As our company grew from 20 something to over 60 people, with an expected employee base of 100 by the end of the year, we faced new challenges in managing our fleet of laptops. Our laptop management system evolved from self-service, to a golden image system, into today’s automated deployment system utilizing Munki and Apple Profile Manager. Throughout our company’s growth, we’ve always been committed to handing our users a laptop, ON DAY ONE, fully configured. How many other companies can boast that new hires walk into the door and have a configured workstation, ready to contribute, before they even have their first meeting?
With a well maintained wiki page, we could setup a factory fresh laptop within a justifiable amount of time by following a single wiki document. We were using golden images to manage the re-use of existing laptops and for setting up factory fresh laptops. After restoring from a golden image, the DevOps team would setup the user’s account, configure the WiFi, and pre-load additional software as needed. As our engineering team grew, they would update the internal wiki with their own notes on how to configure a laptop for their teams’ needs. They would document DMG download links to needed software such as MySQL or IntelliJCE, important aliases or PATH settings to ~/.bashrc, or step by step instructions on how to install Hadoop libraries into their development environment. Naturally, the DevOps team used those notes when updating the golden image.
Along the year, we’d occasionally tweak the golden image. Laptops, factory fresh or recycled for interns, would get booted into an Apple Restore DVD, and with Disk Utility, restored from the golden image. The bulk of our setup was now done from an unattended restore from this single image. There were still post-restore steps to perform, such as adding a printer installed after the golden image was generated, and setting systems settings tied to the user account, like enforcing a password-locked screen-saver.
At the rate of hiring one or two employees every 3 months, it didn’t matter that DevOps would spend about 40 minutes setting up a laptop. The manual process of re-imaging a laptop, enforce password protected screen-savers, took little effort and was not worth the time to automate. For our engineering users, the DevOps team would follow the wiki documentation and manually install, compiling if necessary, their development tools.
Then, our summer internship program began to take off; Suddenly, we would be responsible for setting up laptops not for a single user, but for potentially a dozen new users in a single month. Interns have a limited amount of time, and couldn’t waste it by tweaking or installing software on their laptop.
Golden images are supportable when you have a small rate of change. Our nimble and fast iterating engineering staff created an ever constant change in their software requirements. The number of laptops to setup per month increased as we on-boarded new consultants, full-time employees, and winter/summer interns. Each change request required us to regenerate the golden image, or document it and handle it in a post-restore step. When a new model of MacBooks were released, we’d could no longer use the golden image, since the golden image didn’t have drivers for models newer than the one it was generated on. We were also limited in how many simultaneous installs we could perform; We could only restore as many laptops as there were external HDs.
We now employe a Mac Mini running OS X Server and Munki. Using Profile Manager, we can now automatically push to all laptops system settings such as password requirements, WiFi networks, or disabling auto logins. We can also deploy File Vault 2 using a institutional recovery key, instead of manually recording individual File Vault keys in a spreadsheet, all from a centralized interface. New or existing laptops simply need to have an enrollment profile installed, and then plugged into our wired network. Installing packages and configuring system settings are now 100% automated and require no attention from the DevOps team.
With Munki, we can now fully automate our user’s software requirements. Using Profile Manager, we separate our laptops into broad groups such as Biz and Dev. Profile Manager will configure their locally running Munki client to point at department specific Munki Manifests, which dictate what software packages must be installed. From there, the Munki client will automatically download and install software from our internal Munki Server. The number of simultaneous installs are limited only by the number of USB ethernet adapters we have on hand. If a software package, or system setting needs to be added or updated, we can just update the Munki Server, plug laptops into the network, and let the Profile Manager/Munki client do the rest.
Using OS X Server, we now have a cleaner and faster solution for wiping and restoring existing laptops recycled for interns or one-offs. Using Net Restore, we pop a laptop into our wired network, power on and camp on the N key, and wait for the laptop to restore to our bare Mavericks install, hosted in our internal OS X Server. The only software package pre-loaded in the Net Restore image is the Munki client and the local Enrollment Profile. Post restore, the Munki client automates additional software installs.
Here at LiveRamp, we value & respect our co workers time. Handing them a fully configured laptop the moment they walk into the door fosters a culture of high productivity. New employees, interns, consultants, all focus on contributing to their team within the first few days, without having to wait days or weeks for an IT staff to hand them a working laptop. Utilizing a centralized knowledge base (wiki) that our employees are encouraged to use broke down any barriers new employees and their mentors may have had within their first few days, and created a natural feedback loop to the DevOps team. No matter how we setup their laptop (An instructional document, a golden image, or a modern MDM solution), our primary goal has always been to empower new hires to contribute to their job on day one.