Hello, and welcome to the Let's Talk Azure podcast with your hosts Sam Foote and Alan Armstrong. If you're new here, we're a pair of Azure and Microsoft 365 focused IT security professionals.
It's episode 18 of season five. Sam and I had a recent discussion around managing macOS using Microsoft solutions. Here are a few things we covered. How is macOS different to other operating systems to manage? What Microsoft tooling can you use to manage them? What licenses do you need, and are there any new features for macOS you should know about?
We've noticed a large number of you aren't subscribed. If you do enjoy our podcast, please do consider subscribing. It would mean a lot to us for you to show your support to the show. It's a really great episode, so let's dive in.
Hey, Alan, how are you doing this week?
Hey, Sam. Not doing too bad. How are you?
Yeah, good, thank you. My adventures with Copilot continue this week. I feel like I am, I don't know, almost forcing it to bend to my will with prompt engineering. I don't know what it is about working with a large language model, but I kind of find the more specific I am with it, I sort of feel sorry for it, if that makes sense. Right. It's like, do this thing with this specific set of data in this specific way. Oh, and don't sound too happy or unprofessional or professional, et cetera, et cetera. Right. Do you find that your prompts just sort of spiral out of control sometimes?
Yeah. Yeah. I mean, when previously I was using chat for a few things, it was like that. But, yeah, in my normal day to day work, yeah, definitely starting to streamline them a little bit more or at least try different things to get that, I guess, that prompt right and understand it kind of thing.
Yeah. I do feel like the sort of reward, the feedback and like the, I don't know, the thrill of the chase, basically. Right. Like when you nail the prompt and you're like, you know, it's like almost magic, and it's sort of, it's just generating all this, you know, relatively accurate content that you can then use, and you're like, well, that's a lot easier than actually working out. You know, how to. For me, it's more about structure of, you know, output, if that makes sense. I find that it can structure responses really well, you know.
Yeah, that's probably one of the things that I struggle with is getting started with some of the stuff and, you know, how, which way to put it, kind of thing. You're right. Even if it gives you 8% of the content and the structure, at least then you can add the rest to make it exactly what you need.
Yeah, because when I'm talking with other people, they sort of say, well, do you have to go and double check it and everything? But yes, you do, because you have to check for hallucinations and any other inaccuracies. But I just find that. I don't know, I suppose if you're only generating small amounts of content, the prompt engineering can take longer than actually writing it itself. Right. When you've got larger bulks of text, it's really efficient at that point.
Yeah. I think you've also got to remember that even when you write your own pieces of documents and things like that, you still got to check it yourself because sometimes it makes no sense. You hallucinate yourself. You know, the AI that's within us.
Alan, are you admitting something on the podcast? Are you actually real?
Well. That's, that's how I don't react anyway.
Right. Let's get on to, let's go on to our topic this week. What are we talking about, Alan?
So we're going to attempt to talk about managing macOS generally kind of thing, why it's different and things like that, but also how we can use Microsoft tooling to do that management kind of thing. We've talked about Windows previously. I think we've probably talked about managing, and maybe not in great detail, but we've talked about managing mobile phones, Android and iOS. But macOS seems to be, you know, the, the one that's, you know, alongside Windows from a main, you know, main PC, main, your main device a user might use for their day to day. So I think it's worth sort of capturing how you can manage them. It's not just they're in the wild and you don't. You can't do anything about them kind of thing. You know, they are, you know, they are more expensive. They can be more expensive devices, so put an extra protection on them because I guess they're more, more appealing to go missing in some scenarios.
I love it. That's fair to say. I've seen the crazy costs of them. So.
Yeah, well, I think even in larger enterprises, some relatively decent sized organizations are Mac only anyway. But I would venture to say that even in large corporate enterprises that are mainly Windows first, I bet there's a design department or a marketing department that wants to, for whichever reason, or maybe even development potentially might want to start looking, you know, at utilizing Mac devices. And I suppose. How have organizations handled that previously, Alan? Have they just sort of ignored them? You know, just kept them disconnected from everything? You know, what's the sort of the bad practice that's happened there?
