Categories
General Off Topics

Off Topic: My 2026 Salsa Fargo Bikepacking Rig

Back in late 2022 I got my first custom built bikepacking rig, based around a Soma Wolverine frame and a Rohloff Speedhub – you can read the full breakdown of that bike here. Unfortunately, that bike came to a sticky end after my abortive Ride 35 adventure on the East Coast of New Zealand ended up in Taupo. You can read the full adventure here, and the specific demise of the bike here. With that bike mostly damaged, I decided to replace it with a Salsa Fargo and recycle some of the key parts.

It’s always really tough considering what new bike frame to build a new bikepacking rig around when you can’t get a chance to ride them first. I did a heap of research and used a number of different Generative AI tools (Grok, Copilot) trying to compared the geometry and riding style of my Soma Wolverine with the Salsa Fargo. It’s pretty tough getting an accurate idea, but in the end I liked what I was reading about the Salsa Fargo and chose that. Whilst originally designed for dropbar configurations, I was pretty keen to keep the Surly Moloko handlebars that I really liked from the Wolverine and this would make it easier to keep the Rohloff drivetrain system as well. With a steel frame and a carbon fork, it’s a super versatile bike:

Fargo is our versatile steel or titanium bike with drop bars and mountain bike features. It’s designed for adventures ranging from rugged gravel rides to long, self-supported bikepacking trips.

Here is the finished bike out at Waitapu Wharf just outside of Takaka in Golden Bay:

Despite the damage to my Wolverine, I was able to recycle a fair number of parts from that bike and so similar to my original post on the Wolverine, I’m going to break down a bit of the bike build:

Key Components

Some other features of the custom build that I was super happy with on the finished product include:

  • Rohloff Speed Hub (red)
    • I was able to recycle this from the original Wolverine and combined it with a new Gates Carbon Belt Drive. Over thousands of kilometres on the old bike, the Rohloff and Gates combination never let me down and I’m looking forward to many more adventures on the new Salsa Fargo.
  • Brooks B17 leather saddle
    • I kept this from the old bike too, but with a few new scuffs on it from the wear and tear of three and half years on the Wolverine and a fair knock when it came off the roof of the car during the accident. Good seat, largely happy with it.
  • Son Dynamo (red anodized)
    • I liked the Son Dynamo on the Wolverine but I was very keen to get it with a thru axle configuration for the new bike, so I replaced it with the same anodized red colour but a thru axle configuration. Same great power generation, easier wheel alignment.
  • KLite Front and Rear Light (adventure configuration)
    • I replaced the Son Edelux II on the old Wolverine with the KLite front and rear light combination. I’d heard about this from a few bikepacking magazines and people were very complimentary of the lighting and I was keen to add a rear dynamo-powered light as well so this was a great combination. I opted for the Adventure Configuration which would prioritise a wide spread of light at lower speeds, with an “auto high beam” that would shine further ahead when the bike exceeded 20kph – clever stuff. KLite also has a configuration that gives you a charging option as well but I chose not to get this. I had previously had the Sinewave Cycles Reactor (red anodized) – USB charging port in stem on the Wolverine, but honestly rarely used it, so decided to save some money and just do the light combination.
  • Favero Assioma PRO MX | MTB Power Meter Pedals SPD®
    • In mid 2025 I had replaced the red pedals I originally had on the Wolverine with the Favero Assioma Pro MX power meter pedals. They’re great, highly recommend.
  • Surly Moloko Handlebar
    • I retained this – great handlebar, lots of hand positions, really like it. I did toy with some dropbar configurations for the Salsa Fargo like the Salsa Woodchipper Handlebar – Salsa Cycles, as the bike is originally intended to be a drop bar configuration. Perhaps I’ll give that a go at some point (will need some thinking in how to handle the Rohloff gear switcher at the handlebars)
  • Panaracer GravelKing SK TLC 50mm with brown walls (running tubeless)
    • At the time of the Wolverine demise, I was running G-ONE R PRO Line | Schwalbe in 45mm configuration. They were super fast rolling, but lacked grip in some of the muddier stuff. I opted for the rebuild to go back to the original gravel tires I got on the Wolverine, the fantastic Panaracer GravelKing Semi Knobbly with tubeless configuration. I chose the 50mm which seem really wide compared to 43mm or even 45mm I’ve run in the past, but they’re wide and ride great.

