Last week I was lucky to have squeezed an early sample of the Samsung Chromebook Pro out of my distributor for evaluation. This is not a review of the device but of how a device like this one, equipped with the ChromeOS stack might fit into the enterprise. Seek elsewhere for a review from someone with reference-kit love or hate (I’ve read both). At least it’s not vapor.
My Mission – The Golden Managed Fleet
For the past few months I’ve been fully engrossed in new company bootstrap mode. New projects are always exciting and this one is no exception. I won’t cover the specifics of what I’m working on here in this post but suffice to say a low maintenance security architecture which includes desktop management is important.
As a bootstrap entity the type of desktop control enterprises typically push down to their workstations to mitigate risk (or sometimes just annoy users with a little security theatre) is untenable. I can do what most startups of my calibre do and just ignore the workstation risk surface, or I can see what 2017 has to offer.
… Enter Google [slow clap walk-on with spotlight] …
Despite cloud wariness due to occasional rumored state-backed infiltrations (I’m looking at you China …. Russia … USA … North Korea?) Google’s PR machine has studiously calibrated the perception that their services are solid. While Google’s cloud is not the titan of security we idealize for our digital life container, it does, from this security professional’s point of view, offer a lot of bang for very few bucks.
As I’ve grown my team I have been wondering what I’m going to do about this desktop risk surface. Ignore? That’s a popular option right?
iOS and Android (if you can actually keep it updated) tend to have good (read: mediocre) policy management and much better security than a typical macOS or Windows machine. That said they’re certainly no desktop workhorses. My devs would have to spend at least 2 hours of cursing and 4 hours a day crying to get 2 hours of coding done on an iPad Pro or Samsung Galaxy Note Tab.
Chromebooks are neat: they’ve got automatic updates, TPM-keyed file encryption, built-in sandboxing and policy management. More or less bulletproof from a configuration perspective … but basically something so ugly we’ve decided as a society they belong in grade school next to the boxes of markers and crayons. Why do we wish this on our children!?
The Samsung Chromebook Pro
At CES 2017 this past January Samsung and Google teased us all with a bunch of product hype around the Samsung Chromebook Plus (ARM) and Samsung Chromebook Pro (Intel). These look vaguely like something a university student wouldn’t be embarrassed to whip out in their local millennial-flavored coffee dispensary. They’ve even got the sleek forms Macbook equipped enterprises have succumbed to at about half the cost.
I decided to give the ARM-backed Chromebook Plus a pass when it shipped a couple months ago since although it had the sleek and policy checkboxes covered it was still a little weak in the performance category. I will stop to say however that the ARMv8 based RK3399 chipset Samsung crammed into their Plus model is 64-bit and sports a 6-core big.LITTLE architecture and is impressive for an ARM chip. If current trends continue Intel will continue to struggle to bring their x86 CPU designs (despite a lead in lithography) into the low power form factors that present no apparent problems to ARM chips, while ARM easily climbs up out of our pockets and into our backpacks and messenger bags.
The Chromebook Pro, with a few more months of both hardware and software R&D (and over $100 increase in retail cost) includes an Intel Core m3 (dual core gen 7 die which scales from 0.9 to 2.2 GHz). This is about double the CPU performance of the comparable ARM model (though this of course depends on the task). The much derided Octane tests claim this device is roughly equivalent to my 2012 vintage 15″ Retina Macbook Pro.
After a relatively eventless unboxing ceremony I am presented with a prompt to connect to wifi, a 5 minute software update, and a logon box.
Instead of logging in however, I want to encumber this thing in policy.
Google is mostly focused on consumer accessibility and as such it is not at all obvious at this point that the next step is enrollment. I suppose they figure IT departments are going to prep these things in advance, but I think that’s a dated assumption; I plan to let my staff self-enroll (after all, there is no custom software image to deploy).
First I enabled Chrome device policy management at the org level. I want to stop here and note that device inventory management and software inventory management are both handled by Chrome device management. Many information security professionals rank these two technical controls as the #1 and #2 most important things you can do to mitigate risk and improve organizational security posture. In security terms, that’s basically a passing grade (even if you stop there).
Then at the first time sign-on screen I simply pressed Ctrl+Alt+E which switches you to an enrollment box. One username, password, and U2F prompt later and my device has been enrolled. I’m now returned to the first time sign-on box except with the additional indication that the device is “Managed by fortmesa.com”. I couldn’t help but be reminded of an AD domain join, except faster and without a reboot.
Now Google’s Chrome device management isn’t free, but I’ve already accomplished the most important (and difficult) part of desktop fleet management by enrolling the device under centralized management. At $50/year/device (or about $4/mo) I’ve replaced a dedicated desktop support team and 24/7 NOC and I probably have better security than the average enterprise. Go me.
Note: the policies Google makes available are listed below in the postscript.
Now to see if this ChromeOS device thing can actually handle work. I’ll let the device reviewers cover productivity, but this ultimately comes down to what type of users you have and how much cruft you’ve got hanging around. Also, don’t expect this device to replace workstation-class desktops anytime soon.
… A few days later …
The Admin Experience
I’ve had a few days to push my CBP through the paces of enterprise management and my conclusions are the following.
