Workforce Identity
Endpoint Management
Endpoint Detection & Response
Vulnerability Management
Compliance Automation
Trust Center
The challenge
Octopus Money provides one-to-one financial advice and coaching to individuals and employees across the UK. The business is FCA-regulated, ISO 27001 certified, and GDPR-scoped carrying the full compliance weight of a regulated financial services firm, where the protection of data isn't optional, it's a legal and regulatory obligation.
Luke Spray joined as the company's first internal Information Security hire. Being the first dedicated Information Security hire in a regulated, growing financial services firm meant a fleet of more than 200 Mac computers and a security posture that depended entirely on him to enforce.
The controls Octopus Money needed were in place. In practice, every one of them ran on manual input. ISO 27001 evidence, CIS-aligned baselines, vulnerability response, patch deployment, and onboarding all sat on Luke's calendar. "It just wasn't scalable for us to look after," he said.
The previous MDM compounded the load. Patching would stall mid-flight, leave end users to reboot their machines to recover and not even finish the needed patches. Onboarding took twenty to thirty minutes of manual department selection and configuration per new hire. CIS Level 1 had to be assembled policy-by-policy. For a small function inside a regulated business, that was not a steady state Luke could hold.
The solution
Choosing Iru
Luke had used Iru at previous companies and knew the pattern: consolidate device management, automated patching, vulnerability response, and EDR into a single console, then let the automation carry the load. With Iru's migration agent, the move happened fast. The build-out happened faster.
Configured in a day, not a quarter
The full Iru estate was stood up start to finish in a single working day.
When we onboarded Iru, within a day I had it all configured. That was start to finish: all the auto apps, all the patch management, all the vulnerability management stuff. It was literally in a day when I was already enrolling devices.
Luke Spray
Information Security Manager, Octopus Money
Information Security could stand the platform up between other work, no deployment project, no consultancy engagement, no quarter-long rollout.
Click-and-go security baselines
Rolling out CIS Level 1 benchmarks across the estate had been a manual policy-by-policy build in the previous MDM. In Iru, Luke applied the benchmark to the estate with a single click.
One of the things I wanted to do when I joined was roll out CIS Level 1 compliance policies to all of our devices. In our last MDM, that was really manual... In Iru, you can literally start the benchmark by clicking CIS Level 1, it sets it all up for you. So it's night and day difference.
Luke Spray
Information Security Manager, Octopus Money
The security baseline that used to be a configuration project now lands as one configuration.
Aggressive automated patching, driven by CVSS
In the previous MDM, patches would stall mid-deploy and leave end users to reboot their machines to recover. There was little to no visibility for the user about what was being patched or when. Luke rebuilt the model in Iru around CVSS severity. Anything scored above 8 ships immediately. Lower-severity updates ride a longer window, and end users can see what's being patched and when. According to Luke, "it's been really successful."
Across the estate, Auto Apps now covers roughly 80% of automated patching out of the box. For the rest, mostly developer dependencies installed through Homebrew, Iru still surfaces the vulnerabilities. Luke runs a monthly cadence with developers to update Brew packages on a predictable schedule.
Results
Within roughly six weeks Luke migrated more than 200 devices off the previous MDM and into Iru, including patch management, vulnerability response, EDR, and MDM, with no extended business disruption. Onboarding compressed from twenty to thirty minutes per new hire down to ten, with new joiners authenticated through Google Workspace and dropped into the correct Blueprint automatically, app list, dock, and wallpaper provisioned along the way.
In our last MDM, onboarding the laptop took about 20 to 30 minutes at times. With Iru, we got it down to 10... For the onboarding experience, where the new joiner is already going through so much, being able to get the laptop ready in 10 minutes and have them start absorbing other information is so important.
Luke Spray
Information Security Manager, Octopus Money
Offboarding devices now runs end-to-end without a human in the loop. The HRIS system feeds a SaaS management tool, which fires the offboarding sequence on the leaver's exit date, revoking Google Workspace and Slack access, then calling Iru's API to lock the device with a return-the-laptop message and set a device PIN. At 5 PM on a leaver's last day, the device is locked and Luke isn't checking.
EU data residency, a hard requirement for the firm was met out of the box on Iru's AWS EU region. The single-plan pricing model meant features like SAML and SCIM provisioning came in the box, not behind an enterprise upsell.
Using Iru MCP, reporting evidence now falls out of the platform. Patching and version compliance stats pull directly into reporting, supporting FCA, ISO 27001, and GDPR posture without bespoke prep. Compliance is a byproduct of the automation, not a project on top of it.
Looking ahead
With the Mac fleet running on automation, Luke is extending the same operating model to Windows on the same Iru console opening up potential device options for users with Windows only tooling without standing up a second MDM.
Automation continues to thicken the offboarding evidence trail across HR, identity, and device. The platform is configured for the next stage of headcount growth without adding to the IT function that runs it.
About Octopus Money
Octopus Money is the financial-advice arm of the Octopus group, the family of companies that includes Octopus Energy. The business provides one-to-one financial guidance to UK households and is FCA-authorised, ISO 27001 certified, and GDPR-scoped, with customer data hosted inside the European Union.