facebook noscript

Workstation Management

July 2, 2018
engineering-default

Background:
Startups and small to medium businesses alike are faced with protecting information assets with limited resources. Laptops and mobile devices are a vector for sensitive and high value ex-filtration due to configuration. In this post we will cover the main use cases to address. We will also explore a straightforward solution design and set of procedures to manage a fleet of devices.

TLDR? A Kubernetes Helm Chart of the core solution can be found here:
Workstation Management Chart

Use cases:
End user compute fleet management will help with the following:

Service Delivery— Application Deployment, Configuration and Licensing

Operational Configuration management — manage settings like Wi-Fi anSet up. Configure settings like Wi-Fi and email and on all of your devices quickly and consistently.

Inventory — automatically collect hardware, software and security configuration details from your Apple devices.

Information Protection — secure your sensitive information assets, enforce security and compliance relevant settings like secrets/pass-code policy, remotely lock/wipe devices, documents and email and on all of your devices quickly and consistently.

IT Operational Support — automatically collect hardware, software and security configuration details to make device and security decisions based on aggregation of data.

Solution Design — this is a solution for macOS based workstation/laptop fleet configuration and patch management

Source: the design is based on the guidance provided by MacAdmins https://macadmins.psu.edu and Google MacOps teams: google/macops

Manage the state of the fleet: SAL OpenSource: salopensource/sal

To monitor the state of a fleet of macOS Laptops we will use Sal OpenSource which provides a nice dashboard view of the fleet. We can see the distribution of devices across sites, Line of Business, and work teams. SAL helps visualize compliance levels for things like installed packages, full disk encryption (FileVault), system integrity protection (SIP), Application Publisher Trust (GateKeeper), built in Anti-Malware (XProtect) and more. If a machine has some issue we can push an update via Munki, or have a help desk work with the device owner:

0*l4T19Zf838LH TXv
“SAL OpenSource” Dashboard

Leverage AutoPkgr to manage software package “recipes”:
We will use AutoPkgr to

  • manage application downloads from official sources and/or updates for it.
  • adding site-specific configuration
  • adding sane versioning information
  • “fixing” poorly-written installer scripts
  • importing official packages into the software distribution system: Munki
  • customize the associated metadata for such a system with site-specific, LOB specific, or team specific data, post-installation scripts, version info or other metadata

0*2B2JBEXpoB5FdfLw

autopkgr:lindegroup/autopkgr

Remote storage: mount remote Munki package site via fuse-sshfs
FuseSSHFS: libfuse/sshfs

Managing the package repository:
Use MunkiAdmin to manage remote Munki Repository
MunkiAdmin hjuutilainen/munkiadmin

We will leverage “MunkiAdmin” to manage the state of the package repository. MukiAdmin allows us to create package repositories that can be allocated across sites, LOB verticals or even different working groups. For example we may make one set of apps available to engineering and not to HR or Finance. Using MunkiAdmin assures that package versions and configurations are relevant across the fleet. We can even use MunkiAdmin to push Security and operational configurations to devices.

0*2U3N1xZSTUFjO7ku

MunkiAdmin — A a repository and package manager for macOS applications

Note: The entire solution (With the exception of the management tools) can be deployed on a Kubernetes Cluster. Bare Metal, AWS-EKS, Google-GKE etc.

Kubernetes Chart GitHub repo containing this solution

Putting it all together:

0*zGDzVUAQFGEJTrGM

Additional Resources:

Google MacOps: https://github.com/google/macops
MacAdmins forum: http://macadmins.psu.edu/
Munki Slack Channel: https://macadmins.slack.com/?redir=%2Fmessages%2Fmunki

gordon-young Gordon Young

Security Specialist

Share

You Might also be interested in...

engineering-default

Quick 3-Click Integration with VGS

Ulyana Falach July 9, 2018

compliance-default

PCI Scope Reduction: Understanding the Process

Stefan Slattery June 15, 2018

engineering-default

Securing IOT: Stream Level Redaction

Gordon Young May 27, 2018