Bartosz
Borowski

Led the end-to-end planning and delivery of a company-wide WiFi infrastructure overhaul, replacing end-of-life Cisco Meraki access points with Ubiquiti UniFi U7 Pro Max (WiFi 7) APs across the main office and two remote sales centres.

Business Case: Authored the full project brief and business case, identifying that Meraki's enterprise licensing represented significant unnecessary expenditure. A cost-benefit analysis demonstrated projected savings of approximately £5,000 over five years by migrating to a self-hosted UniFi solution with no recurring licensing fees.

Delivery: Managed procurement via competitive tender, salvaged an existing Intel NUC to avoid additional hardware costs, and deployed Ubuntu 24.04 LTS as the UniFi Network Management Controller host. Configured secure remote access, UFW firewall rules, VLAN-based staff/guest SSID segmentation, and zero-touch AP adoption across all sites. Resolved PoE+ compatibility issues and firewall port conflicts without service disruption.

Outcome: Migration was seamless and transparent to end users with no reported service disruption. The new infrastructure ensures Cyber Essentials compliance, supports the forthcoming WiFi 7-enabled Device-as-a-Service refresh, and is expected to remain relevant until at least 2031.

Designed and delivered a full mobile device management solution for all corporate Apple devices — iPhones, iPads, and Macs — integrating Apple Business Manager (ABM) with Microsoft Intune to achieve Cyber Essentials compliance and replace an entirely unmanaged estate.

Key Challenge: A critical early challenge was recovering an ABM account originally set up by a former employee with no documentation or handover. This required engaging Apple Business Support, compiling legal proof of company ownership, and successfully regaining full administrative control of the account.

Technical Delivery: Configured the full technical stack across both platforms: MDM Push Certificate, ABM-Intune enrolment token, automated enrolment profiles with supervised and locked enrolment, VPP token for corporate app deployment, and dynamic Azure AD group architecture for automatic device targeting. Deployed Microsoft 365, Defender, Teams, and Adobe Acrobat company-wide alongside role-specific apps for sales teams.

Rollout: Delivered in two phases — an IT pilot (Phase 1) followed by a full business rollout (Phase 2), during which a more efficient wireless enrolment method using iOS Apple Configurator was identified, eliminating the need for physical USB connections. Managed migration of all users from personal iCloud accounts to corporate Managed Apple Accounts.

Identified and made the business case for replacing the company's ageing DrayTek router with a UniFi Enterprise Fortress Gateway, addressing critical security gaps including the inability to inspect encrypted HTTPS traffic and no intrusion detection capability.

Business Case: Authored a detailed project brief including a full threat landscape analysis, vendor comparison across Fortinet, SonicWall, Cisco Meraki, and UniFi, and cost justification — securing approval for a one-time £1,617 investment with no recurring licensing, against enterprise alternatives costing £13,000–£34,000 over five years.

Delivery: Executed out-of-hours within a planned two-hour maintenance window. Pre-migration work included full config backups, firmware preparation, colour-coded cable labelling, VLAN design, a step-by-step migration runbook, and a documented rollback strategy. Post-migration produced a full network topology diagram in Microsoft Visio.

Outcome: Delivered VLAN segmentation, encrypted DNS (DoH/DoT), Intrusion Detection and Prevention (IDP) with daily signature updates, rogue DHCP detection, and dual PSU redundancy integrated with a new UPS. Project completed with no service disruption and a materially improved security posture across all connected sites.

Identified and made the business case for replacing Sophos Intercept X and Sophos Email Advanced with Microsoft Defender for Endpoint and Defender for Office 365, leveraging capabilities already included within existing Microsoft 365 Business Premium licences.

Business Case: Authored a cost-benefit analysis demonstrating projected savings of ~£15,500 over three years, with a one-off implementation spend of ~£2,500, eliminating ~£6,000 in annual recurring Sophos licensing costs. Engaged BCN Group as an implementation partner to manage risk.

