Ask HN: Developer PC setup automations for company owned devices

31 pointsby foxylion9 months ago

Hi, we are currently discussing within our company if the current state of developer PC setup is okay ore should be improved.Current state:- Laptop with either Linux, Windows or MacOS pre-installed and integrated in Microsoft AD is provided.- The developer needs to install software, CLI tools, Git configuration and so on by following guides in our documentation.- Docs are frequently updated to reflect latest changes within the tooling (new version of software, different commands, ...).- Setup time is roughly a day for less experienced developers.Now some people ask for an automation to get a "pre-installed" laptop that only needs some sign-in credentials to get started. I'm sceptical that this does work without huge efforts, developers preferences might interfer a lot with the auomations. Especially for the upgrade case when updates happen.Is there any other company/your employer doing such a thing and how well does that work?

25 comments

michaelt9 months ago

In my experience:1. There's very rarely a one-size-fits-all solution, in terms of what people need. Oh sure, if everyone needs a VPN then you should install the VPN and suchlike. If there's mandatory corporate security software, add that as well. But will they need docker? Will they need virtualbox? Will they need VS Code? CLion? PyCharm? IntelliJ? Do they need Java installed? Which version of Java? Will they need Altium? SolidWorks?2. There's constant churn. You can't just create an image once and use it unchanged for years - there are so many components involved that there'll be some change or other needed pretty much monthly.And you can't rely on volunteers helping out to scratch an itch - everyone in a position to do that has long since got their computer set up how they like it.What's more, lot of the changes you end up pushing out will be unpopular. Ain't nobody going to volunteer their time to add a giant block of all-caps legalese to a login banner, or to deploy enterprise security crapware like crowdstrike.3. Laptops are imaged by level 1 helpdesk workers. People who can troubleshoot Linux problems and maintain setup images probably aren't in helpdesk at all, and certainly aren't level 1.So if you imagine making an image and handing it over to helpdesk to maintain - you'll find doing so isn't possible.

评论 #41392057 未加载

评论 #41393169 未加载

jabroni_salad9 months ago

In my experience, doing the automation is very easy but getting the list of requirements is very hard. The guys taking an entire day to set up a computer could just install their stuff with (any package manager), so why does it take so long? They don't know what they need and just go with it until they hit a road block.We pre install the licensed corporate tools and universally used tools like np++ and git for windows, and let them figure out the rest. Every time we bring up baseline changes with that group it turns into bikeshed city.

amne9 months ago

I usually live in WSL2 on Windows running on company provided laptop. Each time the laptop has to be replaced (failure or age) I struggled to get my "home" back up so a couple of years ago I took a full day to setup my so-called "dot files repo".My goal was to be able to install any debian-based distro and run a single script, non-interactive, that would get me up and running. All that I needed to do was to clone code I wanted to work on.After I created the dot files repo the process was:- install distro- checkout dot files- run script- do I have everything I need? (minikube, k9s, jq, yq, asdf, terraform, git config, nvim config, etc.)- if no, then:<pre><code> - fix, commit, push - remove distro</code></pre>

评论 #41392123 未加载

评论 #41394520 未加载

stonemetal129 months ago

I would take "Now some people ask for an automation to get a "pre-installed" laptop" as a lack of " developers preferences".Personally I dislike Git, and haven't found a git UI I like, so throw whatever you want on there. I am not going to like it, but not because I want something else.Since you support a range of OSes I assume you would go with a cross platform editor IntelliJ, VSCode or something. Both are fine, and "something" probably is too.I like beyond compare enough that I bought a personal license for it.Give them a 100% works out of the box then they can customize the 1 or 2 things they care about.

评论 #41391188 未加载

评论 #41392074 未加载

bloopernova9 months ago

After corporate IT gives out a MacBook, we run a local-only Ansible script I wrote.It sets .zshrc, .zshenv, and .zshenv-private for tokens etc.It also uses Homebrew to install a bunch of packages, then creates various config files.It works well. Developer setup time went from days to less than 2 hours (corporate VPN is slow)Edited to add:Workflow is:<pre><code> 1. Install homebrew, xcode command line tools, Ansible, and then git+credential helper. 2. Clone repo (which ensures the new dev has correct roles/groups to access the repo) 3. Run Ansible. </code></pre> Snippet of the Ansible script:<pre><code> --- - name: Configure dev macOS hosts: localhost vars_prompt: - name: githubtoken prompt: What is your github token? private: false tasks: - name: Create variable from brew prefix ansible.builtin.command: "brew --prefix" register: brew_prefix changed_when: false - name: Update Homebrew community.general.homebrew: update_homebrew: true - name: Install GNU Coreutils community.general.homebrew: name: coreutils state: present</code></pre>

