For Longevity Consulting, SOC 2 Was a Wake-Up Call. Rippling IT Was the Fix.

The Challenge

Longevity Consulting has been remote since day one. No central office for employees to report to, no help desk down the hall — just CTO Andy Phelps, a support ticket queue, and a patchwork of tools that had grown organically over two decades.

Before Rippling, the IT stack looked like this: Office 365 as the email system and identity provider, Microsoft Intune for Windows device management, Mosyle for Mac management, and a spreadsheet for tracking the laptop fleet. 

Onboarding a new employee meant ordering a device from Apple or Dell, shipping it to Andy's house, enrolling it manually in Autopilot or Apple Business Manager, configuring it, packaging it up, and dropping it off at a FedEx, sometimes after a two-hour trip to the nearest Apple Store. Offboarding was the same process in reverse, with worse packaging on the return trip.

The bigger problem wasn't the inefficiency so much as the exposure. In a fully remote environment with rotating contractors, a missed checkbox during offboarding is more than an operational gap. It's a security risk.

The catalyst came during a SOC 2 audit that Longevity Consulting needed to go through for a new contract. Andy spent weeks pulling screenshots from five or six different systems, working through checklists with auditors, and documenting processes that didn't always hold up to scrutiny.

The audit turned up several negative findings — things the company simply wasn't doing, not out of negligence, but because the toolset made them too difficult to enforce consistently. Most employees had been provisioned with local admin rights on their machines, for example, because managing permissions across a distributed team without the right tools was nearly impossible. The auditors flagged it, but Andy had already known it was a problem.

"We probably turned four or five negative findings from our SOC audit into positives just by moving to Rippling. It was that simple.”

The Results

Devices and warehousing

The first and most immediate impact was on device logistics. Longevity now maintains a standing inventory of 10-12 spare laptops in Rippling's warehouse rather than having to run a logistics operation out of Andy’s home.

 "My basement was the warehouse. My wife was very happy when all those laptops were finally gone."

When a new employee joins, Andy adds them to the platform, selects a device, and the laptop ships straight to the employee's door, fully pre-configured. No trip to the Apple Store. No FedEx run. 

The return process is equally streamlined. When employees leave, Rippling ships them a box with a prepaid label. They pack their device and drop it off. Andy never has to touch it, track it in a spreadsheet, or hope it doesn't come back in a manila envelope. (Which did happen once. It wasn’t in great shape.)

Before Rippling IT, Mac devices at Longevity were managed through Mosyle with no IdP at all. Windows machines ran through Intune and Entra. The two environments operated in parallel, creating inconsistencies that were especially painful during audits: different screens, different terminology, different explanations required for each.

Now everything runs through Rippling, with SSO enforced across core apps like Zoom, Box, Adobe, and Ubiquiti for physical office access. MFA is standardized across the board. 

And instead of provisioning every employee as a local admin — a legacy workaround that kept getting flagged in security reviews — Andy can issue standard accounts with a self-promotion feature that lets developers and engineers elevate their own privileges for a defined window of time.

"With Rippling, they can promote themselves for half an hour, get what they need done, and still remain secure."

But of all the things that Rippling IT has changed for Longevity, offboarding is where Andy points first.

When an employee leaves, Andy enters their termination date and time. Rippling handles the rest: disabling the Office 365 account, changing the password, removing MFA, resetting all active sessions, reassigning data to the employee's manager, and deleting the license after a configurable number of days. Every step is logged and auditable. And, as above, device retrieval is automated too.

The negative findings from the previous audit — inconsistent MDM coverage, local admin rights, fragmented identity management — are gone. Policies that were once too cumbersome to enforce are now applied automatically to every device at enrollment.

For a government consultancy that may need to navigate not just SOC 2 but CMMC and other frameworks depending on contract requirements, the ability to apply standardized, auditable policies across the entire fleet — and pull evidence without hunting through six different consoles — is more than a convenience. It's a competitive differentiator.

"Rippling puts us on a better compliance footing across the board… I see it making my job a lot easier and the organization a lot more efficient.”