How Cronofy manages international device deployment and endpoint security without a dedicated IT team

The challenge

Cronofy is a scheduling infrastructure company headquartered in Nottingham, UK. Its API powers calendaring and interview scheduling workflows for thousands of businesses, including major HR and recruiting platforms. The company employs around 43 people, distributed primarily across the UK, with additional staff in Amsterdam, Germany, and Spain.

There is no dedicated IT team at Cronofy. When Chris Taylor joined as a Senior Site Reliability Engineer, the CTO, Gary Shutler, handed IT responsibilities to him alongside his SRE work, because Chris had the background and someone needed to own it. A second senior SRE shares the load. Their primary job is keeping the infrastructure that supports Cronofy's product and generates revenue up and running. IT has to work well enough in the background that it does not compete for that time.

Without an existing IT program in place, Cronofy had been leasing laptops through a third-party provider called Hoppy, which bundled with a mobile device management solution called Mirador. The arrangement offloaded some of the setup work, but it came with real costs. When a new hire joined in Spain, Chris configured a MacBook Pro in the UK and shipped it internationally. The shipment triggered import duties, and with an engineer-spec MacBook Pro worth over $2,000, those added taxes really increased the cost. Cronofy had to wire the new employee money so he could pay the customs bill before his laptop could be released.

"We had to transfer him a load of money so he could pay those taxes before his laptop could be delivered on his first day," Chris recalled. "We very much wanted to be done with all that sort of thing."

Finance eventually flagged the laptop rental model as too costly to continue. That conversation opened the door to a broader rethink: own devices outright, consolidate tools, and build an IT setup that could support a distributed team without requiring the SREs' sustained attention.

Once Cronofy started pulling on that thread, a second problem came into focus. Vulnerability management had no automation behind it. When a CVE was published, Chris would post in Slack asking employees to apply updates. Employees would defer, snooze the prompt, and defer again. The CEO and CTO would sometimes step in to reinforce the message, but it was still a manual process from start to finish. "It was very much a manual task to keep on top of people," Chris said.

It was at that point we decided: if we're going to change everything on the IT side of things, let's try and consolidate and make things as simple as possible.

Chris Taylor
Senior Site Reliability Engineer

The Solution

Choosing Iru

Cronofy evaluated three options. Jamf was the expected front-runner, but the evaluation quickly revealed it was not the right fit. Switching between multiple portals, a setup process that didn’t feel intuitive, and an early suggestion to bring in an implementation partner all pointed in the wrong direction. "This should be simple enough for me and one other person to just go through," Chris said. "Spend a day, maybe, getting things set up." Mosyle was also considered as a lower-cost option, but it lacked the depth Cronofy needed across vulnerability management and automated update enforcement. Iru offered a single place to view device status, vulnerabilities, and configuration, and the team was able to get everything running without outside help.

The simplicity of Iru really won us over, and the fact that it was just kind of a single pane of glass to view your device status, your vulnerabilities, and all that sort of stuff.

Chris Taylor
Senior Site Reliability Engineer

Zero-touch enrollment, from purchase to first boot

Cronofy's top requirement was straightforward: no more physically touching or pre-configuring devices before they reached employees.

Iru's integration with Apple Business Manager made that possible. The operations team now handles purchasing directly through the Apple Store. Devices flow automatically into Business Manager and then into Iru, without Chris needing to touch the hardware. When a new hire powers on their Mac device, Iru's Liftoff onboarding screen walks them through enrollment and installs core applications before they have even logged in.

We buy the Mac, it automatically goes into Business Manager, and then through to Iru. From there it just follows that normal onboarding process, which is a lot nicer from my point of view.

Chris Taylor
Senior Site Reliability Engineer

A new starter in London this week went through exactly that process. Chris received enrollment notifications confirming the device was configuring itself end-to-end – including Liftoff, app installs, policy enforcement – without him needing to intervene. Devices ship directly from Apple to the employee's location, which means no hardware crosses borders pre-configured and no import tax exposure.

App assignments are managed through a single blueprint using device tags. Devices are tagged by role and Iru uses those tags to determine which applications install automatically. It is a clean structure that has scaled without requiring changes as the team has grown.

