Laptop Security Configuration Standards

New laptops should be configured with security in mind. See the linked configuration guides and policies below.

Using iOS or Android? See the Mobile Devices (Phones and Tablets) page.

Using Linux? See the Linux Desktop Security Standards page.


Apple ID for Work

Overview

Please create a new Apple ID using your {handle}@gitlab.com work email address to keep your personal and work data separate.

Do not sign into your MacBook with a personal email address Apple ID.

When prompted for a credit card for purchases, use a personal card. You can submit expense reports for apps that you purchase on the App Store using an @gitlab.com Apple ID.

Background Context

Your Apple ID consists of an email address and a password. It’s the account you use for everything you do with Apple—including using the App Store, Apple TV app, Apple Book Store, iCloud, Messages, and more.

Laptop Backups

Overview

When backing up data, team members should use GitLab’s Google Drive rather than a local or personal backup destination.

Our deployment is regularly tested and data at rest is encrypted by default.

Laptop Disk Encryption

Overview

All laptops are required to have full-disk encryption enabled.

All team members are required to provide proof of disk encryption in their new laptop order or onboarding issue.

Configuration Steps

Apple macOS

No Action Required: We use Jamf to enable FileVault full-disk encryption for you automatically and to monitor for any laptops that are misconfigured. You do not need to configure anything; however, you are encouraged to verify that it is enabled.

Laptop Firewalls

Overview

All laptops need to have the operating system firewall enabled.

GitLab uses SaaS web applications and does not use a VPN to access most services (unless you are an Infrastructure or Security system administrator).

See the wireless networks handbook page to learn more about best practices when traveling and using public networks.

Configuration Steps

Apple macOS

Ubuntu Linux

Advanced Firewalls

For team members who are security-conscious, you can purchase and expense third-party firewall software such as Little Snitch or LuLu. These allow you to monitor and control outbound traffic on a per-application basis, which the built-in macOS application firewall (which filters inbound connections only) does not do.

Laptop Hostnames and Usernames

Overview

You can choose any username you wish when setting up the local account on the Mac. By default, the format for the host name is Firstname's MacBook Pro, for example John’s MacBook Pro or Jane’s MacBook Air.

Mac User Account

When you set up your laptop for the first time, it will ask you to set up the local account. You can use any name that you wish. For the username, it is a best practice to use your {firstname} (ex. kate) or {firstInitial}{lastName} (ex. klibby), and for the display name it is best practice to use title case (ex. Kate Libby). Because some filesystems and tools are case-sensitive, it is recommended to keep your username lowercase.

Laptop iCloud Drive

Overview

To help protect company data and improve collaboration, any yellow, orange, or red data should be stored in Google Drive, GitLab issue or repository code, or in the handbook.

Do not enable Apple iCloud Drive.

iCloud Drive can sync your Desktop and Documents folders to iCloud. GitLab uses Google Drive for document and file storage, so please make sure this feature is disabled. It can be unchecked during initial setup or turned off later using the instructions below.

Laptop Passwords

Overview

This is a placeholder page. Please see the GitLab Password Guidelines and Password Standards Policy pages.

Laptop Personal Use

Overview

We do allow team members to use their laptop for limited personal use (at their discretion), including gaming or personal browsing, subject to any conflicting statements contained in individual employment contracts or agreements and in line with the Internal Acceptable Use Policy. This includes social media, online banking, and normal consumer applications. It is never a good idea to use your work computer for not-safe-for-work (NSFW) websites.

Our concerns usually start with websites that contain lots of pop-ups or clickbait, span multiple pages of celebrity photos, or are otherwise likely to serve malware. In other words, you can view your Facebook news feed, but please avoid opening any advertisements. Please visit these kinds of websites on your personal phone or tablet instead, since those platforms are much less vulnerable to malware installation.

Laptop Remote Management and Monitoring

Overview

GitLab has a large and ever-growing fleet of laptops (a.k.a. endpoints) that Corporate Security is responsible for maintaining.

We use endpoint management and fleet intelligence tools to help us meet our Zero Trust security policies and compliance needs.

Mobile Device Management (MDM)

The term “mobile device” is misleading: it actually refers to any user device, including desktops, laptops, and phones, that is enrolled and tracked. Enrolled devices send a configuration inventory to the MDM server with details about their hardware specifications, operating system version, and the list of installed applications with their current versions.

Laptop Software Updates

Overview

We believe in staying up to date with security patches on all endpoint operating systems and installed software to mitigate the risk of exploitable vulnerabilities.

What to Expect

You should plan on performing software updates for 30-60 minutes every 2-3 weeks. It is easiest to plan for this towards the end of your workday or the end of the work week so that you can save any work and close any application windows before needing to restart your laptop.

Laptop Touch ID Biometrics

Overview

Please enable Touch ID on initial setup.

We use WebAuthn for 2FA at GitLab. In other words, you will be prompted for your biometrics (Face ID/Touch ID/fingerprint) or a security key (YubiKey, etc.) on a regular basis when signing into Okta and various web applications.

Laptop Web Browsers

Overview

We use Google Chrome as our primary web browser since many of our collaboration and security tools are natively integrated with Google.

We do not recommend or support using other browsers such as Firefox, Safari, etc. While we recognize that there are scenarios where alternate browsers are needed, eventually all access to GitLab resources will require Google Chrome.

Configuration Steps

Enterprise Browser Management

Chrome Enterprise Browser Management is a service that allows Corporate Security system administrators to achieve the following benefits:

Laptop Wireless Networks

Overview

It is safe to connect to the wireless network at your home or a friend or family member’s house.

Smart Home

There are security implications involved in the use of “smart home devices” such as Amazon Echo or Google Home. In rare instances these devices can record conversations you might not have intended them to record. Many smart home devices will provide a visual and/or auditory indicator to let you know they’re activated; for many such devices, when they’re activated, they’re recording you and save a transcript of what you say while it’s active.

Locking Laptop When Unattended

Overview

All GitLab team members must follow the clean desk / clear screen principle: keep your computer locked when it is not actively being used, and, when working from a shared or public space, store and secure any sensitive GitLab information when it is not in use.

In other words…

  • Never leave your unlocked computer unattended.
  • Activate the screensaver, lock the desktop, or close the lid.
  • When possible, sign out or close active web browser sessions when finished.
  • If using public wireless networks, disable Wi-Fi on your laptop when it is not in use or when traveling to avoid network traffic interception, or use the Nordlayer VPN.

Screen Saver and Password Lock

No Action Required: This has been automatically configured by Jamf; however, verification is recommended.
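The disk encryption, firewall, and screen lock sections above each say Jamf applies the setting but that you should verify it. The script below is an added example of how to do that verification from a terminal; it is not GitLab's or Jamf's own tooling. Each check_* function parses the text that the relevant status command prints, so the same functions can be run against saved output. On macOS it checks FileVault (fdesetup status), the application firewall (socketfilterfw --getglobalstate), and the screen lock (sysadminctl -screenLock status); on Ubuntu it checks ufw. The exact wording of each status line is assumed from current macOS and ufw output and may need adjusting for other versions; the 300-second maximum screen lock delay is an assumed threshold, not a figure from the handbook.

```shell
#!/bin/sh
# laptop_audit.sh - added example: self-check of the settings the handbook says
# Jamf applies (FileVault, application firewall, screen lock) plus ufw on Ubuntu.
# Status-line wording below is assumed from current macOS / ufw output.

# FileVault: `fdesetup status` prints "FileVault is On." or "FileVault is Off."
check_filevault() {
    case "$1" in
        *"FileVault is On"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Application firewall: `socketfilterfw --getglobalstate` prints
# "Firewall is enabled. (State = 1)" or "Firewall is disabled. (State = 0)".
check_macos_firewall() {
    case "$1" in
        *"Firewall is enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Screen lock: `sysadminctl -screenLock status` prints "screenLock is off" when
# no password is required after sleep/screensaver, otherwise a delay line such as
# "screenLock delay is immediate" or "screenLock delay is 60 seconds".
# MAX_DELAY is an assumed threshold for what counts as "locked when unattended".
MAX_DELAY=300
check_screen_lock() {
    case "$1" in
        *"screenLock is off"*) return 1 ;;
        *"delay is immediate"*) return 0 ;;
        *"delay is "*)
            secs=$(printf '%s\n' "$1" | sed -n 's/.*delay is \([0-9][0-9]*\) seconds.*/\1/p')
            [ -n "$secs" ] && [ "$secs" -le "$MAX_DELAY" ] ;;
        *) return 1 ;;
    esac
}

# Ubuntu: `ufw status` (as root) prints "Status: active" or "Status: inactive".
check_ufw() {
    case "$1" in
        *"Status: active"*) return 0 ;;
        *) return 1 ;;
    esac
}

# report NAME CHECK ARGS...: run CHECK, print PASS/FAIL, and count failures.
FAILS=0
report() {
    name=$1; shift
    if "$@"; then
        printf 'PASS  %s\n' "$name"
    else
        printf 'FAIL  %s\n' "$name"
        FAILS=$((FAILS + 1))
    fi
}

# Run the checks appropriate for this OS; exit status is the number of failures.
run_audit() {
    FAILS=0
    case "$(uname -s)" in
        Darwin)
            report "FileVault full-disk encryption" check_filevault "$(fdesetup status 2>&1)"
            report "Application firewall enabled" check_macos_firewall \
                "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>&1)"
            report "Password required after sleep/screensaver (<= ${MAX_DELAY}s)" \
                check_screen_lock "$(sysadminctl -screenLock status 2>&1)"
            ;;
        Linux)
            report "ufw host firewall active" check_ufw "$(sudo ufw status 2>&1)"
            ;;
        *)
            echo "unsupported OS: $(uname -s)" >&2
            return 2 ;;
    esac
    return "$FAILS"
}

# Only run the audit when executed as laptop_audit.sh, so the file can also be
# sourced for its check_* functions without touching the system.
case "$0" in
    *laptop_audit.sh) run_audit; exit $? ;;
esac
```

Save the file as laptop_audit.sh and run `sh laptop_audit.sh`; a non-zero exit status means at least one setting did not match. Because the check_* functions only parse text, you can also feed them the output of the same commands captured from another machine (for example, from a Jamf inventory export) without running anything on that host.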