I think so. I've kind of been in this scenario previously from a few, few jobs ago before, you know, consultancy and maybe not actually having management of, you know, or dealing with the Macs themselves directly, but they tend to be kind of in this kind of thing where I said they're in the wild. You know, they are kind of left to their, to their, you know, to themselves. But you can, we have seen organizations connect them to Active Directory because they can do that sort of authentication so they can at least talk to other services on the network. But it doesn't really manage them. It's just, you know, it's just providing an authentication, authentication mechanism for you to be able to authenticate with your account to, you know, SMB shares or things like that that's on the network that maybe you need access to. So that's really kind of the only thing that I've seen them being used for. And this, this was probably, this is some time ago. So you know, the world has changed since then and it is easier to manage them in different ways. So yeah, really I think it's just been either, you know, the user gets the Mac, they manage it, maybe IT check it and put some base config on it. Maybe in some organizations they actually put some admin. I think you can do an admin account, can't you? And maybe just a standard user account on there and the user uses the standard user. But again there's never really any remote sort of way to manage them outside of other tooling like TeamViewer or something like that to jump onto the machine itself. But you know, if the password's forgotten then it's kind of gone from that scenario. Or if you want to do config changes, you know, they have to be done manually on the endpoints. But like you said, Sam, if there's only a handful of them in an organization then maybe that's not, that's okay to sort of manage that.
But like you said, if some organizations have got them, you know, across the, across the, you know, across the organization and high numbers, then central management probably should be considered.
Yeah, and I assume my assumption is that it wouldn't take that large amount of devices because of like how devices are used now. You know, hybrid remote working access to the, you know, I assume when you were more involved with it it was on site, you could literally walk over to it and work on it potentially. So I'm guessing that sort of explosion in remote, remote working. I wonder what the tipping point is. But then I suppose we'll come on to Microsoft solutions. But if you do have to go and acquire some sort of third party tooling, you know, just the base cost of that tooling plus any configuration and implementation could be, could be expensive. So it must be a challenge to decide at what point you start that centralized management.
Yeah, I guess it, like I said, it's kind of that thing of one making sure they're secure. But also you might have compliance with regulatory compliance, you know, requirements for maybe a business that you work for or, you know, are partnering with or, you know, is an external organization that you deal with and they have some requirements for you to have some restrictions on them and you've in effect got to prove that as well. Yeah, and also keep up to date. You know, that the config, you know, what changes, 'cause, you know, with new versions of the. Is it every year they bring a new OS out for Mac, new major.
Yeah. OS release. Yeah, yeah.
So there's always new changes and things like that that then you might need to lock down because you don't want users to use them because it might be more from a consumer sort of benefit and things like that or new capability that can then secure your access to various things.
Okay. So, yeah, so Alan, you know, I suppose a lot of people that are listening might be more Windows focused. So, you know, how do you manage Apple devices with an MDM and how is it different?
So, because, not necessarily because, but as sort of Apple products have been very containerized, isolated, not very open for users to be able to make changes to them. I mean if you think about iOS and Android, I mean that is one extreme to the other in some form. iOS having very specific things that you can and can't do to it even from application creation, things like that, what you can and can't do on them. It's very containerized. Everything in effect goes through the Apple network to get your notifications and things like that. It's just how they've configured that. And then you have Android that is fairly open and there's multiple versions of every operating system, things like that. But yeah, with macOS it's the same thing. It's very containerized, it's very restrictive about what you can and can't do with it, which is good because you know exactly what you can and can't do with it where, you know, some other ones, it's a gray area. Might depend on what type of device you have, things like that. But because it's kind of secured, you know, most, you know, when you turn on a Mac or an Apple device, it automatically connects to the, the Apple network, Apple relay and then checks to see whether this device is managed or it's been stolen or anything like that. So you always have to go through that network and in effect connect to it. So that's one of the differences. So when doing that, when you have an MDM to do, you have to, in effect, get the MDM to sign up to that relay service. So that means that once you connect to that, then your MDM can then communicate with that relay service and then send policy config, etc. down, you know, to your devices. That's where it's really different because, you know, with, with Windows, with Android, you know, you don't necessarily have to do that. You just have to, you know, it just connects on the Internet to the Microsoft system and then, you know, and then you start, you know, being managed in effect.
So that's one sort of key or one or two key differences there. And with that sort of restriction, you know, you have to make sure you've got all of that stuff in place first. And I guess generally with an MDM is slightly different because everything is containerized. So the settings are quite, when you come from Windows, it's quite a different sort of setup in that sense. It's very, like I said, it's very modular with what you can change and things like that. But again, that's quite good because you understand exactly what everything does on there. So, yeah, I think that's generally kind of it. The other things is you can have the ability to do zero touch deployment that's using things like the Apple Automated Device Enrollment and the Apple Business Manager side of things. And there is also direct enrollment around that. So there is those options, well, as well as just, you know, just signing up to your MDM, using their product to start that enrollment.
