77 Endpoint management at GitLab
At GitLab, we plan to use centralized laptop management for company-issued laptops. If we start doing that, we’ll change this sentence. This page is live in the handbook so we can respond to feedback.
At this stage, if you are in possession of a company-issued Apple laptop, the details below apply to you. Non-Apple laptops, personal laptops, and mobile devices are not in scope for this iteration.
77.1 Expectation and success criteria
Our expectation is that we will find 10% of our MacBook devices with no hard drive encryption and 5% with an operating system that is not at the current patch level.
If the number of unencrypted drives is below 2% and the number of out-of-date operating systems is below 1%, we will reconsider making endpoint management required for all Mac OS users.
77.2 Why is this necessary?
In order to achieve compliance with frameworks such as SOX (required as part of public company readiness) and SOC, and in preparation for FedRAMP and ISO 27001, certain protections of company assets are mandated.
Given that transparency is so ingrained in our culture, the risk of any laptop having confidential or PII data is high (e.g. Slack contains team-member phone numbers).
Additionally, to meet the rigorous security requirements of enterprise customers who desire to use our service, an endpoint management solution is necessary. We have to select an endpoint management solution that will accomplish the following:
- Allow for software to be remotely deployed without requiring manual installation
- Maintain asset inventory of all GitLab owned devices
- Manage software licenses
- Enable confirmation that whole disk encryption has been enabled (using the Mac OS built-in FileVault feature)
- Provide the ability to remotely wipe a device that has been lost or stolen
- Allow for the configuration of security features such as required passwords and OS updates
77.2.1 What is not necessary?
What the endpoint management solution does not do:
- Content filtering
- Collect, log or track personal activity (including website visits or purchases)
- Remote viewing
- Key-logging