This is a Controlled Document
In line with GitLab's regulatory obligations, changes to controlled documents must be approved or merged by a code owner. All contributions are welcome and encouraged.
An endpoint is any device that is physically an endpoint on a network. These can include laptops, desktops, mobile phones, tablets, servers, and virtual environments.
Endpoint management is used to protect the corporate network when accessed via remote devices such as laptops. Each laptop with a remote connection to the network creates a potential entry point for security threats.
At GitLab, we use centralized laptop management for company-issued laptops. If you are in possession of a company-issued laptop, the details below apply to you. However, not all endpoint management technologies GitLab deploys will be required for Apple, Linux, and Windows laptops. Some technologies may be specific to the hardware platform or operating system. Please review the details of each technology for more information.
| Role | Responsibility |
|---|---|
| GitLab Team Members | Responsible for following the requirements in this procedure |
| Business Technology | Responsible for implementing and executing this procedure |
| Business Technology Management (Code Owners) | Responsible for approving significant changes and exceptions to this procedure |
In order to achieve compliance with frameworks such as SOX (required as part of public company readiness) and SOC, and in preparation for FedRAMP and ISO 27001, certain protections of company assets are mandated.
Given that transparency is so ingrained in our culture, the risk of any laptop having confidential or PII data is high (e.g. Slack contains team member phone numbers).
Additionally, to meet the rigorous security requirements of enterprise customers who desire to use our service, a combination of endpoint management solutions is necessary. We have to select endpoint management solutions that will accomplish the following:
GitLab has chosen the following endpoint technologies to comply with the various security, compliance, regulatory, and customer requirements we face.
Jamf is an Apple device management solution used by system administrators to configure and automate IT administration tasks for macOS, iOS, and tvOS devices. For more detail, please review the Jamf endpoint management page.
SentinelOne is an endpoint detection and response technology used to secure and protect endpoints from malicious digital attacks. For more detail, please review the Endpoint Detection & Response page.
DriveStrike is a lightweight device management solution for Linux that can remotely wipe devices. It can also be used to wipe macOS devices in the event Jamf is unable to do so. For more detail, please review the DriveStrike page.
Exceptions to this procedure will be tracked as per the Information Security Policy Exception Management Process.