Commit 6db98344 authored by Lenny Vaknine

Update Linux OS policy docs for consistency and clarity

parent 8dc1dea6
+14 −16
@@ -18,11 +18,11 @@ We order laptops in bulk through our global vendors to ensure on time and consis

## Laptop Specs

GitLab approves and supports the use of [Linux](../onboarding101/linux-onboarding101/) and macOS for team member laptops. To keep GitLab IT Support efficient, Windows is not supported as a laptop OS.
GitLab approves and supports the use of macOS and Linux for team member laptops. To keep GitLab IT Support efficient, Windows is not supported as a laptop OS.

Further information on GitLab authorized operating systems, versions, and exception process is available on the internal [Approved Operating Systems for GitLab Team Member Endpoint Systems](https://internal.gitlab.com/handbook/security/corporate/operating-systems/) page.

Apple hardware is the recommended choice for GitLab team members. Team members may select a Dell Linux laptop if they are familiar with Linux and are capable of self-support.
Apple hardware is the standard choice for GitLab team members. Linux is available as an alternative for team members who prefer it, but is not encouraged due to limited support. Team members choosing Linux must be fully self-sufficient.

### Apple Hardware

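Review bot: the rewritten sentence "GitLab approves and supports the use of macOS and Linux for team member laptops" drops the `[Linux](../onboarding101/linux-onboarding101/)` link that the old line carried, so readers of this page lose the only pointer to the Linux onboarding guide that explains the Okta prerequisites (disk encryption, hostname, Fleet, EDR); keep the link on "Linux" in the new wording. Swapping the order to "macOS and Linux" matches the "standard choice" framing in the paragraph below and is fine.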
@@ -37,27 +37,25 @@ Most roles that require higher performance machines are approved for a 14" or 16
### Linux Hardware

{{% alert color="warning" %}}
IT strongly encourages team members to select Macs; please only request a Linux laptop if you are experienced in Linux and capable of self-support.
Linux is available as an alternative to macOS, but is not encouraged due to limited support. By choosing Linux, you accept full responsibility for maintaining your environment and understand that IT does not provide support. There is a #linux channel in Slack for exchanging tips and tricks, but it is not an official helpdesk resource.
{{% /alert %}}

We have standardized on the [Dell](https://www.dell.com/en-us/shop/dell-laptops/scr/laptops/appref=ubuntu-linux-os) laptop for Linux users. Due to supply constraints, specific models available from these lines may vary.

Dell does not currently sell laptops pre-installed with Linux in some countries; team members will need to install Linux themselves in those cases.
**Dell is the only approved Linux laptop vendor.** These laptops generally come pre-loaded with Ubuntu Linux. Dell does not sell laptops pre-installed with Linux in some countries; team members will need to install Linux themselves in those cases.

> The maximum price of Linux laptops is not to exceed **the price of the equivalent [16" MacBook Pro laptop](#apple-hardware)**.

Our **only approved Linux laptop vendor is Dell**. These laptops generally come pre-loaded with Ubuntu Linux in order to save money on unused Windows licenses.
**Ubuntu LTS (latest version) is the only approved Linux distribution.**

#### Requirements

Dell is GitLab's exclusive Linux vendor for the following reasons:
* **Fleet Enrollment:** All Linux endpoints must have [Fleet](#fleet) installed.
* **EDR Agent:** CrowdStrike or SentinelOne is required (installed automatically via Fleet).
  * **SentinelOne:** Netherlands, Germany, Italy, Austria.
  * **CrowdStrike:** All other regions.
* **Full-Disk Encryption:** LUKS encryption is required.
* **Self-Managed:** You are responsible for maintaining your Linux environment, including security patching and version upgrades.

* Dell has the longest history of shipping laptops with Linux pre-installed among major manufacturers.
* Dell is able to ship laptops to most countries in which GitLab team members live.
* As we move forward with Zero Trust networking solutions, we need to have a stable and unified platform for deployment of software components in the GitLab environment.
    Standardization on a single platform for Linux simplifies this.
* Current Ubuntu LTS is the **only approved Linux distribution**; Ubuntu LTS has a record of stability and quick patching.
* Purchasing laptops from a single vendor opens the possibility of corporate discounts.
* [Dell is a certified Ubuntu vendor](https://certification.ubuntu.com/desktop/models?query=&category=Desktop&category=Laptop&level=&release=18.04+LTS&vendors=Dell) They even have their own Ubuntu OEM release of Ubuntu they maintain, and as a result of their effort, the standard Ubuntu Linux LTS image natively supports Dell hardware and even firmware updates.
* To date, all of Dell's major security issues have not been related to their hardware.
EDR deployment is required on all team member endpoint systems, including [virtual machines](/handbook/security/corporate/systems/sentinelone/#virtual-machines). Docker containers are excluded from MDM/EDR enrollment requirements.

### Windows for Customer Support and Product Development

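Review bot: the new Requirements list (Fleet Enrollment, EDR Agent, Full-Disk Encryption, Self-Managed) omits two items that the other pages changed in this commit treat as mandatory: the host firewall, which the setup guide enables with `sudo ufw enable` and which Fleet is said to verify, and the "Security Patches: within 7 days of release" row introduced in the Linux Desktop OS Security Standards table; add both here or link to that table so the hardware page and the standards page do not disagree about what compliant means. Also, "installed automatically via Fleet" under EDR Agent reads as if Fleet is the only path, while the closing paragraph says EDR is also required on virtual machines; state whether VMs are enrolled the same way or point VM users to the linked SentinelOne page explicitly.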
+1 −1
@@ -20,7 +20,7 @@ The main need centers around processing power and the operating system support f

#### Security needs

GitLab needs the ability to ensure a secure and stable platform. From an operating system perspective, macOS and Linux meet these needs. The Security team has found a slight advantage in Ubuntu as a Linux distribution due to their rapid response time when it comes to patching security flaws, and we recommend this distribution. It is necessary to use an [approved Linux distribution](https://internal.gitlab.com/handbook/it/it-self-service/operating-systems/).
GitLab needs the ability to ensure a secure and stable platform. From an operating system perspective, macOS and Linux meet these needs. Ubuntu LTS is the only approved Linux distribution due to its stability and rapid response time when it comes to patching security flaws. See the [Approved Operating Systems](https://internal.gitlab.com/handbook/security/corporate/operating-systems/) page for details.

#### Compliance needs

+11 −9
@@ -4,9 +4,11 @@ title: "GitLab Linux Onboarding 101"

## Welcome to the GitLab Linux Community

While MacBooks are the primary device choice for most of our members, we do offer the option for technical team members to use Linux. We expect all of our Linux users to be familiar with the platform and to be self-sufficient in setting up their work environments, while also staying compliant with our security policies. However, we also want to make sure that everyone who joins our team is able to get set-up with the basic tools needed to get started without any issues. As such, this guide is designed to address common issues that users encountered when setting up their new machines.
Linux is available as an alternative to macOS, but is not encouraged due to limited support. By choosing Linux, you accept full responsibility for maintaining your environment and understand that IT does not provide support.

>**NOTE**: We generally do not provide in-depth technical support for Linux, but we can assist with making sure that users can log into Okta.
We expect Linux users to be familiar with the platform and self-sufficient in setting up their work environments while staying compliant with our security policies. This guide addresses common issues encountered when setting up new machines.

>**NOTE**: We do not provide in-depth technical support for Linux, but we can assist with Okta login issues. The #linux Slack channel is available for exchanging tips and tricks, but it is not an official helpdesk resource.

## Table of Contents

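Review bot: the new opening paragraph states flatly that "IT does not provide support", while the NOTE two lines below says IT "can assist with Okta login issues"; qualify the first sentence (for example, "does not provide support beyond getting you logged into Okta") so the two statements do not contradict each other. The same unqualified sentence is pasted into the Laptop Specs alert and the Security Standards page in this commit, so whatever wording is chosen should be applied identically in all three places.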
@@ -29,18 +31,18 @@ To get set up on your new Linux laptop, you will need to have the following:

## Security Requirements

>**Note**: Ubuntu is the standard distribution used on Linux laptops. This is to ensure GitLab meets all regulatory and compliance standards. Ubuntu has proved to be highly reliable for running the "tech stack" of required security products to meet the various industry standards.
>**Note**: Ubuntu LTS (latest version) is the only approved Linux distribution. This ensures GitLab meets all regulatory and compliance standards, and Ubuntu has proven highly reliable for running the required security tools.

Before being able to log into Okta, a number of security requirements must be met
Before being able to log into Okta, the following security requirements must be met:

1. Disk encryption must be enabled
1. The laptop's hostname must match our standard naming convention
1. Fleet Device Management must be installed
1. Endpoint Security (CrowdStrike Falcon OR SentinelOne (Germany,the Netherlands, Italy, and Austria only)) must be installed
1. **Full-Disk Encryption:** LUKS encryption must be enabled
1. **Hostname:** The laptop's hostname must match our standard naming convention
1. **Fleet:** Device management must be installed
1. **EDR:** CrowdStrike Falcon or SentinelOne (Germany, the Netherlands, Italy, and Austria only) must be installed

## Initial Installation and Disk Encryption

The default version of Ubuntu that ships on Linux does not have disc encryption enabled. While it may be possible to encrypt a disk after an OS has been set up, it is not recommended and will likely result in further issues. As such, you will need to reinstall the OS before continuing.
The default version of Ubuntu that ships on Dell laptops does not have disk encryption enabled. Encrypting a disk after OS installation is not recommended and may cause issues. You will need to reinstall the OS with encryption enabled.

1. Download the latest Ubuntu LTS release [here](https://ubuntu.com/download/desktop)
1. Create a bootable USB drive using [balenaEtcher](https://etcher.balena.io/) or similar
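Review bot: "You will need to reinstall the OS with encryption enabled" is now unconditional, but the setup guide changed in this same commit first checks with `sudo dmsetup ls` and only reinstalls if no `cryptdata`/`dm_crypt-0` mapping is present; reference that check here, or scope the reinstall to the Dell OEM image and to self-installs done without LUKS, so a team member who already installed with LUKS is not told to wipe a working machine. The "Dell laptops" fix in the first sentence (previously "ships on Linux") is correct.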
+19 −7
@@ -2,12 +2,24 @@
title: Linux Desktop OS Security Standards
---

Linux is allowed as an alternative to an Apple Mac running macOS. Historically this was only allowed for the Engineering Division, but anyone in GitLab can use Linux. Just bear in mind it is assumed you are capable of self-support when running Linux - there is a #linux channel in Slack where one can exchange tips and tricks, but it is not intended as an official Helpdesk resource.
Linux is available as an alternative to macOS, but is not encouraged due to limited support. By choosing Linux, you accept full responsibility for maintaining your environment and understand that IT does not provide support. There is a #linux channel in Slack for exchanging tips and tricks, but it is not an official helpdesk resource.

The following is the list of standards that Corporate Security is requiring for all Desktop OS laptops, including Linux:
**Ubuntu LTS (latest version) is the only approved Linux distribution.**

- The hard drive must be encrypted.
- The approved EDR (Endpoint Detection and Response) solution is installed.
- The user account must be a regular user account, with the administrative account disabled from login. All administrative actions must be carried out using the the `sudo` command.
- The laptop must have the corporate-approved remote management tools. For Linux this is FleetDM. This is used to confirm certain settings are in use, confirm the hard drive is encrypted, firewall is enabled, deploy the EDR solution, and allow for remote hard drive wiping at "end of life" for the laptop before a new one is provided.
- The use of a YubiKey 5 FIPS to authenticate is also required. Please review the [ordering guide](/handbook/security/corporate/systems/yubikey/purchasing/) and associated [user guide](/handbook/security/corporate/systems/yubikey/2fa/).
## Security Requirements

All Linux endpoints must meet the following security standards:

| Requirement | Details |
| :--- | :--- |
| **Fleet Enrollment** | Mandatory for all Linux endpoints |
| **EDR Agent** | CrowdStrike or SentinelOne (region-dependent) |
| **Full-Disk Encryption** | LUKS encryption required |
| **OS Version** | Ubuntu LTS (Latest) |
| **Security Patches** | Must be applied within 7 days of release |
| **User Account** | Must be a regular user account; use `sudo` for administrative actions |
| **YubiKey** | YubiKey 5 FIPS required for authentication |

For YubiKey setup, see the [ordering guide](/handbook/security/corporate/systems/yubikey/purchasing/) and [user guide](/handbook/security/corporate/systems/yubikey/2fa/).

Fleet is used to confirm security settings, verify encryption and firewall status, deploy the EDR solution, and enable remote wipe capability.
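Review bot: the "User Account" row drops the requirement from the removed bullet that the administrative account be "disabled from login", which is the part that actually prevents direct root sign-in; restore it, for example "regular user account; root/administrative login disabled; use `sudo` for administrative actions". Two further gaps in the table: the firewall, which the closing paragraph says Fleet verifies, has no row, and the new "Security Patches: within 7 days of release" requirement appears only here and not on the hardware or setup pages changed in this commit, so either add it to those pages or have them link to this table as the single source.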
+3 −3
@@ -4,17 +4,17 @@ title: Linux Desktop OS Setup Guide

## Setup and Deployment Steps

These steps assume you are using the work-purchased Dell running Ubuntu 22.04 LTS or later. This is because Ubuntu 22.04 is known to support the required software packages for remote management and EDR solutions that allow for Linux use in GitLab. If your situation is different and you are running different hardware and/or using a different Linux distribution, it _must_ be capable of supporting the required software packages.
These steps assume you are using a company-provided Dell laptop running **Ubuntu LTS (latest version)** - the only approved Linux distribution. Dell is the only approved Linux laptop vendor. Ubuntu LTS is required to support the necessary software packages for remote management and EDR solutions.

1. **Ensure your laptop is running Linux**. Certain circumstances (world region and availability of hardware) might require the self installation of Linux on a Dell that was shipped with OEM Windows. If this is the case, you will need to set up a USB drive with Ubuntu and perform the installation.

For laptops shipped with OEM Windows you may want to make a full drive backup (e.g. by using open source utility [Clonezilla](https://clonezilla.org/)) to an external drive before installing Linux. That way you could restore your laptop to the original state at any time. It will make the RMA process much easier in case you need it. This is optional and not required.

1. **Ensure the hard drive is encrypted**. From a terminal window run the command `sudo dmsetup ls`. If there is a reference to something like `cryptdata` or `dm_crypt-0` in the output, encryption is enabled. If not, you will need to reinstall Ubuntu and enable drive encryption during the installation process.
1. **Ensure full-disk encryption is enabled (LUKS required)**. From a terminal window run the command `sudo dmsetup ls`. If there is a reference to something like `cryptdata` or `dm_crypt-0` in the output, encryption is enabled. If not, you will need to reinstall Ubuntu and enable LUKS drive encryption during the installation process.

1. **Ensure the firewall is enabled**. From a terminal window run the command `sudo ufw status`. If the response is `Status: inactive` run `sudo ufw enable`. If `ufw` is not installed, run `sudo apt install ufw` first.

1. **Ensure MDM is installed**. Follow the instructions listed [here](https://internal.gitlab.com/handbook/security/corporate/tooling/fleet/#enrolling-in-fleet) (internal link). This will also install the EDR tool.
1. **Ensure Fleet is installed**. All Linux endpoints must have Fleet installed. Follow the instructions listed [here](https://internal.gitlab.com/handbook/security/corporate/tooling/fleet/#enrolling-in-fleet) (internal link). This will also install the EDR tool (CrowdStrike or SentinelOne depending on your region).

1. **Regular Applications**. Use the regular approved applications such as Google Chrome (and sign into Okta), Zoom, and Slack. Install the other applications for your job description (e.g. development tools) as needed. Complete the steps in your onboarding issue and/or laptop equipment issue.

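Review bot: replacing "Ubuntu 22.04 LTS or later" with "Ubuntu LTS (latest version)" makes the requirement ambiguous on the day a new LTS ships: is a machine still on the previous LTS immediately non-compliant, and how long does a team member have to upgrade? State the intended rule (for instance an upgrade window aligned with the 7-day patch requirement on the standards page) rather than "latest". Also, in the encryption step, `sudo dmsetup ls` only shows that some dm-crypt mapping exists, not that it is LUKS; since the step heading now says "LUKS required", suggest checking `lsblk -f` for a partition of type `crypto_LUKS` (or `sudo cryptsetup status <mapping-name>`) instead.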