Skip to content
Indus LeveL
ansible automation sysadmin linux workstation deployment security

Automating Workstation Application Deployment and Auditing with Ansible

A practical sysadmin guide to mass-deploying and auditing Microsoft Teams and Firefox across remote workstation fleets using Ansible ad-hoc raw commands and playbooks over custom SSH ports.

3 min read
Cover illustration representing automated mass application deployment and auditing across workstation fleets using Ansible

During a recent company-wide remote work-from-home (WFH) initiative, I was assigned the task of updating multiple engineering workstations and installing essential productivity packages—specifically, Microsoft Teams and Mozilla Firefox.

With dozens of machines distributed across various subnets and operating on custom SSH ports (2748), logging into each workstation manually one by one to execute package installations and verify versions would have taken hours of tedious, repetitive work.

Instead of doing it manually, I leveraged Ansible. By constructing a custom remote inventory file, configuring dedicated SSH keys, and executing Ansible ad-hoc raw commands alongside automated playbooks, I successfully deployed the packages and audited compliance across the entire fleet in a matter of minutes.

In this guide, I will share the exact inventory structure, SSH authentication checks, deployment playbook execution, and ad-hoc auditing commands I used to automate this workflow.

Prerequisites

You will need an administrative control node with Ansible installed, alongside a dedicated SSH key pair (ansible_rsa) provisioned across all target remote workstations.


Step 1: Structuring the Remote Workstation Inventory

To manage workstations operating on non-standard SSH ports (e.g., port 2748), we construct a dedicated inventory file (inventory-wfh). This allows Ansible to target specific subnets and route connections correctly without modifying global SSH client configurations.

Create the inventory file /home/wazeem/teams-install/inventory-wfh:

[wfh_workstations]
10.16.12.101 ansible_port=2748
10.16.12.102 ansible_port=2748
10.16.12.103 ansible_port=2748
10.16.12.104 ansible_port=2748
10.16.12.105 ansible_port=2748
10.16.12.106 ansible_port=2748
10.16.12.107 ansible_port=2748
10.16.12.108 ansible_port=2748
10.16.12.109 ansible_port=2748
10.16.12.110 ansible_port=2748
10.16.12.111 ansible_port=2748
10.16.12.112 ansible_port=2748
10.16.12.113 ansible_port=2748
10.16.12.114 ansible_port=2748
10.16.12.115 ansible_port=2748
10.16.13.101 ansible_port=2748
10.16.13.102 ansible_port=2748
10.16.13.103 ansible_port=2748
10.16.13.104 ansible_port=2748
10.16.13.105 ansible_port=2748
10.16.13.106 ansible_port=2748
10.16.13.107 ansible_port=2748
10.16.13.108 ansible_port=2748
10.16.13.109 ansible_port=2748

[engineering_workstations]
10.13.12.21  ansible_port=2748
10.13.12.24  ansible_port=2748
10.13.12.26  ansible_port=2748
10.13.12.32  ansible_port=2748
10.13.12.42  ansible_port=2748
10.13.12.44  ansible_port=2748
10.13.12.46  ansible_port=2748
10.13.12.49  ansible_port=2748
10.13.12.50  ansible_port=2748
10.13.12.53  ansible_port=2748
10.13.12.54  ansible_port=2748
10.13.12.55  ansible_port=2748
10.13.12.57  ansible_port=2748
10.13.12.186 ansible_port=2748
10.13.12.187 ansible_port=2748
10.13.12.188 ansible_port=2748
10.13.12.189 ansible_port=2748
10.13.12.190 ansible_port=2748
10.13.12.191 ansible_port=2748
10.13.12.192 ansible_port=2748
10.13.13.18  ansible_port=2748
10.13.13.47  ansible_port=2748

Step 2: Verifying Connectivity and Key Authentication

Before running mass automation, verify that your control node can successfully establish SSH connections and authenticate using the dedicated private key (ansible_rsa).

# Test ICMP reachability
ping -c 3 10.16.12.105

# Verify SSH key authentication over custom port
ssh -i /home/wazeem/teams-install/ssh-key/ansible_rsa -l ansible -p 2748 10.16.12.105

Manual Pre-Checks on Target Nodes

You can perform manual spot-checks on individual workstations to inspect existing package installations:

ssh -i /home/wazeem/teams-install/ssh-key/ansible_rsa -l ansible -p 2748 -o StrictHostKeyChecking=no 10.16.13.101 "rpm -qa | egrep -i 'teams|firefox'"
ssh -i /home/wazeem/teams-install/ssh-key/ansible_rsa -l ansible -p 2748 -o StrictHostKeyChecking=no 10.16.13.102 "rpm -qa | egrep -i 'teams|firefox'"
ssh -i /home/wazeem/teams-install/ssh-key/ansible_rsa -l ansible -p 2748 -o StrictHostKeyChecking=no 10.16.13.105 "rpm -qa | egrep -i 'teams|firefox'"

Step 3: Executing the Mass Deployment Playbook

With connectivity established, execute your deployment playbook (site.yml). This playbook connects to target workstations, escalates privileges via sudo, and installs or updates Microsoft Teams and Mozilla Firefox.

Execute the playbook against specific targets or the entire inventory:

# Run playbook against a specific target node with verbose output
ansible-playbook -vvv -i 10.16.13.108:2748, -u ansible -b --private-key=/home/wazeem/teams-install/ssh-key/ansible_rsa /home/wazeem/teams-install/playbook/site.yml

# Run playbook against the entire workstation inventory
ansible-playbook -i /home/wazeem/teams-install/inventory-wfh -u ansible -b --private-key=/home/wazeem/teams-install/ssh-key/ansible_rsa /home/wazeem/teams-install/playbook/site.yml

Step 4: Performing Instant Compliance Audits (Ad-Hoc Queries)

Once the deployment playbook finishes, you can instantly verify compliance across the entire fleet without writing additional playbooks. Ansible's ad-hoc raw module allows you to execute raw shell commands concurrently across all inventory endpoints.

Execute the following forensic auditing commands to query installed RPM packages across all workstations:

# 1. Audit specific host groups or single nodes
ansible -i /home/wazeem/teams-install/inventory-wfh -m raw -a "rpm -qa | egrep -i 'firefox|teams'" wfh_workstations

# 2. Audit the entire fleet concurrently using dedicated SSH key
ansible -i /home/wazeem/teams-install/inventory-wfh -m raw -a "rpm -qa | egrep -i 'firefox|teams'" --private-key=/home/wazeem/teams-install/ssh-key/ansible_rsa -u ansible all

References

Back to Blog
Share:

Follow along

Stay in the loop — new articles, thoughts, and updates.