Endpoint Lifecycle Management and the TinyPilot KVM
Jul 18, 2023
One of the services we offer our customers is Endpoint Lifecycle Management (ELM), which covers the provisioning and shipping of devices to end users, device recovery, and data wipe (for reuse, sale, or e-waste).
The devices are stored, shipped from, and returned to warehousing facilities which have strict (SOC2) access controls that limit the number of people who can physically go on site.
We use warehouse facilities in multiple countries including the US, shipping directly to end users in the US, Mexico, Canada, the UK, the EU, India, Australia, and New Zealand.
In addition, most of our Managed Services staff, who are a key part of the ELM process, work from locations that make on-site visits impractical.
We needed a solution that would allow us to remotely and securely access devices for the provisioning and de-provisioning process.
Our initial solution was an 8-port KVM (which required Java for access), front-ended with a dedicated firewall, reachable via inbound ports opened on the warehouse firewall that were locked down to specific source IPs.
It wasn’t very manageable, it wasn’t as secure as we wanted, and we really didn’t want to have to run Java just to access the KVM.
We started looking for other solutions and discovered the TinyPilot KVM and Tailscale.
The TinyPilot Voyager 2a is a single, small form-factor KVM that only requires a web browser for access. That removed the need to run Java, which is one less security risk to deal with.
The single-port form factor means we can scale up one KVM at a time, rather than adding a whole multi-port KVM each time we need more capacity.
The TinyPilot KVM comes in two versions – one that uses a power cable and one that supports PoE.
We tried both and ended up deploying the PoE version because it reduced the amount of cable clutter, simplified the deployment, and allowed us to power our TinyPilot KVMs through the Meraki PoE switch they are connected to.
We had TinyPilots deployed, but how could we connect to them securely from anywhere? That’s where Tailscale came in.
Tailscale is software that lets you create a fast, secure, virtual private network with minimal configuration.
With Tailscale set up and configured, the TinyPilot KVMs were able to join our new Tailscale private network using outbound connections only, removing the need for any inbound ports to be open on the warehouse firewall – a significant security improvement.
With Tailscale deployed on our workstations and servers, we could now access the TinyPilot KVMs remotely and securely.
Note: Tailscale supports Access Control Lists, which we use as an added layer of security to control which users can connect to the TinyPilot KVMs.
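The shape of a Tailscale ACL policy that enforces this kind of restriction, added here as an illustration and not the policy from the post; the group name, tag name, user addresses and the KVM ports (TinyPilot’s web interface is served over HTTP/HTTPS) are assumptions:

```jsonc
{
  // Assumed group: the Managed Services staff who are allowed to drive the KVMs.
  "groups": {
    "group:managed-services": ["alice@example.com", "bob@example.com"]
  },
  // Assumed tag applied to every TinyPilot node when it joins the tailnet.
  "tagOwners": {
    "tag:tinypilot": ["group:managed-services"]
  },
  "acls": [
    {
      // Only the group may reach the KVMs, and only on the web UI ports (assumed 80/443).
      "action": "accept",
      "src": ["group:managed-services"],
      "dst": ["tag:tinypilot:80,443"]
    }
  ],
  // Policy tests are checked when the file is saved, so a change that
  // accidentally widens access is rejected before it takes effect.
  "tests": [
    { "src": "alice@example.com", "accept": ["tag:tinypilot:443"] },
    { "src": "contractor@example.com", "deny": ["tag:tinypilot:443"] }
  ]
}
```

Because Tailscale denies any connection that no rule explicitly accepts, this policy also prevents the KVMs themselves from initiating connections to other nodes on the tailnet.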
Each device that needs to be provisioned is connected by the on-site warehouse staff to a TinyPilot KVM via an HDMI cable for video and a USB-C cable for data.
Some devices don’t support HDMI, so we have to use an adapter cable (HDMI to DisplayPort, for example) for the video connection.
If the device supports USB-C, we will use a USB-C to USB-C data cable, otherwise we use the USB-C to USB-A cable that comes with the TinyPilot.
Once the device is connected, we can connect to its TinyPilot remotely over Tailscale, take control, and perform whatever tasks are required to provision that device prior to shipment to the end user.
Provisioning tasks depend on the specific customer, but can include installing specific software, or performing a white-glove setup of the device for the end user to make sure all applications are configured and functioning.
Once the device provisioning is complete, the warehouse will box the device up, and ship it to the end user.
At the other end of the process, when devices are returned to the warehouse for reuse, resale, or e-waste, they will be connected to a TinyPilot KVM so we can perform de-provisioning tasks.
Again, de-provisioning tasks vary by customer, but usually involve backing the device up, then performing a factory reset to clear existing data and configurations, after which the device is stored in the warehouse ready for reuse.
For a device that is going to be sold or e-wasted, we perform a data wipe of the hard drive before disposal.
The TinyPilot contains a flash card that can be configured with virtual media and mounted to the connected PC as an external CD-ROM or external drive. We use this to mount a virtual CD-ROM containing the data wipe application and run it.
The same functionality could be used, for example, to mount a virtual CD-ROM containing a “gold” ISO deployment image and install that on a PC being provisioned.
Questions about Endpoint Lifecycle Management?
If you have any questions about how Endpoint Lifecycle Management could work for your organization, contact Navigator Networks. Our team of experts can provide you with the information you need to make an informed decision. We specialize in providing ELM solutions that meet the unique needs of companies of all sizes, and we’re always here to help.
Questions about TinyPilot?
If you have questions about the TinyPilot, check out their web site.