Background:
Startups and small to medium businesses alike must protect their information assets with limited resources. Laptops and mobile devices are a common exfiltration vector for sensitive, high-value data when they are poorly configured. In this post we will cover the main use cases to address. We will also explore a straightforward solution design and set of procedures to manage a fleet of devices.
TLDR? A Kubernetes Helm Chart of the core solution can be found here:
Workstation Management Chart
Use cases:
End user compute fleet management will help with the following:
Service Delivery — application deployment, configuration and licensing.
Operational Configuration Management — set up and configure settings like Wi-Fi and email on all of your devices quickly and consistently.
Inventory — automatically collect hardware, software and security configuration details from your Apple devices.
Information Protection — secure your sensitive information assets; enforce security and compliance relevant settings like secrets/pass-code policy; remotely lock or wipe devices, documents and email on all of your devices quickly and consistently.
IT Operational Support — automatically collect hardware, software and security configuration details so that device and security decisions can be made on aggregated data.
Solution Design — this is a solution for macOS-based workstation/laptop fleet configuration and patch management.
Source: the design is based on the guidance provided by MacAdmins https://macadmins.psu.edu and Google MacOps teams: google/macops
Manage the state of the fleet: SAL OpenSource: salopensource/sal
To monitor the state of a fleet of macOS laptops we will use Sal OpenSource, which provides a dashboard view of the fleet. We can see the distribution of devices across sites, lines of business, and work teams. Sal helps visualize compliance levels for things like installed packages, full disk encryption (FileVault), System Integrity Protection (SIP), application publisher trust (Gatekeeper), built-in anti-malware (XProtect) and more. If a machine has an issue we can push an update via Munki, or have the help desk work with the device owner.
Leverage AutoPkgr to manage software package “recipes”:
We will use AutoPkgr to:
- manage application downloads and updates from official sources
- add site-specific configuration
- add sane versioning information
- “fix” poorly-written installer scripts
- import official packages into the software distribution system: Munki
- customize the associated metadata for such a system with site-specific, LOB-specific, or team-specific data, post-installation scripts, version info or other metadata
AutoPkgr: lindegroup/autopkgr
Remote storage: mount remote Munki package site via fuse-sshfs
FuseSSHFS: libfuse/sshfs
Managing the package repository:
Use MunkiAdmin to manage remote Munki Repository
MunkiAdmin hjuutilainen/munkiadmin
We will leverage MunkiAdmin to manage the state of the package repository. MunkiAdmin allows us to create package repositories that can be allocated across sites, LOB verticals or even different working groups. For example, we may make one set of apps available to engineering and not to HR or Finance. Using MunkiAdmin ensures that package versions and configurations are consistent across the fleet. We can even use MunkiAdmin to push security and operational configurations to devices.
MunkiAdmin — A repository and package manager for macOS applications
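The per-group allocation described above is expressed in Munki as manifests (one per site, LOB or team) that reference catalogs of pkginfo items. The following added example, which is not code from this post or from the Munki/MunkiAdmin projects, builds a small constructed repo in memory, resolves the effective managed_installs of a manifest through its included_manifests chain, and flags items that no referenced catalog can satisfy. The manifest and catalog names and package entries are hypothetical; the plist keys are Munki's own.

```python
import plistlib

# Constructed manifests using Munki's manifest keys. In a real repo each one
# is a plist file under manifests/, edited with MunkiAdmin. Names are hypothetical.
MANIFESTS = {
    "site_default": {"catalogs": ["production"], "included_manifests": [],
                     "managed_installs": ["Firefox", "Slack"]},
    "engineering":  {"catalogs": ["production", "testing"],
                     "included_manifests": ["site_default"],
                     "managed_installs": ["Docker", "GoogleChrome"]},
    "finance":      {"catalogs": ["production"],
                     "included_manifests": ["site_default"],
                     "managed_installs": ["Excel"]},
}

# Constructed catalogs: arrays of pkginfo dicts, as Munki's makecatalogs emits
# under catalogs/. "Excel" is deliberately absent to show the failure case.
CATALOGS = {
    "production": [{"name": "Firefox", "version": "120.0"},
                   {"name": "Slack", "version": "4.35.0"},
                   {"name": "GoogleChrome", "version": "119.0"}],
    "testing":    [{"name": "Docker", "version": "4.25.0"}],
}


def effective_installs(name, manifests=MANIFESTS, seen=None):
    """Follow included_manifests recursively (guarding against cycles) and
    return the de-duplicated list of managed_installs a client would process."""
    seen = set() if seen is None else seen
    if name in seen:
        return []
    seen.add(name)
    manifest = manifests[name]
    items = []
    for included in manifest.get("included_manifests", []):
        items += effective_installs(included, manifests, seen)
    items += manifest.get("managed_installs", [])
    return list(dict.fromkeys(items))


def missing_items(name, manifests=MANIFESTS, catalogs=CATALOGS):
    """Items that none of the manifest's catalogs provide. Simplification:
    only the top-level manifest's catalog list is consulted."""
    available = {p["name"] for c in manifests[name]["catalogs"]
                 for p in catalogs.get(c, [])}
    return [i for i in effective_installs(name, manifests) if i not in available]


def manifest_plist(name, manifests=MANIFESTS):
    """Serialise a manifest to the XML plist format Munki reads from the server."""
    return plistlib.dumps(manifests[name])
```

Running missing_items over every manifest before publishing a repo catches the case where a group is assigned a package that was never imported for its catalogs, which would otherwise surface only as client-side install errors in Sal.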
Note: The entire solution (with the exception of the management tools) can be deployed on a Kubernetes cluster, whether bare metal, AWS EKS, Google GKE, etc.
Kubernetes Chart GitHub repo containing this solution
Putting it all together:
Additional Resources:
Google MacOps: https://github.com/google/macops
MacAdmins forum: http://macadmins.psu.edu/
Munki Slack Channel: https://macadmins.slack.com/?redir=%2Fmessages%2Fmunki