Erik Gomez | Pinterest engineer, IT Client Platform
Over the last year, Pinterest IT has been moving away from traditional device management frameworks to an almost completely open source model. Our team’s goal is to minimize user roadblocks while also maintaining a secure and safe platform for employees. While we’ve done this for years with traditional MDM tools, it often came at a cost. For example, there were increased engineering hours spent writing tool extensions, and code was often duplicated across multiple deployments out of sheer necessity. By redesigning our platform around Chef, we standardized our client management design and gained some flexibility for both our IT staff and Pinterest employees. What used to be hundreds of lines of code can now be a single line of Ruby. Here we’ll give background on why we made this change and share many of the cookbooks we’re releasing today on GitHub.
As we were evaluating various configuration management tools for client devices, we found Chef met our requirements for managing them. While Puppet is great for managing servers, there isn’t much support for macOS. Apple does major updates to their operating system yearly, so we need a tool that’s regularly improved with client devices in mind. With Puppet, we heard many stories where it took months for the next operating system to officially be supported.
Other companies, including Facebook IT, have been big proponents of Chef. After looking at their code base, we decided to adopt several of their cookbooks as the base of our technology stack for macOS.
The screensaver example
It’s difficult to explain the benefits of moving to this model, but “the screensaver example” is the clearest way of understanding just how significant these changes are.
At Pinterest, we require that all company devices have a screensaver with an idle time. When the screensaver activates, we immediately require authorization. While this is extremely secure, there are times where it makes sense to augment this restriction. For example, a user may have hot corners and accidentally lock their machine from time to time. By allowing a few seconds before the password is required, they can still have a secure machine but don’t need to re-authorize for a simple accident.
Previously, this was impossible. We only had a single method to enforce this setting company-wide and no way to easily augment it on a per-user basis. By using Chef, a user can write a single line of code to work around this particular issue.
By committing the code node.default['cpe_screensaver']['askForPasswordDelay'] = 5, a user informs Chef to converge all values of this node object, thereby overriding the original value of 0. As Chef runs on the client device, it recognizes the user logged into the machine and changes the value to the new desired attribute.
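The following is an added example, not code from the post or from the Pinterest or Facebook cookbooks. It models how Chef layers node.default attributes: the company-wide recipe sets baseline screensaver values, and the single per-user line from the post overrides only askForPasswordDelay. The idleTime and askForPassword keys mirror the macOS com.apple.screensaver preference names and are assumed here to be the cookbook's attribute names; the policy limits and baseline values are constructed for illustration. The policy check at the end is the piece a defender would want: it confirms that a per-user override can relax the delay without switching off the password requirement or stretching the idle time past policy.

```ruby
# Added example: a stand-in for Chef's node.default attribute tree.
# Nested hashes auto-create intermediate levels, so
#   node['cpe_screensaver']['askForPasswordDelay'] = 5
# works the same way as the one-liner in the post.
def new_node
  Hash.new { |h, k| h[k] = Hash.new(&h.default_proc) }
end

# Baseline the company-wide cookbook would ship (constructed values).
def apply_company_defaults(node)
  node['cpe_screensaver']['idleTime'] = 600           # seconds before the screensaver starts
  node['cpe_screensaver']['askForPassword'] = true    # require authorization on wake
  node['cpe_screensaver']['askForPasswordDelay'] = 0  # password required immediately
  node
end

# The per-user override from the post: only the delay changes.
def apply_user_override(node)
  node['cpe_screensaver']['askForPasswordDelay'] = 5
  node
end

# Policy limits (constructed for this example, not Pinterest's real numbers).
MAX_IDLE_SECONDS = 900
MAX_PASSWORD_DELAY_SECONDS = 5

def within?(value, max)
  value.is_a?(Integer) && value >= 0 && value <= max
end

# Returns nil when the converged attributes satisfy policy, otherwise a
# message naming the first violated rule. Unset keys come back as empty
# hashes from the autovivifying node, which fails every check below.
def screensaver_policy_violation(node)
  cfg = node['cpe_screensaver']
  return 'askForPassword must remain enabled' unless cfg['askForPassword'] == true
  return 'idleTime exceeds policy maximum' unless within?(cfg['idleTime'], MAX_IDLE_SECONDS)
  return 'askForPasswordDelay exceeds policy maximum' unless within?(cfg['askForPasswordDelay'], MAX_PASSWORD_DELAY_SECONDS)
  nil
end

# Effective settings Chef would write to the screensaver preference domain,
# or an exception if the converged values would weaken the baseline.
def effective_screensaver(node)
  violation = screensaver_policy_violation(node)
  raise violation if violation
  cfg = node['cpe_screensaver']
  {
    'idleTime' => cfg['idleTime'],
    'askForPassword' => cfg['askForPassword'],
    'askForPasswordDelay' => cfg['askForPasswordDelay']
  }
end

if __FILE__ == $0
  node = apply_user_override(apply_company_defaults(new_node))
  p effective_screensaver(node)
  rogue = apply_company_defaults(new_node)
  rogue['cpe_screensaver']['askForPassword'] = false
  puts "rogue override rejected: #{screensaver_policy_violation(rogue)}"
end
```

Because the last assignment to an attribute wins at convergence time, the review point for a per-user change is the policy check rather than the line itself: a pull request that sets askForPassword to false or pushes the delay past the limit is rejected before Chef ever writes the preference.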
New cookbooks for macOS
Pinterest is committed to open source, and so today we’re releasing our repository of client-based Chef cookbooks on GitHub. While these cookbooks are primarily focused on macOS, we’ll eventually add other operating systems. We welcome any issues, feedback and pull requests.
Acknowledgements: Thank you to Facebook IT for open sourcing many of their Chef cookbooks. This significantly reduced the barrier of entry for our initial Chef deployment.