Endpoint (Defender for Endpoint): Designed and deployed a comprehensive Intune policy suite covering Attack Surface Reduction rules, Tamper Protection, real-time scanning with cloud-delivered protection, Network Protection, and custom device tagging. Staged rollout across IT test, pilot, and business-wide phases with formal acceptance criteria across eight security controls.

Email (Defender for Office 365): Coordinated DNS delegation for DKIM and DMARC configuration, managed company-wide communications during switchover, and deployed a tiered Standard/Strict protection model. Configured VIP impersonation protection for senior management, established trusted domain allowlists, and validated full SPF/DKIM/DMARC alignment post-cutover on 6th January 2026 with no outages.

Identified that a significant portion of Adobe Acrobat Pro licences were being consumed by a single, simple workflow — extracting individual pages from multi-page PDF construction drawing packages. Used AI-assisted development to build a purpose-built internal Windows desktop application with no prior software development background and no external development costs.

The Application: Built in Python using open-source libraries (PyMuPDF, Pillow, Tkinter), the DH Stamp Plan Extractor provides a graphical interface for browsing PDF thumbnails, selecting pages manually or via keyword search, automatically extracting drawing titles from AutoCAD title blocks, and saving individual pages as standalone PDFs.

Technical Challenges Solved: The standard Tkinter file dialog does not load Windows shell namespace extensions, making ZeeDrive-mapped SharePoint locations invisible — resolved by replacing the dialog with direct Windows Common Dialog API calls via ctypes. AutoCAD PDFs write text layer-by-layer rather than in visual reading order, causing title block extraction to interleave labels with values — resolved with a two-strategy title parser combining phrase-line matching and a hardened label-skip list.

Deployment & Outcome: Packaged using PyInstaller and deployed silently via Intune as a Win32 app. Delivering ~£1,750 in annual savings with no ongoing licensing or vendor dependency.

AOC provides the Royal Armouries Museum with private WiFi infrastructure for events and the annual UKREiiF conference, where exhibitors purchase private connectivity for their stands. As the conference scale grew, bottlenecks in the existing infrastructure were limiting the number of paid connections available.

Scope: Led analysis, design, and implementation of a full network infrastructure upgrade to support 10G speeds across three independent buildings. The project involved coordinating new fibre line installs with an external contractor, building multiple pfSense-based firewalls and traffic shapers with 10G capability, and designing a 7-switch stack spanning the museum and surrounding areas.

Scale & Outcome: The network was designed to serve approximately 3,000 concurrent clients at peak during UKREiiF. Delivered on time with no delays and no outages to the wider museum staff or public WiFi during the implementation phase. The investment yielded positive financial return after UKREiiF, establishing AOC as a top-tier contractor with key museum stakeholders.

Delivered a comprehensive 17-initiative security and infrastructure modernisation programme across Duchy Homes, with an estimated total investment of ~£6,000 in hardware and capital items. The programme addressed critical gaps in mobile device management, wireless infrastructure, endpoint security, network resilience, and identity controls.

Key Initiatives: Apple ABM & Intune integration for iOS/iPadOS lifecycle management; WiFi modernisation from Meraki to UniFi across multiple sites; NUC and shared device Intune enrolment; Windows 11 upgrade programme; leased line cost optimisation (50% reduction); UniFi Enterprise Fortress Gateway deployment for IDS/IPS and Layer 7 inspection; Sophos→Defender endpoint and email migration; UPS installation for resilience; device refresh via competitive tender; phishing-resistant MFA for administrators; managed iOS web clip applications; meeting room device Intune management; enhanced anti-spam policies; tenant-wide Conditional Access expansion; printer OAuth migration; platform-specific Defender policies; and Windows Autopilot automation expansion.