Enforced updates and automated vulnerability response

The previous approach to vulnerability management – a Slack message and waiting on employees to act – has been replaced entirely.

Cronofy now uses Iru's managed software updates to enforce macOS version compliance with a defined grace period. Chris recently shortened that window from two weeks to one after observing that employees were consistently waiting until the forced deadline before acting.

People were very much like: 'There's an update — not now.' And they would just keep doing that for two weeks. Now they can only do it for a week.

Chris Taylor
Senior Site Reliability Engineer

For application vulnerabilities, Cronofy has deployed Iru's Vulnerability Response with enforcement timelines tied directly to severity. Critical vulnerabilities are patched within one day, high severity within two days, and medium and below within one week. When a CVE is identified in an application covered by Iru's auto-app catalog, remediation happens automatically within the enforcement window, no manual intervention, no employee prompt to ignore.

Browsers generate the most vulnerability activity in Cronofy's environment. Firefox in particular has seen several critical CVEs recently. Before Iru, each one required a Slack post and manual follow-through across the fleet. Now they are remediated automatically, and Chris monitors status through Slack notifications configured for the IT admin team. For vulnerabilities tied to zero-day attacks, he wants them patched within a day of disclosure, and the enforcement windows make that the default.

Self Service handles employee-facing notifications without requiring the IT team to send individual reminders. The fleet stays current because the system enforces it, not because someone is following up.

Compliance evidence without additional overhead

Cronofy holds SOC 2 certification and is currently working through audits for ISO 27001 and ISO 27018. Getting there started with building a security baseline that could satisfy those programs from the start.

During the Iru trial, Chris reviewed the built-in CIS templates, evaluated several levels, and handpicked specific controls to match what Mirador had enforced and what the certifications required. The resulting configuration enforces FileVault disk encryption, secure passcode requirements, automatic screen lock after idle periods, device firewall, blocked USB storage access, and ensures macOS update enforcement cannot be disabled by end users. EDR is deployed automatically across the fleet as part of the standard configuration.

When the internal compliance project manager assigns endpoint controls to Chris, he pulls exports and screenshots directly from Iru. Because the controls are enforced by policy across the fleet, the evidence reflects actual device state rather than a point-in-time sample.

The evidence collection part on the Iru side of things is quite straightforward, because it is just literally showing the configuration for a library item, or that all of the devices have had the blueprint correctly applied to them.

Chris Taylor
Senior Site Reliability Engineer

Results

For months, the answer to "what's one thing we could change to make your life better" in Chris's 1-on-1s with Cronofy's CTO was always some version of: internal IT is taking up too much of my time. That answer does not come up anymore.

"Since we've had Iru in place, internal IT is no longer so much of a time sink," says Chris.

Every new hire, anywhere in Europe, now gets the same first-day experience: a fully configured Mac device, shipped directly from Apple, ready to use. Chris's role in onboarding is limited to assigning the device in Iru and adding the appropriate tag before the start date. The customs bill, the manual setup, the cross-border shipping, none of that happens anymore.

Security enforcement has followed the same trajectory. Patching that once required Slack reminders, executive reinforcement, and manual follow-through now happens automatically within the windows Chris configured. The fleet stays current not because employees act on prompts, but because Iru enforces the policy regardless. Under normal conditions, Chris logs in roughly once a week to review alerts, check vulnerability status, and make minor adjustments. Only two people hold admin access. There is no IT backlog, no chasing, no fire-fighting.

Looking Ahead

With the core program running, Cronofy is focused on what comes next: pushing further on compliance.

Cronofy is actively working through ISO 27001 and ISO 27018 audits. Evidence collection today is a manual process, meaning screenshots of configuration states and blueprint applications. So, Chris plans to explore Iru's Compliance Automation over the next year, with the goal of shifting from point-in-time evidence collection to a continuous, policy-driven posture.

For Cronofy's engineers whose first priority is building and maintaining the infrastructure that thousands of businesses rely on to schedule their work, every hour saved on device configuration and patching is an hour back on the application their customers depend on.

About Cronofy

Cronofy is a scheduling infrastructure company headquartered in Nottingham, UK, with employees distributed across Europe. Its API powers scheduling and calendar integration for thousands of businesses globally, including major HR and recruiting platforms.