Development Environment Setup Checklist

IT pushes the standard golden image with FileVault or BitLocker pre-enabled, MDM enrolled (Jamf, Kandji, or Intune), and the engineer's hardware tier matching their stack — frontend gets the 16GB tier, backend/data gets 32GB+. Ship at least 3 business days before start so the engineer is not unboxing on Day 1.

Capture the OS the engineer will actually develop on. macOS is the default for most app teams; Linux (usually Ubuntu LTS) for platform/SRE; Windows + WSL2 for some .NET teams. The choice drives Docker setup and a few package-manager differences downstream.

SCIM provisioning should already have created the account; the engineer signs in, sets a strong password, and registers a hardware MFA token (YubiKey) plus a TOTP fallback. Phone-only MFA is not allowed for production access roles.

Print the Emergency Kit and store it offline; it is the only way back into the vault if the laptop is lost. Add the engineer to the team vaults appropriate to their role — never the production-credentials vault until the access review in the cloud section is done.

VS Code with the team workspace recommendations file, JetBrains (IntelliJ / GoLand / PyCharm) for backend Java/Go/Python teams, or Xcode for iOS. Sync the shared settings repo so linter, formatter, and editor config match what CI enforces — fixing whitespace in PRs is a tell that this step was skipped.

Use a version manager (mise, asdf, or rtx) so the engineer can match the .tool-versions file in each repo. Avoid system-wide brew install of Node/Python/Ruby — version drift from a global install is the #1 cause of "works on my machine" bugs in the first month.

Use Ed25519, not RSA-2048 — the Ed25519 keys are shorter and faster, and GitHub deprecated weak RSA in 2022. Paste the public key below; IT registers it in the GitHub org and enables SSO authorization for the key.

Set user.email to the corporate address (commits from personal emails do not count toward SSO-attributed contributions). Enable commit signing with the SSH key (git config gpg.format ssh) and turn on "Vigilant mode" in GitHub so unsigned commits are flagged.

Run the repo's bootstrap script (script/bootstrap, make setup, or equivalent) which pulls submodules, installs deps, and writes a .envrc template. If bootstrap takes more than 30 minutes on a new laptop, that is the bug — tag the platform team rather than waiting it out.

The pre-commit framework runs gitleaks (secrets), the team linter (eslint/rubocop/golangci-lint), and the formatter on staged files. Bypass with --no-verify is logged; do not make a habit of it. A secret committed to git history is rotated AND scrubbed with git-filter-repo, never just rotated.

Docker Desktop on macOS/Windows (license required for orgs over 250 employees), or rootless Docker / Podman on Linux. Allocate at least 4 CPUs and 8GB RAM to the VM — the default 2/2 is the reason "docker compose up" feels slow.

docker compose up -d brings up the team's standard service set. Pin to the same Postgres major version as production — a v15-vs-v16 mismatch hides migration bugs that only show up after deploy.

aws configure sso for the dev account; aws-vault stores credentials in the OS keychain instead of ~/.aws/credentials in plaintext. Test with aws sts get-caller-identity. Long-lived IAM access keys are not issued — auditors flag every one they find.

aws eks update-kubeconfig (or gcloud container clusters get-credentials). RBAC binds the engineer to the read-only dev namespace by default; production cluster access is a separate request with VP approval.

Most engineers do not need production cloud console access on Day 3 — it should be requested when the role actually requires it (on-call, platform team, data engineering). Capturing this here keeps the access review trail clean for SOC 2.

Open the latest main-branch run, confirm the engineer can view logs and re-run failed jobs. Required status checks and branch protection on main are visible in repo settings — note them so the first PR does not surprise with a failed CODEOWNERS review.

Whether the team uses ArgoCD, Spinnaker, a homegrown CLI, or just gh workflow run, dry-run a staging deploy with --plan or --dry-run. The first real deploy should not be the first time the CLI is invoked.

SSO into Datadog (or New Relic / Honeycomb) and bookmark the team's golden-signals dashboard — latency p50/p95/p99, traffic, error rate, saturation. In Sentry, subscribe to the team's project alerts so new error fingerprints page the right person.

Most engineers join an on-call rotation after 60-90 days, not Day 1. Capture whether this engineer's role includes on-call so PagerDuty enrollment and the shadow rotation are scheduled — or not.

Add to the PagerDuty schedule as a shadow for at least one full rotation cycle before holding the primary pager. Configure both push and SMS notifications, and test a synthetic page so the engineer knows what 3am wakes up sound like before it actually happens.

Run fdesetup status on macOS or manage-bde -status on Windows; the recovery key escrows to MDM. This evidence is sampled in every SOC 2 Type II audit — "yes, encryption is on" is not enough; the audit trail is the screenshot from MDM.

Vanta / Drata / Secureframe pushes the training module; completion is tracked automatically. Required within the first 30 days for SOC 2 and again annually. Phishing simulation enrollment piggybacks on this step.