Here are some photos of the bike at Totaranui Beach after an 85km ride including a 300m climb to get to the remote bay across some great gravel:

I want to give a shout out to the great crew at Goat Cycles who patiently worked with me as I figured out the specs in the transition from the Soma Wolverine to the Salsa Fargo. They’ve done a great job building it for me and I’m super happy, anticipating thousands of kilometres riding on this new rig!

Categories
General Off Topics

Ride35: The Adventure That Wasn’t

Approaching two years on from a devastating knee injury, I was anticipating an incredible bikepacking trip around the legendary SH35 in the remot East Cape of New Zealand. Sadly, the weather had other plans and the trip took a few unexpected turns – read about the adventure here.

Categories
Microsoft365 Windows 11

Summary Post: How Windows Device Check-in Works With Intune

I don’t blog about Intune nearly as much as I used to, now that I no longer work for Microsoft and have a greater focus on the Apple ecosystem (which, to be fair, Intune still plays a pretty significant role with iPad/iPhone management).

However, I like to keep across what is happening in this space and I saw a great tweet earlier this week that touched on one of the age old complaints about Intune – the perceived slowness of policy synchronisation (especially compared to other MDM such as Jamf). The tweet came from Rudy Ooms who describes himself as:

Content Creator at Patch My PC | Reverse engineering Intune and Windows internals. Sharing what actually happens under the hood.

Back in 2019 I shared a similar blog post from Oliver Kieselbach entitled New To Intune As An MDM? Read This Blog Post First! – SamuelMcNeill.com (which is still a good read), where Oliver dived into how policy syncs work. In this newer post from Rudy, he tackles similar ground but with a view 6yrs on (wow, time flies!) and as always, I encourage you to read the original post in full:

Intune Sync and Policy Delivery: Debunking the 8 Hour Myth

Rudy does have a video overview of this topic if you’re more into listening and watching than reading:

I’ll share a few highlights from the post that are pertinent in my view, starting with:

Microsoft has documented this first enrollment sync behavior: during the Intune/MDM enrollment, devices check in more frequently to PULL down configuration profiles, certificates, and policies.

  • Every 3 minutes for the first 15 minutes
  • Then every 15 minutes for the next 2 hours
  • And only after that, it shifts to the ~8-hour cycle

Those first two bullet points are generally pretty well understood and most IT Pros will have seen this frequent sync and update during the first OOBE workflow (Out Of Box Experience).

Rudy correctly focuses on “Change Based Check-ins” with Intune and has even created a great diagram to help explain that:

To expand on that, he talks about the role of the Windows Notification Service (WNS) which functions in a similar fashion to Apple’s own Push Notification Service (APN – Configure devices to work with APNs – Apple Support (NZ)). As explained by Rudy:

That push message travels over the Windows Notification Service (WNS) and tells the device to check in. These are the triggers that make Intune notify devices:

  1. Changing targeting (adding or removing a device or user group)
  2. Editing a payload (changing/adding a new Intune policy or updating app assignment)
  3. Entra group membership changes
  4. Store app version updates released by the vendor

In practice, the first policy change is usually pushed down within a few minutes. From there, Intune enforces a quiet period/throttle (roughly 30 minutes per device) before sending another push. So, while it’s not instant like a remote wipe (which must always be immediate), it’s still far faster than waiting for the full 8-hour maintenance cycle. Let me zoom in on the push message itself a bit more.

The blog includes some interesting testing data showing that the WNS is somewhat of a ‘black box’ in terms of how it operates and where buffers can come into play between a push of a policy change and execution on the device (again, read the full blog on Rudy’s site).

