Studio Infra Kit · Endpoints Runbook

Endpoints, backup, power.

The physical layer the rest of the Studio runs on. Hardened workstation, MDM-managed devices, 3-2-1 backup, segmented network, and a power chain that survives a 30-minute outage — so a stolen laptop or a thunderstorm is an inconvenience, not an extinction-level event.

Companion to USI-RB-01 §04 (Phase 1 abridged) and USO-ST-05 (the operational hardware logic). This runbook is the deep-dive: FileVault, Jamf, Synology, UniFi, UPS, and the quarterly restore drill that proves it all works.

Doc-ID: USI-RB-05
Layer: Endpoints
Duration: ~6 hours
Status: Live

01 · How to use this runbook.

An endpoint is anything physical that can be lost, stolen, dropped, or fried. The job of this runbook is to make the loss of any single endpoint a same-day recovery instead of a multi-week rebuild.

Build the stack once at Day 0 (~6 hours). After that, the recurring cost is one quarterly restore drill (§09) and a monthly check that backups are still running (§11). Anything else means a tool is failing silently — investigate.

The order matters — Workstation hardening before Jamf (so MDM has a hardened device to enroll), Jamf before Backup (so MDM can enforce the backup config), Backup before NAS (so the NAS isn't the only copy of anything), Network before UPS (so UPS protects what matters).

02 · The endpoint stack.

Five physical layers, each with one tool. Total fixed cost is microscopic against the value of what they protect.

Layer | Tool / Hardware | Role | Cost
Workstation | MacBook Pro 14" / 16" (M-series) | Primary device. Encrypted, MDM-enrolled. | $2-3K (one-time)
MDM | Jamf Now | Device inventory, profile push, remote lock/wipe. | Free (≤ 3 devices)
Backup | iCloud + Time Machine + Backblaze B2 | 3-2-1 redundancy across vendors and media. | ~$15 / mo
NAS | Synology DS224+ (2× 8TB SHR) | Local Time Machine target + Drive cache + media. | ~$700 (one-time)
Network | UniFi Express + UAP-AC-Lite | Segmented VLANs (work, IoT, guest) + remote-managed. | ~$250 (one-time)
Power | APC Back-UPS Pro 1500 | 30 min runtime for NAS + network gear during outage. | ~$220 (one-time)

Recurring cost: ~$15/mo until the team grows past 3 devices (then Jamf jumps to $4/device/mo). One-time hardware: ~$1,200 plus the workstation. Backups absorb the bulk of recurring spend — cheap insurance.

03 · Workstation hardening.

~60 minutes

Before MDM enrolls a device, the device should already be safe. Hardening at first boot means MDM has a known-good baseline to enforce.

Step 01 · First boot & account. (~15 min)
  1. Sign in with the Workspace identity (abe@umbra.group).
  2. Skip Apple ID sign-in during setup if the Apple ID at hand is the personal-tier iCloud account; afterwards sign in with a separate Apple ID configured for Studio use only.
  3. Set computer name: studio-mbp-01 (predictable inventory naming).
  4. Enable FileVault — required, no exceptions. Save the recovery key to 1Password → recovery vault.
Step 02 · macOS security settings. (~20 min)
  • System Settings → General → Software Update: enable automatic install of macOS & security responses.
  • System Settings → Privacy & Security → FileVault: ON.
  • Privacy & Security → Firewall: ON, with stealth mode.
  • Privacy & Security → Lockdown Mode: leave OFF unless travelling to a high-risk location.
  • Lock Screen: require password immediately after sleep / screen saver. Screen saver after 5 min.
  • Touch ID: enrolled. YubiKey: kept as the primary 2FA path for SaaS, not local login.
  • Find My Mac: ON.
Step 03 · Browser & baseline apps. (~25 min)

Install only what's needed. Less surface = less to harden.

  • Browser: Chrome (synced to Workspace profile only) + Safari (kept fresh as a clean fallback).
  • 1Password 8: signed into the Studio account.
  • Tailscale: signed in via Workspace SSO.
  • Slack, Notion, Linear, Superhuman, Loom, Figma desktop apps.
  • Mercury & Wave are browser-only — no desktop client.
  • Cursor or VS Code (the IDE you use): default project folder set to ~/Code/.

No third-party menubar utilities, no demo apps, no "I'll uninstall this later". The first 60 min sets the precedent.

§ §03 gate
Reboot. Confirm FileVault prompts before login, password is required immediately on wake, and the Studio identity holds across all the installed apps. If any one of those is wrong, fix before MDM enrollment.
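
A scripted version of this gate for the Step 02 settings, added here as an example and not part of the runbook: each parser takes the raw stdout of one macOS command (so the checks can be exercised off the Mac), and run_gate() executes the real commands on the workstation. The command names and preference keys are real macOS ones; the control names, the pass/fail layout and the screen-saver threshold constant are this example's own assumptions.

```python
import re
import subprocess
import sys

FW = "/usr/libexec/ApplicationFirewall/socketfilterfw"
SU = "/Library/Preferences/com.apple.SoftwareUpdate"
SCREEN_SAVER_MAX_SECONDS = 5 * 60  # §03 Step 02: screen saver after 5 min

def filevault_on(out: str) -> bool:
    # `fdesetup status` prints "FileVault is On." once the disk is encrypted.
    return "FileVault is On." in out

def firewall_on(out: str) -> bool:
    # `socketfilterfw --getglobalstate` ends "(State = 1)" or "(State = 2)" when on.
    m = re.search(r"State = (\d)", out)
    return m is not None and m.group(1) in ("1", "2")

def stealth_on(out: str) -> bool:
    # `socketfilterfw --getstealthmode` prints "Stealth mode enabled" or "... disabled".
    return "Stealth mode enabled" in out

def auto_update_on(out: str) -> bool:
    # `defaults read` prints 1 when set; a missing key prints nothing and fails closed.
    return out.strip() == "1"

def screensaver_ok(out: str) -> bool:
    # com.apple.screensaver idleTime is in seconds; 0 means "never" and also fails.
    s = out.strip()
    return s.isdigit() and 0 < int(s) <= SCREEN_SAVER_MAX_SECONDS

# control name -> (command that reads the setting, predicate over its stdout)
CONTROLS = {
    "FileVault": (["fdesetup", "status"], filevault_on),
    "Firewall": ([FW, "--getglobalstate"], firewall_on),
    "Stealth mode": ([FW, "--getstealthmode"], stealth_on),
    "Auto-install macOS updates": (["defaults", "read", SU, "AutomaticallyInstallMacOSUpdates"], auto_update_on),
    "Screen saver <= 5 min": (["defaults", "-currentHost", "read", "com.apple.screensaver", "idleTime"], screensaver_ok),
}

def evaluate(outputs: dict) -> dict:
    """Pass/fail per control from captured stdout; missing output fails closed."""
    return {name: check(outputs.get(name, "")) for name, (_, check) in CONTROLS.items()}

def run_gate() -> bool:
    """On the workstation: run each command, print PASS/FAIL, return the overall verdict."""
    outputs = {name: subprocess.run(cmd, capture_output=True, text=True).stdout
               for name, (cmd, _) in CONTROLS.items()}
    results = evaluate(outputs)
    for name, ok in results.items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
    return all(results.values())

if __name__ == "__main__":
    if sys.platform != "darwin":
        sys.exit("run this on the macOS workstation; the parsers work anywhere")
    sys.exit(0 if run_gate() else 1)
```

Find My Mac and Touch ID enrollment have no clean command-line readout, so they stay on the manual checklist.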

04 · Jamf Now MDM.

~75 minutes

Jamf Now is chosen for two reasons: free for the first 3 devices, and the simplest macOS-native MDM available. When the Studio grows past 3 endpoints, the same configuration ports to Jamf Pro or Mosyle without a re-enroll.

Step 01 · Provision the tenant. (~20 min)
  1. Sign up at jamfnow.com with abe@umbra.group.
  2. Verify Apple Push Notification Service (APNs) cert — Jamf walks the wizard. Save the cert renewal date in calendar (annual).
  3. Connect Apple Business Manager (ABM) if the workstation was bought via Apple Business or a reseller; otherwise enroll manually in Step 03.
Step 02 · Build the Studio Blueprint. (~30 min)

A Blueprint is Jamf's name for a profile bundle. Build one called Studio · Default with these payloads:

  • Passcode policy: minimum 12 chars, mixed case + number, max 60-day age, 5 failed attempts then erase.
  • FileVault: enforced. Recovery key escrowed to Jamf.
  • Firewall: on, stealth mode.
  • Software Updates: auto-install macOS within 7 days of release.
  • Restrictions: disable AirDrop on untrusted networks; require encryption for backups.
  • Wi-Fi: auto-join Studio network with cert-based auth (see USI-RB-05 §07).
  • VPN: Tailscale config delivered.
  • Apps: auto-install 1Password, Slack, Notion, Tailscale.
Step 03 · Enroll the workstation. (~15 min)
  1. From Jamf Now: Enroll a Device → Send enrollment email to the device's primary user.
  2. On the workstation, click the link in the email and download the enrollment profile.
  3. System Settings → Privacy & Security → Profiles: confirm the Studio Default profile is installed.
  4. Wait 5 minutes for the Blueprint payloads to apply, then verify each one in System Settings.
Step 04 · Test remote actions. (~10 min)
  • From Jamf, push a Lock command. Confirm device locks within 60 seconds.
  • From Jamf, fetch device inventory. Confirm OS version, serial, FileVault status all populate.
  • Do not test Wipe in production — trust the docs and test it during the §09 quarterly drill on a spare or via VM.
§ Loss
If a workstation is lost or stolen: within 60 minutes — Jamf Lock + Find My + change Workspace password + revoke 1Password device + revoke Tailscale device. The recovery key is in 1Password → recovery vault for legitimate reinstallation; the lost device is wiped on next network connect.

05 · The 3-2-1 backup.

~60 minutes

Three copies of every important file. Two different media. One off-site. Three vendors so a single account compromise doesn't take everything.

Copy 1 · Hot
iCloud Drive
Continuous sync of ~/Documents and ~/Desktop for active work. Versioned, accessible from any signed-in device. Apple-managed.
Copy 2 · Local
Time Machine
Hourly snapshots of the entire system, backed to the Synology NAS over Tailscale. Bootable restore if the workstation dies.
Copy 3 · Off-site
Backblaze B2
Encrypted continuous backup of the workstation + a weekly Synology Hyper Backup to the same B2 bucket. Independent vendor, geographically remote.
Step 01 · iCloud Drive setup. (~10 min)
  1. System Settings → Apple ID → iCloud: enable iCloud Drive.
  2. Toggle Desktop & Documents Folders ON.
  3. Optimize Mac Storage: ON. Local cache for active files; archived to iCloud.
  4. Confirm storage tier — 2TB plan is the right default for the Studio.
Step 02 · Time Machine to Synology. (~15 min)
  1. On the Synology, create a shared folder TimeMachine with quota = 2× workstation disk size.
  2. In Synology Control Panel → File Services, enable SMB and Bonjour Time Machine advertising.
  3. On the workstation: System Settings → General → Time Machine → Add Backup Disk.
  4. Select the Synology over Tailscale (NAS hostname over the mesh).
  5. First backup will take hours; let it finish overnight on AC power.
Step 03 · Backblaze B2 continuous. (~25 min)
  1. Sign up for Backblaze with billing@umbra.group.
  2. Install the Backblaze Personal Backup client OR set up restic/rclone to push to a B2 bucket. The Studio default is Backblaze Computer Backup ($9/mo unlimited) for the workstation.
  3. Set encryption passphrase (32+ chars, stored in 1Password recovery vault). Without this passphrase no recovery is possible.
  4. Exclude folders that don't need cloud copy: ~/Library/Caches, build artifacts, Docker images.
  5. Confirm first full backup completes within 7 days (depends on upload speed).
Step 04 · Synology Hyper Backup → B2. (~10 min)
  1. On Synology: Hyper Backup → Backup Task → Backblaze B2.
  2. Select shared folders to back up (everything except TimeMachine — that's already covered).
  3. Schedule: weekly on Sunday at 02:00.
  4. Retention: keep all weekly backups for 90 days, then monthly for 12 months.
  5. Encrypt the backup with a different passphrase than the workstation's, stored in 1Password.
§ §05 gate
Confirm all three copies show recent activity within 48 hours of setup. iCloud should sync within minutes, Time Machine should snapshot hourly, Backblaze should show "completed" on the most recent run. If any one is failing silently, the whole 3-2-1 collapses to a 2-1-0.
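
The Time Machine half of this gate can be automated; the script below is an added example, not part of the runbook. It parses the output of `tmutil latestbackup` and `tmutil listbackups` (tmutil is the real macOS tool, and it names each snapshot after its start time), and fails closed when the NAS target was unreachable; the thresholds are this example's assumptions: 48 h maximum age, matching the §11 weekly check, and at least 12 snapshots per day as a tolerant reading of "hourly" on a laptop that sleeps.

```python
import re
import subprocess
import sys
from datetime import datetime, timedelta

# tmutil names every snapshot after its local start time, e.g.
# ".../2024-05-10-020000.backup"; that stamp is all these checks need.
STAMP = re.compile(r"(\d{4}-\d{2}-\d{2}-\d{6})\.backup")

def parse_stamp(path: str):
    """Snapshot time encoded in a tmutil backup path, or None if there is none."""
    m = STAMP.search(path)
    return datetime.strptime(m.group(1), "%Y-%m-%d-%H%M%S") if m else None

def latest_age_hours(latestbackup_out: str, now: datetime):
    """Hours since the newest snapshot; None when `tmutil latestbackup` returned
    nothing (no backup yet, or the NAS was unreachable over Tailscale)."""
    stamp = parse_stamp(latestbackup_out)
    return None if stamp is None else (now - stamp).total_seconds() / 3600

def snapshots_within(listbackups_out: str, now: datetime, hours: int = 24) -> int:
    """Number of `tmutil listbackups` entries younger than `hours`."""
    cutoff = now - timedelta(hours=hours)
    stamps = (parse_stamp(line) for line in listbackups_out.splitlines())
    return sum(1 for s in stamps if s is not None and s >= cutoff)

def time_machine_gate(latest_out, listing_out, now, max_age_hours=48, min_per_day=12):
    """The §05 gate for the local copy: a recent snapshot exists, and the hourly
    schedule is really producing them (12/day tolerates a laptop that sleeps)."""
    age = latest_age_hours(latest_out, now)
    if age is None:
        return False, "no Time Machine snapshot found"
    if age > max_age_hours:
        return False, f"latest snapshot is {age:.0f}h old (max {max_age_hours}h)"
    count = snapshots_within(listing_out, now)
    if count < min_per_day:
        return False, f"only {count} snapshots in 24h (expected >= {min_per_day})"
    return True, f"latest {age:.1f}h ago, {count} snapshots in the last 24h"

def run_live() -> bool:
    """On the workstation: query tmutil and print the verdict."""
    def tm(verb):
        return subprocess.run(["tmutil", verb], capture_output=True, text=True).stdout
    ok, msg = time_machine_gate(tm("latestbackup"), tm("listbackups"), datetime.now())
    print(("PASS  " if ok else "FAIL  ") + msg)
    return ok

if __name__ == "__main__":
    if sys.platform != "darwin":
        sys.exit("tmutil only exists on macOS; the parsers run anywhere")
    sys.exit(0 if run_live() else 1)
```

iCloud and Backblaze expose no equivalent local command, so those two copies stay on the manual check.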

06 · Synology NAS.

~75 minutes

The Synology DS224+ is the local hub: Time Machine target, file cache, and a few useful side roles. Modest hardware; massive value over its lifetime.

Step 01 · Hardware & first boot. (~30 min)
  1. Install two drives (8TB WD Red Plus or Seagate IronWolf, NAS-rated). Configure as SHR with 1-disk redundancy.
  2. Connect via Ethernet to the UniFi switch. NAS gets a static lease.
  3. Run DSM setup: hostname studio-nas-01, admin user nasadmin (not admin; rename the default).
  4. Apply all DSM updates. Enable auto-update for security DSM patches.
Step 02 · Tailscale on the NAS. (~15 min)
  1. Install Tailscale via Synology Package Center (community Tailscale package or via SSH).
  2. Authenticate as abe@umbra.group; tag the device tag:studio-nas (matches the ACL from USI-RB-02 §06).
  3. Disable port-forwarding on the router. The NAS is reachable only over Tailscale.
  4. Test from the workstation: ping studio-nas-01 over Tailscale should resolve.
Step 03 · Shared folders. (~15 min)

Create five shared folders, each with a clear purpose:

Folder | Purpose | Backed up to B2?
TimeMachine | Workstation Time Machine target. | No (workstation also covered by Backblaze)
Archive | Cold storage for completed engagements. | Yes
Media | Source files, large recordings, video, design exports. | Yes
Datasets | R&D datasets, eval corpora, large embeddings. | Yes
Snapshots | Quarterly Airtable + Wave + Sign exports. | Yes
Step 04 · Snapshot Replication. (~15 min)
  • Install Snapshot Replication from Package Center.
  • Schedule: hourly snapshots, retain last 24h hourly + 14 daily + 8 weekly.
  • Enable for all five shared folders.
  • Snapshots are immutable — first line of defense against ransomware encrypting the NAS.
§ Don't
Don't expose the NAS to the public internet. No QuickConnect, no DDNS, no port-forwarding. Reachable only via Tailscale. Every public-facing Synology that gets ransomwared learns the same lesson the same way.

07 · UniFi network.

~60 minutes

A small UniFi setup gets you VLAN segmentation, remote management, and clean DHCP — everything the Studio needs and nothing it doesn't.

Step 01 · Gateway & controller. (~25 min)
  1. Hardware: UniFi Express (acts as gateway + AP) or Cloud Gateway Ultra + UAP-AC-Lite if more coverage is needed.
  2. Adopt via the UniFi mobile app. Sign in with the Workspace identity (a UI account federated to Workspace, NOT a separate personal ubnt.com account).
  3. Update firmware to latest stable.
  4. Set timezone, NTP, admin name. Disable the legacy admin user.
Step 02 · Three VLANs. (~20 min)

Segment the home/office network into three. The boring parts of the internet stay on their own subnet.

VLAN | SSID | Members | Inter-VLAN routing
10 · Studio | Umbra-Studio | Workstation, NAS, phone, primary printer. | Allowed to NAS only via Tailscale (not LAN-routed).
20 · IoT | Umbra-IoT | Smart-home devices, TVs, accessories. | Internet-only, blocked from Studio VLAN.
30 · Guest | Umbra-Guest | Visitors, contractors not yet enrolled. | Internet-only, fully isolated.
Step 03 · Wi-Fi hardening. (~10 min)
  • WPA3 only on Studio SSID. WPA2/3 mixed on IoT (some devices won't speak WPA3).
  • Hide nothing. SSID hiding is theatre and breaks roaming.
  • Enable PMF (Protected Management Frames) on Studio SSID.
  • Disable WPS everywhere.
  • Static DHCP reservations for NAS, printer, and workstation. Predictable IPs help debugging.
Step 04 · Remote management & monitoring. (~5 min)
  • Enable UniFi Site Manager remote access. Required for triaging from a coffee shop.
  • Enable Critical Notifications → email to security@umbra.group.
  • Enable Threat Management (IDS/IPS) on the gateway. Tune false positives over the first week.
§ §07 gate
From a phone on Guest VLAN, attempt to reach the NAS web UI. If you can reach it, the VLAN isolation isn't enforcing. Fix the firewall rules before any contractor connects.

08 · UPS & power.

~30 minutes

A 30-minute UPS is the difference between "the power blipped" and "the NAS is now corrupted." Cheap, mechanical, end-to-end the most reliable layer in the stack.

What plugs into the UPS

  1. NAS — the most important thing to shut down cleanly. Connected via USB so DSM can trigger graceful shutdown.
  2. UniFi gateway + switch + AP — so remote access still works during a brief outage and a graceful shutdown is possible.
  3. Cable modem / fiber ONT — the internet uplink itself, so the devices above stay reachable remotely.
  4. Workstation charger (if desktop) or just the laptop (if portable; the laptop is its own UPS).

DSM ↔ UPS

  1. USB cable from the APC to the Synology.
  2. DSM → Control Panel → Hardware & Power → UPS: enable.
  3. Set DSM to enter Safe Mode after 10 min on battery.
  4. Set DSM to shut down after 25 min on battery (5 min buffer before the UPS dies).

What stays on a regular outlet

Monitors, lamps, peripherals. Save the UPS budget for what matters.

§ Battery
UPS batteries last 3-5 years. Schedule a replacement every 4 years; the symptom of an expired battery is a UPS that beeps and dies in 2 minutes instead of 30. Test runtime annually as part of the §09 drill.

09 · Restore drills.

~120 minutes per quarter

A backup that has never been restored is not a backup; it's wishful thinking. Once a quarter, run the full drill. The first one will surface 2-3 things that don't work; subsequent ones go fast.

Quarterly drill checklist

  1. iCloud restore. Pick a file from ~/Documents last modified 60+ days ago. Confirm version history shows changes back to creation.
  2. Time Machine restore. Migration Assistant from the Synology NAS into a fresh user account on a spare device or VM. Confirm boot, app launch, and recent file presence.
  3. Backblaze restore. Pick a single file via the web UI; download. Pick a folder; download as zip. Confirm the encryption passphrase still works.
  4. Synology Hyper Backup restore. Restore a single file from a 60-day-old snapshot to a temp location.
  5. Snapshot Replication restore. Browse hourly snapshots, restore a file from a snapshot >7 days old.
  6. UPS runtime test. Pull mains power. Confirm UPS battery holds for >25 min before DSM begins shutdown.
  7. Lost-device drill. Pretend the workstation is stolen. From a separate device, walk the §04 callout checklist. Time the full revoke.

Document the drill

Each drill produces a one-page log appended to studio-shared/Endpoints/Drills/{YYYY-Qn}.md:

  • Date, who ran it, total elapsed.
  • Each step: pass / fail / partial.
  • Anything that broke + what was fixed.
  • Action items for next quarter.
§ Failure mode
If a drill fails and you don't have time to fix it that day, schedule the fix within 7 days. A known broken backup that's documented is fine. A broken backup that's been "we'll fix it next quarter" is the silent failure that turns a survivable incident into a catastrophe.

10 · Decommission & disposal.

Devices leave the Studio for one of three reasons: replaced, sold, or destroyed. Each path has the same first step: prove the device no longer holds Studio data.

Step-by-step

  1. Sign out of every Studio identity: Workspace, 1Password, Slack, Tailscale, GitHub, etc. Each sign-out should be reflected in the corresponding admin console.
  2. Wipe via Jamf (preferred) or via macOS Erase All Content and Settings. Confirm FileVault was enabled at wipe time — this guarantees data destruction even if the SSD is recovered.
  3. Remove from Jamf inventory after the wipe completes.
  4. Remove from Apple Business Manager / Find My.
  5. Document the decommission in studio-shared/Endpoints/Decom/{YYYY-MM}-{hostname}.md: serial, date wiped, disposal method, recipient (if sold/donated).

Disposal options

  • Trade-in to Apple — cleanest for a working device.
  • Donate to a vetted recipient after wipe + reset. Get a written receipt.
  • Physical destruction (drill the SSD, shear the logic board) for any device that ever held production client data + can't be wiped to known-good. Photo evidence kept in the decom log.
  • Certified e-waste recycler — default for any other end-of-life path.

11 · Endpoint checklist.

Daily · 0 min

  1. Nothing — this is the whole point of automation.

Weekly · 5 min · Friday

  1. Open Backblaze; confirm last backup is <48h old.
  2. Open Synology DSM; confirm Snapshot Replication ran in the last 24h and no shared folder is >90% full.
  3. Glance at Jamf inventory: every device checked in within the last 7 days.

Monthly · 20 min

  1. Apply any pending macOS update on the workstation.
  2. Apply any pending DSM update on the Synology (off-hours).
  3. Apply any pending UniFi firmware update.
  4. Skim the Jamf compliance dashboard; remediate any orange item.
  5. Skim Backblaze; confirm storage growth is sane.

Quarterly · 2 hours

  1. Run the full restore drill per §09.
  2. UPS battery runtime test.
  3. Audit Jamf Blueprint against the latest USI-RB-05 §04 list; update payloads as needed.

Annual · half-day

  1. Renew Jamf APNs cert.
  2. Replace UPS battery on the 4-year mark.
  3. Re-evaluate workstation: is it 3+ years old? Schedule replacement.
  4. Re-print Emergency Kit, including all device-recovery codes & encryption passphrases.
§ Bottom line
Endpoints are quiet until they aren't. A 2-hour quarterly drill is the price of being able to lose a workstation on a Tuesday and be fully productive again by Wednesday afternoon. Treat the drills as non-negotiable; treat the green dashboards as the goal.