Context
This guide is intended as a supplement to the standard guide when deploying Ubuntu systems to laptops. This is not done often and has a few exceptions to our normal policies for Linux deployments that should be kept in mind. In general, you will follow most of the steps found HERE, but there are a few key things that differ and should take priority, which that guide does not account for.
Last updated Date: Oct 2024
DNS and OS installation
Because most laptops will be mobile and do not have dedicated ethernet ports, we do not assign a static IP or DNS entry to the laptop.
- In order to access the internet during deployment, you will connect to eduroam using your credentials.
- When handing off the laptop to the user, you will need to have them log in as themselves, forget the wifi connection, and have them connect to eduroam with their own credentials.
- In order to connect to eduroam, you will need to use PEAP authentication.
- Check the box that says no CA is required.
- Use your gtusername@gatech.edu as the login user.
- When going through the ISO install, make sure that LUKS is enabled on the hard drive. This has to be done during the OS installation step.
- Use the default root password as the passphrase for unlocking the drive.
BIOS
The BIOS settings for laptops will differ depending on the manufacturer, but we'll note down specific troubleshooting steps we have encountered.
- If you see strange, corrupted, noise-like graphics on the display once you are in Ubuntu, you will need to go into the BIOS and disable the graphics adapter handoff setting. This forces the laptop to always use the GPU for graphics instead of attempting a smart handoff. The laptop BIOS may not always handle this handoff well, which creates the undesired visual effect.
Salt
Even though Salt will not be able to connect when the laptop is off the GT network, and auditing of its status will therefore not be as up to date, we will still configure the laptop to use Salt and act as a configuration monitoring platform.
- Use the manual Salt enrollment process found at https://tso.cc.gatech.edu/howtos/how-manually-enroll-system-salt
- Otherwise, you will enter the same Salt commands that are found at https://tso.cc.gatech.edu/howtos/server-deployment-quickstart-guide-ubuntu
Configure the OS
- We are still using SSSD authentication for logging in on this laptop; however, we are not going to delete the default "cocinstance" user.
- This is intended as a manual backdoor into the laptop in case authentication has issues over wifi.
- By default the laptop will cache SSSD credentials for 30 days when not on wifi. Make sure to inform the user of this requirement.
- Otherwise you can configure the laptop the same way as a workstation, with two exceptions:
- You will not need to disable sleep.
- We will not install Borg on the laptop. Make sure to inform the user of the backup situation.
- Enable LUKS to be decrypted by the TPM.
- While this technically makes the laptop less secure, it means the user does not need to enter the root password to boot the machine, and it still protects the hard drive data from a USB interruption and from the hard drive being stolen and removed.
- We have a script that does this, currently housed on shoebox:
wget shoebox.cc.gatech.edu/scripts/laptops-only-luks-tpm-encrypt.sh -P /tmp/
chmod 700 /tmp/laptops-only-luks-tpm-encrypt.sh
/tmp/laptops-only-luks-tpm-encrypt.sh
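As an added example, not the script hosted on shoebox (whose contents are not in this guide), here is the general shape of what TPM-unlocking a LUKS volume involves on a systemd-based Ubuntu: enrol the TPM2 as an extra key slot with systemd-cryptenroll, and add tpm2-device=auto to the volume's /etc/crypttab entry so the TPM is tried before the passphrase prompt. The PCR choice, the device resolution, and the assumption that the initramfs honours the crypttab option (systemd-cryptsetup does; Ubuntu's initramfs-tools hooks may not) are mine, not the guide's. The passphrase slot is deliberately kept so the drive can still be opened if the TPM refuses to unseal after a firmware or Secure Boot change.

```shell
#!/bin/sh
# Added example, not the shoebox script: bind a LUKS volume to the TPM2 with
# systemd-cryptenroll and make /etc/crypttab try the TPM before the passphrase.
# Assumptions (not from the guide): systemd with tpm2 support, the root volume
# listed in /etc/crypttab, and an initramfs that uses systemd-cryptsetup.
set -eu

TPM_OPTION="tpm2-device=auto"

# Print the device column of the first active (non-comment) crypttab entry.
luks_device_from_crypttab() {   # arg: crypttab path
    awk '$1 !~ /^#/ && NF >= 2 { print $2; exit }' "$1"
}

# Turn a crypttab device spec (UUID=..., PARTUUID=... or a path) into a /dev path.
resolve_device() {   # arg: device spec
    case "$1" in
        UUID=*)     readlink -f "/dev/disk/by-uuid/${1#UUID=}" ;;
        PARTUUID=*) readlink -f "/dev/disk/by-partuuid/${1#PARTUUID=}" ;;
        *)          printf '%s\n' "$1" ;;
    esac
}

# Append an option to the 4th column of one crypttab line, without duplicating it.
add_crypttab_option() {   # args: line option
    printf '%s\n' "$1" | awk -v opt="$2" '{
        if (NF < 3) $3 = "none"                 # key-file column is mandatory
        if (NF < 4 || $4 == "-") $4 = opt
        else if (index(("," $4 ","), ("," opt ",")) == 0) $4 = $4 "," opt
        print $1, $2, $3, $4
    }'
}

# Rewrite every active entry of a crypttab file to carry the TPM option (idempotent).
ensure_crypttab_tpm2() {   # arg: crypttab path
    tmp="$(mktemp)"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) printf '%s\n' "$line" ;;          # keep blanks and comments as-is
            *)       add_crypttab_option "$line" "$TPM_OPTION" ;;
        esac
    done < "$1" > "$tmp"
    cat "$tmp" > "$1"      # cat keeps the original file's mode and ownership
    rm -f "$tmp"
}

# Enrol the TPM2 as an additional key slot. Binding to PCR 7 (Secure Boot
# policy) means a changed boot chain makes the TPM refuse to unseal, and the
# passphrase slot, which this leaves in place, is asked for instead.
enroll_tpm2() {   # arg: LUKS block device; prompts for the existing passphrase
    systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 "$1"
}

if [ "${1:-}" = "--apply" ]; then
    dev="$(resolve_device "$(luks_device_from_crypttab /etc/crypttab)")"
    enroll_tpm2 "$dev"
    ensure_crypttab_tpm2 /etc/crypttab
    update-initramfs -u
fi
```

Run it as root with --apply; without that flag it only defines the functions, so the crypttab rewriting can be exercised on a copy of the file first. Re-running it is safe: the crypttab option is never duplicated, and systemd-cryptenroll adds a new slot rather than replacing the passphrase.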
Install the VPN
- You will need to install the VPN manually on the laptop as root. This gets its own section because of the amount of troubleshooting that can be involved.
- As a heads up, GlobalProtect is notoriously awful at working with Linux in general, and these instructions may need to be updated.
- Follow the instructions provided by OIT at https://vpn.gatech.edu/global-protect/login.esp
- Make sure to download the latest version.
- Each version tends to introduce different bugs, so I hope this doesn't get out of date too quickly.
- Currently the latest version provided by OIT is v6.2.0.1-265
- Once you follow the instructions you should have the VPN working, but with a catch:
- You can use terminal commands freely: ping, apt update, wget, etc. will all work.
- But your browser will not; in this case Firefox will no longer work due to how GlobalProtect configures its tunnelling.
- Disconnect GlobalProtect.
- Edit your /etc/systemd/resolved.conf file to explicitly include the settings that Firefox uses:
DNSStubListener=yes
DNSStubListenerExtra=udp:127.0.0.1:53
- You may need to restart the laptop, but once you reconnect GlobalProtect it should work as expected.
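As an added example (my code, not the guide's), here is an idempotent way to apply the two resolved.conf settings above instead of hand-editing, so re-running the step after a GlobalProtect upgrade does not leave duplicate or commented-out keys behind. The same ini_get helper also covers the check the Configure the OS section implies: reading the SSSD offline credential expiry to confirm the 30-day cache the user is told about. That it lives in offline_credentials_expiration under [pam] in /etc/sssd/sssd.conf is an assumption of this example, not something the guide states.

```shell
#!/bin/sh
# Added example (not from the guide): idempotent key=value editing for
# systemd-style config files, used for the GlobalProtect/Firefox
# resolved.conf fix and for reading the SSSD offline cache setting.
set -eu

# Print the value of key in [section] of an INI-style file (empty if unset).
# Tolerates "key = value" spacing and skips commented lines.
ini_get() {   # args: file section key
    awk -v section="[$2]" -v key="$3" '
        /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); in_sec = (s == section) }
        in_sec && $0 !~ /^[ \t]*[#;]/ {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# Set key=value in [section], replacing an existing (or commented-out) line
# in place and adding the section if it is missing. Never duplicates the key.
ini_set() {   # args: file section key value
    file="$1"; tmp="$(mktemp)"
    awk -v section="[$2]" -v key="$3" -v value="$4" '
        function emit() { print key "=" value; done = 1 }
        /^[ \t]*\[/ {
            if (in_sec && !done) emit()      # leaving the target section: append the key there
            s = $0; gsub(/[ \t]/, "", s); in_sec = (s == section); if (in_sec) seen = 1
            print; next
        }
        in_sec && !done {
            k = $0; sub(/^[ \t]*[#;]?[ \t]*/, "", k)   # match live or commented-out keys
            eq = index(k, "=")
            if (eq > 0) {
                k = substr(k, 1, eq - 1); gsub(/[ \t]/, "", k)
                if (k == key) { emit(); next }
            }
        }
        { print }
        END { if (!done) { if (!seen) print section; emit() } }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"      # cat keeps the original file's mode and ownership
    rm -f "$tmp"
}

# The two lines the guide adds to /etc/systemd/resolved.conf.
apply_firefox_dns_fix() {   # arg: path to resolved.conf (defaults to the real one)
    conf="${1:-/etc/systemd/resolved.conf}"
    ini_set "$conf" Resolve DNSStubListener yes
    ini_set "$conf" Resolve DNSStubListenerExtra udp:127.0.0.1:53
}

# Report the SSSD offline credential expiry in days (empty or 0: never expires).
# Assumed location: [pam] offline_credentials_expiration in sssd.conf.
sssd_offline_expiry_days() {   # arg: path to sssd.conf
    ini_get "$1" pam offline_credentials_expiration
}

if [ "${1:-}" = "--apply" ]; then
    apply_firefox_dns_fix
    systemctl restart systemd-resolved
    printf 'SSSD offline cache expiry (days): %s\n' "$(sssd_offline_expiry_days /etc/sssd/sssd.conf)"
fi
```

Run with --apply as root to write /etc/systemd/resolved.conf and restart systemd-resolved; the guide's note that a reboot may still be needed before GlobalProtect behaves still stands. Without the flag only the functions are defined, so apply_firefox_dns_fix can be pointed at a copy of the file to preview the result.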
Additional Troubleshooting
Any additional troubleshooting or exceptions can go here