An endpoint is any device that is physically an endpoint on a network. These can include laptops, desktops, mobile phones, tablets, servers, and virtual environments. For the purposes of this current project however, the scope is limited to Apple laptops.
End-point management is used to protect the corporate network when accessed via remote devices such as laptops. Each laptop with a remote connection to the network creates a potential entry point for security threats.
At GitLab, we plan to use centralized laptop management for company-issued laptops. If we start doing that, we'll change this sentence. This page is live in the handbook so we can respond to feedback.
At this stage, if you are in possession of a company-issued Apple laptop, the details below apply to you. Non Apple laptops, personal laptops or mobile devices are not in scope of this iteration.
Our expectation is that we will find 10% of our Macbook devices with no harddrive encryption and 5% of the operating systems are not at the current patch level.
If the number of encrypted drives is below 2% and the number of out of date OS is below 1% we will re-consider making end-point management required for all Mac OS users.
In order to achieve compliance with frameworks such as SOX (required as part of public company readiness), SOC, and in preparation of FedRAMP and ISO 27001, certain protections of company assets are mandated.
Given that transparency is so ingrained in our culture, the risk of any laptop having confidential or PII data is high (e.g. Slack contains team-member phone numbers).
Additionally, to meet the rigorous security requirements of enterprise customers who desire to use our service, an endpoint management solution is necessary. We have to select an endpoint management solution that will accomplish the following:
What the endpoint management solution does not do:
We performed a proof of concept of multiple solutions and determined Jamf to be the best option due to its complete suite of features that meets GitLab compliance and customer requirements as well as providing end-user transparency through accessible logs.
Jamf is an Apple device management solution used by system administrators to configure and automate IT administration tasks for macOS, iOS, and tvOS devices. The current project will focus solely on macOS devices
Jamf was selected as a best option that covered our list of requirements:
The data collected from your company-issued Apple laptop can be viewed in XML format by accessing
~/Documents/Jamf.xml on your Apple laptop. You can see an example of what this file looks like here
We recommend an XML parser to view the data.
unverified. Is this normal behaviour?
Yes. It is safe to install and there is no threat to install the certificate. What you're seeing is expected as the Jamf Pro CA is a self-signed certificate and is technically not trusted until it is installed.
The Endpoint Management Implementation Plan is as follows:
We do not have Linux-based endpoint management in place yet. There will be a second initiative to address Linux management later in FY21.
The Windows operating system is not a supported platform at GitLab, as described in the Internal Acceptable Use Policy. If you’re using a Windows laptop, please contact IT to have a company laptop shipped to you.
Please review the Frequently Asked Questions before asking for additional help.
To install Jamf on your Mac hardware device, you will need to launch the Safari browser and navigate to https://gitlab.jamfcloud.com/enroll. Please note that Safari browser is the preferred browser of choice for enrolling into Jamf.
Safari vs chrome
Note that the following instructions are being shown in Safari.
TLDR - Too long didn't read can be found at the end of the installation instruction.
Please note, this section is continuously being updated with answers to common questions that GitLab team members have. This section is expected to grow significantly.
Yes. Centralized endpoint management is common and necessary in enterprise organizations looking to achieve large scale growth, going public, and certifications. This is an expectation of our customers to meet their standards in order to utilize our service.
The Jamf Pro endpoint management solution provides a lot of advantages over an open-source/build-it-yourself solution. Some of these include integration with our Single Sign-on Identity management system (Okta), Security and access profiles, and a self-service application that allows users to easily install officially supported applications. While a read-only solution would address some of these basic tenets, not everyone in the company is technical enough or motivated to manage the security of their machine. Therefore we require a solution that can be an active component in enforcing security measures.
We have chosen to go with the SaaS version of Jamf because we believe that it will be more costly to get the same level of security with the self hosted version. The self-hosted version requires expertise with the security and management of MySQL and Tomcat, plus additional costs for the cloud infrastructure required to support it. Since Gitlab uses SaaS applications for all other functions of the company, we see no reason to treat this service differently.
According to DPA (Data Processing Agreement) that we have with Jamf in the event of a security breach or vulnerabilities disclosure, Jamf must notify us within 48 hours of knowledge of such an event.
GitLab IT Operations is the owner of Jamf and the Manager, IT is the DRI.
As with any enterprise tool, both the Security and Legal team will perform audits to ensure that Admins have the correct least access privilege and are adhering to our code of conduct when using the tool Admins that abuse the endpoint monitoring tools face disciplinary action, up to dismissal, civil/criminal prosecution, and damage claims.
