Development Environment Setup Checklist

Workstation Provisioning

    IT pushes the standard golden image with FileVault or BitLocker pre-enabled, MDM enrolled (Jamf, Kandji, or Intune), and the engineer's hardware tier matching their stack — frontend gets the 16GB tier, backend/data gets 32GB+. Ship at least 3 business days before start so the engineer is not unboxing on Day 1.

    Capture the OS the engineer will actually develop on. macOS is the default for most app teams; Linux (usually Ubuntu LTS) for platform/SRE; Windows + WSL2 for some .NET teams. The choice drives Docker setup and a few package-manager differences downstream.

Identity and SSO Access

    SCIM provisioning should already have created the account; the engineer signs in, sets a strong password, and registers a hardware MFA token (YubiKey) plus a TOTP fallback. Phone-only MFA is not allowed for production access roles.

    Print the Emergency Kit and store it offline; it is the only way back into the vault if the laptop is lost. Add the engineer to the team vaults appropriate to their role — never the production-credentials vault until the access review in the cloud section is done.

    Confirm the device shows up in the MDM console as compliant: disk encrypted, screen-lock under 5 minutes, OS within one major version of current. SOC 2 auditors sample this evidence quarterly.

Core Developer Tooling

    VS Code with the team workspace recommendations file, JetBrains (IntelliJ / GoLand / PyCharm) for backend Java/Go/Python teams, or Xcode for iOS. Sync the shared settings repo so linter, formatter, and editor config match what CI enforces — fixing whitespace in PRs is a tell that this step was skipped.

    Use a version manager (mise, asdf, or rtx) so the engineer can match the .tool-versions file in each repo. Avoid system-wide brew install of Node/Python/Ruby — version drift from a global install is the #1 cause of "works on my machine" bugs in the first month.

    Run the team Brewfile, apt manifest, or winget script. Includes git, gh, jq, ripgrep, fzf, direnv, and the deploy/observability CLIs. Keep the manifest in a repo so additions are reviewed rather than each engineer pasting brew commands from Slack.

Source Control Setup

    Use Ed25519, not RSA-2048 — the Ed25519 keys are shorter and faster, and GitHub deprecated weak RSA in 2022. Paste the public key below; IT registers it in the GitHub org and enables SSO authorization for the key.

    Set user.email to the corporate address (commits from personal emails do not count toward SSO-attributed contributions). Enable commit signing with the SSH key (git config gpg.format ssh) and turn on "Vigilant mode" in GitHub so unsigned commits are flagged.

    Confirm the engineer is added to the right GitHub teams (CODEOWNERS depends on it) and the SAML/SSO authorization shows the key fingerprint. Without SSO authorization the SSH key works for personal repos but not org repos — a confusing failure mode on Day 2.

Repository Bootstrapping

    Run the repo's bootstrap script (script/bootstrap, make setup, or equivalent), which pulls submodules, installs deps, and writes a .envrc template. If bootstrap takes more than 30 minutes on a new laptop, that is the bug — tag the platform team rather than waiting it out.

    The pre-commit framework runs gitleaks (secrets), the team linter (eslint/rubocop/golangci-lint), and the formatter on staged files. Bypass with --no-verify is logged; do not make a habit of it. A secret committed to git history is rotated AND scrubbed with git-filter-repo, never just rotated.

    Green local tests on the main branch are the contract that the environment is set up correctly. If anything fails, capture the failure output before debugging — it is usually a missing env var or a Docker container that did not start, not a real regression.
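
    Why the pre-commit step above says a committed secret is scrubbed as well as rotated, as an added example that is not part of the original checklist. It builds a throwaway repo in which a token is committed and then deleted, and shows that the checkout is clean while history still holds the value; the token, file name, and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: a secret removed in a later commit is still in history.
# The token is a constructed placeholder, not a real credential.
FAKE_TOKEN="CONSTRUCTED-FAKE-TOKEN-0000"

# make_leaky_repo DIR: commit a config file holding the token, then delete
# it in a follow-up commit (the "just remove it" non-fix).
make_leaky_repo() {
    git init -q "$1"
    git -C "$1" config user.name "demo"
    git -C "$1" config user.email "demo@example.com"
    git -C "$1" config commit.gpgsign false
    printf 'API_TOKEN=%s\n' "$FAKE_TOKEN" > "$1/deploy.conf"
    git -C "$1" add deploy.conf
    git -C "$1" commit -q -m "add local config"
    git -C "$1" rm -q deploy.conf
    git -C "$1" commit -q -m "remove leaked token"
}

# tree_hits REPO STRING: tracked files in the current checkout with STRING.
tree_hits() {
    git -C "$1" grep -l -F -e "$2" || true
}

# history_hits REPO STRING: "<commit>:<path>" for every commit reachable
# from any ref whose tree contains STRING. Empty output = history is clean.
history_hits() {
    git -C "$1" rev-list --all |
    while read -r rev; do
        git -C "$1" grep -l -F -e "$2" "$rev" || true
    done
}

repo=$(mktemp -d)
make_leaky_repo "$repo"
echo "checkout: $(tree_hits "$repo" "$FAKE_TOKEN" | wc -l | tr -d ' ') file(s)"
echo "history:  $(history_hits "$repo" "$FAKE_TOKEN" | wc -l | tr -d ' ') hit(s)"
# After rotating the credential and rewriting history with git-filter-repo,
# rerun history_hits on a fresh clone and expect no output.
rm -rf "$repo"
```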

Local Services and Databases

    Docker Desktop on macOS/Windows (license required for orgs over 250 employees), or rootless Docker / Podman on Linux. Allocate at least 4 CPUs and 8GB RAM to the VM — the default 2/2 is the reason "docker compose up" feels slow.

    docker compose up -d brings up the team's standard service set. Pin to the same Postgres major version as production — a v15-vs-v16 mismatch hides migration bugs that only show up after deploy.

    Run the seed script (rails db:seed, prisma db seed, or equivalent). Never copy production data into the local DB — even sanitized exports are a HIPAA/GDPR landmine. Use the synthetic fixtures the platform team maintains.

Cloud and Infrastructure Access

    aws configure sso for the dev account; aws-vault stores credentials in the OS keychain instead of ~/.aws/credentials in plaintext. Test with aws sts get-caller-identity. Long-lived IAM access keys are not issued — auditors flag every one they find.

    aws eks update-kubeconfig (or gcloud container clusters get-credentials). RBAC binds the engineer to the read-only dev namespace by default; production cluster access is a separate request with VP approval.

    Most engineers do not need production cloud console access on Day 3 — it should be requested when the role actually requires it (on-call, platform team, data engineering). Capturing this here keeps the access review trail clean for SOC 2.

    Open the access-request ticket with the business justification, the IAM permission set, and the manager + VP Engineering approvers. Production access is time-bound (90 days) and reviewed quarterly; break-glass-only console sessions are logged to the audit trail.
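
    A local check for the long-lived IAM access keys named in the AWS CLI step of this section, as an added example that is not part of the original checklist. It flags profiles in a shared credentials file whose key id starts with AKIA and that carry no session token; the function names and sample file are constructed, and AKIAIOSFODNN7EXAMPLE is the example id used in AWS documentation.

```shell
#!/bin/sh
# Added example: flag long-lived IAM keys in an AWS shared credentials file.
# Key ids starting with AKIA are long-term IAM user keys; ASIA ids are
# temporary STS credentials and always come with a session token.

# find_static_aws_keys FILE
# Prints each profile holding an AKIA* key id with no session token.
# Exit status 1 if any profile is flagged, 0 if the file is clean.
find_static_aws_keys() {
    awk '
        function report() {
            if (profile != "" && keyid ~ /^AKIA/ && !token) { print profile; bad = 1 }
        }
        /^[ \t]*\[/ {                          # [profile] header
            report()
            profile = $0
            sub(/^[ \t]*\[/, "", profile); sub(/\].*$/, "", profile)
            keyid = ""; token = 0
            next
        }
        /^[ \t]*aws_access_key_id[ \t]*=/ {
            keyid = $0
            sub(/^[^=]*=[ \t]*/, "", keyid); sub(/[ \t]+$/, "", keyid)
        }
        /^[ \t]*aws_session_token[ \t]*=/ { token = 1 }
        END { report(); exit bad }
    ' "$1"
}

# write_sample_credentials FILE: constructed sample data, no real secrets.
write_sample_credentials() {
    cat > "$1" <<'EOF'
[dev-sso]
aws_access_key_id = ASIAEXAMPLETEMPKEY00
aws_secret_access_key = constructed-placeholder
aws_session_token = constructed-placeholder

[legacy-ci]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = constructed-placeholder
EOF
}

sample=$(mktemp)
write_sample_credentials "$sample"
echo "Profiles with long-lived keys:"
find_static_aws_keys "$sample" || true
rm -f "$sample"
```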

CI/CD and Build Tooling

    Open the latest main-branch run and confirm the engineer can view logs and re-run failed jobs. Required status checks and branch protection on main are visible in repo settings — note them so the first PR does not surprise with a failed CODEOWNERS review.

    Whether the team uses ArgoCD, Spinnaker, a homegrown CLI, or just gh workflow run, dry-run a staging deploy with --plan or --dry-run. The first real deploy should not be the first time the CLI is invoked.

    Find the rollback runbook in the platform docs. Confirm it lists: previous container image tag retention, irreversible-migration policy, the one-line redeploy command, and the comms template for #engineering. A documented-but-untested rollback is the most common reason release nights go bad.

Observability and On-Call Setup

    SSO into Datadog (or New Relic / Honeycomb) and bookmark the team's golden-signals dashboard — latency p50/p95/p99, traffic, error rate, saturation. In Sentry, subscribe to the team's project alerts so new error fingerprints page the right person.

    Most engineers join an on-call rotation after 60-90 days, not Day 1. Capture whether this engineer's role includes on-call so PagerDuty enrollment and the shadow rotation are scheduled — or not.

    Add to the PagerDuty schedule as a shadow for at least one full rotation cycle before holding the primary pager. Configure both push and SMS notifications, and test a synthetic page so the engineer knows what a 3am wake-up sounds like before it actually happens.

    Cover SEV1/SEV2/SEV3 thresholds, the IC / comms-lead / scribe roles, the war-room channel pattern, and the blameless PIR commitment (filed within 5 business days of resolution). The runbook is what the engineer actually reads at 3am — not training slides.

Security and Compliance Baseline

    Run fdesetup status on macOS or manage-bde -status on Windows; the recovery key escrows to MDM. This evidence is sampled in every SOC 2 Type II audit — "yes, encryption is on" is not enough; the audit trail is the screenshot from MDM.

    Vanta / Drata / Secureframe pushes the training module; completion is tracked automatically. Required within the first 30 days for SOC 2 and again annually. Phishing simulation enrollment piggybacks on this step.

    Covers customer data classification, where PII/PHI may live (firm-issued laptop and approved SaaS only — never personal email or personal cloud), and the breach-reporting expectation (within 24 hours to the security team, who handle the 72-hour GDPR notification clock).
