Whether we like it or not, workstations running Linux are commonplace in organisations. We all have stories of an engineer who is allowed to use an unmanaged Linux machine, or a team whose work cannot be done using the organisation’s usual computers. Whatever the reason, Linux workstations are not likely to vanish from our businesses any time soon. But they still pose a risk to the organisation if left unsupervised.
MDMs are not optional
Companies invest a great deal of effort in the security of their employees' workstations; around 22% of security budgets are allocated to endpoint security solutions. Security compliance standards systematically include requirements for workstation management.
DORA's Article 11 sets out the requirements for workstations, including the ability to specify which programs can be installed on the devices. As for the ISO 27000 family of standards, ISO 27002 supplements ISO 27001 Annex A.8.1 by requiring, among other things, the application of updates, encryption of storage media and the ability to lock machines remotely. Similarly, the MDM-1 requirement in SOC 2 control sets clearly states: "The company has a mobile device management (MDM) system in place to centrally manage mobile devices supporting the service".
No room for misinterpretation here: in a business environment, MDMs are a prerequisite.
“But there are no MDMs for Linux”
So how do you meet the needs of both your colleagues and your auditors? In a Microsoft or Apple environment, there are many solutions available (e.g. Microsoft Intune, ManageEngine, Scalefusion, Jamf, Kandji, Mosyle, etc.).
When it comes to Linux, the selection is more limited, but still exists. It includes, but is not limited to:
- Canonical Landscape
  - Landscape is Canonical's solution for managing Ubuntu systems, offering features such as software updates, configuration management, and script execution.
- Jumpcloud
  - Jumpcloud offers a single platform for managing devices, access and identities. Their device management solution supports Linux systems.
- Red Hat Satellite
  - Satellite is Red Hat's solution for managing RHEL systems at enterprise scale, with the price to match.
Realistically speaking, in a start-up or scale-up setting, it's unlikely you're running RHEL systems. So you need to choose between Jumpcloud's do-it-all platform (which you might not necessarily need), costing you $108/year/workstation, or Canonical's plucky Landscape, costing you $25/year/workstation. To me, the choice was clear.
Canonical Landscape
Canonical, creator of Ubuntu, has been offering a remote management tool for Ubuntu systems since 2007: Landscape. Even though it is not sold as an MDM, Landscape is fully capable of providing the usual functions expected of an MDM: management of updates, software, configuration, and so on.
Thanks to its ability to run scripts and centralise their results, you'll be limited only by your imagination with Landscape. You can install and uninstall all the apt and snap packages you want, monitor the health and security of the machine, and even deploy bespoke scripts to block the use of storage devices on USB ports. You can do everything your auditors could ever dream of!
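The USB example above, as added code that is not from the post: a script of the kind you would push through Landscape's script execution. It drops a modprobe policy that stops the usb-storage and uas drivers from loading, unloads them if they are already present, and prints a single status line, which is what Landscape collects as the script's result. The file path, the `apply`/`check` arguments and the ALLOW_USB_STORAGE override are assumptions of this example, not anything Landscape itself defines.

```shell
#!/bin/sh
# Added example (not the post's own script): block USB mass storage on an
# Ubuntu workstation from a Landscape-pushed script.
# Assumptions of this example: the drop-in path below, the apply/check
# arguments, and the ALLOW_USB_STORAGE=true override used to lift the block.
set -eu

MODPROBE_CONF="${MODPROBE_CONF:-/etc/modprobe.d/block-usb-storage.conf}"

# Content of the modprobe drop-in. `install <module> /bin/false` makes
# modprobe run /bin/false instead of loading the module, so a manual
# `modprobe usb-storage` fails; `blacklist` stops hotplug auto-loading by
# alias. uas (USB Attached SCSI) is the other driver that exposes USB disks.
usb_block_policy() {
    printf '%s\n' \
        '# Managed by Landscape: block USB mass storage' \
        'install usb-storage /bin/false' \
        'blacklist usb-storage' \
        'install uas /bin/false' \
        'blacklist uas'
}

# True when the given drop-in still carries the usb-storage block. Used by
# `check` so a recurring Landscape script can report drift.
policy_present() {             # $1 = path of the drop-in to inspect
    if [ -r "$1" ] && grep -Eq '^install[[:space:]]+usb-storage[[:space:]]+/bin/false' "$1"; then
        return 0
    fi
    return 1
}

apply_policy() {
    if [ "${ALLOW_USB_STORAGE:-false}" = "true" ]; then
        rm -f "$MODPROBE_CONF"
        echo "usb-storage: allowed (policy removed)"
        return 0
    fi
    # Write atomically so a half-written file is never picked up by modprobe.
    usb_block_policy > "$MODPROBE_CONF.tmp"
    chmod 0644 "$MODPROBE_CONF.tmp"
    mv "$MODPROBE_CONF.tmp" "$MODPROBE_CONF"
    # Unload the drivers if a stick is already plugged in; a mounted, busy
    # device keeps the module loaded, which is reported below rather than
    # silently counted as success.
    modprobe -r uas 2>/dev/null || true
    modprobe -r usb-storage 2>/dev/null || true
    if lsmod | grep -q '^usb_storage'; then
        echo "usb-storage: policy written but module still loaded (device busy?)"
        return 2
    fi
    echo "usb-storage: blocked"
}

check_policy() {
    if policy_present "$MODPROBE_CONF"; then
        echo "usb-storage: policy present"
        return 0
    fi
    echo "usb-storage: POLICY MISSING"
    return 1
}

case "${1:-}" in
    apply) apply_policy ;;
    check) check_policy ;;
esac
```

Ship the file to /usr/local/sbin (the enrolment script or a first Landscape script can do that), after which the Landscape script body is just `sh /usr/local/sbin/usb-block.sh apply`, and a scheduled `sh /usr/local/sbin/usb-block.sh check` turns a root user deleting the drop-in into a non-zero result in the console. Blocking the two drivers rather than the USB bus keeps keyboards, mice and webcams working; the trade-off is that a stick that is already mounted cannot be unloaded, so `apply` reports that case instead of claiming success.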
Landscape is included in the Ubuntu Pro licence, which starts at $25 per machine per year, and you can use the SaaS service or host your own Landscape instance. The Ubuntu Pro licence also includes 10-year extended security updates for all packages in the Ubuntu Main and Ubuntu Universe repositories; that’s a great bonus feature to have.
Landscape in a start-up setting
Deployment
To deploy Landscape on an Ubuntu machine, I wrote a Bash script (available below) to install the Landscape agent, and attach the machine to my workspace on the Canonical Landscape SaaS service.
I ran the script with:
curl -fsSL https://example.com/<random_string_to_make_finding_the_URL_harder> | sudo [FORCE_REGISTER=true|RESTART_MDM=false] bash
Once this script has been run on the workstations, they will appear on your Landscape web console!
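As an added example (not the post's own script, which is not reproduced here), a deployment script of the same shape: it installs landscape-client, registers the machine with landscape-config, and honours the FORCE_REGISTER and RESTART_MDM switches shown in the command line above. The LANDSCAPE_ACCOUNT and LANDSCAPE_KEY variables, the `deploy` argument and the idempotency check on /etc/landscape/client.conf are assumptions of this example; the landscape-config options themselves are the standard ones.

```shell
#!/bin/sh
# Added example (not the post's own script): enrol an Ubuntu workstation in
# the Landscape SaaS service.
# Assumptions of this example: the account name and registration key come
# from LANDSCAPE_ACCOUNT / LANDSCAPE_KEY, registration is only redone when
# FORCE_REGISTER=true, and the default message URL built into
# landscape-config (the Canonical SaaS endpoint) is left untouched.
set -eu

CLIENT_CONF="${CLIENT_CONF:-/etc/landscape/client.conf}"
FORCE_REGISTER="${FORCE_REGISTER:-false}"   # re-register an already enrolled machine
RESTART_MDM="${RESTART_MDM:-true}"          # restart the agent once configured

# True when client.conf already names an account, i.e. an earlier run of
# this script registered the machine.
is_registered() {              # $1 = path of client.conf
    if [ -r "$1" ] && grep -Eq '^account-name[[:space:]]*=[[:space:]]*[^[:space:]]' "$1"; then
        return 0
    fi
    return 1
}

# Skip registration on an enrolled machine unless the operator forces it,
# so the script can be re-run safely as part of routine maintenance.
should_register() {            # $1 = path of client.conf, $2 = force flag
    [ "$2" = "true" ] && return 0
    is_registered "$1" && return 1
    return 0
}

# Print the landscape-config arguments one per line so the caller can load
# them with `set --` without word-splitting a computer title that has spaces.
landscape_args() {             # $1 = account, $2 = registration key (may be empty), $3 = computer title
    printf '%s\n' --silent \
        --account-name "$1" \
        --computer-title "$3" \
        --script-users ALL \
        --include-manager-plugins ScriptExecution
    [ -n "$2" ] && printf '%s\n' --registration-key "$2"
    return 0
}

main() {
    : "${LANDSCAPE_ACCOUNT:?LANDSCAPE_ACCOUNT (Landscape account name) must be set}"
    if [ "$(id -u)" -ne 0 ]; then
        echo "run as root" >&2
        exit 1
    fi
    export DEBIAN_FRONTEND=noninteractive
    apt-get update -q
    apt-get install -y -q landscape-client
    if should_register "$CLIENT_CONF" "$FORCE_REGISTER"; then
        # Split landscape_args output on newlines only, with globbing off.
        old_ifs=$IFS
        IFS='
'
        set -f
        set -- $(landscape_args "$LANDSCAPE_ACCOUNT" "${LANDSCAPE_KEY:-}" "$(hostname)")
        set +f
        IFS=$old_ifs
        landscape-config "$@"
    else
        echo "already registered; set FORCE_REGISTER=true to redo" >&2
    fi
    if [ "$RESTART_MDM" = "true" ]; then
        systemctl restart landscape-client
    fi
}

case "${1:-}" in
    deploy) main ;;
esac
```

Run it as `curl -fsSL <url> | sudo LANDSCAPE_ACCOUNT=acme LANDSCAPE_KEY=... bash -s -- deploy`: `-s --` makes bash read the script from stdin and pass `deploy` as the first argument, and without that argument the file only defines functions. Note what `--script-users ALL` together with the ScriptExecution plugin grants: whoever controls the Landscape account can run arbitrary code as root on every enrolled workstation, so the account deserves the same protection as a fleet-wide root credential.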
Imperfect solution
User experience
It's important to bear in mind that Landscape has been developed for Ubuntu, although it is possible to use it with other Debian-based distributions. So if your colleagues are using machines running Fedora or Arch Linux, Landscape will not be suitable.
Things aren't so rosy on the admin side either, unfortunately. Landscape is a long way from offering the admin experience and functionality you'll find in Microsoft and Apple MDMs. For example, there is no application catalogue in Landscape's interface and no protection against uninstallation of the agent by root-level users. Communication between the deployed agents and the control server is also unreliable, which can be very frustrating.
SaaS-specific limitations
On the SaaS platform hosted by Canonical, you won’t be able to benefit from two-factor authentication, or even SSO authentication. API access is also disabled. I strongly recommend that you host Landscape yourself, but that comes with its own set of challenges.
Conclusion
There is indeed a solution to your unmanaged Linux machines problems. With Canonical Landscape, you can offer your coworkers a workstation running Ubuntu, and ensure your security and compliance needs are covered, at the cost of a significant management and administration effort.
Let me be very clear: a junior IT support technician will likely struggle to manage the deployment and configuration of Landscape and its fleet. So you'll need to rely on a more experienced professional to provide a good service to your users.