Okay, nice. Yeah. So do you want to talk about maybe Apple Business Manager and how that sort of side functions?
Yeah. Okay, so I'll kind of talk about Apple Business Manager in itself first. So Apple Business Manager is kind of as it, as it sounds, it's the sort of the management portal, management solution for your organization. So when you set it up, you have to give a lot of information about your organization so it can be created. There's a lot of verification there to prove that you are that organization. Once that's configured, there's like two or three parts. There's probably two parts to it, at least. Now we'll call it three parts, actually. One part is you can have local users in there so you can create users there that then can be used to sign to create your organization's Apple IDs so that you can manage them from that portal. One part of that is you can actually federate with, with Entra. And then, you know, you use your Entra IDs to sign in to Apple, Apple ID. You know, use them as Apple IDs. That's one part. Another part is the volume purchasing program, VPP. And that is where you can purchase software to be installed from the Apple Store. And you can purchase licenses even if they're free in effect, but you can push them in there and you can send to users and then you can use an MDM to then deploy them to the, to the devices with their license. So there's that part, that's where you'd purchase say 100 licenses of, I know, Adobe Acrobat Reader kind of thing. Or another solution there. And then kind of third part to it is that you can, man, you can get your devices added to the Apple Business Manager and they become your devices. So it's almost like in the Windows world, the Windows Autopilot device list, your list of your endpoints, in effect. So a similar thing to Windows in that your, where you purchase your, if you purchase directly from Apple, then they can automatically go into there providing you buy it through your business account.
And if you've got a supplier and they support it, then you can get them to, when you purchase them, they can then add it to your account. So then all your, your serial numbers and that turn up in, in your, in your device. Once, once they're in there, you can then add within your MDM. You can then say, give, get a, give the Apple Business Manager a token. Is it the way around? No, it's the other way around. In the Apple Business Manager, I think you, you get a token for your MDM. You give it a name and you get this token, you put it into your MDM. And then you can then assign those devices or subset of those devices to the MDM, which then means that when they go through their initial logon, they then go, hey, I may we use Contoso. We're a Contoso device. You need to sign in to it with your, with your, your Apple ID or you have to do your authentication, whichever that might be. In the Microsoft, you know, solution area, that's going to be, you know, an Entra ID sign in. It then enrolls into the MDM. And then once it's enrolled, you get to the, you know, the, the home page, then it will start then deploying software, deploying config and things like that. And one of the great things about the auto enrollment side of things. So the sort of that Intune, not Intune, but the MDM and Apple Business Manager part, it, that's what the Apple Automated Device Enrollment part is. So the ADE, I think they called it, was called something else before. I can't remember what it was. That's that, that, you know, enrollment part. So now that's all enrolled. One great thing about it is that if for any reason you reset it and then it got, or it got stolen or lost, if someone tries to rebuild it, you know, reset the device, put, you know, wipe it completely and put the, the firmware back on so it's completely clean of anything that was previously there. Because it talks back to Apple at the start, it knows it's still a Contoso device.
So it comes up and says, right, putting your Contoso details in. So it has got a security mechanism in there which is slightly different to the Windows Autopilot part, but no one can use that device unless an admin removes it from the Apple Business Manager to allow it to be used for another device to be used by someone else. That's really powerful there as well. So that's probably a high level part to how you, how you sort of do that. Auto enrollment, you know, zero touch enrollment using Apple Business Manager and the, you know, the Automated Device Enrollment.
Cool. So what Microsoft technology integrates with Apple Business Manager to sort of manage macOS devices?
Yes, I kind of said it unintentionally, but the main MDM is Intune. It's got the full functionality there for that integration for managing the licenses and that. It's also got, as we kind of mentioned, you know, Entra ID is quite key for managing your Apple IDs so you can keep them there because generally what might happen is, I think I didn't say this before, but a user might set up an account, they may have a license against them and then they leave the organization and then no one can have access to that account or a device might be activated, activation locked against that account and no one knows the password or recovery. So you managing it through Apple Business Manager in making them use their Entra ID accounts is a bonus there. But yeah, Intune is the main MDM that we can use. It supports all of that automated integration with Apple Business Manager. Relatively simple to set up, providing you've got, you create that connection to the network, to the Apple relay, which is an APN, which is an Apple. I don't know why it's called APN. It's an Apple MDM push certificate. So it connects their APN. So once you've got that in place, then you can start managing it. Then you create enrollment tokens and things like that to then create that connection for the auto enrollment and the VPP tokens to get the licensing and things like that pushed down. So then you can deploy the applications silently to the endpoints. So yeah, that's probably the, the two technologies. I mean, you. Yeah, full macOS, there's other technology that you could use but not refund management because you've got Defender for Endpoint that you can, you can deploy as well onto there.
