Chef Blogs

The Need to Automate Endpoint Management as Your IT Fleet Scales

Chaithra Mailankody | Posted on | ChefConf | community | DevOps | learnchef | news | Products and Projects | webinar

How a code-first automation tool can simplify your endpoint management workflows

Swamped with tickets from employees? Resolving a security incident? Are you trying to figure out how to generate reports for the upcoming audit? While an IT Administrator must deal with all of these, they also need to work on other planned projects. IT teams could manage their endpoints with existing tools for a small fleet of devices, but challenges arise when the device fleet scales. For example:

  • Time Investment: Configuring devices with the required settings for different user groups, deploying customized applications, and scheduling tasks in the correct sequence, all while responding to help desk tickets and troubleshooting issues in parallel, consume a large part of an IT Administrator's day. The cost grows as the device fleet scales.
  • The Risks of Manual Steps: Configuring devices by hand through menus and buttons in the MDM GUI can have unintended consequences. An IT Administrator who sets out to delete one policy could accidentally delete a different one. Employees could change their laptop configuration to install a new application, causing a drift from the desired state of the fleet, or a fellow IT team member could accidentally update device settings and leave those devices exposed to security threats.

Identifying and troubleshooting mistakes, rolling back changes and remediating issues becomes a herculean task. As a consequence, IT teams are often overburdened and are left with their work spilling over into the weekends.

Growing Complexity with Scale and Remote Work

The fleet of end-user devices grows as organizations scale. Geographically distributed teams, an increasing number of remote employees, and BYOD add further complications. As more businesses shift to long-term remote work, the complexity of managing endpoints has only increased. Employees may or may not be connected to the VPN, so managing machines on different networks is a challenge, and IT teams often have little to no information about the state of the organization's devices. Fleets often grow rapidly, and setting up multiple configurations on a large number of devices is burdensome. To keep the fleet secure, IT teams must constantly monitor it, identify non-compliant devices, and remediate them manually.

MDMs are a good fit for tasks like Zero Touch Enrollment, Remote Wipe/Lock and Patch/OS management, but adding a layer of automation alongside your MDM can significantly improve team productivity. Automation lets organizations standardize processes, increase employee productivity and avoid losses caused by inevitable human mistakes. Introducing a configuration management tool as a secondary tool next to your existing MDM is an effective way to automate tedious tasks and keep up with the changing needs of your organization.

How Chef Can Help

  • Chef is a code-first solution: the state of a device is represented as code using abstractions, which makes it easy to customize configurations for a specific organization. Runs are idempotent, so devices converge to the desired state regardless of the state they start in.
  • Chef InSpec can be used to write custom profiles that check organization-specific compliance standards, or you can use the CIS Benchmark audit profiles provided by Chef to verify fleet compliance. Continuous compliance and automatic remediation can be enabled with the remediation content provided by Chef.

The advantages of achieving automation with Chef are:

  • Declarative: Configuring endpoints with Chef only requires the desired state to be declared; the abstractions take care of the rest.
  • Idempotency: If the system is not in the desired state, a configuration change is made to bring it there; if it is already in that state, no change is made.
  • Automated configuration drift correction: Chef can be configured to run periodically on end-user devices so that configuration drift is corrected automatically. Only settings declared in code are enforced, so the desired state must cover every security-relevant setting.
  • Visibility: You have a dashboard to view the state of your fleet, check-in details, top errors, etc.
  • Manage Windows, macOS and Linux Operating Systems: A single tool to maintain the state of devices with different operating systems.
  • SDLC Process Adoption: Fleet state is represented with code, which is peer-reviewed, and changes can be tested before deployment.
  • Community Support: Leverage Chef Supermarket to use community cookbooks and InSpec profiles. Use them as they are, or customize them to suit your needs, to get started quickly with managing endpoints.
  • Content: Abstractions in the form of resources to solve common use cases for endpoint management. Audit profiles for CIS Benchmarks and remediation content for performing automated remediations.
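To make the idempotency, drift-correction and audit points above concrete, here is an added example in plain Ruby. It is not code from the original post or from Chef; it models the audit-then-converge loop that a configuration management tool runs on an endpoint, using a constructed device snapshot and constructed setting names (`firewall_enabled`, `screen_lock_timeout`, the forbidden package list) so that it runs without Chef installed.

```ruby
# Added example: a miniature desired-state converge loop in plain Ruby.
# It illustrates the declarative/idempotent pattern described in the post
# without depending on Chef. All setting names and the device snapshot
# below are constructed sample data, not real Chef resources.

require 'set'

# Desired state of one managed laptop, declared rather than scripted.
DESIRED_STATE = {
  'firewall_enabled'    => true,
  'screen_lock_timeout' => 300,        # seconds
  'disk_encryption'     => 'enabled',
  'remote_login'        => false
}.freeze

# Applications that must not be present on a managed device (constructed).
FORBIDDEN_PACKAGES = Set['torrent-client', 'keylogger-demo'].freeze

# Constructed snapshot of a device that has drifted: the user disabled the
# firewall, lengthened the lock timeout and installed a forbidden package.
DEVICE_DRIFTED = {
  'firewall_enabled'    => false,
  'screen_lock_timeout' => 3600,
  'disk_encryption'     => 'enabled',
  'remote_login'        => false,
  'packages'            => Set['chrome', 'torrent-client']
}.freeze

# Audit step (the role an InSpec profile plays): report every control that
# fails, changing nothing.
def audit(device)
  failures = []
  DESIRED_STATE.each do |key, want|
    have = device[key]
    failures << "#{key}: expected #{want.inspect}, got #{have.inspect}" unless have == want
  end
  (device['packages'] & FORBIDDEN_PACKAGES).each do |pkg|
    failures << "package #{pkg}: expected absent, got installed"
  end
  failures
end

# Converge step (the role a Chef run plays): compare current with desired
# state and change only what differs. Returns the actions taken, so a run on
# an already-compliant device returns an empty list. That is idempotency.
def converge(device)
  actions = []
  DESIRED_STATE.each do |key, want|
    next if device[key] == want
    device[key] = want
    actions << "set #{key} -> #{want.inspect}"
  end
  (device['packages'] & FORBIDDEN_PACKAGES).each do |pkg|
    device['packages'].delete(pkg)
    actions << "remove package #{pkg}"
  end
  actions
end

# One scheduled run: audit, remediate, re-audit. Run this periodically and
# drift is corrected without a ticket ever being raised.
def scheduled_run(device)
  before  = audit(device)
  actions = converge(device)
  after   = audit(device)
  { failures_before: before, actions: actions, failures_after: after }
end

# Deep copy so the constructed snapshot can be reused.
def fresh_device
  Marshal.load(Marshal.dump(DEVICE_DRIFTED))
end

if __FILE__ == $PROGRAM_NAME
  device = fresh_device
  first  = scheduled_run(device)
  puts "first run:  #{first[:failures_before].size} failing control(s), #{first[:actions].size} change(s)"
  second = scheduled_run(device)
  puts "second run: #{second[:failures_before].size} failing control(s), #{second[:actions].size} change(s)"
end
```

The first run finds three failing controls and makes three changes; the second run finds nothing to do. That second, empty result is the property to look for when evaluating any endpoint automation: a run on a compliant device must be a no-op, otherwise every scheduled run is itself a source of change.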

Chef's declarative and code-first approach to configuration management enables IT teams to move faster, avoid human errors and ensure that devices always remain in the desired state, which means that IT teams can devote less time to fixing issues, resolving employee tickets and handling security incidents.

If remote work, scaling fleets and security concerns have made it increasingly difficult to manage end-user machines in your organization, register for the upcoming webinar "Manage your IT Resource Fleet at Scale Through Automation" to learn more on how Chef Desktop could serve as a code-first automation tool to simplify your endpoint management workflows.

Grab Your Spot Now!