Ansible + blob storage as an MDM-lite solution

We’re looking to set up a short-term solution for managing a fleet of about 50 Ubuntu laptops. Please poke holes in this solution! I’m looking for feedback.

Here’s the proposed setup:

Three blob stores, with permissions managed by group membership:

  • Tasks: read + list permissions
    • Ansible playbooks are stored here
    • The initial provisioning playbook is stored here
  • Assets: read-only
    • Sensitive assets are stored here
  • Logging: write-only
    • Logs from Ansible playbook tasks are written here

A custom Ubuntu ISO where a script runs on the first user's first login:

  1. The user is prompted for SSO creds.
  2. Once SSO authentication succeeds, the access token is stored securely on the laptop.
  3. The script uses the access token to download the initial provisioning playbook from the Tasks blob store.
  4. The Ansible playbook then downloads the assets needed for initial provisioning from the Assets blob store.
  5. Once the assets are downloaded and provisioning is complete, cron jobs are installed on the laptop to, on a regular basis:
     • check the Tasks store for new Ansible playbooks
     • send inventory to the logging server

New ansible playbooks can be uploaded to the Tasks store whenever there is an MDM task to be run.

Note: This is a short-term solution until a proper MDM solution is evaluated, decided on, prices are negotiated, terms are disputed, contracts are signed, purchases are put through, funds are transferred (I think you get the point).
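The part of this design worth a worked example is step 5, the cron job that polls the Tasks store and runs whatever playbooks are new: with the scheme as described, anyone who can write to that store (or anyone who obtains the storage credentials) can run arbitrary code as root on every laptop in the fleet. The script below is an added example, not code from the post, showing the laptop-side poller with the two checks a practitioner would want before executing a downloaded playbook: the playbook list is carried in a manifest that is authenticated before anything runs, and each playbook's hash is compared with the manifest so a file swapped in the store without a re-signed manifest is rejected. A record of already-applied playbooks keeps the cron job idempotent. Everything it touches is a stand-in: the blob store is a local directory (in the real setup this would be a cloud SDK call using the stored SSO token), the two playbooks are constructed sample data, and the manifest is authenticated with an HMAC-SHA256 tag so the example runs with the standard library only. For a real deployment the tag should be a public-key signature (for example minisign or `ssh-keygen -Y verify`) so that laptops hold only a verification key and cannot forge manifests themselves; all file names and paths here are assumptions for the example.

```python
#!/usr/bin/env python3
"""Added example (not from the post): laptop-side cron poller for the Tasks store.

Stand-ins so the example runs offline:
  * the blob store is a local directory; fetching via the cloud SDK with the
    stored SSO token is out of scope here
  * the manifest is authenticated with HMAC-SHA256 (shared key) because only
    the standard library is used; use a public-key signature in production so
    laptops hold a verification key only
"""
import hashlib
import hmac
import json
import subprocess
import tempfile
from pathlib import Path

# Constructed sample playbooks for the stand-in store (assumed names).
SAMPLE_PLAYBOOKS = {
    "01-base.yml": "- hosts: localhost\n  tasks:\n    - debug: msg=base\n",
    "02-sshd.yml": "- hosts: localhost\n  tasks:\n    - debug: msg=sshd\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_store(store: Path, key: bytes) -> None:
    """Uploader side: write the sample playbooks plus an authenticated manifest."""
    store.mkdir(parents=True, exist_ok=True)
    entries = []
    for name, body in SAMPLE_PLAYBOOKS.items():
        (store / name).write_text(body)
        entries.append({"name": name, "sha256": sha256_hex(body.encode())})
    manifest = json.dumps({"playbooks": entries}, sort_keys=True).encode()
    (store / "manifest.json").write_bytes(manifest)
    tag = hmac.new(key, manifest, hashlib.sha256).hexdigest()
    (store / "manifest.json.sig").write_text(tag)


def load_manifest(store: Path, key: bytes) -> dict:
    """Laptop side: return the manifest only if its authentication tag verifies."""
    body = (store / "manifest.json").read_bytes()
    tag = (store / "manifest.json.sig").read_text().strip()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise RuntimeError("manifest tag mismatch: refusing to run anything")
    return json.loads(body)


def run_with_ansible(playbook: Path) -> int:
    """Real runner: apply the playbook to this machine over the local connection."""
    cmd = ["ansible-playbook", "-i", "localhost,", "-c", "local", str(playbook)]
    return subprocess.run(cmd, check=False).returncode


def apply_pending(store: Path, key: bytes, applied: set, runner=run_with_ansible) -> list:
    """Run each manifest-listed playbook not yet in `applied`, in manifest order.

    Every file is hashed and checked against the manifest before it runs, so a
    playbook replaced in the store without a re-signed manifest is rejected.
    Returns the names that ran successfully and adds them to `applied`; a
    failed run stops the pass so the next cron run retries it.
    """
    ran = []
    for entry in load_manifest(store, key)["playbooks"]:
        name = entry["name"]
        if name in applied:
            continue
        path = store / name
        if sha256_hex(path.read_bytes()) != entry["sha256"]:
            raise RuntimeError(f"{name}: content does not match manifest")
        if runner(path) != 0:
            break
        applied.add(name)
        ran.append(name)
    return ran


if __name__ == "__main__":
    key = b"demo-key-replace-with-real-signing"  # assumption: demo only
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp) / "tasks"
        build_store(store, key)
        done = set()
        # A dry runner is used here so the demo does not need ansible installed.
        print("first run:", apply_pending(store, key, done, runner=lambda p: 0))
        print("second run:", apply_pending(store, key, done, runner=lambda p: 0))
```

In the real cron job `applied` would be persisted on disk (and reported to the Logging store, which is what the write-only bucket is for), and the manifest would be fetched with the same SSO token the provisioning script stored. The hash-per-file check matters even with an authenticated manifest: list permission on the Tasks store tells the laptop what exists, but only the manifest says what was intended.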