This is part 2 of 3 in the series, “User Initiated Technology: Why Warby Parker Built a Culture of Self-Service” based on a talk I gave during the 2018 MacAdmins Conference at Penn State University. You can find part one here.

Self-service @ Warby Parker

Here are some of the ways we’re using self-service at Warby Parker:

Accessories Shelf

We allow our users to help themselves to commonly used peripherals. Our users are empowered to cater to their own working style with our diverse array of options.

Just-in-time provisioning

Using Google Groups and Okta, we allow users to request access to things like distribution groups, Team Drives and apps. This puts access control in the hands of business owners and prevents our help desk team from arbitrarily granting access. This is completely managed by our users.

Software Catalog

Using a software catalog, we allow our users to install prepackaged software without dictating what software is required on a user’s machine. I no longer need to preinstall tens of software titles upon device deployment.

We also extend this platform by providing scripted quick fixes to users so that they can obtain fixes to common problems without having to reach out for help. Things like resetting the time-zone based on location, resetting the print system, and flushing the DNS cache. We disguise these fixes in more user friendly terms so users aren’t required to know the ins-and-outs of their systems and can just get back moving.

User-driven Deployments

We empower our users to self start and customize their machines from the moment they receive it using Apple’s Device Enrollment Program or Windows Autopilot.

LDAP Account Management Portal

We’ve built a custom portal to allow users to unlock or recover their LDAP accounts. We found that this reduces a significant number of incoming requests into the help desk.

Recycling

We allow our users to recycle non-working or unneeded technology in recycling bins that are placed around our offices. In conjunction with our accessories shelf, users have no need to alert IT if they spill coffee on a keyboard; just dispose of the old one, take a new one. We have a great partnership with a local recycling company that meets both Department of Defense and NIST storage disposal standards.

Loaner Computers

We allow our users to help themselves to loaner Chromebooks. They can feel free to take and return as-needed. These devices are configured to return to an expected state and erase all data upon logout, so we don’t need to worry about data leaks.

Just-in-time Admin Escalation

We understand that in order to keep our users empowered we need to give them more control over their machines. Our struggle with this was coming to a middle-ground between user-empowerment and endpoint security. Our solution was developing a process that temporarily escalated users to an administrator for a certain period before reverting them back to standard users. This is typically enough time to perform minor configuration changes or install individual pieces of software. Our security team is happy knowing that users do not have administrator access 100% of the time. Also, as a mental gymnastic, we’ve found that users are more cautious about performing admin required changes due to the additional steps required.

Here’s some starter code you can use to start creating something similar in your environment:

	#!/bin/bash
	# Get username of current logged in user
	# This method breaks if you allow multiple accounts logged in.
	USERNAME=$(ls -l /dev/console | awk '{print $3}')
	membership=$(dsmemberutil checkmembership -U $USERNAME -G admin)
	if [ "$membership" == "user is not a member of the group" ];
	then
	if ! launchctl list|grep -q com.apple.atrun; then launchctl load -w /System/Library/LaunchDaemons/com.apple.atrun.plist; fi
	/usr/sbin/dseditgroup -o edit -a $USERNAME -t user admin
	echo dseditgroup -o edit -d $USERNAME -t user admin|at now +2 minutes &>/dev/null
	/Library/Application\ Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType hud -title "Self Service" -heading "You're now an admin. Go, go, go!" -button1 "Ok"
	fi

view raw escalateviaSelfService.sh hosted with ❤ by GitHub

At the very same conference, Rich Trouton also debuted his solution to the same problem. I highly recommend you check it out at the link below!

https://github.com/SAP/macOS-enterprise-privileges

Knowledge Base

Knowledge bases are more important than you think. We rely heavily on ours to allow our users to stay informed so that they can solve problems on their own. We place a significant emphasis on documenting during our project process to ensure that every product released has sufficient documentation to common problems or guides to get started.

When writing a knowledge base it’s important to realize that not everyone has the same learning style, so it’s best to have a combination of text and video based tutorials.

Hardware Purchasing

We found it pretty difficult to manage the purchasing of one-off peripherals as our store count increased. Anytime a store needed more Lightning to USB or HDMI cables we’d receive a ticket and have to coordinate the purchase and shipment of that product to the store. After working with our VAR, we established a custom purchasing portal for our store managers. They were thrilled at the added ability to purchase hardware on their own. We even had the ability to implement spending limits to ensure stores weren’t over-consuming.

