Using IdP login events as a proxy for physical office presence is fragile—sessions persist, apps bypass SSO, and workarounds annoy remote staff. Companies need reliable presence detection for hybrid work policies.
An agent on managed devices (leveraging existing MDM) that detects office network connection via WiFi BSSID/IP range and fires a webhook to check-in systems (Envoy, Robin, etc.), completely decoupling presence detection from authentication flows.
Freemium: free for up to 50 users, subscription at $3-5/user/month for larger orgs with analytics and integrations.
Real pain confirmed by the Reddit thread and broader RTO enforcement trends. However, it's primarily felt by workplace ops/HR teams—not the end users. Many orgs muddle through with badge data or manual check-ins. The pain is acute for the segment enforcing RTO with consequences (bonus adjustments, performance reviews) but mild for orgs that just want soft nudges.
TAM is narrower than it appears. Target is hybrid orgs with MDM-managed devices AND enforced RTO policies AND dissatisfaction with current check-in methods. Estimated 50K-100K mid-to-large companies globally fit this profile. At $3-5/user/month with avg 200 users = $7.2K-12K ARR per customer. Realistic SAM is $50M-200M. Not a billion-dollar market, but viable for a bootstrapped or seed-stage startup.
This is the weakest link. Workplace ops budgets are often squeezed. $3-5/user/month competes with tools like Envoy that offer broader functionality at similar price points. Many orgs will ask 'can't IT just script this from our MDM data?' Badge systems already exist in most offices. The buyer (HR/ops) may see this as a nice-to-have unless RTO compliance has C-suite visibility and consequences.
Core MVP is straightforward: a lightweight agent (macOS/Windows) that checks WiFi BSSID or IP range against a configured list and fires a webhook. Leveraging MDM for deployment simplifies distribution. A solo dev could ship a working macOS agent + basic API + Envoy webhook in 4-6 weeks. Challenges: Windows service signing, cross-platform parity, handling VPN edge cases, battery/performance impact. macOS privacy permissions for WiFi BSSID access (CoreLocation) require user consent, which MDM can pre-approve.
Clear white space. No product offers passive, vendor-agnostic, client-side network presence detection that maps to individual employees and integrates with check-in systems. Cisco/Aruba do passive WiFi detection but require their infrastructure and don't map to employees. Envoy/Robin require manual action. MDMs have the data but no one has productized it. This is a genuine gap.
Natural SaaS fit. Per-user/month pricing with ongoing value (daily presence data, analytics, compliance reporting). Retention should be strong once integrated into HR workflows and compliance processes. Expansion revenue from analytics tier, multi-site support, and integration add-ons.
- +Clear competitive white space—no one has productized passive, vendor-agnostic network presence detection
- +Leverages existing MDM infrastructure, so no new hardware and low deployment friction
- +Technically feasible MVP in 4-6 weeks for a solo dev with systems programming experience
- +Strong tailwinds from enforced RTO mandates at large companies
- +API-first approach enables integration with existing workplace tools rather than replacing them
- !Willingness to pay is uncertain—buyers may view this as a feature of their MDM or workplace platform, not a standalone product
- !OS privacy restrictions are tightening: macOS requires Location Services permission to read BSSID, and future OS updates could further restrict access
- !Political risk: employees may resist being 'tracked' and push back, creating internal friction for the buyer
- !Platform risk: Envoy, Robin, or MDM vendors (Jamf, Intune) could ship this as a native feature with minimal effort
- !Small initial market if only targeting orgs with both MDM and enforced RTO policies
Workplace platform for visitor management and employee check-ins via mobile app, iPad kiosk, or badge tap. Added desk booking and capacity tracking.
Workplace management platform for desk booking, room scheduling, and occupancy analytics via reservations and optional hardware sensors.
Enterprise location analytics on Cisco WiFi infrastructure. Detects devices on the network via WiFi trilateration, provides occupancy heatmaps and dwell time.
Hardware sensor platform using proprietary overhead depth sensors to measure real-time room and floor occupancy by counting bodies.
MDM platforms that collect device inventory including connected SSID, IP address, and network info from managed devices. Not designed as presence tools, but the raw data exists.
macOS agent (Swift, distributed via MDM profile) that reads current WiFi BSSID on network change, matches against configured office BSSIDs, and fires a webhook to Envoy or a generic endpoint. Simple admin dashboard (Next.js) for configuring office networks, viewing daily presence logs, and managing webhook destinations. Start with a single integration (Envoy) and one platform (macOS) to validate demand before expanding.
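The matching step described above (BSSID or IP range checked against a configured list, with the VPN edge case handled) can be sketched as follows. This is an added example in Python, not code from the page or from any product it names; the office BSSIDs, the CIDR range, the `tunnel_active` flag and the payload field names are all constructed assumptions, and the payload is a generic webhook body rather than Envoy's API.

```python
import ipaddress
import json
import re

# Constructed sample configuration (hypothetical values, not from the page).
OFFICE_BSSIDS = {"a4:0b:1c:00:12:f0", "a4:0b:1c:00:12:f1"}
OFFICE_CIDRS = [ipaddress.ip_network("10.20.0.0/16")]

def normalize_bssid(raw):
    """Return a lowercase, colon-separated, zero-padded BSSID, or None if malformed."""
    if not raw:
        return None
    parts = re.split(r"[:-]", raw.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{1,2}", p) for p in parts):
        return None
    # Some tools print octets without leading zeros ("a4:b:1c:0:..."); pad them.
    return ":".join(p.lower().zfill(2) for p in parts)

def classify(bssid, ip, tunnel_active):
    """Decide presence from one network-change observation; returns (status, reason)."""
    if normalize_bssid(bssid) in OFFICE_BSSIDS:
        return "present", "bssid"
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "absent", "no-usable-signal"
    in_range = any(addr in net for net in OFFICE_CIDRS)
    if in_range and tunnel_active:
        # An office-range address handed out by a VPN is not physical presence.
        return "absent", "office-ip-via-vpn"
    if in_range:
        return "present", "ip-range"  # e.g. wired dock with no WiFi association
    return "absent", "no-match"

def build_checkin(user, bssid, ip, tunnel_active):
    """Return the JSON webhook body for a present user, or None when no check-in fires."""
    status, reason = classify(bssid, ip, tunnel_active)
    if status != "present":
        return None
    return json.dumps({"user": user, "event": "office_checkin", "matched_on": reason},
                      sort_keys=True)
```
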
Free for ≤50 users (single site, basic webhook) → $3/user/month Pro (multi-site, analytics dashboard, Slack notifications) → $5/user/month Enterprise (SSO, audit logs, custom integrations, compliance reporting exports). Land with IT/workplace ops teams at mid-market companies already using Envoy. Expand via HR buyer once compliance reporting is built.
8-12 weeks. 4-6 weeks to build macOS agent + basic API + Envoy integration. 2-4 weeks for initial customer discovery and pilot with 2-3 companies from sysadmin/IT communities (Reddit r/sysadmin, MacAdmins Slack). First paying customer likely month 3-4.
- “Okta sessions expire on network/IP change”
- “users spend the whole day without ever hitting Okta, so no check-in fires”
- “causing frustration especially for remote workers”
- “I think our office uses badge-in for Envoy check-ins... you only care about a check in”