The operating system shows a lot of promise for deployment outside the educational market it has so far called home, and the ease with which I can economically deploy a comprehensive desktop security architecture is impressive. As we continue our shared march toward the cloud (and away from entrenched desktop apps) it is obvious to me that enterprises which currently struggle with the highly (human) resource intensive support load (both helpdesk and active management) present on both macOS and Windows fleets will begin to cling to these devices like a liferaft.
The operating system has a trusted execution environment rooted in a TPM that warms the heart of any security professional, and the management policies available, while not quite a match for what’s available in the Microsoft Active Directory ecosystem, are comprehensive. It should be noted that many of the detailed policies available on Microsoft and Apple desktop operating systems are compensating controls (that is, they are fixes for security design flaws) and not at all necessary on ChromeOS.
CBP: An economical reference implementation
It’s obvious the CBP is intended as reference hardware, and for what it is the kit is impressive. Any staffer seeking an ultralight 12” convertible to fill out their collaboration / productivity application needs will feel quite at home and at about half the price of the closest competing Microsoft, Lenovo or Apple alternative.
The S-Pen lacks mit-protection, but at 12” and 2.4lbs it’s not exactly going to be balanced on your arm as easily as a notepad. Still it demos the technology quite nicely and does add a bit of function to form.
While many reviewers have been wowed by the display I find it adequate. It doesn’t offer true color or a battery-sipping OLED panel, but it’ll match (and perhaps outperform) the average Retina Macbook. Also, the 3:2 ratio relieves some of the ache that this device is not quite a replacement for a 13” or 15” laptop (though the extra inch of vertical real estate is a visible improvement on the Macbook form).
I’ve heard complaints about the size of the 32GB onboard storage and the 4GB RAM limitation. When I hooked it up to a secondary 4K display however and ran it as my primary desktop for a full day session I found the system resources perfectly adequate. I would be hard pressed to think of an enterprise use-case where a user would be unhappy with system performance yet still satisfied with the locked-down nature of ChromeOS, which lacks high-class professional tools like Adobe Creative Suite or any number of 3D modeling applications. I’m intentionally discounting anyone out there that has the thing running in dev mode as a stripped down budget Linux laptop — because while devs are a real market — you’ve just gutted most of the security of your device (verified boot and the TPM-keyed encryption are exactly what dev mode gives up) and may as well shell out for the far superior Macbook Pro, which at least has your project directories encrypted and can be adequately managed. I hope Google addresses this market officially; it’s 2017 and there’s no such thing as a secure development laptop. It doesn’t seem like a big ask to include container support.
Google Desktop Experience
The software on the other hand is still a work in progress. Android apps being stuck in handset mode or fullscreen leaves multi-window use nonfunctional. In the Apple ecosystem we expect apps to mostly look okay on an iPad; Android devs have mostly ignored the larger screen form factor (and thus most apps are ugly). It’s obvious the trend is to improve this (Google is sorta forcing the issue) — and we’re all on the web in the cloud now anyway, right?
Enterprise Mobility Management
The enterprise management software is also not quite perfect. Google’s Enterprise Mobility Management (EMM) capability is currently split into two incompatible efforts and you have to commit to either some missing ChromeOS management features (the Enterprise focused Google Mobile Management) or giving up on comprehensive Android security (the Education focused Google Device Management).
After some back and forth with Google’s support team I was pointed to a knowledge base entry (https://support.google.com/chrome/a/answer/7131624?hl=en&ref_topic=7324303) written by the Chrome Device Management team which tells me that if I want to allow users to download Android apps from the Play Store I have to disable my “3rd party EMM” (that is, the EMM the Android team manages, called Google Mobile Management) for my entire G Suite org and switch over to the Google Device Manager (the ChromeOS team’s EMM), which by the way only performs “Basic Android Management” (i.e., limited to wipe/lock/etc).
EMM has some holes, the workaround?
What is the workaround if I want to keep my Android phones secure? I can “force install” Android apps per org or OU (depriving the user of an app-store experience entirely). Hopefully this is fixed quickly because as it stands this device is totally inappropriate for fleet deploys.
I’ll give Google a few points since Android apps for ChromeOS is still in Beta, but subtract the same number of points because they overuse the word Beta so much it basically has no meaning these days.
It’s not clear how fast ChromeOS will land on enterprise desks, but all the pieces are on the table and seem to be coming together.
Unfortunately I can’t seem to knit together enough of a software ecosystem for the NodeJS / Angular developer platform I was hoping for (without gutting security in dev mode). Yes this leaves VDI as a solution but the remote access clients I’ve tried for ChromeOS aren’t yet good enough for the demanding developers I know and if we’re doing VDI what’s the point of a Chromebook deployment anyhow when I can just draw the security boundary closer to home?
Google seems to be gearing up for a three way enterprise showdown and Apple/Microsoft haven’t figured it out yet. Nadella has brought some energy to the incumbent however Apple is still out to lunch after the loss of Jobs (wake up guys, your iPad keyboard is garbage and managing Macbooks still requires a _Microsoft_ Active Directory).
If tech-sector economics hold one of these three dogs will get stuck holding a 10 billion dollar bag. I’m not sure who I’m rooting for but Google has arrived on my desk (and in my pocket, and in my bag) …
Grade: E+ for effort.
Postscript: Some of the available policies.