82 Frequently Asked Questions
Please note, this section is continuously being updated with answers to common questions that GitLab team members have. This section is expected to grow significantly.
82.1 Problem description
82.1.1 Is endpoint management necessary?
Yes. Centralized endpoint management is common and necessary in enterprise organizations looking to achieve large-scale growth, go public, and obtain certifications. Our customers expect it of us in order to meet their standards and utilize our service.
82.1.2 Why are we using a third party endpoint management system?
The Jamf Pro endpoint management solution provides a lot of advantages over an open-source/build-it-yourself solution. Some of these include integration with our Single Sign-On identity management system (Okta), security and access profiles, and a self-service application that allows users to easily install officially supported applications. While a read-only solution would address some of these basic tenets, not everyone in the company is technical enough or motivated to manage the security of their machine. Therefore we require a solution that can be an active component in enforcing security measures.
GitLab is a fully remote, SaaS-first company, so the backend Jamf server will not be self-hosted. We will be using Jamf's SaaS service for hosting.
82.2 Safeguards and controls
82.2.1 Who owns and manages Jamf at GitLab?
GitLab IT Operations is the owner of Jamf and the Manager, IT is the DRI.
82.2.2 Who ensures IT Operations is managing the tool correctly and ethically?
As with any enterprise tool, both the Security and Legal teams will perform audits to ensure that Admins have the correct least-privilege access and are adhering to our code of conduct when using the tool. Admins that abuse the endpoint management tools face disciplinary action, up to dismissal, civil/criminal prosecution, and damage claims.
82.3 Endpoint management access
82.3.1 Is my personal activity being monitored?
No. This is not an activity monitoring solution.
82.3.2 Does this mean that you’re able to view my browsing history?
No, browsing activity will neither be tracked nor monitored.
82.3.3 Will remote viewing occur?
No, per policy we will not perform screen sharing. If laptop support is needed, it will be upon request with your desktop shared through Zoom.
82.3.4 Can someone Secure Shell (SSH) into my laptop?
Only the IT Team will have administrative access to Jamf, and interactive Secure Shell sessions into users' laptops will not be done without first obtaining permission from the user.
82.3.5 Who has access to the data that’s being collected? Who can manage security policies? Who can trigger remote laptop wipes?
The IT Operations team has access to this data and has these permissions. Any of the IT team can trigger a remote wipe in cases where a laptop is lost or stolen, or a team-member is off-boarded. Policy creation and management will be limited to a small group within IT Operations (currently only 3 people). We will not put a technical safeguard in place to prevent remote laptop wipes by a single IT Operations team-member; this isn't practical. Only a few people will have this ability. If they use a wipe maliciously we will consider filing a police report and we might start a criminal prosecution. To prevent an ITOps team-member from doing this after being offboarded, we remove their access immediately in the case of an involuntary termination, as per our offboarding policy.
82.3.6 How much notice will be provided before a change is made to the data collection and operations of Jamf?
While we don’t expect to be making any changes to our currently defined data privacy policy, should the need arise due to a request from the Security or Legal departments, that change would go through the same change management process as defined above.
82.3.7 Where can I view data collected from my laptop?
As outlined in the merge request, all data being collected by the Jamf agent will be listed in an XML file in each user's home directory, located at ~/Documents/Jamf_Data.xml. Jamf also offers wide community support and customizability, and we fully expect to take advantage of this and iterate towards more transparency. In the meantime, ITOps is happy to hop on a call with any team-member and show them how Jamf works and what data has been collected from their machine.
82.3.8 Will a user be notified that the endpoint management software is installing something? And will the user know what has been installed?
In general, all changes performed by Jamf will notify the user ahead of time and offer the user the option to defer the change in cases where the timing is inconvenient. However, that deferral is limited, and where the update is security-related the user will eventually be required to apply it.
82.3.9 What about the risk of Jamf being used as an attack vector against business or personal interests?
Jamf, including the SaaS component, has passed our usual security procedures for suppliers, and we’re philosophical about this possibility - although the potential hazards are high, we judge the risks to be low enough that this won’t stop us from continuing with the current proposal. For business interests, this is our call to make, although you can disagree, commit, and disagree.
Personal interests are more difficult, especially given GitLab’s status as a remote-only company - individuals may differ in their evaluation of what risks are acceptable here, and it is not our call to make. If this describes you, then your best option is to practice stricter separation of personal and business interests to avoid the conflict.
For instance, you could:
- Avoid using the endpoint for personal tasks - if you are concerned about a remote wipe causing personal data loss on the endpoint
- Isolate the endpoint to its own virtual or physical network - if you are concerned about a compromise making other endpoints on your network vulnerable
- Isolate the endpoint in rented office premises - if you are concerned about a compromise of the camera or microphone
Remember that you can spend company money like it’s your own to get a working environment that is suitable for you.
82.4 Eligibility
82.4.1 Are personal laptops in scope?
Personal laptops are not in scope here since they are not issued by GitLab. If you are using a personal laptop for business purposes please ensure you comply with our Acceptable Use Policy at all times.