How start managing Qubes OS in a corporate environment?

Hey - i am new to Qubes OS but have already experience in virtualized environments and SaltStack.

We decided to start evaluating the use of Qubes OS based NitroPads as developer devices in our company. As part of that evaluation i am currently looking for a way to provide a basic corporate wide basic setup of the devices, f.e. setting up basic tools and a corporate vm.

I aim for a way to provide a single command for an user to run, which ensures that all common corporate resources are installed and up to date.

I guess starting with Salt would just be it, but i am somehow lost how to connect the pieces. Am i supposed to use the admin API?

Any hint how one would get started to organize the different pieces to enable users self updating/fixing their devices in an Qubes idiomatic way would be very appreciated.

If possible i’d try to put my experience into a guide.

You don’t need to use anything other than salt, given your specification

• “provide a single command for an user to run”, although you may want
  to use the admin API to keep an eye on things and provision the salt
  states.
  If you have a trusted repository you could add that to dom0 and
  deploy salt and other packages. I’d suggest setting up and using the user
  environment.
  You can just leverage your existing salt knowledge.
  Bear in mind that Qubes puts a lot of power in the hands of the user, so
  you may want to take steps to control/limit this as best you can.

Thank you very much @unman,

just to be sure i’m getting this right.

I should

1. use a trusted repository (we have that) to roll trusted configs and assets out.
2. concentrate configuration attempts on the user space - leaving dom0 widely untouched (for stability reasons?).
3. use the admin API to connect to the devices and do maintenance (if necessary).

Which leads me to just one further question - is it possible to limit a users rights on dom0 to avoid a user accidentially breaking things there?

I had the impression that a user would need a bunch of rights there to keep things up to date.

The folks at the Freedom of the Press Foundation do this. They use encrypted git repos to push out the changes to the workstations of all of their digital security trainers. They mention it a tiny bit in this talk, I think.

Thank you very much @deeplow - this was a very interesting talk. It shows a pretty understandable setup.

She also references to her collegue Kushal Das who offers nice blog posts about Qubes OS.

I will come back and share what i found out.

You’re welcome! I took and shared some notes of talk here, in case you’re interested.

You’ll probably also want to read this post:

It addresses your exact question:

For Qubes OS to become suitable for use in large organizations and/or corporate environments, it inevitably must become remotely manageable by entities such as corporate IT departments.