While such a possibility exists, we feel that the risk of something like this happening is much, much smaller than some of the risks that an endpoint management solution is made to address. Risks like:
There is a lot of information about our environment (laptop os configs, software apps that are used, etc) that's publicly available on our Handbook. The risk of someone using that information to exploit one of our machines is higher due to our transparency.
No software can mitigate all types of bad behaviour or abuse. Rather than relying on software to police itself, we would prefer to make the software transparent enough so that operations which violate company policies would be made plain to everyone. We are working on 2 Jamf customizations that will provide more visibility and privacy to team-members should they choose to enable them. In the meantime, if you wish to see what data is being collected, and what policies are applied to your device, we would be happy to do a Zoom screen share with you. Simply reach out to ITOps by opening an issue in the IT Helpdesk tracker to schedule a time .
We do not have any additional controls in place beyond the existing requirements applied to all team members at the moment, such as requiring multi-factor authentication and limited session lengths where supported. We are constantly iterating to improve the overall security of all team-members. Some of ideas that have been discussed include the deployment of additional endpoint protection software, sometimes referred to as Next-Gen Antivirus (NGAV) or Endpoint Detection and Response (EDR).
It will be no different than our current process for change management which is outlined here: /handbook/business-ops/business-technology-change-management/.
If you wish to add further privacy and security to your home network, you can further isolate your work machine by creating a separate network for it. While we cannot provide you with any direct support for this type of network setup, the Security team have a good writeup with some examples here that might help to get you started.
Jamf only requires inbound access on port 443, and outbound to Jamf and Apple servers on ports 8443, 5223 and 443. The Jamf documentation references SSH (port 22), but that functionality is being deprecated, and will not be used at GitLab. Users are free to block access to port 22 on their devices, or home firewall.
There are no built-in activity monitoring features in Jamf. While there isn’t a mechanism in place today for a team-member to verify this, one of the Jamf customization projects that we would like to rollout at a later date is called Friendly Ghost and offers team-members the ability to see all the changes from the Jamf server logs, as well as any policies that are in effect for their devices. Please follow the issue for this project if you wish to see how it’s progressing
No. This is not an activity monitoring solution.
No, browsing activity will neither be tracked nor monitored.
No, per policy we will not perform screen sharing. If laptop support is needed, it will be upon request with your desktop shared through Zoom.
Only the IT Team will have administrative access into Jamf, and interactive Secure Shell into user's laptops will not be done without first obtaining permission from the user.
The IT Operations team has access to this data and has these permissions. Any of the IT team can trigger a remote wipe in cases where a laptop is lost or stolen, or a team-member is off-boarded. Policy creation and management will be limited to a small group within IT Operations (currently only 3 people). We will not put a technical safeguard in place to prevent remote laptop wipes by a single IT operations team-member, this isn't practical. Only a few people will have this ability. If they use a wipe maliciously we will consider filing a police report and we might start a criminal prosecution. To prevent an ITOps team-member from doing this after getting offboarded we remove their access immediately in the case of an involuntary termination as per our offboarding policy.
As outlined in the merge request, all data being collected by the Jamf agent will be listed in an XML file in each user's home directory located here ~/Documents/Data.xml. Jamf also offers wide community support, and customizability and we fully expect to take advantage of this and iterate towards more transparency. In the meantime ITOps is happy to hop on a call with any team-member and show them how Jamf works and what data has been collected from their machine. You can see an example of the different kinds of data that Jamf is collecting, in this Google Doc.
In general, any Security or OS software updates performed by Jamf will notify the user ahead of time and offer the user the option to defer the change in cases where the timing is inconvenient to the user. However, that deferral is limited and the user will eventually be forced to apply the update in cases where the update is related to security. Application changes, will go through the Jamf SelfService app and those are completely at the discretion of the user.
Jamf, including the SaaS component, has passed our usual security procedures for suppliers, and we're philosophical about this possibility - although the potential hazards are high, we judge the risks to be low enough that this won't stop us from continuing with the current proposal. For business interests, this is our call to make, although you can disagree, commit, and disagree.
Personal interests are more difficult, especially given GitLab's status as a remote-only company - individuals may differ in their evaluation of what risks are acceptable here, and it is not our call to make. If this describes you, then your best option is to practice stricter separation of personal and business interests to avoid the conflict.
For instance, you could:
Remember that you can spend company money like it's your own to get a working environment that is suitable for you.
Personal laptops are not in scope here since they are not issued by GitLab. If you are using a personal laptop for business purposes please ensure you comply with our Acceptable Use Policy at all times.
While the initial rollout of Jamf will be opt-in, this is temporary while we refine our security policies and test that the Jamf software is performing as expected. That period of time will also allow us to work on a couple of Jamf customizations that will provide more visibility and privacy to team-members should they choose to enable them. Once this work is completed we expect 100% adoption of this endpoint management application on all Mac Laptops.