But What About Throttling, You Say?

Something that many frustrated IT Admins have suspected and/or complained about is the preception Microsoft throttles Intune changes to reduce load (either for the Azure cloud or the endpoint). Rudy’s post goes into this in some detail, explaining how the first changes are almost immediate and then subsequent rapid changes are bundled together and throttled:

  • Change #1 → WNS push almost immediate
  • Change #2 and #3 (<30 min later) → bundled, resolved when device responds to the same notification
  • Change #4 (>30 min later) → new WNS push delivered

Whilst this may make a lot of sense for Microsoft, for IT Admins that are perhaps making rapid changes to configurations it can be a source of intense frustration. Of course, in a perfect world IT Admins are cool, calm and collected at all times and make all of their policy configuration changes with a single update. However, that rarely matches the often frenetic pace which busy IT Admins are required to work at and knowing that changes are being bundled and throttled is often a suboptimal experience.

It does sound like there is some work being done by Microsoft to redesign this with something called “Fast Lane” that is broken down in the blog – check it out.

Final Thoughts

It can be very hard to change perceptions and the old adage of “perception vs reality” is very real when it comes to Intune sync speed. Dealing far more regularly with Jamf and macOS/iPadOS these days than Intune and Windows, I can say that in terms of speed of policy sync and responsiveness it really does feel like Jamf is a Ferarri and Intune can be a Bambina stuck in rush hour traffic.

However, Rudy’s blog goes a long way to showing that perception is often just that: perception. (Again, read the original post in its entirety – it’s definitely worth it)

Ultimately, it’s a great thing if Windows and Intune become increasingly more responsive as managing endpoints from the cloud is a good thing for everyone. With that, a final graphic from Rudy’s blog to visualise timings:

Categories
Apple

Video: PSSO + Passkeys With Chrome Browser On A Mac

I am always interested in the integration of identity, authentication and apps and Apple’s Platform SSO continues to evolve in a promising direction.

We work a lot with Microsoft’s EntraID and the PSSO integration is improving from an MSFT perspective too: macOS Platform Single Sign-on (PSSO) overview – Microsoft Entra ID | Microsoft Learn.

In the video above we showcase how you can sign into the Microsoft Azure portal with the Google Chrome browser (typically, Chrome does not support the MSFT SSO Extension on macOS). This is achieved via:

  • PSSO registration using a Passkey in Microsoft Authenticator that links the device and the EntraID credential
  • Opening an incognito window in Chrome and navigating to portal.azure.com
  • Selecting the Passkey from the Keychain
  • Using TouchID / Secure Enclave to authorise the use of the Passkey
  • Result: passwordless sign into portal.azure.com via a Passkey and PSSO in a Chrome web browser on macOS

A goal here is robust authentication methods that are non-phishable and reducing the reliance/frequency of entering passwords.

Reach out if you’re interested in knowing more on how to implement this.

Categories
Apple Security

Recap: Attending Jamf’s JNUC 25 in Denver, Colorado

I was fortunate to be in Denver, Colorado last week to attend Jamf’s annual JNUC event – this was the first time I have attended this event and I wanted to share a few thoughts below for others that did not attend.

As this blog is reasonably long here are some hyper links to the various sections if you want to jump around

Before getting into the content, I will share four photos from a short hike I did outside of Boulder in the foothills of The Rockies after the conference finished:

Top Takeaways

  • Meeting Jamf’s global execs and key leaders was very beneficial. From a partnership perspective this is helpful to establish the Cyclone brand and for us to be aligned with the vision from the key leaders.
  • Meeting other global Jamf partners and seeing where their business focus is was also illuminating. Whilst we share similar goals, how they have gone to market at times differs from our stratgegy in New Zealand so it was useful to have my thinking challenged in this space.
  • Jamf is a platform, not a point solution. From my days selling Microsoft 365 with Microsoft APAC, I know the value of being able to position a platform to a customer. Jamf are clearly very focused on expanding beyond being a premium MDM for Apple devices, and wrapping very capable security, IdP and education focused solutions around the core MDM offerings
  • Automation: a big push from Jamf for partners to automate deployment and management as much as possible to achieve scale and financial efficiencies to be competitive with solutions.
  • A continued energy directed towards MSP: new tools, better billing engines, faster quoting tools – much was unveiled to make life easier for MSP to transact and deliver Jamf solutions (a very welcome message from my perspective)

