Getting Started (updated July 3, 2026)

Secure Administrative Workbench (SAW) Bootstrap

Provision a hardened, high-trust workstation for privileged infrastructure and security administration.

Best for: actions requiring elevated roles not permitted on dev workstations.

At a glance

| Aspect | Summary |
|--------|---------|
| Purpose | Privileged administrative operations (infra, security) |
| Hardening focus | Minimal tools, enforced logging, restricted egress |
| Estimated time | 25–35 minutes (excludes access approval) |
| Tooling scope | Azure CLI, (optional) Terraform, (optional) Ansible, kubectl (if required) |
| When to choose | Actions requiring elevated roles not permitted on dev workstations |

Prerequisites

Steps

1. Obtain approved provisioning artifact

   - For managed VDI/AVD: use the SAW gold image identifier listed in your team's access-ticket response (image IDs rotate; do not hard-code them here).
   - For self-built workstations: pull the baseline script from the SAW provisioning repository referenced in the same access ticket.

2. Verify cryptographic integrity

   ```bash
   shasum -a 256 saw-bootstrap.sh
   # Compare the output to the published checksum in the release manifest;
   # do not proceed to step 3 on any mismatch.
   ```

3. Execute minimal bootstrap (privileged shell)

   ```bash
   sudo bash saw-bootstrap.sh
   ```

4. Install required administrative tooling only

   - Azure CLI (no preview extensions unless justified)
   - Terraform (pinned) if infra changes are performed from the SAW
   - Ansible (read-only unless an explicit change window applies)
   - kubectl / az aks (only if cluster admin tasks are in scope)

5. Apply certificate trust and outbound proxy configuration per the security baseline. Import both corporate CAs as on the developer workstation pages: Root CA and Internal Policy CA. Verify fingerprints against the published trust store before saving.

6. Enforce logging and monitoring agent installation (EDR, syslog forwarder, integrity monitor)

7. Disable non-required services (Bluetooth, AirDrop, consumer sync, etc.)

8. Run verification (below) and attach the output to the access ticket
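The checks in steps 2 and 5 are easy to do by eye and easy to get wrong (a truncated hash, a lower-case fingerprint that "looks different"). The script below is an added example, not code from the SAW provisioning repository: it looks up the artifact's expected hash in a manifest, refuses to run the bootstrap on any mismatch or missing entry, and normalises certificate fingerprints so the trust-store value and `openssl`'s output compare exactly. It assumes the manifest uses the `<sha256-hex>  <filename>` layout that `sha256sum`/`shasum` emit; the script name `saw-verify.sh` is a placeholder.

```shell
#!/bin/sh
# Added example (not part of the SAW provisioning repository): gate execution of
# saw-bootstrap.sh on a passing manifest check, and normalise CA fingerprints
# for step 5. Manifest layout assumed: "<sha256-hex>  <filename>" per line.

# SHA-256 of a file; portable across Linux (sha256sum) and macOS (shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Expected hash for a filename from the manifest (empty if there is no entry).
expected_hash_for() {
  awk -v n="$2" '$2 == n { print $1; exit }' "$1"
}

# 0 if the file matches its manifest entry, 1 on mismatch or missing entry.
verify_artifact() {
  manifest=$1; file=$2
  name=$(basename "$file")
  want=$(expected_hash_for "$manifest" "$name")
  if [ -z "$want" ]; then
    echo "no manifest entry for $name" >&2
    return 1
  fi
  got=$(sha256_of "$file")
  if [ "$got" != "$want" ]; then
    echo "checksum mismatch for $name" >&2
    echo "  expected: $want" >&2
    echo "  actual:   $got" >&2
    return 1
  fi
  return 0
}

# Step 3 only ever runs behind a passing step 2.
verify_then_run() {
  verify_artifact "$1" "$2" || return 1
  sudo bash "$2"
}

# Canonical fingerprint form: hex digits only, upper case, so that "ab:cd:..."
# from the trust-store page and openssl's "sha256 Fingerprint=AB:CD:..." match.
normalize_fp() {
  printf '%s' "$1" | sed 's/.*=//' | tr -d ': ' | tr 'abcdef' 'ABCDEF'
}

# 0 if the PEM certificate's SHA-256 fingerprint equals the published one.
verify_ca_fingerprint() {
  published=$(normalize_fp "$1")
  actual=$(normalize_fp "$(openssl x509 -noout -fingerprint -sha256 -in "$2")")
  [ -n "$actual" ] && [ "$actual" = "$published" ]
}

# Usage: saw-verify.sh <manifest> <artifact>   (placeholder script name)
if [ "$#" -eq 2 ]; then
  verify_artifact "$1" "$2"
fi
```

On a mismatch the script prints both hashes to stderr and exits non-zero, which is the line worth pasting into the access ticket; `verify_then_run` exists so that the privileged step cannot be reached by a script that skipped the check.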

Verification

Run the following commands and confirm only approved tools are present:

```bash
# Azure CLI is required; print its version from the JSON output.
az version --output json | jq -r '."azure-cli"'
# Terraform and Ansible are optional. Test for the binary first: in a pipeline
# such as `terraform version | head -1 || echo ...` the exit status is head's,
# so the fallback message would never fire when the tool is absent.
if command -v terraform >/dev/null 2>&1; then terraform version | head -1; else echo "Terraform not installed (OK if SAW infra-changes not required)"; fi
if command -v ansible >/dev/null 2>&1; then ansible --version | head -1; else echo "Ansible optional"; fi
```

Expected: Only approved tools present; no extraneous developer IDEs.

Minimum tool versions

| Tool | Minimum | Notes |
|------|---------|-------|
| Azure CLI | 2.54 | Remove unused extensions |
| Terraform | 1.5 | Install only if infra changes are executed here |
| Ansible | 2.14 | Optional; prefer pipeline automation |
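The verification commands above print versions but leave the comparison against the floors in this table to the reader. The script below is an added example, not part of the SAW baseline: it extracts the first dotted version from each tool's banner, compares it component by component against the minimum, treats a required tool as a hard failure when missing and an optional one as a skip, and flags common developer IDE launchers. The IDE list and the `az --version` / `terraform version` / `ansible --version` banner formats it parses are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the SAW baseline): inventory administrative tooling
# and enforce the version floors from the minimum-versions table. The IDE list
# is an assumption for illustration.

# First dotted version number on the first line of a banner,
# e.g. "Terraform v1.6.2" -> 1.6.2, "ansible [core 2.15.3]" -> 2.15.3
extract_version() {
  sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# 0 if dotted version $1 >= $2, comparing components numerically, so
# 2.58.0 >= 2.54 and 1.4.6 < 1.5. Missing components count as 0; an empty
# version therefore fails any non-zero floor.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# check_tool NAME MIN REQUIRED(yes|no) VERSION_CMD...
# Prints one status line; returns 1 only on a hard failure (required tool
# missing, or an installed tool below its floor).
check_tool() {
  name=$1; min=$2; required=$3; shift 3
  if ! command -v "$1" >/dev/null 2>&1; then
    if [ "$required" = yes ]; then
      echo "FAIL $name: not installed (minimum $min required)"; return 1
    fi
    echo "SKIP $name: not installed (optional)"; return 0
  fi
  ver=$("$@" 2>/dev/null | extract_version)
  if version_ge "$ver" "$min"; then
    echo "OK   $name $ver (minimum $min)"
  else
    echo "FAIL $name $ver is below minimum $min"; return 1
  fi
}

# Developer IDE launchers that have no place on a SAW (assumed list).
check_no_ides() {
  rc=0
  for ide in code code-insiders idea pycharm subl atom; do
    if command -v "$ide" >/dev/null 2>&1; then
      echo "FAIL extraneous IDE present: $ide"; rc=1
    fi
  done
  return $rc
}

# Whole verification; attach the printed lines to the access ticket.
verify_saw_tooling() {
  rc=0
  check_tool "Azure CLI" 2.54 yes az --version || rc=1
  check_tool "Terraform" 1.5 no terraform version || rc=1
  check_tool "Ansible" 2.14 no ansible --version || rc=1
  check_no_ides || rc=1
  return $rc
}
```

Call `verify_saw_tooling` at the end of the bootstrap or from the ticket workflow; a non-zero return means the workstation is not yet in the approved state. The numeric comparison matters: a lexical `>` would pass 2.9 against a 2.54 floor.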

Troubleshooting

| Symptom | Context | Resolution |
|---------|---------|-----------|
| Outbound HTTPS blocked | Egress policy too restrictive | Confirm security rule set; request exception for required endpoints. |
| Terraform provider download fails | No proxy or CA mis-trust | Configure proxy variables; import corporate root CA. |
| Azure CLI login conditional access failure | Device not compliant | Verify device posture / Intune compliance state. |

Rollback and decommission

| Action | Command / Process | Note |
|--------|-------------------|------|
| Remove Terraform binary | `sudo rm /usr/local/bin/terraform` | Leaves state files untouched |
| Clear Azure tokens | `az account clear` | Required before handoff |
| Secure wipe (hardware) | Follow device sanitization SOP | Mandatory at lifecycle end |

Security notes

Related documentation