Okay. Yeah. So what are the key things that you need to get started?
Yeah, so really it's to get started just managing Apple or macOS devices, then you need to create that Apple MDM push certificate. If that's all you're doing and you're not going to look at auto, automatic device enrollment or the Apple Business Manager, then you don't necessarily need to. If you want to be able to silently install applications, then you do need Apple Business Manager, at least for the VPP part. But also there's this term of a device being supervised. So it's probably worth talking about this because it's also for iOS devices. So if a device has already been signed into, gone past setup and then you enroll it into an MDM, then because of where the MDM has been installed, it doesn't have full access to the operating system. So there are some things that. So when it's installed as the user, rather than at the sort of device level, I guess it's classed as unsupervised. So you're able to deploy software, but the user has to say, yes, I want to install that, or yes, I accept that. And there's a few things, few configurations that it's unable to touch because it's not been, it's kind of in the user context and the user's not allowed to automatically touch some of those, those, those settings in effect, or doesn't have access to the APIs in the OS to manage it. When you push a, when a device is auto enrolled via the Automated Device Enrollment via the Apple Business Manager, because it's done at the activation time, then it has full control across the operating system. So all APIs that are available to the MDM and then, you know, you're able to install software silently, make changes to different, you know, different parts or lock it down more. So there's one key benefit there from doing automatic. There are some, what should we say, some of some caveats to that, isn't there, around getting it into the Apple Business Manager side of things and what you have to do to be able to get into the supervised state, I suppose probably worth talking about.
So if you want something to be in the supervised mode, then as I said, it's got to be done at that activation as the machine is being set up. So one, to get it into Apple Business Manager, if it's done by your supplier or by, you know, you've bought the device by Apple, then all it needs is a factory reset and then it will know that it's part of that MDM. But if it's been bought from the local Apple store or it's been repurposed, maybe from another. No, it's a, it's a. I can't think of the word now, a refurbished Mac. Then you have to use the Configurator app and then you can manually sort of enroll it into Apple Business Manager and then it can be supervised. But again, as you do that, the device is wiped, factory reset at that point. So yeah, moving into. Into a new. Well, moving into a new MDM because maybe you want to switch MDM or you're enrolling it again, so it is supervised, then the device has to be wiped. So there's a lot of, I suppose, disruption for the user at that point. So we do see organizations take the stance that new devices will be enrolled in the new way and then they'll work on migrating the other ones as and when they can because users are, I guess, reluctant to have their device wiped because they've got, you know, set up how they want it kind of thing. Is that fair to say, Sam?
Yeah, you, the gotcha really about, you know, having a current estate of Mac. Let's talk about like laptops and desktops, you know, because they were the tricky ones because iPhones and iPads were, you know, you've been able to self enroll those for a long time. Previous to Apple silicon and, or, and T2 chips in Intel Macs, you can't self enroll those machines. It's once, once they're purchased through retail channels. So previous to those machines, I don't know how long. T2 has been out for a long time. And Apple silicon is at what, generation three now? So generation four, actually? Well, no, they haven't hit Macs yet, but. So generation three to generation four now. So I wouldn't suppose that would be an issue for enterprise or larger organizations because they generally tend to have, you know, refresh cycles that will support that. So that's the only thing that I would, you know, just. Just call out. And when you're ordering directly from Apple, you have to order through Apple Business. There's a completely separate Apple store for business interactions versus Apple retail. If you purchase Apple Retail, you'll have to manually enroll using the Configurator app for the iPhone to do it for Macs, basically. So there's extra work there that you've got to do. So if you want the, you know, if you want. The seamless user buys, you purchase a Mac through Apple Business and it gets shipped directly to the user. And when they open the device, they connect it to Wi-Fi, everything takes over. Your company details are then shown, then you need to purchase through those Apple Business channels or a third party authorized reseller.