Outcomes: Microsoft Defender Secure Score improved from ~54% to ~79%; Entra ID Secure Score improved from ~55% to ~80%. IT-related costs for Jan-Dec 2025 reduced by ~£8,000 through software licensing consolidation and managed connectivity optimisation. Security posture, resilience, and manageability all improved materially, positioning Duchy Homes on modern, supportable platforms aligned with Microsoft and industry best practices.

Designed and implemented Single Sign-On (SSO) across six enterprise SaaS platforms, centralising authentication via Microsoft Entra ID and eliminating password fatigue across business-critical applications.

Implemented Applications: Procore (construction document management) — SAML via dynamic group assignment; Zutec (Part L compliance) — SAML with static group targeting high-risk roles; HubSpot (CRM) — SAML with sandbox-first validation approach to ensure zero production disruption; AutoDesk (design software) — SAML with DNS domain verification and credential-based re-authentication; EVA Check-In (site attendance/induction) — OAuth-based Graph API integration; SolarWinds Service Desk (ITSM) — SAML restricted to IT function only.

Applications Reviewed & Excluded: Timetastic, Geniebelt, Bluebeam Revu, and Adobe — all assessed but excluded due to paid SSO add-on requirements or licensing constraints.

Outcomes: Centralised identity governance through Entra ID; reduced password management overhead and credential risk; improved onboarding/offboarding via group-based access; enhanced auditability and compliance posture; improved user experience through single credential model.

Multi-component strategic initiative implementing Zero Trust principles across identity, devices, access control, and data governance. This programme replaces siloed, reactive security measures with a cohesive, centrally-managed compliance and access framework.

Exchange Online Mailbox Archiving & MRM: Implemented a two-tier archiving strategy (2-year policy for general users, 3-year policy for business-critical roles). Restructured legacy Exchange Messaging Records Management (MRM) policy to simplify and modernise configuration, improving user clarity and alignment with Microsoft best practices. Archive mailboxes provisioned for high-traffic accounts, reducing primary mailbox pressure and supporting business continuity.

Compliance Notification Framework Overhaul: Redesigned all Intune compliance notifications with severity-based messaging, Quick Fix self-remediation guidance, and professional branding. Shifted from notification-only to user-empowerment model, reducing IT support overhead while improving time-to-resolution.

NUC Privilege Model Redesign & UAC Hardening: Transitioned from local administrator kiosk model to identity-based, centralised privilege elevation via Intune Account Protection. Added explicit UAC enforcement across corporate Windows estate. Kiosk accounts now operate as standard users; IT elevation requires credential authentication, aligning with Zero Trust principles and Cyber Essentials least-privilege guidance.

Android BYOD Compliance Policies: Implemented three Android compliance policies (password/encryption enforcement, minimum OS version Android 13, device health/root detection) targeting personally-owned devices via dynamic group assignment. Ensures devices meet baseline security standards before Conditional Access enforcement gates access to Microsoft 365.

A self-built SFF (Small Form Factor) home server that has been running continuously since 2021. Built from scratch with hardware carefully selected for the specific demands of 4K Dolby Vision and HDR video transcoding — the key requirement being Intel QuickSync hardware acceleration, which allows high-bitrate 4K streams to be transcoded in real time without taxing the CPU.

Software & OS: The server runs the current Ubuntu LTS release — always upgraded to the latest long-term support version to ensure ongoing security patches and kernel support throughout the hardware's lifetime. Plex Media Server runs as a background service managing the media library and handling all local and remote playback requests. Windows devices on the local network can access the media library directly via Samba shares, providing a seamless file-transfer experience without any additional software required.

Maintenance & Efficiency: The server is configured for largely autonomous operation. Unattended-upgrades handles automatic OS and security patching. Scheduled overnight reboots allow maintenance windows to be applied without manual intervention, and HDD spindown add-ons reduce power draw during idle periods — keeping running costs low over time.

Remote Access & Security: Remote access is handled entirely via a Cloudflare Tunnel — there are no open ports on the home router. The cloudflared daemon maintains a persistent outbound connection to Cloudflare's edge through which all remote Plex traffic is routed. SSH access is available but restricted to a limited number of local devices via Ubuntu UFW firewall rules, with no remote SSH exposure.