Keynotes

Opening Keynote

Commercial – State of the Union

Things that stood out from the Keynote to me included:

  • A big push for use of Jamf Blueprints – a smarter way to group and manage configuration profiles
    • 12 additional Declarations and 34 Configuration Profiiles released at the event
  • SSO in Jamf Account across the different Jamf consoles – faster switching
  • AI Assistant – big push e.g. using AI asisstant to search for redundacies or conflicts in deployed configuration profiles and to provide a remediation plan automatically.
  • A live demo of Compliance Benchmarks for CIS L1 and L2 as well as NIST standards – all deliverable via Jamf Blueprints
    • when new versions of macOS are released, the benchmarks can be updated automatically and the correct configurations flow to devices seamlessly
  • Very smart security via the macOS Telemetry Framework that Jamf Protect and Jamf Security Cloud can pick up on – Jamf Mac endpoint telemetry explained

Education – State of the Union

Things that stood out from the Keynote to me included:

  • A big push for enhanced value through Jamf managed Shared iPad mode
  • A live demo of Jamf School showing how Blueprints can work (coming in 2026)
  • A live demo of Platform SSO (PSSO) – easy to deploy, great for multi-user devices
    • It was clear that Jamf was not threatend by PSSO native integrations and the impact this may have on Jamf Connect. They actively encouraged customers and partners to migrate to PSSO
  • A live demo of Jamf School at Home
    • The use of the Jamf Parent app for managing iPads – I really liked this and the functionality was largely new to me.

Overall, the keynotes were mostly useful – there was some very good annoucements in the Commercial keynote and from the Education keynote I was particularly interested in the announcement of the acquistion of Identity Automation and how this can allow a seamless single sign on experience into apps such as Canva and Seesaw when deployed onto iPads managed in Shared iPad mode showing a clear time saving for students in a classroom by removing the need to sign into each app individually with a school email address and password.

Product Innovation

Unsurprisingly, Jamf used the JNUC platform to announce a lot of innovation and new products, some targeted at making the life of MSP easier (yay) other functionality was more for end customers to benefit from directly.

Michael Covington (VP Portfolio Strategy) shared some interesting insights to partners during the pre-event Global Partner Summit, including:

  • Endpoint teams are being asked to do more – some are being measured on how happy their end users are with their devices (clearly, this leans into Apple’s wider strategy of “Employee Choice”)
  • Customer tool consolidation is a big focus: not using separate consoles for different platforms and leveraging AI assistants wherever possible to accelerate routine tasks
  • Jamf view themselves as a platform company now – being a point solution (e.g. best in breed MDM) is not longer a viable solution. Jamf see their platform being:
    • Users (IdPm integration)
    • Endpoints (MDM, Security)
    • Applications (tailored tools for end users e.g. teachers/students/parents, and IT to manage endpoints)

I won’t go into all the partner tools that have been developed and made available but if you are a Jamf partner, check out the Partner Hub and look for the MSP Toolkit as a starting point.

One thing I did enjoy from multiple sessions at Jamf was the willingness of the presenters to do live demos. Most worked flawlessly, some hit a few delays and one didn’t work at all – but that’s the reality. I like to see tech companies backing themselves and their products and being confident to deliver live demos to large audiences.

Mike Vanderlinder (Senior Product Manager) shared some interesting insights into SMB and the focus that Jamf have on that segment (as do Apple themselves, interestingly):

  • 27% computers in SMB are Mac
  • 43% expect Mac use to increase
  • 36% SMB lack dedicated IT Support
  • 25,000+ Jamf existing SMB customers

There is a paradox in trying to serve the SMB segment: how to balance employee experience vs delivering a full feature set.

