macOS Onboarding at Kolide
At Kolide, we believe that we should be the first customers of the products we build. Dogfooding our products has helped us catch bugs, improve user experience and come up with new product ideas. Like many other startups, we mostly use MacBooks for development. We’ve developed tools and workflows to ensure that every Mac in our fleet is up to date and has the most recent version of osquery and the Kolide Launcher running.
Kolide is fully remote, with employees in every US timezone, which creates unique challenges for employee onboarding. Since a Kolide employee’s first day typically occurs in their own home and we don’t stockpile pre-imaged Macs, we must ship them factory-sealed laptops directly from Apple. This requires an onboarding process that literally works “out of the box”. To accomplish this, we’ve chosen to use Apple’s Device Enrollment Program (DEP) to help us enroll our Macs in Mobile Device Management (MDM). The DEP service ensures that any new laptop we purchase will automatically enroll into our MDM service.
Going through the Setup Assistant on the Mac, the user is prompted to join our Mobile Management Server. We’ve chosen MicroMDM — a side project of mine that has met wider success in the Mac admin community — as our MDM solution because it is one of three MDMs out there capable of installing custom macOS packages without a proprietary agent. That lets us make sure we have complete control over the software installed on the Mac, and that our management tools are the first to be installed.
While the user finishes typing their account information on the new Mac, several things happen in the background:
The MDM pushes a custom signed copy of Munki with a script that kicks off our DEP Bootstrap software manifest.
Munki installs Yo, a lightweight notification utility. We use it to let the user know we’re configuring the laptop.
Munki installs our launcher package and queues a Yo notification.
The launcher enrolls the user into Fleet. A final notification is triggered letting the user know we’re done. Munki exits and starts its normal, hourly check-in process.
One of the challenges of running our own client on our Macs is that we’re also constantly running development versions of osquery and the launcher. To allow running both development and long-lived versions of the client side by side, we namespaced the folders within the package deployed by Munki with kolide-corp.
We added the ability to quickly create custom packages into our package tooling, which is available in the launcher repository.
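The two paragraphs above describe namespacing the launcher install so a corporate build and a development build can coexist on one Mac. The following shell script is an added example of that idea and is not Kolide’s package tooling: it stages a package root under an assumed layout (`/usr/local/<identifier>/bin`, `/var/<identifier>`, and a LaunchDaemon label derived from the identifier) and wraps it with `pkgbuild`. The directory layout, the LaunchDaemon label and the `--root_directory` argument passed to the launcher are assumptions made for the example, not the real package’s layout.

```shell
#!/bin/sh
# Added example (not Kolide's package-builder): stage a namespaced launcher
# package root so that e.g. "kolide-corp" and "kolide-dev" builds never share
# a binary path, a state directory, a LaunchDaemon label or a pkg receipt.
# Layout and label are assumptions for this example.
set -eu

# layout_launcher_root IDENT BINARY STAGE
#   Copies BINARY to STAGE/usr/local/IDENT/bin/launcher, creates the
#   per-identifier state directory STAGE/var/IDENT/launcher and writes a
#   LaunchDaemon plist whose label embeds IDENT. Prints the label.
layout_launcher_root() {
  ident="$1"; binary="$2"; stage="$3"
  # Refuse identifiers that could escape the path or break the plist label.
  case "$ident" in
    ""|*[!A-Za-z0-9._-]*) echo "bad identifier: '$ident'" >&2; return 1 ;;
  esac
  mkdir -p "$stage/usr/local/$ident/bin" \
           "$stage/var/$ident/launcher" \
           "$stage/Library/LaunchDaemons"
  cp "$binary" "$stage/usr/local/$ident/bin/launcher"
  chmod 755 "$stage/usr/local/$ident/bin/launcher"
  label="com.kolide.$ident.launcher"      # assumed label scheme
  cat > "$stage/Library/LaunchDaemons/$label.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>$label</string>
  <key>ProgramArguments</key>
  <array>
    <string>/usr/local/$ident/bin/launcher</string>
    <string>--root_directory</string>
    <string>/var/$ident/launcher</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
EOF
  echo "$label"
}

# build_launcher_pkg IDENT STAGE VERSION OUT
#   Wraps the staged root into a flat package. The package identifier is
#   namespaced as well, so pkgutil and Munki track each build as its own
#   receipt instead of treating one as an upgrade of the other.
#   Only runs where pkgbuild exists (macOS); returns 2 elsewhere.
build_launcher_pkg() {
  ident="$1"; stage="$2"; version="$3"; out="$4"
  command -v pkgbuild >/dev/null 2>&1 || { echo "pkgbuild not available" >&2; return 2; }
  pkgbuild --root "$stage" \
           --identifier "com.kolide.$ident.launcher" \
           --version "$version" \
           --install-location / \
           "$out"
}

# Usage (assumed paths):
#   layout_launcher_root kolide-corp ./build/launcher ./stage-corp
#   build_launcher_pkg   kolide-corp ./stage-corp 1.0.0 ./launcher-kolide-corp.pkg
```

Because every path and the LaunchDaemon label carry the identifier, a second invocation with `kolide-dev` stages a completely separate tree, and `launchctl`, `pkgutil --pkgs` and Munki all see two distinct items rather than one that keeps overwriting the other.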
Kolide Launcher includes a built-in feature that allows it to download new versions of itself and osquery from a secure TUF mirror (more on The Update Framework in a future blog post). We enable autoupdate in our packages and use a beta feed so that we can test upcoming releases internally before the osquery team marks them as stable.
As you can see, with minimal effort and a few open source tools, you can create a first-class Mac unboxing experience for your remote employees that also gives your organization immediate visibility into a new Mac’s security posture. Look out for more insights from us on this topic as Kolide’s engineering organization grows and the process evolves.