GitLab Laptop Management

Purpose

This page describes how GitLab laptops are procured and managed.

Scope

At GitLab, we use centralized laptop management for company issued devices. If you are in possession of a company issued laptop, the details below apply to you. However, not all endpoint management technologies GitLab deploys will be required for Apple, Linux, and Windows laptops. Some technologies may be specific to the hardware platform or operating system.

Roles & Responsibilities

Role | Responsibility
GitLab Team Members | Responsible for following the requirements in this procedure
Business Technology | Responsible for implementing and executing this procedure
Business Technology Management (Code Owners) | Responsible for approving significant changes and exceptions to this procedure

GitLab Laptops

Team members that live in these countries can be serviced via the IT Laptop Ordering Process:

USA, Canada, Mexico, all of the EU, Thailand, China, Japan, Philippines, Singapore, Australia, New Zealand, India, Israel and the UK.

We are adding supported countries to this list as we discover our ability to order in them.

We currently cannot procure laptops for Brazil, Costa Rica, Chile, Armenia, or Ukraine. If your country is not listed above or for any general laptop procurement questions please contact laptops@gitlab.com or your Candidate Experience Specialist to discuss alternate options. If the team member requires financial assistance to purchase the hardware, the Company can advance the funds to help facilitate the purchase (see Exception Processes below).

New Hire Laptop Ordering Process

The laptop ordering process for new hires starts once the initial welcome email is sent by the Candidate Experience Specialist. The email will include a link to place a request for a GitLab issued laptop. Processing time will vary by location. Please fill out the form as soon as possible to avoid delays. After the new hire fills out the form, they can expect their laptop to arrive the week before their start date.

In the rare case that your laptop arrives damaged or unusable prior to your start date, please reach out to your Candidate Experience Specialist and CC laptops@gitlab.com for next steps on an immediate replacement or repair.

Laptop Refresh

Team members are eligible for a laptop refresh, no questions asked, after 3 years of active use. The 3-year period:

  • Begins when a team member starts actively using their assigned laptop, not necessarily when it was first received
  • Resets when a replacement laptop is issued due to damage, malfunction, or other circumstances
  • Is based on the device’s usage period, not the team member’s employment duration

If the laptop is sufficient for your needs, you may opt to continue using the laptop until it no longer receives the latest macOS version from Apple (approximately 5 years).

Please use this template to request a laptop refresh.

The old laptop must be wiped or returned within 2 weeks of receiving the replacement laptop. We recommend using AirDrop or Google Drive to transfer files directly from the old to the new MacBook.

After 3 years of use, the team member may retain the old laptop after it has been wiped at no cost. Note that the option to keep a laptop at no cost may be voided where the team member is involved in cases of investigation, misconduct, termination for cause, any violation of GitLab’s Code of Business Conduct & Ethics, as well as other legal or security related inquiries. Please also refer to our Laptop Buyback Policy below.

GitLab Laptop Replacement Program

We get it, sometimes things change! If your laptop is not sufficient for your role, you can request a replacement laptop if you are not yet eligible for a 3 year refresh. Replaced laptops do not qualify for the Laptop Buyback Policy and will need to be returned to be repurposed at GitLab IT’s discretion.

Replacement laptops can be requested by creating an issue in the End User Services issue tracker project. Please describe the reason for your replacement in the issue (e.g., laptop is not sufficient for job duties, internal transfer to a new role). Replacements will require approval from IT as well as your manager within the issue.

Many team members can use their company issued laptop until it breaks. If your productivity is suffering, you can request a new laptop. The typical expected timeframe for this is about three years, but it can depend on your usage and specific laptop.

Please note

Laptops paid for or reimbursed by the company are property of GitLab. They must be enrolled using the proper Endpoint Management System for accurate asset tracking. Since these items are company property, you do not need to buy insurance for them unless it is company policy to do so.

Laptop Repair

Any loss or damage must be reported to IT as soon as it occurs.

If your laptop has been damaged, you must open an issue in the End User Services Issue Tracker to document what is broken. GitLab IT will be able to assess the damage and provide guidance on the most beneficial repair option.

Repair options

In some regions, GitLab IT has an Apple certified vendor to perform repairs. At GitLab IT’s discretion and vendor availability, the broken laptop may be sent to the vendor for repair. Our GitLab IT team can check if vendor support is available in your region. For minor repairs or when vendor support isn’t an option, they may suggest visiting an Apple authorized service center in your area.

Estimates or quotes from an Apple authorized service center must be included in the issue before approval. Approval must be given by IT and your manager prior to any repair work being done. Either a picture or a PDF is acceptable, and it should include some identifying information about the laptop (serial number, year, make, model). If the quote for the repair is less than $1,000 USD, and can be completed within a short time frame, GitLab IT may recommend/approve the Apple authorized service center to complete the work. If the repair is going to take longer than a day, make sure you have a backup laptop that uses an approved OS.

However, if the repair is going to be more than $1,000 USD and/or take too long to fix, GitLab IT may decide to replace the laptop. In those cases, a replacement laptop will be shipped out and the broken laptop collected to be repaired or recycled. Be advised, broken laptops do not qualify for the Laptop Buyback Policy and will need to be returned to GitLab IT. Replacements for broken laptops may be used, but will be the same model of laptop (a performance model wouldn’t be replaced by a standard model).

If IT confirms the laptop needs to be replaced, please create an issue for the replacement and link it to the laptop repair issue. When you receive the new laptop, please follow the guidelines in the replacement template. If you are still using the old laptop, we will have it sent off to be recycled or repaired.

Laptop Purchasing and Shipping Process

After End User Services receives your laptop order, we will start working on the request. New hires can expect their GitLab laptop to arrive the week before their start date. We leverage business relationships with several different vendors across the globe to accomplish this remotely. Please note delivery times will vary depending on location, hardware supply, vendor selection, and shipping method.

In some instances, we may be able to work out priority or overnight delivery. We will not be able to service this for all cases and regions. If this is needed please reach out to laptops@gitlab.com or talk with your hiring manager to review all options available.

If you are a hiring manager or member of the hiring/recruiting team, you may check the status and content of a new hire’s order in the IT Equipment Order Process Project.

Minimum processing time for laptop orders before shipping. Some countries may take longer due to required documentation for delivery.

  • US/Canada New Hires - 2 weeks (Apple) and 5 weeks (Linux)
  • EMEA/APAC New Hires - 2 weeks (Apple) and 5 weeks (Linux)
  • Other Regions - 3 weeks (Apple) and 9 weeks (Linux)

Key Performance Indicators

KPI: 90% of laptops will arrive prior to start date or 21 days from the date of order.

Exception Processes

Laptops Out of Spec

If a requested laptop is outside the standardized specifications listed here, approval will be required from the team member’s manager as well as the Device Logistics Team before IT will purchase the laptop. Once your manager has approved, please tag @gitlab-com/gl-security/corp/logistics for logistics approval.

Self procurement

Cost will not be covered by GitLab without proper approval

IT approval is required for self procurement of laptops. Self procurement is only available if you are in a region where we are not able to have a laptop delivered. If the team member desires financial assistance to purchase the hardware, GitLab can advance the funds to help facilitate the purchase. See the handbook page for Temporary Advances. For current team members, please obtain two quotes from local retailers (online or physical) and include them in the refresh/replacement issue.

IT must verify the laptop specs and cost before approval is given. The created issue will be verified by the AP team to release funds.

Additional Laptop Request

If you are in need of an additional device, have a business justification, have manager approval and IT approval, you can request an additional laptop through the Laptop Refresh/Upgrade template. Please note that if the secondary device is approved it will be a refurbished device and not a new device.

Use of Personal Laptop

We do not allow personal laptops to be used for GitLab work. If a laptop is not available to a new GitLab team member upon their start date, it is permissible for them to temporarily use a personal macOS or Linux laptop.

Laptop exceptions not listed

For any circumstance that falls outside of the listed exceptions, or if GitLab IT deems it necessary, a Laptop Exception can be created using this template. These requests require approval from leadership across multiple departments and are discouraged due to the possibility of data leakage.

Laptop Configurations

GitLab approves and supports the use of Linux and Apple’s macOS as the OS for employee laptops. To keep GitLab IT Support efficient, Windows is not supported as a hardware laptop OS.

Further information on GitLab authorized operating systems, versions, and exception process is available on the Approved Operating Systems for GitLab Team Member Endpoint Systems page.

The operating system choices have obviously affected the hardware selection process.

Apple hardware is the common choice among GitLab team members. Team members may also select a Dell Linux laptop if they are familiar with Linux and capable of self-support, as long as they are using an approved operating system.

NOTE: GitLab’s IT Ops team uses a corporate discount for our corporate-purchased Apple products only. Apple does not have an employee discount program for GitLab at this time.

Apple Hardware

Chipset specifications not listed as they will vary based on current inventory levels.

  • MacBook Pro 14-inch - 16GB Unified memory / 512GB storage Standard model
  • MacBook Pro 16-inch - 36GB Unified memory / 1TB storage Performance model
  • MacBook Pro 14-inch - 36GB Unified memory / 1TB storage Performance model

Most roles that require higher performance machines are approved for a 14" or 16" MacBook Pro performance model. Please see this spreadsheet (public) to locate your department group and determine which machine you are eligible for.

Linux Hardware

Below are roles that qualify for Linux Laptops

  • Engineers, Support Engineers, Data Analysts, Technical Marketing Managers, Product Designers, UX Managers, Product Managers, Technical Writers, and Digital Production are eligible for Dell Precision Mobile Workstation laptops from the 5690 line. Due to supply constraints, specific models available from these lines may vary. IT will work with each person to find an available model meeting the following specifications: 16" display/1TB SSD/32 GB of RAM/Intel Core CPU.

NOTE: The maximum price of Linux laptops is not to exceed the price of the equivalent 16" MacBook Pro laptop. Please make sure you order this model a minimum of 14 days, based on your locality, prior to your desired date to receive.

Our only approved Linux laptop vendor at this time is Dell. These laptops generally come pre-loaded with Ubuntu Linux in order to save money on unused Windows licenses. Dell do not currently sell laptops pre-installed with Linux in Australia and New Zealand; staff will need to install Linux themselves.

Dell is GitLab’s exclusive Linux vendor for the following reasons:

  • Dell has the longest history of shipping laptops with Linux pre-installed among major manufacturers.
  • Dell is able to ship laptops to all countries in which GitLab employees live.
  • As we move forward with Zero Trust networking solutions, we need to have a stable and unified platform for deployment of software components in the GitLab environment. Standardization on a single platform for Linux simplifies this.
  • The current Ubuntu LTS is the preferred Linux platform; Ubuntu LTS has a record of stability and quick patching.
  • Purchasing laptops from a single vendor opens the possibility of corporate discounts.
  • Dell is a certified Ubuntu vendor with multiple laptop choices available. They even have their own Ubuntu OEM release of Ubuntu they maintain, and as a result of their effort, the standard Ubuntu Linux 20.04 LTS image natively supports Dell hardware and even firmware updates.
  • To date, none of Dell’s major security issues have been related to their hardware.

Laptops are purchased by GitLab IT during a team member’s onboarding process; the team member will be sent a form to fill out for ordering.

Windows for Customer Support and Product Development

While GitLab limits the Laptop Hardware OSes supported for team member daily work, specific roles will need to use Windows for Customer Support and Product Development to ensure excellent platform and ecosystem support for GitLab customers and partners who develop for the Microsoft Ecosystem.

Microsoft Windows Professional (Desktop OS) and Windows Server may need to be used by some technical roles for supporting GitLab customer usage of Windows and developing GitLab software. These editions can be used for support and development purposes using virtualization or cloud instances. They are self-supported and must be in compliance with all endpoint policies, including installation of SentinelOne as well as all information in this section.

Complete details about Windows usage are available on the Approved Operating Systems for GitLab Team Member Endpoint Systems page.

Laptop Vendor Selection Criteria

When recommending or approving end user device vendors for team member access, the Security Team tries to balance privacy, security, and compliance to ensure a solid choice for accessing GitLab data. Our current recommendations include Apple MacBook Pro running macOS and Dell Precision running Linux.

By its very nature, GitLab has historically been very open as a company, starting as open source and migrating from a group of coders with their own laptops to an organization that needs to protect not just their own corporate data but customer data as well. Having developed a Data Classification Policy and currently implementing Zero Trust, we’ve had to make adjustments in laptop recommendations.

Our laptop vendor selection criteria are as follows:

Team member need

The main needs center around processing power and the operating system support for required workloads. Most modern systems meet the processing power needs of our team members. Apple macOS and Dell Linux distributions meet the operating system needs.

Security needs

GitLab needs the ability to ensure a secure and stable platform. From an operating system perspective, macOS and Linux meet the needs. The Security team has found a slight advantage in Ubuntu as a Linux distribution due to their rapid response time when it comes to patching security flaws, and we recommend this distribution. It is necessary to use an approved Linux distribution.

Compliance needs

To meet compliance needs for the various certifications, programs, and industry regulations, we have to meet criteria including the ability to restrict access to sensitive data to company-issued laptops running company-monitored software. In many cases we need to be able to prove this via auditing, including outside auditors. To that end, we use one vendor for macOS (Apple by default) and one for Linux (Dell by default). A part of this process will include ensuring systems are patched, and in the Linux case we want to ensure firmware patches are applied. Very few hardware vendors not only supply Linux as an operating system but also provide a way to apply patches - including security patches - to firmware via the normal Linux patch process.

There is no specific example for using one brand over another from a compliance perspective. That being said, there are customers we wish to sell GitLab products that have specific requirements internally, and to align ourselves with those requirements can be not only a positive sign we understand the customer space, but give us a competitive advantage. For example, since there is a strong push to sell to agencies within the US Government, we will already face restrictions such as support from only US-citizen GitLab team members while on US soil. As these agencies also have access to classified (non-public) reports on such things as computer vendors, one only has to note which laptops are approved for purchase. For that reason, we will restrict our vendor list to vendors that are currently approved by the various organizations issuing those certifications and programs we are trying to be compliant with. This simplifies the ability to support those customers which may impose restrictions on team members working in support roles for that customer solely based upon the hardware they are using. In other words, we eliminate this possibility of becoming a situation to be managed.

Logistics needs

To be able to use a laptop vendor, we have to be able to purchase and ship hardware to our team members regardless of where they live. Therefore the vendor should be able to handle most if not all shipping requirements to all team members. Our current hardware vendors are CDW for US requests, Presidio for EMEA requests, and Sycomp for most other regions. GitLab laptops that are procured from our vendors will come with GitLab branded asset labels by default. Please refer to this issue for more information on GitLab asset labels: GitLab Branded Laptop Labels.

Configuring New Laptops & Apple IDs

New laptops should be configured with security in mind.

We require the use of an @gitlab.com Apple ID that is separate from any personal Apple IDs you may have. Some of the reasons include:

  • Backups, keychains and documents are all considered sensitive information, and should not be stored in personal services.
  • 2FA for remote lock, wipe, or account resets are common methods of account compromises, and ensuring the use of GitLab.com email addresses also ensures we are in control of that aspect of multi-factor authentication.
  • Keeping a strong separation between work and personal accounts will help prevent the accidental leak of information from one to the other, in either direction.

Defense in depth, in part, means you make a best effort to be secure at each layer. To read through more instructions, please refer to security best practices when configuring your new laptop.

All team members must provide proof of whole disk encryption within the new laptop order issue.

Certain circumstances (world region and availability of hardware) might require the self installation of Linux on a Dell that was shipped with OEM Windows. Please make sure you follow any needed requirements when self installing and open an issue with GitLab IT if needed for verification.

For laptops shipped with OEM Windows you may want to make a full drive backup (e.g. by using open source utility Clonezilla) to the external drive before installing Linux. That way you could restore your laptop to the original state at any time. It will make the RMA process much easier in case you need it.

Laptop Buyback Policy

Please refer to the laptop buyback policy.

Laptop Recycle/Return

We use SIPI Asset Recovery for devices that need to be recycled. At GitLab IT’s discretion, laptops may also be sent to our vendor for repair. Either way, GitLab IT can provide a shipping label and box upon request at no cost to yourself. If you are able to purchase and expense the box, please do so.

We use Sycomp for devices that need to be repaired. At GitLab IT’s discretion, laptops may also be sent to be recycled. Either way, GitLab IT can request a shipping label and box from the vendor at no cost to yourself. If you are able to purchase and expense the box, please do so.

If the IT department has record of a current litigation hold for the offboarded employee, IT will consult with Legal before proceeding.

All team member laptops must be securely wiped before being returned. This not only protects the company, but also protects you since it is possible for personal information to exist on these machines. Reformatting a computer is not sufficient in these cases because it is possible for sensitive data to be recovered after reinstalling an operating system.

Laptop Wipe

Laptop wipes must be performed by scheduling an appointment with an IT analyst to wipe the machine, re-install the base operating system, and remove all software and configurations that were supplied by GitLab. Laptops must be wiped with Jamf for macOS, and DriveStrike for Linux. Using these tools ensures a clean disk wipe is performed and GitLab can retain evidence of the disk wipe.

Under no circumstance should you perform your own disk wipe unless you are doing so at the request of IT to troubleshoot a technical problem with the laptop. If GitLab discovers that a device has not been wiped according to policy, GitLab may act to enforce a remote wipe without notice.

Laptop Donations

Donating hardware/laptops will help people in disadvantaged areas and/or from underrepresented groups with their ability to learn about technology. Therefore GitLab offers the possibility to donate hardware devices to vendors on a curated list after 3 years of use. This curated list has been a result of the Upstream Diversity Working Group.

The vendors on the list have been meeting the following criteria:

  1. Their focus group should be people in disadvantaged areas and/or underrepresented groups
  2. They should be non-profit
  3. Their values have to align with GitLab’s CREDIT values
  4. They should pass a “negative-press” check (first 2 pages of Google)

If you, as a GitLab team member, would like to add a vendor aligned with the criteria, please comment in the Vendor sheet.

Steps for donating your hardware

  1. Create an issue for laptop refresh
  2. Indicate in the issue you want to donate your used laptop to a vendor on the curated list.
  3. For security reasons we must make sure all laptops are fully wiped before being donated.
  4. After the wipe has processed, you can complete the donation.

GitLab Asset Management

Snipe-IT

The End User Services Team has been busy iterating and setting up Snipe-IT open source asset management. As of April 2021, GitLab has an asset-tracking application that is the source of truth for all GitLab hardware!

How does it work exactly?

I’m glad you asked! We installed and configured the application in a GCP virtual machine, and we set up an integration with Jamf and our Okta LDAP directory to automatically sync users and laptop information from Jamf. Linux machines will be imported manually through the app’s web interface. If you would like a more detailed view of what has been completed and what will come in the future, please check out the master issue for Snipe-IT.

Other Resources

Okta

In an effort to secure access to systems, GitLab is utilizing Okta. The key goals are:

  • We can use Okta to enable Zero-Trust based authentication controls upon our assets, so that we can allow authorized connections to key assets with a greater degree of certainty.
  • We can better manage the login process to the 80+ and growing cloud applications that we use within our tech stack.
  • We can better manage the Provisioning and De-provisioning process for our users to access these applications, by use of automation and integration into our HRIS system.
  • We can make Trust and Risk based decisions on authentication requirements to key assets, and adapt these to ensure a consistent user experience.

To read more about Okta, please visit the Okta page of the handbook.

Full Disk Encryption

To provide proof of Full Disk Encryption, please do the following depending on the system you are running.

  • Apple : Evidence is automatically gathered in Jamf. No user action necessary.
  • Linux : Take a screenshot showing the output of sudo dmsetup ls && sudo dmidecode -s system-serial-number && cat /etc/fstab
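An added example, not part of the GitLab handbook or its tooling: `dmsetup ls` lists every device-mapper device, including plain LVM volumes, so a reviewer still has to confirm that a `crypt` mapping sits underneath the root filesystem. The sketch below walks the parent links in `lsblk -P` output to make that check for `/` and swap; the function names and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide whether a mount point sits on top of a dm-crypt
# mapping by following parent links in `lsblk -P` output.
# Live use (assumes util-linux lsblk is installed):
#   lsblk -P -o NAME,KNAME,PKNAME,TYPE,MOUNTPOINT | fde_report

# Constructed sample: LUKS partition -> LVM -> root and swap (encrypted).
SAMPLE_ENCRYPTED='NAME="nvme0n1" KNAME="nvme0n1" PKNAME="" TYPE="disk" MOUNTPOINT=""
NAME="nvme0n1p1" KNAME="nvme0n1p1" PKNAME="nvme0n1" TYPE="part" MOUNTPOINT="/boot/efi"
NAME="nvme0n1p2" KNAME="nvme0n1p2" PKNAME="nvme0n1" TYPE="part" MOUNTPOINT="/boot"
NAME="nvme0n1p3" KNAME="nvme0n1p3" PKNAME="nvme0n1" TYPE="part" MOUNTPOINT=""
NAME="nvme0n1p3_crypt" KNAME="dm-0" PKNAME="nvme0n1p3" TYPE="crypt" MOUNTPOINT=""
NAME="vgubuntu-root" KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"
NAME="vgubuntu-swap_1" KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="[SWAP]"'

# Constructed sample: plain LVM, no encryption. `dmsetup ls` would still
# print two device-mapper entries here, which is why TYPE matters.
SAMPLE_PLAIN_LVM='NAME="sda" KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
NAME="sda1" KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
NAME="sda2" KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT=""
NAME="vg0-root" KNAME="dm-0" PKNAME="sda2" TYPE="lvm" MOUNTPOINT="/"
NAME="vg0-swap" KNAME="dm-1" PKNAME="sda2" TYPE="lvm" MOUNTPOINT="[SWAP]"'

# mount_is_encrypted MOUNTPOINT   (lsblk -P lines on stdin)
# exit 0: a crypt device is below the mount
# exit 1: the mount exists but no crypt device is below it
# exit 2: the mount point does not appear in the input
mount_is_encrypted() {
    awk -v want="$1" '
    # Return the value of KEY="value" on the current line. The leading
    # space keeps TYPE from matching FSTYPE and KNAME from matching PKNAME.
    function field(key,   line, s) {
        line = " " $0
        if (match(line, " " key "=\"[^\"]*\"")) {
            s = substr(line, RSTART, RLENGTH)
            sub(/^[^"]*"/, "", s)
            sub(/"$/, "", s)
            return s
        }
        return ""
    }
    {
        k = field("KNAME")
        parent[k] = field("PKNAME")
        type[k] = field("TYPE")
        if (field("MOUNTPOINT") == want) start = k
    }
    END {
        if (start == "") exit 2
        # Walk towards the physical disk; the hop limit guards against
        # a parent loop in malformed input.
        for (dev = start; dev != "" && hops < 32; dev = parent[dev]) {
            hops++
            if (type[dev] == "crypt") exit 0
        }
        exit 1
    }'
}

# fde_report   (lsblk -P lines on stdin)
# Prints one line for / and one for swap; returns 1 if either is
# unencrypted or if / cannot be found at all.
fde_report() {
    data=$(cat)
    rc=0
    for mp in / '[SWAP]'; do
        status=0
        printf '%s\n' "$data" | mount_is_encrypted "$mp" || status=$?
        case $status in
            0) echo "$mp: on dm-crypt" ;;
            1) echo "$mp: NOT on dm-crypt"; rc=1 ;;
            *) echo "$mp: not found in input"
               if [ "$mp" = / ]; then rc=1; fi ;;
        esac
    done
    return $rc
}

# Demo on the constructed samples (the second one is expected to fail).
printf '%s\n' "$SAMPLE_ENCRYPTED" | fde_report || true
printf '%s\n' "$SAMPLE_PLAIN_LVM" | fde_report || true
```

In the encrypted sample `/boot` and `/boot/efi` are reported as unencrypted if checked individually, which is the usual layout for a LUKS install and is why the report only covers `/` and swap.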

Fleet Intelligence & Remote Lock/Wipe

GitLab has a large and ever-growing fleet of laptops, which IT Operations is responsible for maintaining. To do this, and to support our Zero Trust security policies and various Compliance needs, there must be some measure of intelligence and reporting in place. To accomplish this goal we are utilizing Jamf for macOS devices to obtain only the essential information required. For Linux machines we will be utilizing DriveStrike as a light-touch mechanism.

For more information regarding Jamf, refer to our Endpoint Management handbook page.

For more information regarding DriveStrike, refer to our DriveStrike handbook page.

Backblaze

Backblaze is a tool that might be deployed to back up data on your company owned device in the event of a security or legal hold/investigation and only following a request of the Legal and People Ops teams, subject to local data, privacy and employment laws.

Google Workspace Deprovisioning

IT Ops has an automated workflow that triggers upon a notification from PeopleOps of a team-member offboarding. This automated workflow is composed of 2 parts that are outlined below. The first part happens within 1 hour of the offboarding. The second part occurs after 90 days of the offboarding. This workflow will send out notifications throughout this 90 day period to let the Former Team member’s manager know that the final deadline is approaching.

These are the steps that follow immediately upon termination of a team-member

  • The former team-member (FTM) is removed from all Google groups
  • The former team-member (FTM) is locked from access to their laptop
  • The former team-member (FTM) is removed from access to all GitLab provisioned services linked to their Okta account
  • The former team-member (FTM) is removed from access to all GitLab provisioned services not linked to their Okta account
  • Unless there is a legal hold on their laptop, the laptop is securely wiped
  • The FTM’s manager is set up as a delegate to their Gmail and Google Calendar
  • The FTM’s manager gains editor privileges to all “My Drive” Google Drive Files
  • The FTM’s account is moved to the Former Team Members OU
  • Remove the FTM account from the Global Address List
  • All of the account’s sign in cookies/sessions are cleared and the account password is reset to a random 64 character password
  • The account’s recovery email is set to null
  • The account’s recovery phone number is set to null
  • The FTM’s auto-response email message is set up.

These are the steps that follow after the Former Team Member has been gone for 90 days

  • All of the former team-member (FTM) aliases are removed
  • Archive of all Google Drive files in the user’s My Drive that are marked as owner
      • These are saved in the Offboarded Users Drive Archive
      • Each user has their own folder in the following format <emailUsername>_google_drive
  • The FTM’s account is suspended
  • The FTM’s account will be moved to NoGSuiteLicense OU
  • The Google Workspace License is removed from the account

The following notifications will be sent out to the FTM’s manager and IT over Slack

Immediate Slack notification:

Hello <Manager Firstname> <Manager Lastname>, you are receiving this notification to let you know that one of your direct reports <Firstname> <LastName> has been deprovisioned from GitLab’s Google Workspace. In keeping with our standard offboarding policy you will receive a copy of this user’s Google Drive data as well as delegated access to their email and calendar account. This delegate access will remain available to you for 90 days after which the account will be closed, and all data will be archived. Please be sure to copy anything you wish to keep to your own account before this time. For more information about how to access this data please see information in this Handbook page (provide link).

You will receive another notification 30 days before and then a final notification at 1 week before this account is closed. If you have any questions about this process, or need assistance with accessing the data, please feel free to reach out to the Corp IT team in the #it_help Slack channel.

30 Days Slack notification

Hello <Manager Firstname> <Manager Lastname>, you are receiving this notification to let you know that one of your direct reports <Firstname> <LastName> was deprovisioned from GitLab’s Google Workspace 60 days ago. In keeping with our standard offboarding policy you will continue to have delegated access to their email and calendar account for another 30 days after which the account will be closed, and all data will be archived. Please be sure to copy anything you wish to keep to your own account before this time. For more information about how to access this data please see information in this Handbook page (provide link).

You will receive another notification at 1 week before this account is closed. If you have any questions about this process, or need assistance with accessing the data, please feel free to reach out to the Corp IT team in the #it_help Slack channel.

7 Days Slack notification

Hello <Manager Firstname> <Manager Lastname>, you are receiving this notification to let you know that one of your direct reports <Firstname> <LastName> was deprovisioned from GitLab’s Google Workspace 83 days ago. In keeping with our standard offboarding policy you will continue to have delegated access to their email and calendar account for another 7 days after which the account will be closed, and all data will be archived. Please be sure to copy anything you wish to keep to your own account before this time. For more information about how to access this data please see information in this Handbook page (provide link).

This is the final notification. If you have any questions about this process, or need assistance with accessing the data, please feel free to reach out to the Corp IT team in the #it_help Slack channel.

Final Slack notification

The GitLab Google Workspace account for <Firstname> <LastName> has been archived after 90 days as per our standard offboarding policy.

Exceptions

Exceptions to this procedure will be tracked as per the Information Security Policy Exception Management Process.

Access Requests (AR)

Access Requests are owned by the IT team, while onboarding, offboarding and internal transition requests are owned by the People Connect Team.

If you have any access requests related questions, please reach out to #it_help or the tool provisioner in Slack.

Need help?

  • Please @ mention @gitlab-com/gl-security/corp/helpdesk in the issue, with no particular SLA.
  • If your request is urgent, @ mention it-help in the #it_help channel in Slack with a note on why it is urgent.

How do I choose which template to use?

Individual or Bulk Access Request

You can use this template to request access for individuals or multiple people, as long as all the people are requesting access to the same systems. Create multiple issues using this same template if multiple people require access to different systems. When access is being requested for multiple people who report to different managers but are part of the same department or division, approval can be obtained by the manager at the highest level; that is, the Director, Vice President, or Executive of the department or division.

Last modified March 11, 2025: Update information on refreshes.md (98b3536a)