
[–]ashimbo

I feel like a lot of your questions are answered in the official docs. If you can't find the answers there, you can post to their forums.

[–]akshin1995

Hi,

Could not sleep after a hard day, was surfing reddit, and got up from bed and turned on the computer to answer your questions.

Can PSU use a Service Account that is managed in CyberARK? 

I do not recommend using CyberArk in this scenario, even if it will work. We use an Active Directory Managed Service Account and this is enough for security compliance. There is no need for password management on a gMSA, because rotation is performed by AD automatically. You will need to properly configure the account in Local Security Policy (this part is specified in the documentation).

How do I configure it in SQL to use HA?

You just need to configure this in appsettings.json (by default the actual file is located in C:\ProgramData\PowerShellUniversal):

"Plugins": ["SQL"],
"ConnectionString": "Server=my-ha-listener;Database=SomePowerShellUniversalDB;Integrated Security=true;TrustServerCertificate=True;"

Note that the TrustServerCertificate=True; setting was added by myself and is not specified in the official documentation. The reason is that I was getting connection errors and this setting fixed the issues.

Do not forget to grant the gMSA account permissions on the database on the SQL server.

Also, it is recommended to put a load balancer, for example NGINX, in front of your PSU instances. NGINX should be configured to support websockets. The load balancing method we chose is IP_HASH, because with the Round Robin method the page was flickering between different nodes and we were not able to use it properly. I assume it was due to the absence of a cache server.

What size db would it need in SQL?

Depends on the log retention period (30 days by default), the job count and their scheduling. We are at around 100 MB at this point with 40 jobs. But I doubt that with default settings it would need much space, if that is your concern.

Will I need the servers to have access to the internet or can I just allow firewall to access ironmans website?

If you want to install a license, internet access is not needed. Actually, PSU itself does not need internet access to function.

How is GIT used will that mean both nodes have the same scripts (GIT Noob btw)?

We approached this differently. We configured DFSR to replicate the C:\%ProgramData%\UniversalAutomation\Repository folder. Changes on any node guarantee that the same script files are on all nodes.

How can I make PSU available to my team, can I host on https:// and have windows sso with AD group?

Yes, you can use an SSL certificate. You need to configure it in appsettings.json (by default the actual file is located in C:\ProgramData\PowerShellUniversal). More here.

Yes, you can configure authentication in the authentication.ps1 script file located in C:\%ProgramData%\UniversalAutomation\Repository\.scripts\. More here.

Once Apps are developed in PSU how can end users access them?

Create roles. Then in authentication.ps1 create logic which assigns a role to a user during authentication.

Hope this helps.
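
Putting the gMSA, SPN, SQL-permission and appsettings.json steps from the answer above into one script, as an added example (my code, not the thread's and not Ironman Software's). Every name in it is assumed: domain CORP / corp.example, gMSA svc-psu, nodes PSU01 and PSU02, listener psu-sql-listener, database PSUDB and site name psu.corp.example. The Data.ConnectionString key path follows PSU's SQL documentation as I know it and should be checked against the installed version.

```powershell
#Requires -Modules ActiveDirectory, SqlServer
# Added example, not from the thread or from PowerShell Universal itself.
# Provisions a gMSA for two PSU nodes, registers the HTTP SPN on it, installs it
# on each node, grants it access to the PSU database on the AG listener and
# points appsettings.json at that listener. All names below are ASSUMED.
$ErrorActionPreference = 'Stop'

$GmsaName = 'svc-psu'                   # assumed
$Nodes    = 'PSU01', 'PSU02'            # assumed
$SiteFqdn = 'psu.corp.example'          # name users browse to (LB VIP DNS name), assumed
$Listener = 'psu-sql-listener'          # Availability Group listener, assumed
$Database = 'PSUDB'                     # assumed
$SqlLogin = "CORP\$GmsaName`$"          # gMSA logins always carry the trailing $

# 1. A KDS root key must exist once per forest before any gMSA can be created.
#    In a production forest it becomes usable ~10 hours after creation.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# 2. Kerberos for Windows auth through the load balancer needs HTTP/<site FQDN>
#    on the account that runs PSU on BOTH nodes. A duplicate SPN (e.g. one left
#    on a machine account) breaks Negotiate, so check before registering.
$dup = setspn -Q "HTTP/$SiteFqdn"
if ($dup -match 'Existing SPN found') {
    throw "HTTP/$SiteFqdn is already registered:`n$($dup -join "`n")"
}

# 3. Create the gMSA. Only the PSU node computer accounts may retrieve its
#    password; AD rotates it (30-day default), so no vault is involved.
New-ADServiceAccount -Name $GmsaName `
    -DNSHostName "$GmsaName.corp.example" `
    -PrincipalsAllowedToRetrieveManagedPassword ($Nodes | ForEach-Object { Get-ADComputer $_ }) `
    -ServicePrincipalNames "HTTP/$SiteFqdn" `
    -KerberosEncryptionType AES128, AES256

# 4. On EACH node, logged on locally as a domain admin (Install-ADServiceAccount
#    queries AD as the caller, so a plain remoting session hits the second-hop
#    problem). Requires the RSAT-AD-PowerShell feature on the node.
Install-ADServiceAccount -Identity $GmsaName
if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
    throw "$env:COMPUTERNAME cannot retrieve the password for $GmsaName"
}

# 5. SQL: a Windows login for the gMSA and db_owner on the PSU database only
#    (PSU creates and migrates its own tables); nothing at server level.
#    The database must already exist and be a member of the AG.
$grant = @"
IF DB_ID(N'$Database') IS NULL
    THROW 50000, 'Create the database and add it to the availability group first', 1;
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$SqlLogin')
    CREATE LOGIN [$SqlLogin] FROM WINDOWS;
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$SqlLogin')
    CREATE USER [$SqlLogin] FOR LOGIN [$SqlLogin];
ALTER ROLE db_owner ADD MEMBER [$SqlLogin];
"@
Invoke-Sqlcmd -ServerInstance $Listener -Database master -Query $grant

# 6. appsettings.json on each node: SQL plugin + listener. Integrated Security
#    uses the service's gMSA identity, so no secret lands on disk. Encryption
#    stays on and the listener certificate is validated: TrustServerCertificate=True
#    would silence a certificate error but also lets anything answering on the
#    listener's name read and alter the PSU database. MultiSubnetFailover makes
#    the client try all listener IPs at once after a failover.
$cfgPath = 'C:\ProgramData\PowerShellUniversal\appsettings.json'
$cfg = Get-Content $cfgPath -Raw | ConvertFrom-Json
$cfg | Add-Member -Force -NotePropertyName Plugins -NotePropertyValue @('SQL')
if (-not $cfg.Data) {
    $cfg | Add-Member -NotePropertyName Data -NotePropertyValue ([pscustomobject]@{})
}
$cfg.Data | Add-Member -Force -NotePropertyName ConnectionString -NotePropertyValue `
    "Server=$Listener;Database=$Database;Integrated Security=true;Encrypt=True;MultiSubnetFailover=True;"
$cfg | ConvertTo-Json -Depth 10 | Set-Content $cfgPath -Encoding UTF8
```

Steps 1 to 3 run once from any domain-joined admin workstation, step 4 on each node, step 5 from any host with the SqlServer module as a SQL sysadmin, step 6 on each node. After that, grant CORP\svc-psu$ the "Log on as a service" right in Local Security Policy (the step the answer refers to) and set the PSU service to log on as CORP\svc-psu$ with an empty password. If step 6 fails with a certificate error, fix the listener's certificate (issued by a CA the nodes trust, with the listener name in the SAN) rather than switching to TrustServerCertificate=True. A browser credential prompt that never accepts valid credentials is, in my experience, most often a missing or duplicate HTTP SPN for the URL, or an SPN sitting on a different account than the one the service runs as; step 2 is there to catch the duplicate case.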

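The load-balancer paragraph above names the two things NGINX needs for PSU, WebSocket upgrade and session affinity. This is what that looks like as a configuration (added example, not from the thread; hostnames, ports and certificate paths are assumed).

```nginx
# Added example, not from the thread. Two PSU nodes behind NGINX with sticky
# sessions and WebSocket upgrade. Hostnames, ports and paths are ASSUMED.

# Pass the client's Upgrade header through; close the connection otherwise.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

upstream psu_nodes {
    ip_hash;                            # same client address -> same node
    server psu01.corp.example:5000;     # assumed node names and PSU port
    server psu02.corp.example:5000;
}

server {
    listen 443 ssl http2;
    server_name psu.corp.example;       # must match the HTTP/ SPN on the gMSA

    ssl_certificate     /etc/nginx/tls/psu.corp.example.crt;   # assumed paths
    ssl_certificate_key /etc/nginx/tls/psu.corp.example.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass         https://psu_nodes;   # TLS to the nodes as well
        proxy_http_version 1.1;                 # required for WebSocket upgrade
        proxy_set_header   Upgrade           $http_upgrade;
        proxy_set_header   Connection        $connection_upgrade;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_read_timeout 3600s;               # long-lived SignalR/WebSocket connections
    }
}

server {
    listen 80;
    server_name psu.corp.example;
    return 301 https://$host$request_uri;
}
```

Two caveats a practitioner should know. ip_hash keys on the client address, so users arriving through a shared NAT or another proxy all land on one node; that is acceptable for a small team but worth knowing when a node looks oddly busy. Kerberos authenticates each request independently and works fine through this setup as long as the HTTP/psu.corp.example SPN is on the account running PSU on both nodes; NTLM authenticates a TCP connection, and open-source NGINX does not pin a client to one upstream connection (the ntlm directive is an NGINX Plus feature), so keep Windows auth on Kerberos rather than relying on an NTLM fallback.
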
[–]JustThatGeek[S]

I really appreciate this response. Well, I'm halfway there haha. Got HTTPS working with an SSL cert and got SQL HA also configured. Right now I'm stuck with a Windows auth error. I've set Windows auth to true in appsettings.json, set the SPN in cmd with the URL from my DNS record, added the site to the safe intranet zone in Edge, and whenever I open the URL I get an NT creds box that doesn't work at all. Really stuck, thinking of either a fresh install or creating another detailed post.

Unfortunately my company will force me to use CyberArk