  • SMB Solutions: tend to be limited features to keep it simple to manage and quick to deliver
  • Enterprise Solutions: tend to be feature rich but more complex to deliver

To address this, Jamf are releasing new tools to reduce the initial provisioning friction, simplify integration setup and ease the learning curve making for a better end user experience overall.

Platform SSO: The Next Frontier

Adam Derrick (Jamf Solutions Engineer) presented this session to a packed audience.

This session demo’ed Simplified Setup, a feature that Apple announced with the launch of macOS 26 Tahoe (see here for technical deployment docs). There is a blog explaining this here and right now only Okta IdP supports this, but essentially it shifts the authentication into the OOBE stages rather than requiring a user to complete the authentication once they reach the active desktop. It makes for a very strong OOBE for the end user, but feels like it’s not quite fully polished yet given most IdP have not adopted it yet.

Jamf are keeping all their PSSO documentation updated here: www.jamf.it/psso

There was discussion around the different authentication methods available for PSSO:

  • Password Sync
  • Secure Enclave Key
  • Smart Card / Yubikey
  • Tap to login (new contactless authentication via iPhone/Apple Watch on macOS 26)

The general consensus still appears to be that using Secure Enclave is the way to go. This leverages Apple’s Secure Enclave to store hardware bound non-exportable authenticaatiotn keys and users authenticate using a key that never leaves the Mac’s hardware. Right now, this is only supported by Microsoft’s Entra ID.

Apple’s Authenticated Guest Mode also featured with full Jamf support – I can see a lot of value in this for computer labs, or retail / hospitality where users are needing to quickly sign in/out of a Mac

  • Login to Mac with account credentials from IdP
  • Sign in to apps and websites
  • User data is erased after logout
  • Auto advance to streamline process

Enterprise Security Standards in Action – Future of Identity Integrations with SSF and CAEP

This session had a number of presenters:

  • Matt Vlasach – VP of product Jamf
  • Mike Kiser Director of Strategy Sailpoint
  • Atul Tulshibagwale – CTO of Sgnl
  • Dan Hefley – Product Manager at Okta

This was a super interesting session for me as it was all new, but appeared very similar to what Microsoft have developed with their Conditional Access inside of Entra ID.

SSF = Shared Signals Framework

CAEP = Continuous Access Evaluation Framework

A good starting point to learn more is here: Shared Signals Framework and Continuous Access Evaluation Protocol, with the idea being that if you can source real time signals from multiple sources using a shared framework, you can make better decisions around device compliance and take appropriate actions as a result.

  • If this….
    • Account compromised
    • Endpoint infected
    • User account is disabled
    • Compliance level changes
  • Then that….
    • Restrict access
    • Revoke sessions
    • Stepup authentication
    • Wipe device

The working group collaboratively created the SSF framework (Shared Signals Working Group – OpenID Foundation) and Jamf have done significant work to embrace this: Shared Signals Framework and Continuous Access Evaluation Protocol

For organisations working in heavily regulated industries I can see the adoption of a solution based on SSF and CAEP as a natural progression to integrate robust device compliance with restrictions to corporate data.

Apple Platform Security

This session was mainly presented by Dan Flynn a security engineer from Apple and was excellent. His focus was very much showcasing the built in security functionality in macOS that MDM and security platforms can adopt. Matt Vlasach from Jamf then showcased how Jamf are leveraging this native “security by default” approach from Apple through their MDM and security products.

One feature that Matt did demonstrate was the ability to do “set and forget” OS updates inside of Jamf now. In other words, rather than needing to define a specific date when updates need to be applied by Apple’s Declarative Device Management (e.g. 30th November), you can now define the number of days post-update release to apply.

In other words, if Apple release an update on 30th November, you can configure an OS update policy to say “allow users to manually update at any point after the release, but use DDM to force it after 14 days” – by stating the number of days (instead of a specific date) then you don’t need to continually manually configure the policy when new updates are released.