A self-hosted Home Assistant installation that serves as the central automation hub for the home — powered by Claude API for energy analysis, forecasting, and recommendations. The system is built around maximising solar self-consumption, autonomous energy arbitrage, and optimising battery and grid usage to maximise return on investment from the installed energy systems.

Active Integrations: SolisCloud API (solar inverter & battery), Intelligent Octopus Go (smart overnight EV charging tariff), Octopus Saving Sessions (demand flexibility events), Octopus Free Energy Sessions (bonus free-energy windows), AxleVPP (event-based grid support battery dispatch), MyEnergi Zappi API (EV charger control), Tesla Fleet API (vehicle state & charging), Solar Forecast API (next-day generation predictions), Google API, Zigbee2MQTT (local Zigbee device control), and Thread/Google Home integration for smart devices.

Automations & AI: All logic is built in self-written YAML automations that run entirely locally. These automations coordinate charging schedules, battery dispatch, export decisions, grid support event participation, and EV charging windows based on real-time solar output, tariff pricing, weather forecasts, and battery state of charge. Claude API is integrated to provide natural language energy analysis, summarise daily performance, and surface recommendations — adding an AI reasoning layer on top of the raw sensor data.

Remote Access & Security: Home Assistant is accessible remotely via a Cloudflare Tunnel with Zero Trust policies enforced — no ports open, identity-gated access at Cloudflare's edge. SSH access to the host is restricted to a limited number of local devices via Ubuntu UFW firewall rules.

A self-managed home network built on Ubiquiti UniFi hardware centred on a UDR7 router, providing the reliable and controllable foundation on which Plex, Home Assistant, and all Cloudflare Tunnels run. The network operates on a static public IP address, which simplifies tunnel connectivity and ensures consistent routing for all outbound services.

Architecture: The network runs as a flat network without VLAN segmentation — a deliberate choice for the home environment where complexity is managed differently than in an enterprise context. Security is instead enforced through Zero Trust firewall rules that control traffic flows based on identity and destination rather than network segment, combined with Cloudflare Tunnels that eliminate the need for any inbound port exposure.

Management via UniFi Site Manager: The network is managed through UniFi Site Manager — Ubiquiti's self-managed cloud platform, included at no additional cost with UniFi hardware. Site Manager provides centralised visibility, remote access, and configuration management without introducing a third-party cloud dependency or recurring subscription. It represents strong value for money and mirrors the type of centralised management approach used in professional deployments. SSH access to network devices is available to a limited number of local devices only, controlled via UFW on the connected Ubuntu hosts.

Remote access to home lab services has gone through three distinct generations, each driven by a better understanding of the security trade-offs involved — evolving from a quick free solution into a properly engineered zero-exposure architecture.

Generation 1 — DuckDNS: Started with DuckDNS as a free dynamic DNS solution, with ports forwarded on the home router to reach Plex and Home Assistant. Simple and effective to set up, but required open inbound ports on the public IP — a direct attack surface that became increasingly uncomfortable as the services matured.

Generation 2 — Own Domain on Cloudflare: Migrated to a personal domain hosted on Cloudflare DNS, with Cloudflare acting as a proxy in front of the services. This added TLS termination and hid the origin IP, but inbound ports were still open on the router — traffic was just better obscured.

Generation 3 — Cloudflare Tunnels (Current): The current setup uses Cloudflare Tunnels exclusively. The cloudflared daemon on the home server maintains persistent outbound connections to Cloudflare's edge — there are no open ports on the router at all. All inbound traffic for Plex and Home Assistant routes through Cloudflare, with Zero Trust access policies enforcing identity verification before any request reaches the tunnel. The result is a genuinely zero-exposure architecture: no open ports, no origin IP visibility, and identity-gated access at the edge.