At this time there are no restrictions with regards to software as long as the team-member follows proper security notices and keeps their applications current. Team-members will also see a Self-Service app when they enroll their laptop into Jamf. This app provides an app-store-like experience, with a curated list of applications that IT will pre-configure and manage. It’s merely a way to make it easy for team-members to always know where to look for the latest updates to their applications.
There will be a Self-Service application that is installed with Jamf and gives each team-member a curated list of applications that they can choose to install. That list currently includes things like:
More applications may get added over time if we find them to be useful to team-members.
Jamf will keep track of the software versions of all the applications installed on a team-members device and that information will be stored in that device's user record within Jamf. You can see an example of the kind of data that Jamf collects in this file
One of the customization projects that ITOps will be looking to do to extend the transparency of Jamf is called Friendly Ghost and with it a team-member can see all the data that’s been collected about their machine. In the meantime if you want to see what data is stored about your machine in Jamf, feel free to open an IT Helpdesk issue and we'll coordinate a time to have a Zoom chat and a tour of the Jamf UI.
There are 2 scenarios where a remote wipe is required as part of our security compliance measures. The first is when a laptop is lost or stolen. The second is when a team-member leaves the company.
In the former case, a team-member should follow the Lost or Stolen Procedures as outlined in our handbook. As soon as ITOps is informed of the situation, the Jamf admin will login to the Jamf admin console and locate the user’s devices in order to validate the computer name, serial number, hardware specifications, and the last time the device checked into the server. From there, they can execute the remote wipe command by clicking on a button. The Jamf UI will require a 6 digit passcode to be entered before the wipe proceeds. Once the laptop is wiped, it will boot to a lock-screen which prompts the user to enter that same 6 digit passcode. Until that step is completed, the laptop will not allow the user to proceed any further. This way if the device is ever recovered, we can enter the passcode and once again use the laptop.
In the case of an offboarded team-member an ITOps administrator reaches out by email to the former team-member and coordinates with them a time to perform the wipe. From there, the process is the same, except that we will provide the 6 digit passcode to the former team-member so that they can proceed past that lock-screen and reinstall the Mac OS Software from the laptop’s recovery partition.
The remote wipe operation is limited to a small group within IT Ops. Any one of those individuals can initiate the remote wipe. ITOps has been performing disk wipe operations at least once a week, on average, since the beginning of 2020, so they are well versed in the process, and all operations are logged within issues. There is no other technical safeguard in place at this time.
Yes and no. After the laptop is wiped, it will boot into a lock-screen where the team-member needs to enter a 6 digit passcode. Once they are past the lock-screen, they can re-install the Mac OS operating system from the recovery partition that comes with every Mac Laptop.
Since Jamf is a relatively new platform for our team, it will take some time for the ITOps team to come up to speed with any idiosyncrasies around the product. While we don’t anticipate there will be disk wiping problems, should that happen, we will be engaging with Jamf support to resolve the issue as quickly as possible.
Yes, you can block it. Although the Jamf documentation makes references to requiring access to SSH (port 22), this is for a legacy application called Recon which is being deprecated and will not be used by GitLab admins. Users are free to block access to port 22 on their devices, or home firewall.
Some of your options are outlined below in the this FAQ question Also, please see this Jamf customization project issue that could offer you more security, If you feel like contributing please join the discussion.
Some of the specific items in question are things like: Asset tracking and lifecycle management Encryption of Data at Rest (Laptop disk encryption) Data retention and disposal (disk wiping)
There are other security frameworks that establish baseline security policies like: Password Policy and Authentication
Endpoint management supports GitLab's requirements under GDPR to implement technical and organizational protections of personal data, whether these are employee personal data or customer personal data. See the previous question for specific security compliance frameworks.
The collection and processing of personal information is lawful when it meets one of the conditions set out in GDPR. In this instance, the collection and processing of personal data would be for GitLab's legitimate interests, to ensure network and information security.
GitLab is collecting and using the personal information in accordance with GDPR. GDPR is considered one of the most stringent privacy laws that applies across a wide range of jurisdictions.
We are working to put together a process where team-members can request this. Together with the Privacy Team, GitLab IT admins will evaluate the request and, provided there are no legal exceptions, we will delete the data using the following Jamf process.
The GitLab IT team is working with the Privacy Team to complete a detailed privacy review, which will ensure the use of the tool meets the requirements of GDPR. In addition, the Privacy Team will be conducting an audit of the tool (data collected, accessed etc) on a quarterly basis to ensure the use stays within the parameters reviewed and set out in the Handbook. The results of the audit will be available for review.