Installation¶
Info
This install guide is for connectivity to NAV systems. If you are not a NAV employee or a consultant hired by NAV, install a different version of naisdevice as described here.
Warning
To make sure you are using naisdevice as securely as possible, make sure you are a member of the Slack channel #naisdevice. Important information will be published there. This also where you find us, if you need any help.
Device-specific installation steps¶
macOS Installation¶
-
The Kolide agent will be added to your Slack app, and let you know when there are recommended updates or security issues you need to address - and how to address them. They have been vetted by the NAIS team and should be followed to keep your device safe.
-
Install Homebrew unless you already have it.
Homebrew makes it possible to install and maintain apps using the terminal app on your Mac.
-
Open terminal (Use
<Command> + <Space>
to findTerminal.app
) and add the nais tap by typing or pasting the text below and press<Enter>
.Adding the nais tap lets Homebrew know where to get and update files from. Do not worry about where it will be installed, we got you covered.
-
When the tap is added, you are ready to install naisdevice, by typing or pasting the following in terminal and press
<Enter>
. -
You will be asked for your local device account's password to finish the installation.
- The password is not accepted unless you have administrator privileges, so you need to get that first.
- If you're running a NAV Mac: Open your
Privileges.app
(Use<Command> + <Space>
to find thePrivileges.app
and request privileges. When this is done, you can enter your password in terminal. The privileges last 10 minutes. The limited time is due to security reasons, because we know many of us forget to turn it off afterwards.
-
Turn on your freshly installed
naisdevice
app.- Use
<Command> + <Space>
to find yournaisdevice.app
and press<Enter>
. - Follow the instructions to connect your nais device.
- Use
-
If you need to connect to anything running in K8s cluster, remember to update your kubeconfig
Windows Installation¶
Install using Scoop¶
-
The Kolide agent will be added to your Slack app, and let you know when there are recommended updates or security issues you need to address - and how to address them. They have been vetted by the NAIS team and should be followed to keep your device safe.
-
Install Scoop unless you already have it.
Scoop makes it possible to install and maintain programs from the command line.
-
Use the following command in the command line to add the nais bucket to let Scoop know where to get and update files from. Do not worry about where it will be installed, we got you covered.
- When the bucket is added, you are ready to install naisdevice, by typing the following in the command line: (you will be asked for administrator access to run the installer)
- If you need to connect to anything running in K8s cluster, remember to update your kubeconfig
- Start naisdevice from the Start menu
Manual installation¶
-
The Kolide agent will be added to your Slack app, and let you know when there are recommended updates or security issues you need to address - and how to address them. They have been vetted by the NAIS team and should be followed to keep your device safe.
-
Download and install naisdevice.exe (you will be asked for administrator access when you run the installer)
- If you need to connect to anything running in K8s cluster, remember to update your kubeconfig
- Start naisdevice from the Start menu
Ubuntu Installation¶
Warning
Using Gnome DE on latest Ubuntu LTS - only supported variant atm
- Install Kolide agent.
-
Add the nais PPA repo:
NAIS_GPG_KEY="/etc/apt/keyrings/nav_nais_gar.asc" curl -sfSL "https://europe-north1-apt.pkg.dev/doc/repo-signing-key.gpg" | sudo dd of="$NAIS_GPG_KEY" echo "deb [arch=amd64 signed-by=$NAIS_GPG_KEY] https://europe-north1-apt.pkg.dev/projects/nais-io nais-ppa main" | sudo tee /etc/apt/sources.list.d/nav_nais_gar.list sudo apt update
NOTE curl is not installed in a "fresh" ubuntu:
-
Install the naisdevice package:
- Turn on your freshly installed
naisdevice
application.- Find
naisdevice
in your application menu, or use thenaisdevice
command in a terminal to start the application. - Follow the instructions to connect your nais device.
- Find
- Remember to update your kubeconfig.
Installation steps, regardless of your device type¶
Install Kolide agent¶
The Kolide agent will be added to your Slack app, and let you know when there are recommended updates or security issues you need to address - and how to address them. The apps are found in the bottom left of your Slack app (scroll, scroll, scroll).
