This is a Controlled Document
In line with GitLab's regulatory obligations, changes to controlled documents must be approved or merged by a code owner. All contributions are welcome and encouraged.
An endpoint is any device that is physically an endpoint on a network. These can include laptops, desktops, mobile phones, tablets, servers, and virtual environments.
Endpoint management is used to protect the corporate network when it is accessed via remote devices such as laptops. Each laptop with a remote connection to the network creates a potential entry point for security threats.
At GitLab, we plan to use centralized laptop management for company-issued laptops. If you are in possession of a company-issued laptop, the details below apply to you. However, not all endpoint management technologies GitLab deploys will be required for Apple, Linux, and Windows laptops. Some technologies may be specific to the hardware platform or operating system. Please review the details of each technology for more information and details.
| Role | Responsibility |
|---|---|
| GitLab Team Members | Responsible for following the requirements in this procedure |
| Business Technology | Responsible for implementing and executing this procedure |
| Business Technology Management (Code Owners) | Responsible for approving significant changes and exceptions to this procedure |
Our expectations are that all Team Members will be using a GitLab-sponsored device and that we will find that at least 10% of our MacBook devices lack hard drive encryption and 5% of the operating systems are not at the current patch level.
If the number of encrypted drives is below 2% and the number of out-of-date operating systems is below 1%, we will reconsider making endpoint management required for all macOS users.
After assessing our endpoints, it was determined that the number of encrypted devices and the number of out-of-date operating systems fell outside of our acceptable percentages. As a result, GitLab has decided to move forward with implementing and enforcing endpoint management as a requirement for all macOS users.
In order to achieve compliance with frameworks such as SOX (required as part of public company readiness) and SOC, and in preparation for FedRAMP and ISO 27001, certain protections of company assets are mandated.
Given that transparency is so ingrained in our culture, the risk of any laptop having confidential or PII data is high (e.g. Slack contains team-member phone numbers).
Additionally, to meet the rigorous security requirements of enterprise customers who desire to use our service, a combination of endpoint management solutions is necessary. We have to select endpoint management solutions that will accomplish the following:
GitLab has chosen the following endpoint technologies to comply with the various security, compliance, regulatory, and customer requirements we face.
Jamf is an Apple device management solution used by system administrators to configure and automate IT administration tasks for macOS, iOS, and tvOS devices. For more detail, please review the Jamf endpoint management page.
SentinelOne is an endpoint detection and response technology used to secure and protect endpoints from malicious digital attacks. For more detail, please review the Endpoint Detection & Response page.
Exceptions to this procedure will be tracked as per the Information Security Policy Exception Management Process.