评论 #41392052 未加载

WorldMaker9 months ago

For Developers on Windows 11, depending on what you think of Microsoft's "Preview" status, the growing power tool here in this space is Windows Dev Home: <a href="https://learn.microsoft.com/en-us/windows/dev-home/" rel="nofollow">https://learn.microsoft.com/en-us/windows/dev-home/</a>One of the key pieces of Dev Home is Machine Configuration via WinGet Configuration files [1], which are an upgrade from PowerShell DSC, if you've tried that for server configs, with increased support for installing software from WinGet, cloning git repositories (to Windows Dev Drive if you want to allow that). These config files are just YAML files so you could very easily offer starter templates and also allow developers to customize them based on their own preferences. (Also as YAML they could be source controlled in git themselves.)Some sample configuration files: <a href="https://github.com/microsoft/devhome/tree/main/docs/sampleConfigurations">https://github.com/microsoft/devhome/tree/main/docs/sampleCo...</a>Microsoft has been iterating on Dev Home pretty rapidly and adds new features regularly (relatively recently it added support to applying the same configuration files to building new virtual machines either locally under Hyper-V or remotely with Microsoft Dev Box).I've not yet seen a company try to use WinGet Configuration and Dev Home as a company-wide initiative, but I have seen some growing "bottom up" usage as Developers like myself adopt parts of it for our own multi-device needs or virally share YAML snippets among each other for common corporate repos and tools.[1]: <a href="https://learn.microsoft.com/en-us/windows/package-manager/configuration/" rel="nofollow">https://learn.microsoft.com/en-us/windows/package-manager/co...</a>

prophesi9 months ago

For software developers, `asdf`[0] and dockerized projects goes a long way. For provisioning the environment variables needed for development, HashiCorp's `vault`[1] can make that pretty simple. Combine that with `direnv` to have it load the value dynamically with:```# .envrcAPI_KEY=$(vault kv get -field=API_KEY secret/projectA/dev)```I also wanted to experiment using `pass`[2] instead, but messing with GPG keyrings and the like is unwieldy and not too user-friendly. It's what I use for personal projects since Vault is overkill.[0] <a href="https://github.com/asdf-vm/asdf">https://github.com/asdf-vm/asdf</a>[1] <a href="https://github.com/hashicorp/vault">https://github.com/hashicorp/vault</a>[2] <a href="https://www.passwordstore.org/" rel="nofollow">https://www.passwordstore.org/</a>

评论 #41391941 未加载

lijok9 months ago

Buy an MDM, spend a couple of days setting it up and you’re off to the races.Every place I’ve worked at where I had some control over workforce device management, we had devices shipping from the store directly to the end user, which would get automatically set up once the user logged in with their gsuite creds.

hnrodey9 months ago

Your setup process is aligned with my industry experience (15+ years).As for an installation script - I agree that is a big effort. ROI depends on frequency of the onboarding process. 10+ people per week? It might make sense. 3-4 people per year, not so much.Smooth onboarding is a feature, not a baseline. Great onboarding takes consistent time, effort and energy to create and maintain.Ensure that you have a predictable time to complete the onboarding. 1 day, 3 days, 2 weeks, etc. Time to complete onboarding should be very predictable and consistent.Use relevant measures to reduce onboarding duration. Example: our developers need to install Oracle database on their Windows machine - normally it takes several hours to complete this step. We found that the Docker setup for Oracle can be completed in less than one hour.

aae429 months ago

i think a developer should be "in-tuned" with their tools, and time spent installing and configuring them is still "work"they can automate the setup on their own if desiredalso.. <a href="https://www.jetify.com/devbox" rel="nofollow">https://www.jetify.com/devbox</a> for specific project tooling

评论 #41390985 未加载

评论 #41390253 未加载

ripjaygn9 months ago

What's missing is how many onboardings on the dev do you expect per year?If it's like 10 or even 25, then it's not worth the extra automation. More than 50 is when the time is worth it.