Warning
The issues reported by Kolide must be addressed - these remediations have been vetted by the NAIS team and should be followed. Depending on the issue, you might lose naisdevice
connectivity if an issue is left unresolved for a sufficient length of time.
If you run into problems, you can always ask in the Slack channel #naisdevice
You install Kolide by following these steps:
- Send a message to the Kolide app on Slack. Choose one of the two options below:
- Paste the following command (in any message input field) in Slack:
- Find the "Kolide" app within Slack and directly message it the word
installers
(case independent)
- Follow Kolide's walk-through:
- Select
Enroll a Device
- Select
Enroll your device
- Select platform and wait for Kolide to create your installer.
- Select
- Install the package created by Kolide in your chat with the app (named
xkxp-*-kolide-launcher.{pkg,msi,deb}
).- There is no success feedback given by Kolide in Slack.
- No error message means that the installation was successful.
- Allow a couple of minutes to let Kolide check the state of your device, but if you're stuck at "Waiting for your device to connect" just go to the next step.
- Check your devices status:
- Paste the following command (in any message input field) in Slack:
- If Kolide reports any issues, follow the instructions on how to remediate them. If a remediation required by Kolide makes you feel unsafe - feel free to ask in #naisdevice Slack channel.
Go back to macOS, Windows or Ubuntu installations to continue.
Connect naisdevice through task/sys -tray icon¶
When you have opened naisdevice, you may be concerned that nothing happened. The little naisdevice icon has appeared in your Systray (where all your small program icons are located - see above picture for how it looks on Mac):
- Find your
naisdevice
icon (pictured above - though it should not be red at first attempted connection). - Left-click it and select
Connect
. - Read and accept the End-User terms and agreement (The
Do's and Don'ts
ofnaisdevice
). - Left-click the
naisdevice
icon again and clickConnect
. You might need to allow ~20 seconds to pass before clickingConnect
turns yournaisdevice
icon green. - If naisdevice gives a pop-up notification about your device being unhealthy, open Slack and find the Kolide app in the bottom left (scroll, scroll, scroll). Check if it still reports your device as healthy, or follow the steps Kolide suggests to make sure your device is secure. (The naisdevice systray-icon should have turned into a yellow color).
Tip
If Kolide reports your device to be healthy, but naisdevice won't let you connect, try to disconnect and re-connect naisdevice
.
If naisdevice still won't let you connect, be aware that it may take up to 5 minutes for the naisdevice
server to register that Kolide now thinks your device is okay.
If all else fails, we are always available to answer your questions in the Slack channel #naisdevice.
How to accept the "Do's and don'ts" of naisdevice
¶
Info
If you have not accepted the "Do's and don'ts", you will automatically be redirected to them when connecting to naisdevice
.
- Read through the list of "Do's and don'ts".
- If you've got any questions, you may join the Slack channel #naisdevice.
(which happens to be one of the required "Do's" anyway
)
- If you accept the terms (they are non-negotiable); click the green "Accept" button at the botttom of the page! The button should turn into a red "Reject" button once your acceptance has been processed!
The list of "Do's and don'ts" of naisdevice
¶
naisdevice removes the need for full blown management of your device. This means that there are some do's and don'ts. You have to agree to the following set of guidelines to be admitted to the "program":
Do¶
- join #naisdevice on Slack as soon as possible
- make sure that you have activated your screen lock, especially if running on Linux. And beware of apps that override, i.e. Caffeine/Amphetamine etc.
- your best to secure your device
- report any security shortcomings you discover
- ask the naisdevice team if in doubt
Don't¶
- enroll anything other than NAV owned devices.
- share your device with others. A naisdevice is a personal device.
- turn on sshd or similar services on your device.
- set up your device as a proxy. For anything!
- share network interfaces with virtual machines, meaning set them up as separate nodes on the network.
- take shortcuts
- move credentials off your device and transport them elsewhere
And otherwise: Just be nais.
Connecting to NAIS clusters¶
In a terminal/shell of your choice run nais kubeconfig
- If you haven't installed nais-cli: cli/install
- If you are using onprem clusters run:
nais kubeconfig --include-onprem
- Add
--clear
to clear old config, or use--overwrite
to overwrite same names
Created: 2020-06-17