Automated provisioning for Linux desktop in the enterprise

Linux users love the power and flexibility of their systems that include features like:

• Built-in package managers (e.g., apt and yum) for installing software
• Deep OS customization
• Native tooling for development, infrastructure and server management
• Scriptable kernel-level access for crafting complex workflows

The Linux provisioning gap

But, this power and flexibility widens a critical gap for enterprise organizations that must control and manage Linux devices: Linux “MDM” is a term of art, not a real protocol. While there is no framework built into Linux for enrolling, provisioning and configuring Linux desktop computers in the enterprise that ensures a seamless “out of the box” (OOB) experience for end users while guaranteeing device compliance and security, there are more Linux management options than ever. Let’s look at some of the history, the challenges and a modern Linux provisioning / management solution.

Enabling work

Delivering a frictionless end user experience when deploying devices to new hires should be a goal to which every organization aspires. Smooth employee onboarding says a lot about how an organization functions and communicates. When new hires are confident in the onboarding process, it gives them confidence in their role and equips them for success by allowing them to intuitively get to work on day one.

Getting a computer from a manufacturer and setting it up manually (i.e., installing software, configuring controls and securing access to enterprise resources) requires meticulous planning, coordination and a lot of effort. To deploy manually at scale, many large organizations pay 3rd parties or have dedicated entire teams to handle this work due to the complexity of delivery logistics and device configuration.

In the early days of Windows PCs, disk imaging became the de facto approach for replicating OS settings across a deployment. Windows admins spent unimaginable amounts of time crafting a ‘golden image’ which was then applied to all newly purchased computers.

Some organizations still take this antiquated approach believing it to be a best practice, but the overhead of maintaining and refreshing master images is expensive. Windows has long supported automated provisioning because of this, following Apple’s lead on improving and boosting the use of mobile device management (MDM) specifications built into operating systems that help organizations modernize their device deployments.

Modern device enrollment and provisioning

Apple’s Automated Device Enrollment (ADE) and Microsoft’s Windows Autopilot protocols have made device enrollment and provisioning far easier than ever before.

Much of the improvement to these systems came along at just the right time. During the dark days of the COVID pandemic, zero-touch device provisioning went from being a fancy, “nice-to-have” device deployment option to table stakes for enabling and maintaining end user productivity. IT and client platform engineers could no longer expect or even allow new employees to show up at an office nor were they able to provide the “white glove” experience of provisioning a computer by hand, on-demand.

But, without good management options, Linux enterprise deployment is often even worse than the old days of Windows or the pandemic:

• Because of a lack of Linux management options, end users may be allowed by an organization to “manage” devices deployed to them on their own - this may mean they are given management guidelines or security documentation without any form of actual enforcement.
• Linux at the enterprise level is often used by an organization’s most sophisticated end users, meaning lack of enforcement around Linux device management can become a hollow promise at best, or a political football at worst.
• Linux computers are often intended for use by end users with root-level OS access. This means manual creation and deployment of ‘golden master’ images is practically useless and really only functional as a “starting point”, not for management.
• Meanwhile, IT teams being asked by security teams to ensure that all devices are compliant with regulations and business policy can’t make their requirements - they have no control over an important subset of the devices they’ve been asked to deploy.

Why device enrollment and automated provisioning are critical

There are 3 general reasons why device enrollment into a management solution and automated provisioning are crucial for modern device management:

First, properly enrolling endpoints via a system like Apple’s ADE or Microsoft’s Autopilot protocols into a management solution guarantees device provenance, establishing ownership all the way from the manufacturer, through the purchase, to the end user. With provenance and institutional ownership established, MDM protocols enable and allow automated provisioning to occur, meaning, a device can automatically proceed from an OOB state with no IT interaction and minimal end user interaction all the way to being securely configured for use. A seamless, zero-touch provisioning process minimizes the risk of the security gap created by shipping new devices directly to end users. Because of this, automated enrollment and provisioning workflows have become indispensable to teams managing devices for remote workers.

Second, automated provisioning is one of the ways organizations can provide the frictionless end user onboarding experience they desire. For all employees, but especially those working remotely, automated provisioning ensures that new hires get onboarded fast without making help desk calls and that they are able to get straight to business.

Third, automated device provisioning establishes the connection between end user identity and an end user’s assigned device. Getting an end user’s identity configured, linking local accounts on device with an enterprise identity provider (IdP) and configuring access in single sign-on (SSO) systems are critical provisioning steps for allowing end users to securely access enterprise resources. Once a user’s identity can be reliably associated with their device, administrators can establish secure access policies based on user attributes and group membership instead of relying on device attributes alone.

Best practices for automated provisioning on Linux deployments

If your organization is purchasing computers directly from a large manufacturer like Dell or Lenovo, or from a 3rd party reseller like CDW or SHI, they all offer computers preinstalled with Linux. This is often the simplest and best way to start with enterprise Linux deployments. There is no MDM specification / protocol for Linux and there is no central registry for Linux computers like Apple Business Manager (ABM) or Microsoft Entra.

Typically, orchestration approaches are used for managing Linux devices at scale.

The agent-less approach is typified by tools like Ansible. SSH connections are used to authenticate and control Linux endpoints. YAML files and scripts are used to configure devices to match a desired state per an Ansible “playbook”. The intent of this system is to “declaratively” manage endpoint state, however, because Linux end users often have root-level access (meaning any configuration “declared” can be overridden) “configuration drift” can become a challenge. Changes made by the end user are not reflected by default back to the Ansible playbook, monitored or remediated.

An agent-based approach might make use of tools like Puppet or Chef. An installed agent is capable of monitoring Linux devices for deviations from a known baseline and remediation, but, in practice, these deployment systems are not full-featured device management solutions.

When looking for a management solution to overcome these challenges around Linux deployments, the following features should be considered:

• Simple agent installation / enrollment
• Script execution
• Software installation and patch management
• Device state monitoring
• Compliance reporting
• Automated state remediation

Fleet has quickly become the first choice for many enterprise organizations deploying Linux desktop computers at scale because it ticks all of these boxes. Though there are Linux-flavor specific management options available like Canonical’s Landscape for Ubuntu management, no other multi-platform solution on the market comes close to Fleet’s Linux management capabilities.

Not only can your Linux devices be enrolled and managed, Fleet offers an automated Setup Experience for Linux, meaning you can realize zero-touch, automated provisioning for your Linux end users and link your Linux endpoints to your user’s identity in your IdP just like you do on your other platforms.

The next article in this series will cover more on the topic of enforcing security baselines for Linux: how detecting device state, monitoring compliance and automatically bringing devices back into compliance by triggering automations will finally allow your Linux devices to be as secure as the other OS platforms in your fleet.