We’re looking to set up a short-term solution for managing a fleet of about 50 Ubuntu laptops. Please poke holes in this solution! I’m looking for feedback.
Here’s the proposed setup:
3 blob stores where permissions are managed by group membership:
- Tasks: Read + list permissions
  - Ansible playbooks are stored here
  - Initial provisioning playbook is stored here
- Assets: Read-only
  - Sensitive assets stored here
- Logging: Write-only
  - Logs for ansible playbook tasks are logged here
- Custom Ubuntu ISO where a script runs on first user first login
  - User is prompted for SSO creds
  - Once successful SSO authentication happens, access token is stored securely on the laptop
  - Script uses access token to download initial provisioning playbook from the Tasks blob store
  - The ansible playbook then downloads the necessary assets for initial provisioning from the Assets blob store
  - Once the assets are downloaded and the provisioning is completed, cron jobs are installed on the laptop to, on a regular basis:
    - check the tasks store for new ansible playbooks
    - send inventory to the logging server
New ansible playbooks can be uploaded to the Tasks store whenever there is an MDM task to be run.
Note: This is a short-term solution until a proper MDM solution is evaluated, decided on, prices are negotiated, terms are disputed, contracts are signed, purchases are put through, funds are transferred (I think you get the point).
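The cron job that "checks the tasks store for new ansible playbooks" is the part of this design that turns write access to the Tasks store into root on every laptop, so the check a practitioner would want on the laptop side is integrity verification plus run-once bookkeeping before anything is handed to `ansible-playbook`. The following is an added example of such a pull agent; it is not the poster's code. It assumes the Tasks store holds a `manifest.json` listing playbook objects with their SHA-256 digests, a detached `manifest.sig`, and one object per playbook (all constructed here as an in-memory dict so it runs offline). The signature is an HMAC-SHA256 stand-in so the example needs only the standard library; in a real deployment the manifest should carry a public-key signature (minisign, gpg, or similar) so laptops hold only a verification key and the signing key never leaves the admin side.

```python
"""Pull agent for the Tasks blob store (added example, not the poster's code).

Each cron tick: fetch manifest + signature, verify, run every playbook that has
not been applied before (and whose digest matches the manifest), and return log
records of the kind that would be written to the write-only Logging store.
"""
import hashlib
import hmac
import json
import subprocess
import tempfile
from pathlib import Path

# --- constructed stand-in for the Tasks store: object name -> bytes ----------
PLAYBOOK_A = b"- hosts: localhost\n  tasks:\n    - debug: msg=baseline\n"
PLAYBOOK_B = b"- hosts: localhost\n  tasks:\n    - debug: msg=patch\n"
MANIFEST = {
    "tasks": [
        {"id": "0001-baseline", "object": "0001-baseline.yml",
         "sha256": hashlib.sha256(PLAYBOOK_A).hexdigest()},
        {"id": "0002-patch", "object": "0002-patch.yml",
         "sha256": hashlib.sha256(PLAYBOOK_B).hexdigest()},
    ]
}
# Constructed test key; a real deployment would use a public-key signature here.
SIGNING_KEY = b"constructed-test-key-not-for-production"
MANIFEST_BYTES = json.dumps(MANIFEST, sort_keys=True).encode()
TASKS_STORE = {
    "manifest.json": MANIFEST_BYTES,
    "manifest.sig": hmac.new(SIGNING_KEY, MANIFEST_BYTES, "sha256").hexdigest().encode(),
    "0001-baseline.yml": PLAYBOOK_A,
    "0002-patch.yml": PLAYBOOK_B,
}


def fetch(store, name):
    """Stand-in for a blob-store GET authenticated with the stored access token."""
    return store[name]


def verify_manifest(manifest_bytes, sig, key):
    """Constant-time check of the detached signature over the raw manifest bytes."""
    expected = hmac.new(key, manifest_bytes, "sha256").hexdigest().encode()
    return hmac.compare_digest(expected, sig)


def pending_tasks(manifest, applied):
    """Playbooks listed in the manifest that this laptop has not run yet, in order."""
    return [t for t in manifest["tasks"] if t["id"] not in applied]


def run_playbook(body):
    """Write the verified playbook to a private temp dir and run it locally."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "task.yml"
        path.write_bytes(body)
        proc = subprocess.run(
            ["ansible-playbook", "-i", "localhost,", "-c", "local", str(path)],
            capture_output=True, text=True)
        return proc.returncode


def run_cycle(store, key, applied, dry_run=True):
    """One cron tick. `applied` is the persisted set of task ids already run;
    it is updated in place. Returns the log records for the Logging store."""
    log = []
    manifest_bytes = fetch(store, "manifest.json")
    if not verify_manifest(manifest_bytes, fetch(store, "manifest.sig"), key):
        # Nothing from an unverified manifest is ever executed.
        log.append({"event": "manifest_rejected"})
        return log
    manifest = json.loads(manifest_bytes)
    for task in pending_tasks(manifest, applied):
        body = fetch(store, task["object"])
        if hashlib.sha256(body).hexdigest() != task["sha256"]:
            # Object in the store does not match what was signed: skip, report,
            # and do not mark as applied so it is retried once the store is fixed.
            log.append({"event": "playbook_hash_mismatch", "id": task["id"]})
            continue
        rc = 0 if dry_run else run_playbook(body)
        applied.add(task["id"])  # run-once semantics, even if the playbook failed
        log.append({"event": "applied", "id": task["id"], "rc": rc})
    return log


if __name__ == "__main__":
    state = set()
    print(run_cycle(TASKS_STORE, SIGNING_KEY, state))   # two "applied" records
    print(run_cycle(TASKS_STORE, SIGNING_KEY, state))   # nothing pending: []
```

The `applied` set stands in for a small state file on the laptop; persisting it is what makes the cron job idempotent, and keeping the failed-hash case out of that set means a corrupted upload is retried rather than silently skipped. The manifest-level signature is what matters: per-object hashes without a signed manifest would only protect against transfer corruption, not against whoever can write to the store.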