Deployment WebApp

This is a work-in-progress. We are building a web app that allows users to scope their own devices in Jamf Pro after deployment. We found that when using Prestage Enrollments that the overhead of us assigning devices to the correct building & department was too cumbersome. This web app will allow users to navigate to a website, authenticate, and fill out the fields required for proper scoping. The app would then communicate in the back-end with the JSS via their API. I hope to have some exciting updates on this in a future blog post. I am building this web app in Python with Flask.

 

Impact @ Warby Parker

To know if your self-service program is a success, you need some way to measure that success. Since moving to a self-service IT philosophy at Warby Parker, we’ve noticed some interesting things.

User relationship

The nature of our relationship with our users began to change. Our sessions became less transactional and more educational. We stopped being asked to fix a device when the user was away for lunch. Our relationships became deeper and we began to learn what projects our users were working on. This gave us the insight to make technological recommendations to help them achieve their goals. Our relationship morphed into a partnership.

How did we measure this? Well, we asked our employees how they felt! Here are some of their responses:

---

“Coming from a white glove environment, having the ability to self-service is infinitely more enjoyable. Not only from a technical perspective, but being able to grab cables/accessories whenever I need makes it easy to fully customize my setup without needing to constantly bug tech services. All the while knowing that you guys are there to help whenever necessary!” – Inventory Control Analyst

---

“When I’ve received other computers that are simply handed off to me, they feel like a piece of company equipment. When unboxing a computer on my own, it feels like my own.” – Technical Product Manager

---

“Our self-service accessory station allows me to obtain the peripherals I need for the dev projects I’m working on. I do a lot of development on Raspberry Pi, so this makes it really easy to obtain input devices without interrupting anyone.” – Software Engineer

---

Engineer Productivity

We’ve  been fortunate enough to have been able to achieve so much with a lean team. We have self-service to thank for this. This is even more impressive when you see how our location and user-count has grown over time.

At the time of writing, we have over 95 stores and 1800 employees supported by only 5 engineers. For most organizations of this size, an IT to user ratio is typically 1:23; whereas we operate at 1:360.

Help Desk Tickets

We found that every time we implement a new self-service oriented process, we’d see an impact on our incoming ticket queue. We are measuring this by averaging the number of tickets each employee submits per month. We measure this way to compensate for the influx of tickets we receive for every new store opened, which is fairly frequent.

Below, you’ll see our “average tickets per employee” including key times when self-service projects were completed

Here’s some background to those key points:

• Okta requests: Implemented Okta’s Access Request Workflow
• Self-service accessories: Built shelf with accessory offerings for users to help themselves
• AD portal: Built custom portal for AD account management
• Gmail password recovery: Enabled password recovery

This is just a sample of some of the projects that have had an impact and we continue to think of more. We meet monthly and ask ourselves “What can we automate? What can be turned into self-service?”

This was our inspiration.

This book contains essays and articles from members of Google’s SRE team on how they run production systems. And we’ve found these principles just as applicable to our roles as Sysadmins. Here’s one topic that stood out:

Toil – The kind of work tied to running a production service that tends to be manual, repetitive, automatable, tactical, devoid of enduring value, and that scales linearly as a service grows.

We consider toil to be things like ordering hardware & software, answering help desk tickets, or handling walk-ups. So we made our goal to reduce each of these as much as possible. To decide where to begin, we needed data. We turned to the vast repository of information we already had, our help desk data.

When our users submit a service request, they have to answer two fundamental questions for us.

Why? – Why do you need our help?

Are they reaching out because there is something that they need, or is something not working?

From here, we can quickly identify opportunities to convert processes to self-service.  Does the user need something? I bet this can be solved with an entry in a service catalog. Does the user need a consultation? Sounds like they may need more training or better documentation. Is something configured incorrectly? Maybe they don’t have enough access to fix it themselves.

What? – What do you need help with?

Here is where we zero in on which component needs improvement. With this data, we can cross reference the Why? to find out where we need to spend our time.

Now that we’ve identified Where? & Why? we need to figure out How? we’re going to solve this.

Build or buy?

Here is where we begin to determine our solution. We embark on an analysis to understand if it’s more beneficial for us to build our own solution or buy an existing solution. Here’s a quick comparison:

Build

• Build the solution using internal engineering resources
• Responsible for maintenance throughout the life-cycle of the solution
• End solution is catered exactly to our needs

Buy

• Purchase an off-the-shelf solution
• Rely on vendor to improve and update product
• End solution is more of a one-size-fits all. We may have to adapt our vision to make it work

If we decide to buy, we embark on a thorough RFP process to find the best fit and most scalable solution to fit our needs.

Stay tuned for the final installment of this series, User Initiated Technology: Why Warby Parker Built a Culture of Self-Service: Part 3 of 3 where we explore how to execute a successful self-service program and where to take it from there.