№ 03 / Pillar
Laptops that arrive ready, stay patched, and obey from afar.
Sovereign-tier device management: every company laptop ships with disk encryption on, our agent enrolled, SSO ready against your Keycloak. Windows, macOS, Linux — pick or mix. Samba AD if you want Group Policy on Windows.
DAY 0
Provisioning
- Standard image: cloud-init, autounattend, MDM enroll
- Disk encryption enforced (BitLocker, LUKS, FileVault)
- SSO ready, password vault preconfigured
- Tailnet joined out of the box
DAY 1 → 1,000
Management
- FleetDM agent reports inventory + posture
- OS patching on a defined schedule
- Group Policy via Samba AD (Windows)
- Compliance reports, quarterly
WHEN IT GOES WRONG
Recovery
- Remote wipe on lost device
- Re-enroll a replacement in < 30 minutes
- Files restored from your Nextcloud backup
- No "but I had everything on my desktop"