set of APIs with documentation so long I thought Chrome was going to crash. You can also get help at Jamf Nation, which is a massive user community. I have yet to find a problem someone else hasn’t already taken a stab at.
In BetterCloud, go to the Integration Center and add Jamf (if you need guidance, check out this Help Center article: Integrating Jamf with BetterCloud).
The action we’re using is the “Send Command to Assigned Computer”… command.
What’s in the box?
But what do you actually put in those boxes? That depends on what you want to do. Per Jamf’s API documentation, you can send the following commands, and depending on the command, a parameter.
In this case, we’re sending the “DeviceLock” command and passing along a 6-digit number as the “passcode” parameter. The “email” field will search Jamf for all computers assigned to a specific user and send this command to them.
Note: If the user has more than one computer, Jamf will send the command to each computer. So be very cautious about the “EraseDevice” and “DeviceLock” commands unless you really want to make some enemies.
The fields should look something like this:
You can put this step in a workflow and either run it on demand, potentially along with other steps, like resetting a user’s G Suite or Okta password, or set some conditions to run the workflow, like an organizational unit (OU) or group change. For some examples, check out this article by Mike Stone, services architect for BetterCloud’s Expert Advisory Group: Anatomy of the Perfect BetterCloud Offboarding Workflow.
Once again, I should emphasize being careful with this one. As I learned from testing, users really hate it when you accidentally lock their computer during the middle of the workday. They hate it even more if you do it three times in a row.
What’s coming next?
We’re incorporating Jamf actions in both our onboarding and offboarding workflows. We recently rolled out certificate-based authentication over our WiFi (because security!) and as an offboarding step, we’re working on unassigning the user from the computer, which will trigger certificate revocation automatically.
Using a custom integration, you could also do things like:
- Put a computer in a Jamf group when a user’s title or department changes to assign them specific software or resources.
- Use a wait for duration step, and then erase and refresh deprovisioned users’ computers for re-assignment.
4. Use workflows to automatically send alerts to Slack with webhooks (and kill email)
Hey, emails are annoying right? Especially when your inbox looks like this:
Much of the email I (and many IT folks) get on a daily basis is alerts or other system notifications. My inbox is stuffed with around 100-200 emails per day, and this makes it really easy to miss an important message (as opposed to a printer running out of paper).
Yes, you can create filters to mark actual human messages as important and send system alerts to archive land, but then they’re buried away and now the printer has been without paper for 37 weeks.
Rather than sending emails, we created a Slack channel, #bettercloud-feed, that BetterCloud alerts can post to. This helps us clear up our inboxes, and it puts the alerts in a place that’s central, immediate, and actionable. As an admin, I know who’s seen the message, and if action is needed, who’s in charge of it.
BetterCloud can send alerts to Slack a couple ways:
- Send message to channel
- Send direct message
- Send alert via webhook
The first two cannot post to private channels, so while they’re good for non-sensitive alerts and are easy to set up, we have to get a bit more advanced.
The last option to send an alert via webhook can post to private channels if you set up an incoming webhook in Slack to catch it. Here’s an example of an alert:
This works for specific alerts without variables, but you can only include static text. Instead, we leverage workflows to send custom webhooks, which support dynamic fields like user, file name, path, and owner, so we can include more contextual information.
While we’ve managed to automate many parts of our onboarding process, there are still areas where manual action is needed—unfortunately robots can’t do everything yet. We can use this step as a means of notifying people that a workflow has ended so they can begin the next set of steps. An example of this could be that accounts have been created for a newly onboarded user, and now HR can set welcome meetings using that user’s email address.
5. Automate a war room for incident response
In Atlanta, Nick Church, our senior IT specialist, has been working on something a little less “user orchestration management” and a little more “when s— happens.” He’s created an incident response workflow designed to be activated (think big red button) when some kind of incident happens to summon folks together.
Firstly, the workflow creates two Slack channels and invites specific users to each channel. The channel’s names are timestamped to make them unique. Then, a webhook is executed to post into a private Slack channel, notifying our IT-Security team that an incident has occurred and describing the details of the Slack channels. Lastly, the channels’ purposes are set, and the workflow un-hides the Security Support email group in our directory.
In the coming weeks, we’ll be adding more steps to this workflow, including:
- Sending an SMS alert with details of the incident
- Clearing out a conference room in each of our offices for the day
- Creating a meeting in that room
- Messaging people whose meetings were cancelled to (very politely) apologize
- Create or reference a Jira ticket for the incident and post those details in the Slack channel
I hope highlighting a few ways we’re using the Integration Center and BetterCloud internally sparks a few ideas or answers some questions. These actions are part of a larger BetterCloud for BetterCloud project (read: lifestyle) we’re working on. If you’d like to know more, stay tuned—we’ll have more to come! But also feel free to reach out to me at firstname.lastname@example.org or if you’re a part of the BetterIT Slack community (and if you’re not, you should be), @brian-bc. You can also email your customer success manager or email@example.com with any questions.