This reduces the overhead of managing OS updates significantly.

eSIM Best Practices for iPhone and iPad: Setting the gold standard in mobile security for 2026 and beyond with zero touch global deployment

I was interested to learn more about eSIM management – this ession was presented by 1Global who are a Mobile Virtual Network Operation (MVNO) and had a strong influence of their commerical offerings. Nevertheless, there were some great learnings in this space and seeing the industry shift towards eSIM only.

From Planning To Impact: Implementing Shared iPad with Purpose in Jamf School

This session was presented by Michael Thomson (Jamf Sales Engineer) and was excellent.

I have always felt that Shared iPad was not a great name for the functionality that Apple is offering here (unique user profiles stored on a single iPad vs a standard iPad simply being shared amongst users).

Michael did share a PDF of his session slides which you can access here – this goes into good detail on how local storage on an iPad can be intelligently configured to support a great end user experience in the classroom.

Categories
Apple

Key Features of macOS 26 Revealed at Apple WWDC

It’s that time of year when Apple run their World Wide Developers Conference (WWDC) and announce their roadmap for core software platforms such as macOS, iOS/iPadOS as well as WatchOS and VisionOS. 

​There was a lot to unpack so I’ve summarised the top 5 most impactful announcements from Apple below.

Major visual changes with Liquid Glass

Why it matters: Liquid Glass represents a universal design across all Apple platforms, bringing a consistency and familiarity to the user experience no matter which device is being used. Whilst UI changes tend to sit squarely in the personal preference category, Apple have clearly focused on this visual refresh as a significant development at WWDC25 (learn more).

New filesystem and windowing on iPadOS allows for genuine multi-tasking

Why it matters: Addressing one of the biggest complaints of iPad superusers, Apple has borrowed heavily from macOS to supercharge the filesystem and in particular, made working with mutiple app windows significantly easier. These changes will certainly tempt some Apple fans to leave their Mac behind and make their iPad the primary daily device of choice (learn more).

Renaming of all OS versions – aligning to the calendar year of release date

Why it matters: With the maturation of iPhone, iPad and Apple Watch in particular, it was becoming increasingly confusing to align the hardware model with the OS version e.g. an iPhone 16 Pro running iOS18. With this decision, all of Apple’s OS editions across all hardware will ‘reset’ to the calendar year of release as of 2026, meaning we will see the announcement of macOS 26, iOS 26, iPadOS 26, WatchOS 26 and VisionOS 26. Simple, right? (learn more).

macOS 26 (Tahoe) signals end of support for Intel Chipsets in Mac

Why it matters: Similar to Microsoft’s move to no longer support Windows 10, Apple is bringing the curtains down on feature updates to Intel based Macs (2019-20 vintage) with macOS 26 (however security updates will be provided for a further three years). This represents an important juncture and should be triggering refresh considerations for organisations still running Intel chipset Macs (learn more).

Apple Intelligence Update

Why it matters: Whilst Apple announced a slew of updates under the broader category of Apple Intelligence (e.g. live translations in Messages, Phones, FaceTime; improved Visual Intelligence with context aware prompts) it was most notable that the long talked about updates to a smarter Siri were delayed once again. Citing the need to hit a high quality bar before release, Apple indicated it would be available in ‘the coming year’, raising questions on whether Apple is lagging further behind competitors in the AI space (learn more). 

Bonus Techie Highlight: Device Management Migration and Authenticated Guest Mode

Why it matters: Often the major highlights from WWDC overshadow some of the more technical improvements being made by Apple. The introduction of authenticated guest mode allows users to quickly sign into a Mac with their organisational credentials (think Microsoft/Okta) or even using an NFC key stored in their iPhone wallet. This level of enterprise integration with Mac will help secure further credibility for macOS in larger organisations and the Device Management Migration announcements mean system administrators can more easily migrate devices from one MDM to another (learn more).