
I Miss vCenter — So I’m Building My Own (in AWS)

I’ve been living in AWS long enough that I’m supposed to have moved on.

I can design multi-account landing zones, argue about Transit Gateways vs. VPC peering, and recite IAM best practices in my sleep. I understand why cloud-native patterns exist. I even agree with most of them.

But if I’m being honest?

I miss vCenter.

The Comfort of a Single Pane of Glass

Back in the vSphere days, vCenter was home base. One UI. One mental model. One place where I could:

  • See all my workloads
  • Understand capacity at a glance
  • Migrate compute without rewriting the world
  • Apply policies consistently
  • Fix problems visually instead of spelunking through APIs

Yes, it was centralized. Yes, it had limitations. Yes, it could be fragile.

But it was coherent.

In AWS, coherence is… optional.

AWS Is Powerful — But Fragmented

Don’t get me wrong: AWS is incredible. The primitives are flexible, scalable, and battle-tested. But as an operator, the experience is scattered:

  • EC2 over here
  • ASGs over there
  • Load balancers somewhere else
  • Metrics in CloudWatch
  • Config in tags (maybe)
  • Inventory split across accounts and regions

The AWS Console isn’t lying to you — but it also isn’t telling you the whole story in one place.

Instead of operating infrastructure, I often feel like I’m assembling context.

What vCenter Got Right

vCenter wasn’t just a hypervisor manager. It was an operations platform:

  • Strong inventory model
  • Clear parent/child relationships
  • First-class lifecycle concepts
  • Human-readable abstractions
  • Predictable workflows

You didn’t need five services and a wiki page just to answer:

“What’s running where, and why?”

So… I’m Building My Own vCenter (Sort Of)

I’m not trying to recreate vSphere in the cloud. That would miss the point.

What I am doing is building a control plane on top of AWS, using its APIs, that gives me back what I miss:

  • A unified inventory across accounts and regions
  • Opinionated metadata instead of tag chaos
  • Clear ownership and lifecycle states
  • Capacity and cost visibility that makes sense to humans
  • Operational workflows that don’t start with “open three consoles”

Think less “hypervisor replacement” and more operator experience layer.

AWS provides the raw materials. I’m just putting a dashboard, model, and brain on top of them.
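The inventory layer described above, as an added example rather than code from the post: a normalizer that folds raw describe_instances-style records from several accounts and regions into one opinionated model with owner and lifecycle fields, and records every metadata defect instead of silently accepting tag chaos. The tag convention (Owner, Lifecycle, Service), the lifecycle states, and the sample records are all assumptions constructed for the example.

```python
"""Fold raw AWS inventory into an opinionated operator model.

Added example, not code from the original post. It assumes a tag
convention (Owner, Lifecycle, Service) and a fixed set of lifecycle
states that the post does not spell out, and it works on constructed
records shaped like boto3's ec2.describe_instances() output instead of
calling AWS, so it runs offline.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

REQUIRED_TAGS = ("Owner", "Lifecycle", "Service")                 # assumed convention
VALID_LIFECYCLE = {"dev", "staging", "prod", "decommissioning"}   # assumed states

# Constructed sample: one dict per instance, already stamped with the
# account and region it was collected from.
SAMPLE_INSTANCES = [
    {"account": "111111111111", "region": "us-east-1", "InstanceId": "i-0a1",
     "InstanceType": "m5.large", "State": {"Name": "running"},
     "Tags": [{"Key": "Owner", "Value": "payments"},
              {"Key": "Lifecycle", "Value": "prod"},
              {"Key": "Service", "Value": "ledger"}]},
    {"account": "222222222222", "region": "eu-west-1", "InstanceId": "i-0b2",
     "InstanceType": "t3.micro", "State": {"Name": "stopped"},
     "Tags": [{"Key": "owner", "Value": "ops"},              # wrong case
              {"Key": "lifecycle", "Value": "Production"}]},  # not a known state
    {"account": "222222222222", "region": "eu-west-1", "InstanceId": "i-0c3",
     "InstanceType": "c6i.xlarge", "State": {"Name": "running"},
     "Tags": []},                                             # no metadata at all
]


@dataclass
class Workload:
    """The human-readable record a dashboard shows instead of raw API output."""
    account: str
    region: str
    resource_id: str
    size: str
    state: str
    owner: Optional[str]
    lifecycle: Optional[str]
    service: Optional[str]
    findings: List[str] = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.findings


def normalize(instance: dict) -> Workload:
    """Map one raw instance to a Workload, recording every metadata defect."""
    raw_tags = {t["Key"]: t["Value"] for t in instance.get("Tags", [])}
    folded = {k.lower(): v for k, v in raw_tags.items()}   # tolerate case drift
    findings = []
    for key in REQUIRED_TAGS:
        if key in raw_tags:
            continue
        if key.lower() in folded:
            findings.append(f"tag {key} has wrong case")
        else:
            findings.append(f"missing tag {key}")
    lifecycle = folded.get("lifecycle")
    if lifecycle is not None and lifecycle not in VALID_LIFECYCLE:
        findings.append(f"unknown lifecycle {lifecycle!r}")
    return Workload(
        account=instance["account"],
        region=instance["region"],
        resource_id=instance["InstanceId"],
        size=instance["InstanceType"],
        state=instance["State"]["Name"],
        owner=folded.get("owner"),
        lifecycle=lifecycle,
        service=folded.get("service"),
        findings=findings,
    )


def build_inventory(instances: List[dict]) -> List[Workload]:
    return [normalize(i) for i in instances]


def summarize(inventory: List[Workload]) -> dict:
    """The 'capacity at a glance' view: counts per account/region and how
    many records still need a human to fix their metadata."""
    by_scope = Counter((w.account, w.region) for w in inventory)
    return {
        "total": len(inventory),
        "running": sum(w.state == "running" for w in inventory),
        "noncompliant": sum(not w.compliant for w in inventory),
        "by_account_region": dict(by_scope),
    }


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_INSTANCES)
    for w in inv:
        print(w.resource_id, w.owner, w.lifecycle, "OK" if w.compliant else w.findings)
    print(summarize(inv))
```

The point of keeping the findings on each record, rather than dropping non-compliant resources, is that the inventory stays complete: the dashboard still shows what is running where, and the findings column is the to-do list for whoever owns the account.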

Cloud-Native Doesn’t Have to Mean Operator-Hostile

Somewhere along the way, “cloud-native” became synonymous with:

  • More YAML
  • More dashboards
  • More glue code
  • More tribal knowledge

But abstraction isn’t the enemy. Bad abstraction is.

vCenter succeeded because it respected how humans think about systems. AWS succeeds because it gives you freedom. The gap between the two is where a lot of operator pain lives.

That gap is exactly what I’m trying to close.

This Is Not Nostalgia — It’s a Design Problem

I don’t miss vCenter because it was old.

I miss it because it solved real operational problems well.

If we can acknowledge that, we can stop pretending the current state is perfect — and start building better tools on top of the cloud we actually run.

So yes, I’m an AWS admin now.

And yes, I miss vCenter.

That’s why I’m building my own. More to come.

🛡 How to Turn an Alpine Linux Server into a Tailscale Gateway for Your LAN

Why a Tailscale Gateway?

Tailscale normally requires each device to run the Tailscale client. That works fine for laptops, phones, and servers, but what about devices like printers, cameras, or NAS boxes?

With a Subnet Router, a single Tailscale-connected server can act as a bridge to your entire LAN — so any device on your Tailscale network can reach those local-only devices securely.


What You’ll Need

  • A small Alpine Linux server (VM, bare metal, or Raspberry Pi)
  • An active Tailscale account
  • Access to your LAN network (e.g., 192.168.1.0/24)
  • Your Tailscale auth key (from the Tailscale admin panel)

Step 1: Update & Install Tailscale

First, update Alpine and install Tailscale:

apk update && apk upgrade
apk add tailscale tailscale-openrc

Step 2: Enable IP Forwarding

This allows the Alpine box to forward traffic between your Tailscale network and LAN.

Edit /etc/sysctl.conf:

nano /etc/sysctl.conf

Add:

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

Apply:

sysctl -p

Step 3: Start Tailscale & Advertise Routes

Start the Tailscale service:

rc-update add tailscaled default
rc-service tailscaled start

Now bring Tailscale online, advertising your LAN subnet:

tailscale up \
  --auth-key=tskey-auth-XXXXXXX \
  --advertise-routes=192.168.1.0/24 \
  --accept-routes

Step 4: Approve Routes in Tailscale Admin

Log in to the Tailscale admin console and, under the gateway machine’s route settings, enable the route for 192.168.1.0/24.


Step 5: (Optional) Adjust Firewall Rules

If Alpine’s firewall is active, you’ll need to allow forwarding:

apk add iptables
iptables -A FORWARD -i tailscale0 -j ACCEPT
iptables -A FORWARD -o tailscale0 -j ACCEPT
/etc/init.d/iptables save
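A preflight checker for the gateway built in Steps 2 through 5, added here as an example; it is not part of the original post or of Tailscale’s own tooling. It reads the text of /etc/sysctl.conf, the output of `iptables-save`, and the list of prefixes you intend to advertise, and reports what is missing or over-broad. The sysctl and iptables inputs below are constructed samples so it runs anywhere; on the gateway you would pass in the real files. It assumes Tailscale assigns node addresses from 100.64.0.0/10, so an advertised LAN prefix must not overlap that range, and the function names are the example’s own.

```python
"""Preflight checks for a Tailscale subnet-router gateway.

Added example, not part of the original post or of Tailscale's own tooling.
It inspects the text of /etc/sysctl.conf, the output of `iptables-save`, and
the list of prefixes you intend to advertise, and reports what is missing or
over-broad. The inputs below are constructed samples so the script runs
anywhere; on the gateway you would pass in the real files. It assumes
Tailscale assigns node addresses from 100.64.0.0/10.
"""
import ipaddress
from typing import Dict, List

TS_IFACE = "tailscale0"
TAILSCALE_NODE_RANGE = ipaddress.ip_network("100.64.0.0/10")  # assumption, see docstring
WANTED_SYSCTLS = {"net.ipv4.ip_forward": "1", "net.ipv6.conf.all.forwarding": "1"}

# Constructed /etc/sysctl.conf with the IPv6 line forgotten.
SAMPLE_SYSCTL = """\
# constructed sample
net.ipv4.ip_forward = 1
"""

# Constructed iptables-save output containing the two rules from Step 5.
SAMPLE_IPTABLES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i tailscale0 -j ACCEPT
-A FORWARD -o tailscale0 -j ACCEPT
COMMIT
"""


def check_forwarding(sysctl_text: str) -> List[str]:
    """Every key in WANTED_SYSCTLS must be present with the expected value."""
    found = {}
    for line in sysctl_text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            found[key] = value
    return [f"{k} is {found.get(k, 'unset')}, expected {v}"
            for k, v in WANTED_SYSCTLS.items() if found.get(k) != v]


def check_routes(routes: List[str]) -> List[str]:
    """Advertised prefixes must be valid, private, disjoint, and off the tailnet range."""
    findings, seen = [], []
    for r in routes:
        try:
            net = ipaddress.ip_network(r, strict=True)   # rejects host bits set
        except ValueError as exc:
            findings.append(f"{r}: not a valid network ({exc})")
            continue
        if net.prefixlen == 0:
            findings.append(f"{r}: default route; advertise only the LAN prefix")
        elif not net.is_private:
            findings.append(f"{r}: not a private range; the gateway would forward public destinations")
        if net.overlaps(TAILSCALE_NODE_RANGE):
            findings.append(f"{r}: overlaps Tailscale's node range {TAILSCALE_NODE_RANGE}")
        for other in seen:
            if net.overlaps(other):
                findings.append(f"{r}: overlaps {other}")
        seen.append(net)
    return findings


def check_forward_rules(iptables_save_text: str) -> List[str]:
    """FORWARD must accept both directions on tailscale0; flag inbound rules with no -d limit."""
    rules = [line.strip() for line in iptables_save_text.splitlines()
             if line.startswith("-A FORWARD")]
    findings = []
    for flag in ("-i", "-o"):
        if not any(f"{flag} {TS_IFACE}" in r and "-j ACCEPT" in r for r in rules):
            findings.append(f"no FORWARD ACCEPT rule with {flag} {TS_IFACE}")
    for r in rules:
        if f"-i {TS_IFACE}" in r and "-j ACCEPT" in r and " -d " not in r:
            findings.append(f"'{r}' forwards to any destination; add -d <LAN prefix> to limit it")
    return findings


def preflight(sysctl_text: str, iptables_save_text: str, routes: List[str]) -> Dict[str, List[str]]:
    return {
        "forwarding": check_forwarding(sysctl_text),
        "routes": check_routes(routes),
        "firewall": check_forward_rules(iptables_save_text),
    }


if __name__ == "__main__":
    for area, findings in preflight(SAMPLE_SYSCTL, SAMPLE_IPTABLES, ["192.168.1.0/24"]).items():
        print(area, "OK" if not findings else findings)
```

The two FORWARD rules in Step 5 accept anything entering or leaving tailscale0, which is why the checker flags the inbound rule: adding `-d 192.168.1.0/24` to it keeps the gateway from forwarding tailnet traffic anywhere except the subnet you actually advertised, and the Tailscale ACLs mentioned below then decide which tailnet identities may reach it at all.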

Done! 🎉

Now any device on your Tailscale network can securely reach devices on your LAN, and those LAN devices need no VPN client installed.

Example:

  • From your laptop on Tailscale, you can hit http://192.168.1.50 to access your NAS dashboard — even from across the world.

Why This Rocks

  • Zero Trust Security — Every connection is authenticated via your Tailscale identity provider.
  • No Port Forwarding — Works through NAT and firewalls.
  • Cross-Platform — Works for Windows, macOS, Linux, iOS, Android, and even cloud VMs.

💡 Pro tip: Combine this with Tailscale ACLs to restrict who can access which LAN devices.

CrowdStrike MacOS Workspace One Setup

After weeks of troubleshooting various issues, I thought it would be good to document a working process. Hopefully this helps you avoid some of the pain I went through due to a few quirks.

I use a few profiles to enable CrowdStrike with no user interaction needed.

macOS - CrowdStrike - Content Filter

Filter Name: falcon
Identifier: com.crowdstrike.falcon.App
Organization: CrowdStrike, Inc.
Filter Socket Traffic: Enabled
Socket Filter Bundle ID: com.crowdstrike.falcon.Agent
Socket Requirement: identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = X9E956P446
Filter Grade: Inspector

macOS – CrowdStrike – Login and Background Items

Rule Type: BundleIdentifier
Rule Value: com.crowdstrike.falcon.UserAgent
Team Identifier: X9E956P446

macOS – CrowdStrike – Notification Settings
App Bundle ID: com.crowdstrike.falcon.UserAgent
Allow notifications: Enable
Show in Notification Center: Enable
Show in Lock Screen: Enable
Allow badging: Enable
Allow sounds: Enable
Allow critical alert notifications: Enable
Alert Type: Temporary Banner 

macOS – CrowdStrike – System Extension

Allowed System Extension Types
Team Identifier: X9E956P446
Endpoint Security & Network: Enable

Allowed System Extensions
Team Identifier: X9E956P446
Bundle Identifier: com.crowdstrike.falcon.Agent

Now, this is what gave me and so many other people issues. I don’t know if this is a bug or an undocumented requirement for the Workspace ONE CrowdStrike profile.

Create a macOS – CrowdStrike – Privacy Preferences profile with the following entries, in this order:

Identifier: com.crowdstrike.falcon.Agent
Identifier Type: Bundle ID
Code Requirement: identifier "com.crowdstrike.falcon.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446
Comment: agent
System Policy All Files: Allow
System Policy Sys Admin Files: Allow

Now add a second preference entry inside the same profile for the Falcon app:

Identifier: com.crowdstrike.falcon.App
Identifier Type: Bundle ID
Code Requirement: identifier "com.crowdstrike.falcon.App" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = X9E956P446
Comment: app
System Policy All Files: Allow
System Policy Sys Admin Files: Allow

I hope this helps save you time. The big issue was not having anything in the Comment field. Once that was added, the app should now go green; in some cases I needed to reboot.
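A consistency check over the profile entries listed above, added as an example; it is not part of the original post or of any Omnissa or CrowdStrike tool. It holds the profile values as plain dicts (the code requirements and team identifier copied from the entries above, plus two constructed entries with deliberate mistakes), and verifies that each code requirement names the same bundle identifier as the entry’s Identifier field, that every team identifier matches, and that each Privacy Preferences entry has a non-empty Comment, the field this post found had to be filled in before the profile applied. The function names are the example’s own.

```python
"""Consistency checks for the CrowdStrike profile entries above.

Added example, not part of the original post or of any Omnissa or CrowdStrike
tool. The requirement strings and team ID are copied from the entries above;
the second and third Privacy Preferences entries are constructed to show the
two mistakes the checks catch.
"""
import re
from typing import Dict, List

EXPECTED_TEAM_ID = "X9E956P446"

# Code requirement from the Privacy Preferences entries above, parameterised on the bundle.
_REQ = ('identifier "{bundle}" and anchor apple generic and '
        'certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and '
        'certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and '
        'certificate leaf[subject.OU] = X9E956P446')

PRIVACY_ENTRIES = [
    {"Identifier": "com.crowdstrike.falcon.Agent", "Identifier Type": "Bundle ID",
     "Code Requirement": _REQ.format(bundle="com.crowdstrike.falcon.Agent"),
     "Comment": "agent"},
    {"Identifier": "com.crowdstrike.falcon.App", "Identifier Type": "Bundle ID",
     "Code Requirement": _REQ.format(bundle="com.crowdstrike.falcon.App"),
     "Comment": ""},        # constructed: the empty Comment the post warns about
    {"Identifier": "com.crowdstrike.falcon.App", "Identifier Type": "Bundle ID",
     "Code Requirement": _REQ.format(bundle="com.crowdstrike.falcon.Agent"),
     "Comment": "app"},     # constructed: requirement pasted from the Agent entry
]

# Team identifiers from the other profiles above, keyed by profile name.
OTHER_TEAM_IDS = {
    "Login and Background Items": "X9E956P446",
    "System Extension (allowed types)": "X9E956P446",
    "System Extension (allowed extensions)": "X9E956P446",
}

_IDENT_RE = re.compile(r'identifier\s+"([^"]+)"')
_OU_RE = re.compile(r'certificate leaf\[subject\.OU\]\s*=\s*(\S+)')


def parse_requirement(req: str) -> Dict[str, object]:
    """Pull the bundle identifier and team ID out of a code-signing requirement."""
    ident = _IDENT_RE.search(req)
    ou = _OU_RE.search(req)
    return {
        "identifier": ident.group(1) if ident else None,
        "team_id": ou.group(1) if ou else None,
        "apple_anchor": "anchor apple generic" in req,
    }


def validate_privacy_entry(entry: Dict[str, str]) -> List[str]:
    """Findings for one Privacy Preferences entry; empty means consistent."""
    findings = []
    parsed = parse_requirement(entry.get("Code Requirement", ""))
    if parsed["identifier"] != entry["Identifier"]:
        findings.append(f"requirement names {parsed['identifier']!r} "
                        f"but Identifier is {entry['Identifier']!r}")
    if parsed["team_id"] != EXPECTED_TEAM_ID:
        findings.append(f"team ID in requirement is {parsed['team_id']!r}, expected {EXPECTED_TEAM_ID}")
    if not parsed["apple_anchor"]:
        findings.append("requirement is not anchored to Apple's certificate chain")
    if not entry.get("Comment", "").strip():
        findings.append("Comment is empty")
    return findings


def validate_profiles(privacy_entries: List[Dict[str, str]],
                      other_team_ids: Dict[str, str]) -> Dict[str, List[str]]:
    """Findings per profile entry across the whole set."""
    report = {f"Privacy Preferences #{i + 1} ({e['Identifier']})": validate_privacy_entry(e)
              for i, e in enumerate(privacy_entries)}
    for name, team_id in other_team_ids.items():
        report[name] = ([] if team_id == EXPECTED_TEAM_ID
                        else [f"team ID {team_id} differs from {EXPECTED_TEAM_ID}"])
    return report


if __name__ == "__main__":
    for name, findings in validate_profiles(PRIVACY_ENTRIES, OTHER_TEAM_IDS).items():
        print(name, "OK" if not findings else findings)
```

Running it over the two real entries plus the two constructed ones reports only the constructed defects, which is the point: a mismatched identifier or a blank Comment is invisible in the console UI until the Falcon app fails to go green, and a few lines of checking catch it before the profile is published.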

Bonus: Install Script

Post Install Script:

#!/bin/bash
# Replace "Your Key" with your Falcon customer ID (CID)
sudo /Applications/Falcon.app/Contents/Resources/falconctl license "Your Key"

Omnissa Pass

Omnissa Pass: Elevating Enterprise Authentication with Passwordless Security

In today’s digital landscape, traditional passwords have become a significant vulnerability, often leading to security breaches and user frustration. Recognizing this challenge, Omnissa introduces Omnissa Pass, a cutting-edge multi-factor authentication (MFA) solution designed to enhance security while simplifying the user experience.


🔐 What is Omnissa Pass?

Omnissa Pass is a mobile application that provides secure, passwordless authentication for enterprise applications and services. By leveraging FIDO2 passkeys, it offers a modern approach to authentication, eliminating the need for passwords and reducing the risk of credential theft. Users can authenticate using biometric methods or device-based credentials, ensuring both security and convenience.


🚀 Key Features

  • Passwordless Authentication: Utilizes FIDO2 passkeys to enable secure, password-free logins.
  • Multi-Factor Authentication (MFA): Combines device-based credentials with biometric verification for enhanced security.
  • Device Compliance Checks: Integrates with Omnissa Access to ensure that only compliant devices can authenticate, enforcing organizational security policies. 
  • Seamless Integration: Works across various platforms and integrates with existing enterprise systems, facilitating a smooth transition to passwordless authentication.

📱 Availability

Omnissa Pass is available for download on major mobile platforms:


🛡️ Enhancing Security with Omnissa Access

When paired with Omnissa Access, organizations can enforce strict access controls based on device compliance and user authentication. This integration ensures that only authorized users on compliant devices can access sensitive corporate resources, aligning with Zero Trust security principles. 


🌐 Embracing the Future of Authentication

By adopting Omnissa Pass, enterprises can:

  • Reduce Security Risks: Eliminate vulnerabilities associated with traditional passwords.
  • Improve User Experience: Offer a seamless and intuitive authentication process.
  • Ensure Compliance: Meet regulatory requirements with robust security measures.

Transitioning to passwordless authentication with Omnissa Pass not only strengthens security but also enhances overall user satisfaction.


For more information and to explore how Omnissa Pass can benefit your organization, visit the Omnissa Tech Zone.

Fetch – Windows Application Lifecycle Tool for Workspace ONE UEM Omnissa

Fetch Review: Simplifying Windows Application Management

Hi there folks!

After spending some time with Fetch, I’m excited to share my review of this innovative tool that addresses one of the biggest challenges in Windows Desktop management—Application Management.


The Challenge of Application Management

Workspace ONE Administrators know how complex and time-consuming it can be to make applications available on managed devices. Traditionally, the process involves manually downloading installers, preparing binaries, and creating detailed application entries within Workspace ONE UEM. This often leads to delays and inconsistencies in deployments.


What is Fetch?

Fetch is a Windows application designed to streamline and automate the deployment of native Windows applications within Workspace ONE. By automating the process of downloading installers, uploading binaries, and creating Native Windows Application entries complete with all required metadata, Fetch drastically reduces the manual workload and potential for errors.

With a database of more than 7,000 unique applications and 62,000 application versions, Fetch offers an extensive resource that simplifies the deployment process.

Below is a snapshot of the tool in action:


Key Workflows Offered by Fetch

Fetch enhances the application management process with four main workflows:

1. Application Search and Creation:

• Simply search for an application by name and automatically generate its corresponding Native App entry in Workspace ONE UEM.

2. Software Asset Management Integration:

• Upload a Software Asset Management or Application Report (like the Installed Apps report from Workspace ONE Intelligence, the Software Deployment Report from SCCM, or a PowerShell report of network devices). Fetch checks its extensive database for matching applications, then assists in creating the corresponding Native App in UEM.

3. Application Version Management:

• Interrogate your current Workspace ONE UEM environment to discover if updated versions of applications are available. Fetch then enables you to upload and create the updated application version seamlessly.

4. Manifest-Based Deployment:

• Upload a manifest (template) containing details of your organization’s existing Native Windows Applications along with your installer files. Fill in the necessary metadata, and Fetch processes the manifest to upload the installers and create the apps in UEM accordingly.


The Verdict

As a reviewer, I found that Fetch effectively addresses many of the hurdles traditionally faced by Workspace ONE Administrators. Its automation of repetitive tasks not only saves time but also reduces the likelihood of manual errors, ensuring that application deployments are both consistent and efficient. The extensive database is a clear highlight, providing a strong foundation that supports a wide array of applications and versions.

If you’re looking for a tool that simplifies and accelerates Windows application management, I highly recommend giving Fetch a try. For more detailed instructions and to download the tool, check out the documentation and download Fetch.

Happy managing!

Windows Server Management is coming to Workspace ONE UEM

Omnissa is enhancing Workspace ONE UEM with Windows Server support, enabling seamless management of all Windows computing devices. With a beta launch on the horizon, users can expect robust features like enrollment, software distribution, and server-specific analytics. Join our upcoming webinar for in-depth insights and to participate in the beta!

As an extension of the robust Windows Desktop functionality, Omnissa is introducing Windows Server support. Windows Server will be added to the long list of Workspace ONE UEM computing devices, first in a beta introduction, with general availability to follow.

Soon you will be able to manage all Windows computers via Workspace ONE UEM. Below is a high-level overview, as well as an invitation to a webinar where more details will be discussed.

Find out more in [THIS] Techzone post by Jo Harder.

Health & Environment

Introducing the Health & Environment Tile in the New Omnissa Cloud Services Portal

The Omnissa Cloud Services Portal is evolving, and one of the most exciting updates is the addition of the Health & Environment tile. This new feature is designed to streamline critical processes, centralize management tasks, and provide a comprehensive view of your Workspace ONE Cloud Managed Hosting environment.

What Does the Health & Environment Tile Offer?

The Health & Environment tile brings together several key services that were previously spread across platforms, including My.WorkspaceONE.com. As part of the broader transition to the Omnissa Cloud Services Portal under Omnissa Connect, this tile will enable you to:

1. Schedule UEM Upgrades

Effortlessly manage upgrades for your Workspace ONE Cloud Managed Hosting environment. The scheduling tool ensures minimal downtime and keeps your environment up-to-date with the latest features and security updates.

2. Sign and Renew Certificates

Certificate management is now more accessible than ever. Whether you need to sign or renew certificates for your environment, this tool simplifies the process, ensuring compliance and operational continuity.

3. Monitor Omnissa Products and Services

Stay informed about the status of all Omnissa products and services in one centralized dashboard. Whether you’re tracking performance metrics or troubleshooting potential issues, the Health & Environment tile provides real-time insights to keep your operations running smoothly.

Transition to Omnissa Connect

The integration of these features into the Omnissa Cloud Services Portal is part of a larger effort under Omnissa Connect. This initiative focuses on creating a seamless user experience by consolidating tools and services into a unified platform. As more features transition from My.WorkspaceONE.com to the Cloud Services Portal, you’ll enjoy a cohesive and efficient management experience.

Why It Matters

The Health & Environment tile is more than just a new feature—it’s a step forward in simplifying cloud service management. By centralizing tools and services in one portal, Omnissa is reducing complexity and empowering users to take control of their environments with ease.

Stay tuned as more features make their way into the Omnissa Cloud Services Portal, further enhancing your ability to manage and optimize your Workspace ONE environment.

Ready to explore the new Health & Environment tile? Log in to the Omnissa Cloud Services Portal today and experience the next generation of cloud service management!

How to Disable Windows Recall in Workspace ONE: A Step-by-Step Guide


Securing Your Windows PCs Against Recall Using Workspace ONE UEM

With the introduction of Windows 11 Copilot+ machines, Microsoft introduced a feature called Recall, designed to create an explorable timeline of your PC’s past actions. While useful for users, Recall has raised privacy concerns, particularly due to its ability to capture sensitive data like passwords and MFA codes.

Why Disable Recall?

Recall captures screenshots of a user’s activity, posing security risks. If malicious actors exploit this, sensitive information could be exposed. This poses a substantial concern for IT admins responsible for securing corporate networks and personal data.

Disabling Recall in Workspace ONE UEM

Step 1: Create a Windows Profile

• Navigate to Devices > Profiles & Resources.

• Select Add Profile, choose Windows Desktop, and configure general settings like profile name and target devices.

Step 2: Add Custom XML to Disable Recall

You will need to create a custom XML profile using SyncML commands that disable the Recall feature on managed Windows devices. Insert the following SyncML commands:

To Disable Recall:

<Replace>
  <CmdID>34e7f8c0-1dd4-42ed-bbcc-07da966bc0e0</CmdID>
  <Item>
    <Target>
      <LocURI>./User/Vendor/MSFT/Policy/Config/WindowsAI/DisableAIDataAnalysis</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">int</Format>
    </Meta>
    <Data>1</Data>
  </Item>
</Replace>

To Re-enable Recall on Profile Removal:

<Delete>
  <CmdID>34e7f8c0-1dd4-42ed-bbcc-07da966bc0e0</CmdID>
  <Item>
    <Target>
      <LocURI>./User/Vendor/MSFT/Policy/Config/WindowsAI/DisableAIDataAnalysis</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">int</Format>
    </Meta>
    <Data>1</Data>
  </Item>
</Delete>

These commands ensure that Recall is disabled on the initial profile installation and that it will revert to default behavior if the profile is removed.
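A small generator and verifier for the install/remove pair above, added as an example; it is not from the original post or from Workspace ONE. It builds the <Replace> and <Delete> commands for a LocURI with a fresh CmdID, parses both back with the Python standard library, and checks that the remove command targets exactly the LocURI the install command wrote, so the policy is not left behind when the profile is unassigned. The Delete it emits carries only the target; the Meta and Data elements in the version above are not needed for a delete. The function names are the example’s own.

```python
"""Build and verify the install/remove SyncML pair for a Policy CSP setting.

Added example, not from the original post or from Workspace ONE. Generates the
<Replace> and <Delete> commands for one LocURI, then parses both back and
checks they agree, so a typo in the removal XML is caught before publishing.
"""
import uuid
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# LocURI from the profile above.
RECALL_LOCURI = "./User/Vendor/MSFT/Policy/Config/WindowsAI/DisableAIDataAnalysis"


def _command(tag: str, cmd_id: str, loc_uri: str, value: Optional[int] = None) -> str:
    """One SyncML command; Replace carries Meta/Data, Delete only the target."""
    root = ET.Element(tag)
    ET.SubElement(root, "CmdID").text = cmd_id
    item = ET.SubElement(root, "Item")
    target = ET.SubElement(item, "Target")
    ET.SubElement(target, "LocURI").text = loc_uri
    if value is not None:
        meta = ET.SubElement(item, "Meta")
        ET.SubElement(meta, "Format", xmlns="syncml:metinf").text = "int"
        ET.SubElement(item, "Data").text = str(value)
    ET.indent(root, space="  ")          # Python 3.9+
    return ET.tostring(root, encoding="unicode")


def policy_pair(loc_uri: str, value: int, cmd_id: Optional[str] = None) -> Tuple[str, str]:
    """Return (install_xml, remove_xml) sharing one CmdID."""
    cmd_id = cmd_id or str(uuid.uuid4())
    return _command("Replace", cmd_id, loc_uri, value), _command("Delete", cmd_id, loc_uri)


def verify_pair(install_xml: str, remove_xml: str, expected_value: int) -> List[str]:
    """Findings for an install/remove pair; empty means the pair is consistent."""
    findings = []
    try:
        rep, dele = ET.fromstring(install_xml), ET.fromstring(remove_xml)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if rep.tag != "Replace" or dele.tag != "Delete":
        findings.append(f"expected Replace/Delete, got {rep.tag}/{dele.tag}")
    rep_uri = rep.findtext("Item/Target/LocURI")
    del_uri = dele.findtext("Item/Target/LocURI")
    if not rep_uri:
        findings.append("install command has no LocURI")
    if rep_uri != del_uri:
        findings.append(f"remove command targets {del_uri!r} but install wrote {rep_uri!r}")
    data = rep.findtext("Item/Data")
    if data != str(expected_value):
        findings.append(f"install Data is {data!r}, expected {expected_value}")
    return findings


if __name__ == "__main__":
    install, remove = policy_pair(RECALL_LOCURI, 1)
    print(install)
    print(remove)
    print("findings:", verify_pair(install, remove, 1))
```

Paste the first string into the profile’s install section and the second into its removal section. The value check is there because the Recall setting is inverted relative to its name: writing 1 to DisableAIDataAnalysis is what disables the feature, so a pair that wrote 0 would publish cleanly and do nothing.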

Step 3: Publish the Profile

Save and publish the profile to all applicable devices. Ensure the affected devices are listed as expected. A reboot might be necessary for the changes to take full effect.

Conclusion

Until Microsoft addresses Recall’s security flaws, disabling this feature using Workspace ONE UEM is a crucial step for organizations prioritizing privacy and security. By following the steps outlined here, IT administrators can ensure their managed devices are protected from potential security risks posed by Recall.

Session Management IS BACK

Optimizing Admin Experience: Changing the Timeout Time on Workspace ONE

In today’s fast-paced digital landscape, ensuring a seamless and efficient user experience is paramount. Workspace ONE, a comprehensive digital workspace platform, allows organizations to manage and secure any app on any device. One critical aspect of user experience in Workspace ONE is the session timeout setting. By customizing the timeout duration, administrators can strike a balance between security and convenience. Here’s how you can change the timeout time on Workspace ONE to optimize your organization’s workflow.

Why Adjust the Timeout Time?

  1. Enhanced Security: Shorter timeout periods can help protect sensitive information by ensuring that unattended sessions are automatically logged out, reducing the risk of unauthorized access.
  2. User Convenience: On the flip side, longer timeout periods can enhance user productivity by minimizing disruptions and the need to frequently log back in.
  3. Compliance: Adjusting the timeout duration can also help meet specific compliance requirements that mandate certain session management practices.

Steps to Change the Timeout Time in Workspace ONE

Changing the session timeout setting in Workspace ONE is a straightforward process. Follow these steps to configure the timeout duration according to your organization’s needs:

  1. Access the Workspace ONE UEM Console:
    Log in to your Workspace ONE UEM console with administrative credentials.
  2. Navigate to the Appropriate Settings:
    Go to Groups & Settings > All Settings > Admin > Console Security > Session Management
  3. Modify Session Timeout:
    Locate the Idle Session Timeout. This setting controls the duration of inactivity before a session is automatically logged out.
  4. Set the Desired Timeout Duration:
    Enter the desired timeout duration in minutes. For example, setting it to 15 minutes will log users out after 15 minutes of inactivity.
  5. Save the Changes:
    Click Save to apply the changes. The new timeout setting will be enforced across all devices managed by Workspace ONE.

Best Practices for Setting Timeout Duration

  1. Assess User Needs:
    Consider the typical workflow and needs of your users. For instance, customer-facing roles might benefit from longer timeout periods, while roles dealing with highly sensitive data might require shorter durations.
  2. Balance Security and Convenience:
    Aim for a timeout period that provides a reasonable balance between security and user convenience. Common timeout durations range from 5 to 30 minutes.
  3. Regular Review:
    Periodically review and adjust the timeout settings as needed to ensure they remain aligned with evolving security policies and user requirements.

Conclusion

Customizing the timeout time in Workspace ONE is a simple yet effective way to enhance both security and admin experience.