zerkten9 months ago

What kind of software are developers building and do they have automation/CI for this? In my company we are mostly deploying web apps to Linux with devs using all of these laptops. If you have a wide range of development going on, then I'd suggest prioritizing the feasible ones.Using <a href="https://github.com/bradwilson/ansible-dev-pc">https://github.com/bradwilson/ansible-dev-pc</a> (public equivalent to ours), you can automate the setup of a Linux laptop or WSL2 environment under Windows. This covers a fair chunk of our dev team. Once you start thinking about making this work on macOS, it starts becoming quite a bit more work, but it's not terrible if management values the effort.If you have people doing mobile and Windows desktop development in addition to Linux web apps, it starts to get much more complex. Maybe you can't offer a fully "pre-installed" laptop, but you can automate the time-consuming parts like a Visual Studio install.From experience, you are going to encounter a lot of developers who struggle more than you expect with troubleshooting and automation of their work. This includes experienced devs. It seems to turn on interest and curiosity versus dev experience. It helps to create a checkpoint at onboarding where you make an effort to determine the best approach for them and know who accepts an automated happy path provided by you and who wants to handle things on their own (and perhaps fails). You can then report on the general pattern of issues to management and prioritize ways of improving your happy path build so they don't reject it.

heraldgeezer9 months ago

IT here.Devs need to manage their own. We hook it into AD/AAD, EDR and Office 365.Dev enviroments THEY setup as THEY are developers. If then cant install some stuff can they even dev?

评论 #41391349 未加载

lnxg33k19 months ago

I only modify my system with Ansible, and when I am given a company laptop, I can have all my config, tools, etc. installed and configured right away with zero issues. Then most of the times, the dev env itself is based on docker and it's also done in a little time. So you could use something like ansible instead of docs

gxonatano9 months ago

Here's how I would do it, very opinionatedly.- Step 1. Use only Linux. You avoid having to translate between operating systems, you avoid paying expensive licenses, and you make your environments repeatable across dev machines. If a dev needs software that's only available on Windows or MacOS, have them run it in Docker or in a VM.- Step 2. Define your software, programs, and user configuration in a .nix file. Create variables for user-specific stuff (usernames, email addresses, preferred software, etc.) and put them at the top of the file, so that you or the dev can easily edit it. Keep the Nix file in a Git repo, but allow your dev to maintain a separate branch. Build the Nix file into the system with `nixos-rebuild`.- Step 3. There is no step 3.

jiehong9 months ago

Similar here.More than onboarding, there is also the question of changing your laptop, and having to setup everything again.Some pieces of software that help:- Humble bundle (<a href="https://github.com/homebrew/homebrew-bundle">https://github.com/homebrew/homebrew-bundle</a>) with a `Brewfile` stored in git and shared;- dump of all dot files in $HOME encrypted and stored in the company's cloud (because it contains ssh private keys, or password manager db, etc);- All documents are synchronized with OneDrive.Mostly, there isn't a one-size fits all, but there is a common set of packages that all devs want, but IDE choice is personal, and many other things.

Kelteseth9 months ago

We use a mix of winget and chocolatey for everything via a python script. We also check the tool version when we configure our project with CMake. Sadly, we had to implement the version check for each application.

twp9 months ago

Some teams are using <a href="https://chezmoi.io" rel="nofollow">https://chezmoi.io</a> to set up and maintain their developer's machines. It runs on Linux, macOS, and Windows.<a href="https://install.doctor/" rel="nofollow">https://install.doctor/</a> is a higher level option which uses chezmoi.

muststopmyths9 months ago

I'm really out of the loop on this, but in the past for Windows at least you could customize an image and use PXE to install it from the network. Then all the user had to do was login with a domain account.Does that not work any more or is it just not popular ? Any insights as to why not ?

评论 #41391094 未加载

from-nibly9 months ago

Direnv plus nix will go a long way on linux and macos. Windows should be using wsl anyway.If you can get an image with just those two tools installed then each repo can specify what things it needs and when you cd into the repo it will install all the tools you need.

knckl9 months ago

We have a mixture of MacOS (managed via Jamf Pro) and Windows managed via Intune/Autopilot.All of us are AD integrated. Some software is managed (auto updated/installed) other software is up to us to manage.Both setups work pretty well.

solardev9 months ago

Can everything live inside a docker thing that you redistribute?

