One advantage with standardized workstation OS images, is the bugs/updates/compatibility only requires a 1 support ticket solution.
Deploy a gpg signed public script to periodically download and install updates from a public server. i.e. anyone that has to update knows the package is from you, and the machine role is pre-defined by you with a config file in "/etc/example/myhost.conf". If secrecy is required, than publish host specific encrypted public payloads named for their primary interface MAC.
This is how to handle clowns pulling drives in colocation data-centers.
Deploy a gpg signed public script to periodically download and install updates from a public server. i.e. anyone that has to update knows the package is from you, and the machine role is pre-defined by you with a config file in "/etc/example/myhost.conf". If secrecy is required, than publish host specific encrypted public payloads named for their primary interface MAC.
This is how to handle clowns pulling drives in colocation data-centers.
Cheers =)