The elusive Linux MDM

Has been there all along

Whether we like it or not, workstations running Linux are commonplace in organisations. We all have stories of an engineer who is allowed to use an unmanaged Linux machine, or a team whose work cannot be done using the organisation’s usual computers. Whatever the reason, Linux workstations are not likely to vanish from our businesses any time soon. But they still pose a risk to the organisation if left unsupervised.

MDMs are not optional

Companies invest a great deal of effort in the security of their employees’ workstations; 22% of security budgets are allocated to endpoint security solutions. Security compliance standards systematically include requirements for workstation management.

DORA’s Article 11 sets out the requirements for workstations, including the ability to specify the programs that can be installed on the devices. As for the ISO 27000 family of standards, ISO 27002 supplements ISO 27001 Annex A.8.1 by requiring, among other things, the application of updates, encryption of storage media and the ability to block machines remotely. Similarly, the MDM-1 requirement of the SOC 2 standard clearly states ‘The company has a mobile device management (MDM) system in place to centrally manage mobile devices supporting the service’.

No room for misinterpretation here: in a business environment, MDMs are a prerequisite.

“But there are no MDMs for Linux”

So how do you meet the needs of your colleagues and auditors? In a Microsoft or Apple environment, there are many solutions available (e.g. Microsoft Intune, ManageEngine, Scalefusion, Jamf, Kandji, Mosyle).

When it comes to Linux, the selection is more limited, but still exists. It includes, but is not limited to:

  • Canonical Landscape
    • Landscape is Canonical’s solution for managing Ubuntu systems, offering features such as software updates, configuration management, and script execution.
  • Jumpcloud
    • Jumpcloud offers a single platform for managing devices, access and identities. Their device management solution supports Linux systems.
  • Red Hat Satellite
    • Satellite is Red Hat’s solution for managing RHEL systems at enterprise scale, with the price to match.

Realistically speaking, in a start-up or scale-up setting, it’s unlikely you’re running RHEL systems. So you need to choose between Jumpcloud’s do-it-all platform (which you might not necessarily need), costing you $108/year/workstation, or Canonical’s plucky Landscape, costing you $25/year/workstation. To me, the choice was clear.

Canonical Landscape

Canonical, creator of Ubuntu, has been offering a remote management tool for Ubuntu systems since 2007: Landscape. Even though it is not sold as an MDM, Landscape is fully capable of providing the usual functions expected of an MDM: management of updates, software, configuration, and so on.

Thanks to its ability to run scripts and centralise their results, you’ll be limited only by your imagination with Landscape. You can install and uninstall all the apt and snap packages you want, monitor the health and security of the machine, and even deploy bespoke scripts to block the use of storage devices on USB ports. You can do everything your auditors could ever dream of!
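As an added example of the kind of script described above (not code from the original post, and not Canonical's), here is a hardening and health-check script that could be pushed to workstations through Landscape's ScriptExecution plugin. Everything it prints is captured as the script output shown in the console, so it emits plain key=value lines. The file name under /etc/modprobe.d, the `enforce`/`report` arguments and the sample `apt list` lines are my own conventions and constructed data; the live-system commands (`findmnt`, `lsblk`, `apt list`, `systemctl is-active`) are standard Ubuntu tooling. Paths and command outputs are passed in as parameters so the logic can be exercised against a scratch directory without touching the host.

```shell
#!/bin/bash
# Added example: hardening + compliance report for a Landscape "Run script"
# job. Not from the original post and not Canonical's code. Defaults target
# the live system; parameters exist so the logic can be tested offline.

MODPROBE_DIR_DEFAULT=/etc/modprobe.d
USB_RULE_FILE=99-mdm-block-usb-storage.conf   # assumed file name

# Install a modprobe rule that refuses to load the USB mass-storage drivers.
# "install <mod> /bin/false" also defeats an explicit "modprobe usb-storage",
# which a plain "blacklist" line on its own would not.
block_usb_storage() {
    local dir="${1:-$MODPROBE_DIR_DEFAULT}"
    mkdir -p "$dir"
    cat > "$dir/$USB_RULE_FILE" <<'EOF'
# Managed by the MDM: USB mass storage is not permitted on this workstation
install usb-storage /bin/false
install uas /bin/false
blacklist usb-storage
blacklist uas
EOF
    # Unload the drivers if they are currently loaded (only on a real system)
    if [ "$dir" = "$MODPROBE_DIR_DEFAULT" ] && command -v modprobe >/dev/null 2>&1; then
        modprobe -r uas usb-storage 2>/dev/null || true
    fi
}

# Exit 0 if the rule is in place, 1 otherwise.
usb_storage_blocked() {
    local dir="${1:-$MODPROBE_DIR_DEFAULT}"
    grep -qs '^install usb-storage /bin/false$' "$dir/$USB_RULE_FILE"
}

# Given the ancestor chain of the root block device as printed by
# `lsblk -sno TYPE <device>` (one type per line: lvm, crypt, part, disk, ...),
# exit 0 when a dm-crypt layer sits somewhere below /. Walking the whole chain
# rather than checking the top device catches Ubuntu's LVM-on-LUKS layout.
root_encrypted_from_chain() {
    printf '%s\n' "$1" | grep -qx 'crypt'
}

# Count pending updates that come from a *-security pocket, given the output
# of `apt list --upgradable`. Lines look like
# "openssl/jammy-security 3.0.2-0ubuntu1.15 amd64 [upgradable from: ...]".
security_updates_pending() {
    printf '%s\n' "$1" | grep -c '^[^/ ]*/[^ ]*-security' || true
}

# Gather live values and print the report the console will capture.
compliance_report() {
    local root_dev chain upgradable state
    root_dev=$(findmnt -no SOURCE / 2>/dev/null)
    chain=$(lsblk -sno TYPE "$root_dev" 2>/dev/null)
    upgradable=$(apt list --upgradable 2>/dev/null)
    state=$(systemctl is-active landscape-client 2>/dev/null)
    printf 'hostname=%s\n' "$(hostname)"
    printf 'usb_storage_blocked=%s\n' "$(usb_storage_blocked && echo yes || echo no)"
    printf 'root_encrypted=%s\n' "$(root_encrypted_from_chain "$chain" && echo yes || echo no)"
    printf 'security_updates_pending=%s\n' "$(security_updates_pending "$upgradable")"
    printf 'landscape_agent=%s\n' "${state:-unknown}"
}

# Usage from the Landscape "Run script" dialog, running as root:
#   ./mdm-check.sh enforce   -> install the USB rule, then print the report
#   ./mdm-check.sh report    -> print the report only
case "${1:-}" in
    enforce) block_usb_storage; compliance_report ;;
    report)  compliance_report ;;
esac
```

Because the report is plain key=value text, the same script serves both as the enforcement step and as the evidence an auditor asks for: run it with `report` on a tag such as `laptop` and the console keeps one output per machine.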

Landscape is included in the Ubuntu Pro licence, which starts at $25 per machine per year, and you can use the SaaS service or host your own Landscape instance. The Ubuntu Pro licence also includes 10-year extended security updates for all packages in the Ubuntu Main and Ubuntu Universe repositories; that’s a great bonus feature to have.

Landscape in a start-up setting

Deployment

To deploy Landscape on an Ubuntu machine, I wrote a Bash script (available below) to install the Landscape agent, and attach the machine to my workspace on the Canonical Landscape SaaS service.

I ran the script with curl -fsSL https://example.com/<random_string_to_make_finding_the_URL_harder> | sudo [FORCE_REGISTER=true|RESTART_MDM=false] bash.

#!/bin/bash
# Installs the Landscape agent and the Ubuntu Pro client, writes the agent
# configuration, registers the machine with the Landscape account and
# restarts the agent. Must run as root (hence the "| sudo bash" above).
#
# Optional environment variables:
#   FORCE_REGISTER=true   re-attach Ubuntu Pro and re-register even if the
#                         machine is already registered
#   RESTART_MDM=false     do not restart the landscape-client service

if [ "$(id -u)" -ne 0 ]; then
    echo "This script must be run as root" >&2
    exit 1
fi

# ##################################################################
# Inputs
# Computer title shown in the console: "<hostname>-<user who invoked sudo>"
title="${HOST:-${HOSTNAME}}-${SUDO_USER:-${USER:-${USERNAME}}}"
acct_name="<organisation>"               # Your account's name on landscape.canonical.com
reg_key="<registration key>"             # The key you can define on your Landscape console
pro_key="<Ubuntu Pro subscription key>"

# ##################################################################
# Functions
register() {
    echo -e "\e[32m◎ Register Machine on the MDM Console\e[0m"
    landscape-config \
        --computer-title "$title" \
        --account-name "$acct_name" \
        --registration-key "$reg_key" \
        --http-proxy= --https-proxy= \
        --access-group=global \
        --tags="laptop" \
        --script-users=ALL \
        --include-manager-plugins=ScriptExecution \
        --silent
}

enroll_ubuntu_pro() {
    echo -e "\e[32m◎ Attach machine to company's Ubuntu Pro workspace\e[0m"
    pro attach "$pro_key"
    sleep 2
}

# Install a package unless dpkg already reports it as installed
install_if_missing() {
    if dpkg-query -W -f='${Status}' "$1" 2>/dev/null | grep -q "install ok installed"; then
        return
    fi
    echo -e "\e[32m◎ Install $1\e[0m"
    DEBIAN_FRONTEND=noninteractive apt-get -yq install "$1"
}

# ##################################################################
# Install clients
install_if_missing landscape-client
install_if_missing ubuntu-pro-client

# ##################################################################
# Set config
# Comments are kept outside the heredoc so they cannot end up inside a value.
# Change url and ping_url if using a self-hosted instance.
echo -e "\e[32m◎ Set configuration\e[0m"
cat << EOF > /etc/landscape/client.conf
[client]
log_level = error
url = https://landscape.canonical.com/message-system
ping_url = http://landscape.canonical.com/ping
data_path = /var/lib/landscape/client
computer_title = $title
account_name = $acct_name
registration_key = $reg_key
include_manager_plugins = ScriptExecution
http_proxy =
https_proxy =
access_group = global
tags = laptop
script_users = ALL
ping_interval = 60
monitor_plugins = ALL
manager_plugins = ALL
package_monitor_interval = 3600
snap_monitor_interval = 3600
EOF

cat << EOF > /etc/default/landscape-client
RUN=1
EOF

# ##################################################################
# Register
case "${FORCE_REGISTER:-false}" in
    true)
        echo -e "\e[32m◎ FORCE_REGISTER is true\e[0m"
        enroll_ubuntu_pro
        register
        ;;
    false)
        if landscape-config --is-registered >/dev/null; then
            echo -e "\e[32m◎ Machine already registered on the MDM Console\e[0m"
        else
            enroll_ubuntu_pro
            register
        fi
        ;;
esac

# ##################################################################
# Restart MDM agent
case "${RESTART_MDM:-true}" in
    false)
        echo -e "\e[32m◎ Skipping MDM agent restart\e[0m"
        ;;
    true)
        echo -e "\e[32m◎ Restart MDM agent\e[0m"
        systemctl restart landscape-client
        ;;
esac

# ##################################################################
# All done! Is the MDM agent "active"?
echo -e "\e[32m◎ Check that everything is working\e[0m"
systemctl --no-pager status landscape-client.service | head

Once this script has been run on the workstations, they will appear on your Landscape web console!

Imperfect solution

User experience

It’s important to bear in mind that Landscape has been developed for Ubuntu, although it is possible to use it with other Debian-based distributions. So if your colleagues are using machines running Fedora, or Arch Linux, Landscape will not be suitable.

Things aren’t so rosy on the admin side either unfortunately. Landscape is a long way from offering the admin experience and functionality you’ll find in Microsoft and Apple MDMs. For example, there is no application catalogue in Landscape’s interface and no protection against uninstallation by root-level users. Communication between the deployed agents and the control server is also unreliable, which can be very frustrating.

SaaS-specific limitations

On the SaaS platform hosted by Canonical, you won’t be able to benefit from two-factor authentication, or even SSO authentication. API access is also disabled. I strongly recommend that you host Landscape yourself, but that comes with its own set of challenges.

Conclusion

There is indeed a solution to your unmanaged Linux machine problem. With Canonical Landscape, you can offer your coworkers a workstation running Ubuntu and ensure your security and compliance needs are covered, at the cost of a significant management and administration effort.

Let me be very clear: a junior IT support technician will likely struggle to manage the deployment and configuration of Landscape and its fleet. So you’ll need to rely on a more experienced professional to provide a good service to your users.