Might be a good use case for something like deep freeze? I think you can do a lot of what you want through software and don't need to go desoldering things like some have suggested!
https://www.faronics.com/en-uk/products/deep-freeze/enterprise
It basically locks a computer's configuration in place and prevents any modification.
>Deep Freeze wipes out any infection
Nope, needs a reboot to overwrite an infection, according to their website:
Freezing a snapshot of a computer’s desired configuration and settings defined by the IT Admin. With an instant reboot, any unwelcome or unwanted changes are removed from the system, restoring it to its pristine Frozen state.
https://www.faronics.com/en-uk/products/deep-freeze/enterprise
Thank you for taking the time to write this post!
It is quite a lot to digest, and you (and others) are right - it's a pretty multi-faceted question (if not many questions)... lol.
For us - PII is a bit of a mixed bag, but it's basically any information the customer provides to us. I know there are DLP products out there, I am hoping we don't need to go down the path of needing to deploy them here, but it's good to know they're available.
Malware - yeah, I guess we'll need to add AV scanning to the mix. I'm a bit out of touch on the Windows AV front - what are the popular enterprise products these days? I've heard good things about CrowdStrike, but not sure what's in vogue now.
Network segregation - yes, we'll definitely keep these test/reproduction devices segregated from our production network. And they shouldn't be able to access business emails/drive from those devices.
We can get MS Intune or MDM.
For locking down admin access - a colleague suggested looking into Privileged Access Management (PAM). Do you know any products on the Windows or macOS side that support this kind of model, for handing out, say, time-limited admin access?
I'm looking into MS Autopilot (as well as the previously mentioned Intune) - seems we need some kind of E3 licensing for that.
I also found this product - Faronics Deep Freeze - apparently it's a kernel-level driver that automatically reverts a system back after every reboot. For our use-case (test machines to reproduce customer issues), this could actually work as well.
We'd still obviously need to harden the machines down, and have monitoring/telemetry.
For macOS MDMs - it seems Jamf is the most popular option, right? Any others people can suggest based on experience?
Apart from Intune - any others on the Windows side people would recommend?
My problem when I looked into docker integrated was that I wanted every docker image to have its own real dhcp lease so I could do selective routing via pfsense.
The posts I found online stated that it wasn't possible, and some of the workarounds you could use were the likes of creating bridges. I've just had a google around and there's something called macvlan which might fit the bill for what I want, although I'm not sure how that works in relation to broadcast traffic (if it's creating VLANs).
If you miss that easy reverting, you could check out Deep Freeze. I've yet to install that, but it looks like something that's really fun to play with.
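As an added illustration of the macvlan approach mentioned in the post above (this is example code written for this thread, not something the poster or Docker ships): a small POSIX shell script that creates a Docker macvlan network on a parent NIC, starts a container with a fixed, locally administered MAC and a fixed LAN address, and adds the host-side "shim" interface that macvlan needs for host-to-container traffic. The NIC name `eth0`, the LAN `192.168.1.0/24`, gateway `192.168.1.1`, the container range `192.168.1.192/26`, the shim address `192.168.1.254` and the container/image names are all assumed values; `DRY_RUN=1` prints the commands instead of executing them so the script can be reviewed before touching a real host.

```shell
#!/bin/sh
# Example for the thread (not from the original post or from Docker): put each
# container on the LAN with its own MAC/IP via a macvlan network, so pfSense
# can policy-route per container. All addresses and names below are assumptions.
# DRY_RUN=1 prints the commands instead of running them.

PARENT="${PARENT:-eth0}"                         # assumed parent NIC
SUBNET="${SUBNET:-192.168.1.0/24}"                 # assumed LAN
GATEWAY="${GATEWAY:-192.168.1.1}"                  # assumed pfSense LAN address
CONTAINER_RANGE="${CONTAINER_RANGE:-192.168.1.192/26}"  # carve-out for containers
SHIM_IP="${SHIM_IP:-192.168.1.254/32}"             # host-side macvlan address
NET_NAME="${NET_NAME:-lan_macvlan}"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Docker's macvlan driver hands out addresses from its own IPAM, not from the
# LAN DHCP server, so the container range is carved out of the LAN subnet and
# must be excluded from pfSense's DHCP pool to avoid conflicts. --aux-address
# keeps the host shim address out of Docker's pool as well.
create_network() {
    run docker network create -d macvlan \
        --subnet "$SUBNET" --gateway "$GATEWAY" \
        --ip-range "$CONTAINER_RANGE" \
        --aux-address "host=${SHIM_IP%/*}" \
        -o parent="$PARENT" "$NET_NAME"
}

# Derive a stable, locally administered MAC (02:... prefix) from the container
# name, so pfSense static mappings / aliases can be keyed on it.
mac_for() {
    h=$(printf '%s' "$1" | cksum | cut -d' ' -f1)
    printf '02:42:ac:%02x:%02x:%02x' \
        $(( (h >> 16) & 255 )) $(( (h >> 8) & 255 )) $(( h & 255 ))
}

# Start a container on the macvlan network with a fixed MAC and a fixed
# address from the container range; pfSense rules can match on either.
start_container() {
    name="$1"; ip="$2"; image="$3"
    run docker run -d --name "$name" --network "$NET_NAME" \
        --mac-address "$(mac_for "$name")" --ip "$ip" "$image"
}

# A macvlan child cannot talk to its own parent interface, so the host itself
# cannot reach the containers. A host-side macvlan "shim" with its own address
# and a route for the container range restores host <-> container traffic.
add_host_shim() {
    run ip link add macvlan-shim link "$PARENT" type macvlan mode bridge
    run ip addr add "$SHIM_IP" dev macvlan-shim
    run ip link set macvlan-shim up
    run ip route add "$CONTAINER_RANGE" dev macvlan-shim
}

# Usage: DRY_RUN=1 sh macvlan.sh demo   (review)   /   sudo sh macvlan.sh demo
if [ "${1:-}" = "demo" ]; then
    create_network
    add_host_shim
    start_container repro-box-a 192.168.1.193 alpine:3.19   # assumed name/image
fi
```

Two caveats worth knowing before trying this on the test LAN: macvlan does not create 802.1Q VLANs; the containers simply appear as extra MAC addresses on the same L2 segment as the parent NIC, so LAN broadcasts (including DHCP and ARP) do reach them. That also means the parent NIC must accept frames for multiple MACs, which Wi-Fi adapters and many virtual-switch ports refuse unless promiscuous mode / MAC spoofing is allowed. And because Docker, not pfSense, assigns the addresses, per-container routing in pfSense is best done with aliases keyed on the fixed IPs or MACs the script sets rather than on DHCP leases.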