Remote is the new black

Due to the COVID-19 pandemic, a huge chunk of the global workforce went remote in the blink of an eye. We have customers that added 240k new VPN users in three short days. Now this new 'hybrid' way of working combines home and office.

A new world order

Within this new world order, enterprises face new issues. Corporate VPNs are stressed, and network management and security have become even more complex for IT teams that are stretched thin and operating under tremendous strain.

To make matters worse, some key IT tasks were designed to be on-premises only, mainly because of a historic "we've always done it this way" mentality.

A prime example of this is PC rebuild and onboarding of PCs over the Internet.


The new normal

The COVID pandemic certainly changed the way we work, and few now believe that work will ever go completely back to the old "normal."

Between the establishment of new remote work habits and the fear that another unforeseen crisis could send their entire workforce home again, companies are formulating strategies to protect their networks, operations and employees.

This solution deals with a critical function of the 'work from home' (WFH) ideal: rebuilding user computers.

How do we deal with PC builds (and rebuilds) when people cannot go into the office?

The three big rebuild obstacles

Traditional PC rebuild scenarios such as staff onboarding or break/fix require the corporate network and infrastructure to be available. They were never built to let an entire workforce work remotely all the time, or even for weeks and months at a time.

The problem

This becomes a problem because companies still need to maintain provisioning and break/fix, alongside the other key aspects of PC management, for all the computers and devices connected to the network.

We know that it gets a whole lot more complicated when everyone is out of the office.

The following are the three major issues:

  1. How do we remotely start and build a device?
  2. How do we securely re-establish connectivity with our home base?
  3. How can we use existing infrastructure investments as much as possible?

Traditional USB-based installation media has some key disadvantages that make it impossible to use in an enterprise setting:

  • Security: there is no way to guarantee the media has not been tampered with.
  • Keeping media up to date is a major issue, and if we don't have up-to-date media, how can we securely re-initiate the machine?
  • Media has to be tailored to some degree to the device that uses it, which brings compatibility issues such as drivers.

So let's say we do solve this, what then?

Allowing home/remote users to build from the cloud/internet

Let’s say we actually get the technology in place to do this. We quickly run into several other issues. The questions that come up once these initial hurdles are overcome are the ones that are less commonly discussed.

The IT industry never really considered these capabilities:

  • How do we build over WiFi only?
  • How do we build over the Internet securely?
  • How do we make it simple enough for users to do this themselves?
  • How do we allow IT to monitor and shadow installations being done from home?

Introducing imaging from the cloud

Remote builds
A new way to deploy with PXE over the WAN

2Pint’s iPXE Anywhere is a next-generation network booting solution that enables secure, fast, and reliable operating system deployment. It operates in the most challenging environments, and in the simplest.

We have built in complete flexibility so that practically any scenario can be easily covered with minimal management overhead. Extremely simple to set up and manage, we believe that iPXE Anywhere is unsurpassed as a solution to the challenges of Modern Windows Management.

Remote branches typically have no local servers, which usually means no local PXE capability, crippling the ability to rebuild machines remotely in a secure and efficient way.

iPXE Anywhere addresses this by allowing PXE booting remotely over the WAN, which simplifies and speeds up enterprise-wide OS deployment of any PC.

Boot securely using either USB (iPXE binary only on the USB media) or PXE boot directly in your remote locations. You can even boot directly from the cloud, over the Internet, using secure HTTPS network booting.

The clean source principle requires all security dependencies to be as trustworthy as the object being secured.

This is key when deploying over the Internet, as we are no longer playing in our own back yard.

An attacker that compromises the source media gets access to everything the device later controls (including user credentials), and everything the user controls (including high privilege user access).

Applying the clean source principle to installation media requires you to ensure that the installation media has not been tampered with since being released by the manufacturer (as best you are able to determine).

Applying the clean source principle to installation media also requires validating the software's integrity for the whole time you possess it, including during acquisition, storage, and transfer, right up until it is used.

For 2Pint Software’s ability to build over the Internet, this means that we build over the wire using HTTPS, that we securely check and verify the downloaded media, and that no access path relies on passwords stored in text files or similar.

The source of the software is validated through one or several of the following means:
  • Media that can be tampered with is never stored on media like USB sticks. This includes boot.wim files, which are always fetched from a verifiable (server) source.
  • Boot.wim files are always downloaded over HTTPS, with hash verification before they are trusted.
  • All deployments are verified using user credentials and are trackable.
  • Trust is escalated only after successful user verification.
  • Multifactor authentication can be configured for extra security.
  • All software that is obtained from the Internet is validated with vendor-provided file hashes.

2Pint Software remote build scenarios

Build over Internet infrastructure

You can build from the cloud with minimal infrastructure and setup using 2Pint Software tech.

[Diagram: Build over Internet infrastructure]

iPXE 100% remote build

Yes, your OS deployments can be 100% remote and user driven!

[Diagram: iPXE 100% remote rebuild]

Build at home with ethernet

Rebuild a broken PC from home? No problem - ask us how it's done, book a demo!

[Diagram: Build at home over ethernet]

Phone tether expanded

You can even rebuild over a 4/5G connection using mobile phone tethering! Talk to one of our experts today.

[Diagram: Phone tether expanded]

How do we do it?

We boot the machine using an iPXE binary that contains no customer information at all. This binary then queries the infrastructure for configuration, providing credentials to be verified.

iPXE – where it all starts

The iPXE binary comes from one of the following sources:

  1. From the target machine (if still bootable and previously configured)
  2. A USB drive with only a 300KB stage binary on it
  3. PXE booted directly

By using iPXE as a starting point, we have a non-customizable starting point whose integrity we can verify.

From iPXE to network

Once in iPXE, we query the device for industry-standard protocols such as the SNP/NII drivers if an Ethernet network card is in use, or more likely the user's smartphone (which gives us access to WiFi or LTE-type data connections). From this network connection, we then authenticate and take the actions determined by the customer (yeah, that’s you reading this). Once all required checks are complete, we download WinPE and move to a higher level.

From WinPE – the world is your oyster

As WinPE is always downloaded from a tamper-free source, we can guarantee that no unwanted configuration is introduced in the process. Typically the process in WinPE is entirely hands-off as well.
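The verification measures listed under the clean source principle (HTTPS-only sources, never trusting boot.wim from USB media, vendor-provided hash checks) and the boot flow above come down to one gate before WinPE is trusted. The following is an added illustration of that gate, not 2Pint's code: the function names, the sha256sum-style manifest format, the sample bytes and the in-memory fetcher are all constructed so it runs offline.

```python
import hashlib
import hmac
from urllib.parse import urlparse


def parse_manifest(text):
    """Parse a sha256sum-style manifest: '<hex digest>  <filename>' per line."""
    digests = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 64:
            digests[parts[1]] = parts[0].lower()
    return digests


def source_is_acceptable(url):
    """Boot media must come over HTTPS, never from local or USB media paths."""
    return urlparse(url).scheme.lower() == "https"


def verify_image(data, expected_hex):
    """Compare the SHA-256 of the downloaded bytes with the vendor-provided digest."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


def fetch_boot_image(url, manifest, fetch):
    """Download boot media and hand it back only if source and digest both check out."""
    if not source_is_acceptable(url):
        raise ValueError(f"refusing non-HTTPS boot media source: {url}")
    name = url.rsplit("/", 1)[-1]
    if name not in manifest:
        raise ValueError(f"no vendor digest listed for {name}")
    data = fetch(url)
    if not verify_image(data, manifest[name]):
        raise ValueError(f"digest mismatch for {name}: media may have been tampered with")
    return data


# Constructed sample data: a stand-in boot.wim and a manifest that covers it.
SAMPLE_WIM = b"MSWIM\x00\x00\x00constructed-boot-image"
SAMPLE_MANIFEST = hashlib.sha256(SAMPLE_WIM).hexdigest() + "  boot.wim\n"


def fake_fetch(url):
    """Stand-in for the HTTPS download (assumed); one path returns a modified image."""
    return SAMPLE_WIM + b"X" if "/tampered/" in url else SAMPLE_WIM
```

A real deployment would replace `fake_fetch` with an HTTPS client that validates the server certificate, and would obtain the manifest over the same trusted channel.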

From full OS – domain join and VPN set up

Once we leave WinPE, we do the actual domain join (offline) via Azure PowerShell automation services, or via custom web services if required. Once that is completed, the machine is typically configured to set up VPN access with the appropriate certificate-based configuration.

Monitoring in real time – proactive operations

We offer the ability to monitor the solution in real time from StifleR, to track the success and performance of ongoing deployments.

2Pint Software technology used

  • iPXE Anywhere 2PXE Server – for initial boot configurations
  • iPXE Anywhere Web Service – for custom scenarios
  • OSD Toolkit – for the WinPE carrier
  • StifleR Enterprise – for operations and monitoring

Works with the following Microsoft technology

  • ConfigMgr (MEMCM)
  • Microsoft Intune
  • PSD – PowerShell Deployment
