
Upload APNs cert and ABM token

Open zhumo opened this issue 2 years ago • 30 comments

Goal

User story
As an IT admin,
I want to upload required certs for MDM via the UI,
so that I can avoid re-deploying and adjusting/code-committing to my company's Terraform, thereby saving a lot of time.

Context

  • Product designer: @marko-lisica

Changes

Product

  • [ ] UI changes: Figma link
  • [ ] CLI usage changes: Figma link
  • [ ] REST API changes: TODO
  • [ ] Permissions changes: TODO
  • [ ] Outdated documentation changes: TODO
  • [ ] Changes to paid features or tiers: TODO

Engineering

  • [ ] Database schema migrations: TODO
  • [ ] Load testing: TODO

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

  • Requires load testing: TODO
  • Risk level: Low / High TODO
  • Risk description: TODO

Manual testing steps

  1. Step 1
  2. Step 2
  3. Step 3

Testing notes

Confirmation

  1. [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
  2. [ ] QA (@____): Added comment to user story confirming successful completion of QA.

zhumo avatar Mar 08 '23 16:03 zhumo

Noah: Today, why do we send the CSR over email? Noah: How would we automatically generate and store the APNs key and SCEP cert/key?

noahtalerman avatar Aug 08 '23 14:08 noahtalerman

Marko to add Figma link above

mikermcneil avatar Aug 08 '23 15:08 mikermcneil

@noahtalerman CSR is sent over email to ensure that the claimed email is a real email address. It was part of our terms with Apple to have some sort of paper trail over who got which certs. All that said, I don't think we are restricted to doing it in that specific way. We should re-review those requirements though.

SCEP cert/key could be auto-generated, but afaik there is no way to automatically submit an APNs key. You need to go to the website and upload the CSR we provide.

zhumo avatar Aug 09 '23 19:08 zhumo

@marko-lisica heads up, removed this from the drafting board as part of design sprint review because it didn't get estimated

noahtalerman avatar Aug 10 '23 15:08 noahtalerman

Hey @marko-lisica @dherder during design sprint kickoff we decided to deprioritize this feature. I added it back to FF because I think we should consider for next design sprint

cc @zhumo

noahtalerman avatar Aug 10 '23 21:08 noahtalerman

Noah: How does fleetctl-generate work? Will we automatically set the APNs key when the user runs the command? Will this break the connection to MDM?

noahtalerman avatar Aug 14 '23 17:08 noahtalerman

@zayhanlon @edwardsb bringing this back to Feature Fest with 2 separate customer asks

dherder avatar Nov 06 '23 20:11 dherder

@zayhanlon @edwardsb bringing this back to Feature Fest with 2 separate customer asks

Thanks. Indeed, it would be amazing for us to have this feature deployed; it's such a pain to have to manually reboot each customer instance every time we set up their MDM certificate. Uploading files through the API is really needed 🙏 👍

valentinpezon-primo avatar Nov 06 '23 20:11 valentinpezon-primo

Hi @zayhanlon and @dherder, it looks like I forgot to pull this one off the feature fest board after the last feature fest.

I just pulled it off.

Please bring back to FF if you want to discuss it.

noahtalerman avatar Dec 14 '23 19:12 noahtalerman

@noahtalerman this continues to be a stumbling block on cloud deployments.

dherder avatar Jan 22 '24 16:01 dherder

this continues to be a stumbling block on cloud deployments.

@dherder I hear you. Bringing this one to feature fest

noahtalerman avatar Jan 24 '24 14:01 noahtalerman

Heads up @dherder, this feature request was brought to feature fest on 2024-02-15 and wasn't prioritized for the current design sprint.

noahtalerman avatar Feb 19 '24 14:02 noahtalerman

@noahtalerman @lukeheath Piggybacking on @dherder's comment above, this has come up again with a different customer. I added the feature fest tag. Thanks!

nonpunctual avatar Feb 23 '24 16:02 nonpunctual

@noahtalerman More context about the potential customer impact in this thread.

lukeheath avatar Feb 23 '24 16:02 lukeheath

Hey @nonpunctual, heads up, we didn't have the space to take this one in the current design sprint (4.48).

Please feel free to bring this one back to feature fest!

noahtalerman avatar Mar 12 '24 14:03 noahtalerman

@noahtalerman @marko-lisica customer comment 20240415


nonpunctual avatar Apr 15 '24 18:04 nonpunctual

@nonpunctual is that comment from a managed cloud customer? Sounds like a quick win could be adding an item to the docs to contact customer support in Step 3: https://fleetdm.com/docs/using-fleet/mdm-macos-setup#step-3-configure-fleet-with-the-generated-files

noahtalerman avatar Apr 18 '24 14:04 noahtalerman

@dherder @alexmitchelliii @rfairburn @lukeheath

@noahtalerman

There are 7 customers associated with this issue.

This issue has been open for more than 1 year.

We have a number of initiatives dependent on making the APNS configuration easier: https://github.com/fleetdm/fleet/issues/17970 https://github.com/fleetdm/fleet/issues/16660

I set up an MDM competitor's APNS certs in under 5m in their UI recently. It was as painless as this procedure can be given that it involves a .csr download, a .csr upload to a CA, a certificate download from the CA & an upload to the MDM server. Our process is a barrier to entry for new customers.

APNS certificates have been allowed to expire for a number of customers because there is no automated notification internally or externally to address expiry. In the worst case, this could result in a customer having to re-enroll devices if they lost access to the credentials used to renew their APNS certificate. #11544 addresses expiry notification.

It is a bad practice for Fleet to handle or be responsible for a customer's identity assets in any way even if this is considered trivial by our current standards & workflows.

Alex made a very good point regarding this issue: It may have been deprioritized in the past because we had a small number of MDM customers. The pain around this issue scales up with every new MDM prospect / customer.

In my opinion I don't think we can delay this any further. I consider it my top priority for all the reasons above. We have to put this action into customer / admin user control & make this easier to do.

nonpunctual avatar Apr 18 '24 15:04 nonpunctual
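Two of the comments above describe the mechanics this feature needs: the server generates a key pair and hands the admin only a CSR, keeping the private key in its own storage (the CSR-over-email discussion and the "IT admin just gets CSR" idea), and certificates issued against that CSR expire silently unless something watches their validity window. The Go program below is an added illustration of both pieces, not Fleet's code and not the flow described in the linked contributor doc. It uses only the Go standard library; the common name, the 30-day warning threshold and the self-signed stand-in certificate (which plays the role of the CA-issued push certificate for the expiry check) are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// GenerateCSR creates a fresh RSA key pair and a PEM-encoded CSR for it.
// Only the CSR is meant to leave the server; the private key stays with it.
func GenerateCSR(commonName string) (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:            pkix.Name{CommonName: commonName},
		SignatureAlgorithm: x509.SHA256WithRSA,
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// VerifyCSR parses a PEM CSR and checks that its self-signature is valid,
// which is the check a UI upload endpoint should run before accepting input.
func VerifyCSR(csrPEM []byte) (*x509.CertificateRequest, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, fmt.Errorf("not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	return csr, nil
}

// ExpiryStatus is the result of checking one certificate's validity window.
type ExpiryStatus struct {
	NotAfter   time.Time
	DaysLeft   int // negative once the certificate has expired
	Expired    bool
	ShouldWarn bool // expired, or within warnDays of expiring
}

// CheckExpiry evaluates certPEM at time now against a warning threshold.
func CheckExpiry(certPEM []byte, now time.Time, warnDays int) (ExpiryStatus, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return ExpiryStatus{}, fmt.Errorf("not a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return ExpiryStatus{}, err
	}
	days := int(cert.NotAfter.Sub(now).Hours() / 24)
	st := ExpiryStatus{NotAfter: cert.NotAfter, DaysLeft: days, Expired: !now.Before(cert.NotAfter)}
	st.ShouldWarn = st.Expired || days <= warnDays
	return st, nil
}

// SampleCert builds a constructed self-signed certificate for key that is
// valid until notAfter; it stands in for the certificate a CA would return.
func SampleCert(key *rsa.PrivateKey, notAfter time.Time) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed sample push cert"},
		NotBefore:    notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	key, csrPEM, err := GenerateCSR("example-mdm-push") // hypothetical CN
	if err != nil {
		panic(err)
	}
	if _, err := VerifyCSR(csrPEM); err != nil {
		panic(err)
	}
	fmt.Print(string(csrPEM))
	now := time.Now()
	certPEM, err := SampleCert(key, now.Add(20*24*time.Hour))
	if err != nil {
		panic(err)
	}
	st, err := CheckExpiry(certPEM, now, 30)
	if err != nil {
		panic(err)
	}
	fmt.Printf("days left: %d, expired: %t, warn: %t\n", st.DaysLeft, st.Expired, st.ShouldWarn)
}
```

The key never appears in the CSR, only the public half does, so a server that keeps the `*rsa.PrivateKey` and hands out `csrPEM` satisfies the "admin only sees the CSR" goal; running `CheckExpiry` on a schedule with a threshold such as 30 days is the piece that turns the expiry problem described above into an actionable alert rather than a surprise.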

+1 to @nonpunctual. I think now is the right time to prioritize it because it makes a significant improvement to two Q2 OKRs:

1. Improve the self-service tech eval experience.

  • Self-service tech eval of MDM (especially Apple) is painful and requires extensive configuration via environment variables.

2. Increase product maturity and fulfill customer promises.

  • The ability to upload MDM certs via the UI is standard for all commercial MDM products. By not offering it, our product appears to lack maturity.
  • A common sentiment among the community is that this is a table stake for being a player at the MDM table.

lukeheath avatar Apr 18 '24 16:04 lukeheath

Hey @nonpunctual @lukeheath and @dherder this story didn't make the 3-week drafting => estimation timeline.

Bringing it back to feature fest.

noahtalerman avatar May 09 '24 15:05 noahtalerman

@noahtalerman @lukeheath Does this story need to go through expedited drafting? Thanks. https://fleetdm.com/handbook/product-design#revise-a-draft-currently-in-development

nonpunctual avatar May 09 '24 15:05 nonpunctual

@noahtalerman is there anything I can do to help draft this with you so that we can move this forward?

dherder avatar May 09 '24 15:05 dherder

@noahtalerman There is high demand for this across customers, prospects, and the community. Is there anything we can do in engineering to help get this ready for estimation in the next drafting cycle?

lukeheath avatar May 09 '24 17:05 lukeheath

@noahtalerman One new feature we're excited to promote for folks trialing Fleet is the one-click deploy-to-Render button here: https://github.com/fleetdm/fleet/tree/main/infrastructure/render

The great thing is that it deploys in one click with no setup, environment variables, etc. It feels like magic. But, if MDM has to be configured through env vars, and the user still needs to learn how to do that, it means MDM cannot be demoed for anyone going through our soon-to-be recommended approach for trialing Fleet in a self-hosted environment. This will negatively impact our Q2 OKR to improve the self-service tech eval experience.

lukeheath avatar May 09 '24 17:05 lukeheath

Is there anything we can do in engineering to help get this ready for estimation in the next drafting cycle?

@lukeheath it's the first thing being drafted next design sprint. So expected timeline is ~6 weeks from now.

Do you think it's valuable enough for the business to ship sooner?

If so, we can give it P2 and try to draft it + ship it next sprint. (~3 week timeline)

noahtalerman avatar May 09 '24 18:05 noahtalerman

@noahtalerman my input is yes, it is valuable enough to the business to ship it sooner. Our whole hosted MDM pipeline is dependent on it as it is table stakes for a secure interaction with Fleet.

alexmitchelliii avatar May 09 '24 18:05 alexmitchelliii

@noahtalerman @alexmitchelliii Agreed, adding the P2 label. Thanks for expediting this!

lukeheath avatar May 09 '24 19:05 lukeheath

Hey @marko-lisica, when drafting, checkout @georgekarrv's idea on how this could work in the "Theoretical Revision" section in contributor docs: https://github.com/fleetdm/fleet/blob/georgekarrv-mdm-cert-flow/docs/Contributing/MDM-Cert-Setup.md#theoretical-revision

Key part I think: IT admin just gets CSR (or public key for ABM). Everything else goes straight to the DB (obfuscated from the end user).

noahtalerman avatar May 09 '24 21:05 noahtalerman

This issue was prioritized per the "blocking workflow" sort on the Feature Fest board. Thanks.

nonpunctual avatar May 09 '24 21:05 nonpunctual