What is Client Platform Engineering?
One of the growing ideas in tech is the idea of a “Client Platform Engineering” (CPE) team. I looked around and to my surprise I couldn’t find much in the way of content for what these teams do. I managed the Client Platform Engineering team at Shopify and worked closely with our team in Atlassian when I was leading the enterprise security team there so I figured I would attempt to demystify the team and what they do.
If I had to boil it down this would be the summary:
Client Platform Engineering teams deploy, manage, secure and decommission endpoints at an enterprise scale. The main goal of the team is to provide an excellent user experience to every employee and set secure defaults from day one on every endpoint no matter the operating system, form factor or device type.
What is an “endpoint” you ask? Well it’s pretty much any employee facing form of computer. This could be laptop, a mobile, a VM or even a cloud workspace.
What’s Involved?
The CPE team is responsible for both usability and security so it puts them in the difficult middle ground of ensuring that devices are secure but not so much so that you limit devs from actually doing their job. The team is also responsible for user onboarding/offboarding and ensuring that the device setup experience is as smooth as possible, after all the first impression a person gets with a company is with their onboarding!
There isn’t really a “day to day” list for Client Platform Engineers, it’s going to heavily depend on your company culture, your industry and more but some typical tasks are below.
- Enrolling new devices into your management tools. Whether it’s new employees, company acquisitions or contractors they all need to be managed.
- Creating a smooth device setup procedure for new hires so that all software they need is deployed on day one.
- Deploying out software that everyone needs or listing commonly used software in your self-service application portals.
- Ensuring that you are up to date with new operating systems and have migration plans in place for major versions.
- Working with your enterprise security team to deploy security tooling such as NGAV, EDR, Logging, Application Allowlisting and more.
- Aligning your operating systems to the Centre for Internet Security Benchmarks.
- Supporting new technologies required by the business, whether that’s a new operating system or a new technology like AWS Virtual Workspaces.
- Work with IT logistics in order to make sure that devices are locked/wiped when a user leaves and that they return the device.
- Dealing with operational work, every sysadmin type role has it. You’ll have users blocked by something, an application a user wants installed but had issues, automation gone awry and stuff you’ll need to fix.
- Coding up projects to fill in the gaps that the tools don’t fill, whether that’s just querying an API or building out fully functional zero trust systems.
- Automating the operational work so you have time to do everything else.
Tools and Operating Systems
One of the main tools we use is MDM (Mobile Device Management) or EMM (Enterprise Mobility Management) which are often used interchangeably. These are tools that let us enroll devices and manage them remotely, some provide huge amounts of options for a single platform and some allow you to do everything yourself. Below aren’t recommendations but simply some common tools to manage the various platforms, something to be aware of in this realm however is that the more tools you have the more pain you will experience. Sometimes it’s better to use a few MDMs that support more platforms than a very detailed one for each operating system as that can get both expensive and difficult to maintain.
Some common tools are as follows but are by no means inclusive:
| Platform | Tooling example |
|---|---|
| MacOS | Jamf, Kandji, Fleetsmith |
| Windows | SCCM, InTune, VMWare WorkspaceOne |
| Linux | Chef, Ansible(Tower), JumpCloud |
| ChromeOS | GSuite, ManageEngine, VMWare WorkspaceOne |
| iOS | Jamf, VMWare WorkspaceOne |
| Android | GSuite, VMWare WorkspaceOne |
Tools are absolutely not required however and the tools above simply help interact with the APIs of the various platforms. I would be lying however if I said the tools didn’t make life much easier. If cost is a barrier there is open source tooling available such as MicroMDM but it is not as feature-rich or updated as quickly as the enterprise tools.
Device Types
Generally, we categorise devices into two buckets, the first is BYO devices (Bring your own) and the second is a corporate issued device. In startups and smaller companies, every device may be BYOD and completely unmanaged which is pretty normal but as you scale up you are going to want to secure these devices and that generally means central management of some kind.
In most enterprises they will lock down access to sensitive services to corporate devices only, this is for two reasons. The first is that we can enforce stronger security controls on a corporate device; I don’t think many employees in tech would enroll their personal mobile in any tools we have if we’re going to install logging software and remotely have the ability to wipe the device. We might still allow BYO devices in the enterprise but simply segment the services they can access down so that the most sensitive services. We might still ask people to enroll their BYO device but in our tools, we can limit our access so that we cannot see what goes on or remotely manage the device, it’ll just let us check the basics such as encryption, device version and rooted status.
Most people automatically assume that corporate device = laptop and BYO = mobile but there can be exceptions to that rule. We might allow an employee to enroll their Windows laptop in our MDM to get access to their email and calendar. We might also have corporate-owned mobiles if you have a mobile development team in your company so it really can go both ways.
CPE vs Sysadmin
The Client Platform Engineer title is very much used in Big Tech and was really created by teams like Facebook, Uber and Pinterest. There isn’t a huge difference between what a sysadmin in a typical company does vs a CPE but the main focus is the platforms and the scale at which they operate. As companies scale the teams get more focused and in big tech you will have whole teams managing Cloud DevOps, FinOps, IT Asset Management, Enterprise Security and more. In CPE you are going to likely be managing fleets of 10k endpoints and beyond, this is going to include heavy use of MacOS, Linux and other platforms not typically seen in most enterprises due to the developer userbase.
CPE is more similar to DevOps as a role since we are generally writing infrastructure as code, testing it, deploying it and managing it via Git. The coding part is really the important part here, you can survive without being able to code in an admin role but being able to automate systems and interact with APIs is going to save hours of manual effort for people who can do this in the long run. When it comes to the Ops part of the equation it’s more about deploying changes to fleets of machines and dealing with exceptions. Most MDMs these days are based in the Cloud but there still can be some who prefer to keep their services on-prem as a compromise of an MDM tool is pretty much a total compromise of your company and should be included in your “crown jewels” for security. Even if you are using 100% cloud software there will still be some element of tool maintenance to stop your instance becoming a mess of groups and rules in the long run.
Skills To Get Started
Like anything in engineering learning the tools is good but it isn’t what makes a good engineer. When hiring engineers for this type of role I generally look for the following:
- Knowledgeable with Git and SCM software. Most of what you do is going to be committed and maintained via Git after all.
- Good skills in scripting, ideally Bash and/or PowerShell as these are native on Linux/MacOS and Windows respectively.
- Hands-on experience in the MDM tools, or for an intern/graduate role knowledge of managing and securing operating systems such as plists, SIP, XProtect, configuration profiles and the likes for MacOS.
- Basic security knowledge such as OWASP Top 10, understanding encryption, hardware security and AuthZ/AuthN.
These are the nice to haves:
- Skilled in programming in any language, being able to interact with the MDM APIs is really handy in any situation to be able to pull custom reports or build custom software.
- Experienced with device telemetry and logging, things like WinLogBeat, OSQuery, Fleetdm etc.
- Security tool knowledge, such as binary authorization tools like Google Santa, NGAV and EDR tooling experience like Crowdstrike or SentinelOne.
- Personally I don’t care about certifications but some people do so Jamf, Microsoft or Google MDM certifications wouldn’t hurt.
Where Do I Go To Learn More?
A few recommendations from me:
MacAdmins Website.
Meta CPE GitHub.
Uber CPE GitHub.
Jamf Blog.