Yeah. Yeah, I did. Yeah, do. Yeah, thanks for that, Sam, because that's just so cleared up what I was trying to say, I think.
Sorry, Alan. What? Sorry, say it again.
I was just saying that. Thanks for. For sorting that. Well, clarifying that. That's kind of where I was going with it.
Yeah, no, we're good. Yeah. It's not so much of an issue now.
No. And again, those other devices aren't like you said, you know, they're just on the clap, deemed as unsupervised, so you can still manage them. It's just not the. It's not the same experience in effect, is it? So it's fine.
Yeah. So, Alan, what can you manage on the devices?
Yeah. Okay. So if anyone's used Intune or an MDM before, generally you're going to kind of. These kind of be the standard things. So you can deploy. Deploy software, you can do device restrictions, that's, you know, setting passwords, device password limit, you know, length and things like that, restricting like AirDrop and things like that. So you can reduce the amount of exposure to data, leaving, you know, the device. You can set up device compliance to make sure it's encrypted and things like that. Because then that signal can go to Conditional Access. So you can make sure that the device compliant before has access to any of the. Any of your resources. Can configure Wi-Fi, VPN, macOS extensions. You can also add some organizational branding as part of the sort of enrollment process and you can manage some of the features as well on the endpoint. So like I said, you can turn off some of the things you can, you can turn off Bluetooth on it. But I think that's probably something that some organization probably definitely wouldn't do because we use Bluetooth mice and headsets and things like that. Alongside that you can do certificate deployment so you can deploy trusted certificates as well as if you've got a certificate authority, maybe it's an Active Directory one or maybe you're using the new Cloud PKI. You could deploy certificates from those services and then onto the endpoint for user and device. You can manage the sort of firewall configuration. I think the bits that you can do in this is more around per app. So allowing apps individually whether allowed out specifically and not say of course, but you can also manage the Defender endpoint configuration on there, exclusions, scans and things like that on there. So at a high level that's the kind of things you can do. When doing applications, you can search for them in effect for the store. So you don't have to worry about knowing the Apple package IDs.
Just search it in the Intune portal, select it and then you can say who gets deployed, things like that. Or if it's been brought down by VPP, the volume purchasing program via Apple Business Manager, then they appear as apps that you can then deploy.
Nice. All the things that you would essentially want or need to configure I think are pretty much covered there especially a lot more visibility than doing it manually.
Yeah, I think Microsoft have really pushed hard to get parity with, you know, they're trying to get parity as much they can with Windows management. You know where, where there is parity because you know they are different operating systems so they have tried to, you know, bring everything that they possibly can to it. You know we've seen, you know, not say within Intune but with other things, you know, other solutions like Defender for Cloud where it's not just about their products anymore, it's about everything so kind of thing. So. So yeah, I don't know. I am starting to see, I guess a few more organizations start to think of looking at whether Mac can not say replace but trying to work out the differences now or trying to do comparisons against Jamf now because Jamf's been a very key Apple sort of MDM for iOS and macOS. But I think Microsoft have pushed as hard, hard to sort of get a lot of parity and use as much as they can from Apple to get access to all the APIs and things like that, to do that management side of things. They've definitely been closer in partnership around some of the new features they're bringing around single sign-on and things like that as well.
Nice. Yeah. This is utilizing Intune and sort of on the Windows side, there's many different actions that you can sort of target against a device. Do you have the same capability there with Mac? And if so, what can you do with it?
Yep. So you can, you can do remote actions kind of, I suppose in somewhat obviously that a lot of the ones you might see on the Windows devices are specific for Windows. BitLocker key rotation is definitely not going to be on macOS. Yeah. You can remote wipe the device so it resets itself, you can force the synchronization. One extra that is for, for Apple devices is you can actually disable that activation lock providing it's supervised, so you can stop it from being locked to, you know, if a user leaves and things like that. You can remotely lock it. If it's been left unlocked or it maybe someone's identified it, might have been left on, left in a public area, they've forgotten it and you can remotely lock it. You can rename the device, remotely restart it and you can retire it, which in effect removes it from the MDM. But I probably think you can't do that when it's fully, automatically device enrolled. That's more around when it's just supervised. Yeah, that's the key things that you can do remotely from it. If you've also got Remote Help from the Intune Suite, I think that also allows you to remotely, you know, jump onto that machine as well. So. Yeah.
Nice. Lots of, you know, administrative actions that you can take there. So Alan, the big question that we ask every time, what's the licensing and cost associated?