评论 #41390133 未加载

jabart9 months ago

Unless you are getting ready to hire a lot of developers, or churn a lot of developers, the three OS choices mean 3 versions of the same image/script to get setup. That now becomes another application you have to manage. The setup docs are more of a live training not a waste of time. Their setup time will never be zero as they have to setup logins, verify license keys, etc, for all the tools that are installed.The internal IT team should already have a way to configure security software and such but will also not want to manage a specific group setup for likely a small amount of people.Reference.<a href="https://xkcd.com/974/" rel="nofollow">https://xkcd.com/974/</a>

EricRiese9 months ago

<a href="https://containers.dev/" rel="nofollow">https://containers.dev/</a>

oneplane9 months ago

What definitely doesn't work is one-size-fits-all. It doesn't work with hardware specs, it doesn't work with software, and it doesn't work with workflows. Managing Windows, macOS and Linux is all different enough to only get value out of it if you specialise a bit for each.Here comes a somewhat long form answer that doesn't cover everything but covers enough, assuming you have a tech department (be it SWE, testers, platform etc) of at least 100 users.For Windows: Use Intune and Company Portal, don't bind to AD, but use Azure as that is a requirement for native Windows lifecycle management.For macOS: Use ABM and ADE with an MDM (like Jamf, Mosyle, Addigy, Kandji), they all come with the option to deploy a self-service portal. Don't bind to AD, don't log in with Azure, especially on single-user devices. It antithetical to lifecycle management of macOS, and doesn't help. Do escrow FV2 to MDM. Optionally you can enable DEP which enables you to do more smooth transitions for existing devices. Using MAIDs can help with resolving a user to a directory user but isn't a requirement.For Linux: if someone wants Linux, they usually also have specific preferences for their productivity. Providing something in terms of "here, have a linux" is something I have not seen being very effective or efficient. I have had fleets where there was a default supported setup (Debian mostly, but some orgs defaulted to Ubuntu). There were two approaches:1. Hands-off, you want Linux, you'll probably know what you're doing, just enroll into osquery so we know your posture.2. Hands-on, you can pick our defaults or roll your own, but you'll get a SaltStack Minion configured and our Master will append your installed packages and amend your configuration as needed. Interaction is purely via chat for end-users (chatbot style in IRC or channel integration with Slack).As for how this then works provisioning-wise:Windows: you publish packages to the Company Portal. They can be of many shapes and sizes but we've found that ensuring that everything is actually a package and not some wrapped script is the way to keep it clean and functional. We use pseudo apps that pull in dependencies to automatically install everything you need. So if you're maintaining some legacy .NET WPF app we'd give you VS, various .NET versions, WSL2 (so you can use normal Git and interact with our services), and perhaps Rancher Desktop if you need to mock some endpoints locally.macOS: you publish packages to the self-service app of choice. Generally they are all Installer packages but it's fine if their payload is mostly scripts since it's mostly Unix under the hood anyway. We use groups of presets so someone can click "configure me as if I were building microservices with Go and NodeJS". This would result in Rosetta, XCode, Homebrew, JetBrains, VSCode, UTM, Podman all being setup in the background and the user either getting a SwiftDialog about the process or just a notification after completion.Linux: you publish formulas to Git and for hands-off people can read those, for hands-on you ask your chat system of choice to handle it for you. We use some jinja2 magic to pull in many formula configurations at once, and inside the formulas we try to support at least from-source, apt and dnf. But often we'll only have the automation for apt as that is where the majority of "I need Linux but I don't want to do it myself" lands (the default distro we deliver). We don't have zero-touch provisioning but instead ask users to log in on our enrolment portal and download a small Go binary that does the enrolment for them.For all of them we keep the sources in Git so we don't end up needing a billion service desk employees writing arbitrary application profiles for multiple platforms. If someone wants to add support for their special flavour of the week, they can do that, and after a review it'll be available. That also includes OSQuery packs we use for cross-platform posture management. There is no need to hide this, and especially in a technology BU you will only create friction with opaque top-down management. They (we) will always win as technologists will find ways to do things that get the job done and hide them if needed.This model is of course not the same as say, accounting users, or marketing or C-level. They get Chromebooks or a computer of their favourite brand that is essentially turned into an expensive web browser kiosk. The only legacy 'fat' managed systems that remain are offline systems that you might use to manage PLCs in the field. That's mostly older (but supported) windows versions that people don't want to ever reboot or shut down because the old school way of managing those means it takes almost 50% of the time of a job to boot and authenticate before you can start to get any work done. But that's often as required by some compliance or regulatory regime.