So I'm not going to, I don't know what the costs are because these vary sort of location, things like that. But in effect, all I say all, all that you need is the user to have the minimum is an Intune Plan 1 license, which most, I think it's fair to say most organizations that are in the Microsoft sort of 365 ecosystem more than likely have now. So because it's normally part of your M365 E3, it's part of even se three. If you, if you're splitting it, if you're split, you're not having that sort of SKU. And then it's in the height, then you know, it's in the E5s as well because it's part of the M365 E3. So yeah you just need an Intune Plan 1. It's probably recommended to probably have an Entra Plan 1 as well just so you can do that other integration and MFA in effect or single sign-on stuff within some of it as well. But technically you could have Entra free with Intune Plan 1. So yeah it's relatively simple. It's not like I said I think I feel a lot of organizations have Intune today. I think it's been not say long enough but law or it feels like a lot of organizations are at least at that M365 E3 or Business Premium sort of level now, to be able to use some of that extra functionality because, one, because of the security perspective, but this is really about device management. And again this manages Windows, iOS and Android and macOS, and I think there's some, I think Linux and maybe Chromebook OS now as well. So you get a lot more with that, you know, with that Intune license anyway. And I guess if you did want Remote Help, which I did mention, you can buy that on its own and with as part of the Intune Suite, but that is an add-on on top anyway for most organizations.
Okay great. Is there anything else, Alan, that you wanted to cover around Mac management? Anything else that's, you know, that we've missed?
So it's not our news week I know but and it's this technically not management but it's kind of related. Microsoft announced I think a couple of days ago or this week at least that it's in public preview now of macOS and Android D having this Platform SSO, which means that in effect you can, using the Company Portal app, Intune and the, let me just get the name of it, the Microsoft Enterprise SSO plug-in installed, that in effect you can do single sign-on into applications now as well as, I think it might have only been websites you could single sign-on into, but this now allows you to do that across application, well, that support it. So Microsoft 365, Outlook, things like that now support it, and as part of this as well it uses the Apple's Secure Enclave technology. So this is in effect making, providing a equivalent to Windows Hello where it's using a TPM to store your, your, you know, authentication or your, your token in effect to perform second MFA, phishing-resistant MFA, and bringing that to Mac, to macOS. So that's in public preview at the moment and I think like I said it was only announced a couple of days ago. In fact it's probably looking at this. The article was published a week ago. I think it was only officially announced sort of a couple of days ago, but yeah, that means then you can use your Touch ID potentially to then sign into your Office applications. And M365, which I think is very, very powerful.
Yeah, definitely wherever we can streamline that user authentication and also, you know, the vast amount of, you know, prompting and MFA-ing that we do, you know, day to day. And if it's all integrated then, yeah, 100%. Because there's always been a bit of a disconnect really, around your sort of your Entra identity versus the local user account on the machine because even though when it is supervised, there is still two logins that you have to manage there. So I haven't used this yet because this is. Yeah, as we say, like red hot new. It's going to be really interesting to see how it improves that situation.
Yeah, exactly. So, see, I thought it's worth bringing that up as we're sort of talking Mac, macOS from that. But, yeah, nothing else. I don't think for now there's probably more we could dive into. But I think from a first stab, first I, you know, first shot at this, this sort of topic, I think we've covered as much as we can in our 44, 45 minutes slot.
Nice, Alan. Yeah, thanks for that.
Yeah. So some of the previous episodes or an episode people might want to listen to might be season four, episode eight, where I talked about zero touch deployment. So I kind of touch all of the different types at a high level if you want to know about some of the other ones that you can do. So, yeah. So what's next then, Sam?
Yeah, so next week I'm going to cover Azure AI Search, which is a sort of a database, if you will, that allows you to build AI solutions which use retrieval and search, or it's more commonly referred to RAG, which is effectively a way to store data which can be pulled from large language models and used for searching. So, yeah, it's a relatively new but also quite important in the world of AI and how people integrate their own large language models. So, yeah, I'll be covering that next week.
Okay, great. Sounds. Definitely sounds interesting. Okay, so did you enjoy this episode? If so. If so, do please consider leaving us a review on Apple, Spotify. This really helps us reach out to more people like yourselves. If you do have any specific feedback or suggestions, we have a link in our show notes to get in contact with us.
Yeah. And if you've made it this far, thanks ever so much for listening. And we'll catch you on the next one.
Yep. Thanks, all.