More host vitals for iOS/iPadOS hosts
customer-eponym: Slack thread: https://fleetdm.slack.com/archives/C04QDDZNQ2H/p1753798511727779
- @noahtalerman: eponym wants Fleet to add these vitals (from this request) so that they don't have to map devices to this info in a separate IT asset management tool:
  - International Mobile Equipment Identity (IMEI)
  - Phone number
  - Integrated Circuit Card Identifier (ICCID)
  - Battery level
  - Device capacity (the "disk space" equivalent)
- @allenhouchins: Apple has labeled the IMEI, phone number, ICCID as deprecated. Best practice is get these from Apple Business Manager (ABM) or the carrier.
- @noahtalerman:
customer-deebradel: Gong snippet: https://us-65885.app.gong.io/call?id=7996083350690689023&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A1184%2C%22to%22%3A1317%7D%5D
customer-pingali: Slack thread: https://fleetdm.slack.com/archives/C050XE4CQNA/p1737574908260579?thread_ts=1737574534.713049&cid=C050XE4CQNA
- @alexmitchelliii: customer-pingali's highest priority is the status of a passcode on the device. Is a passcode set?
- @noahtalerman: I think it's to replace what WS1 calls "Compliance Policies": https://us-65885.app.gong.io/call?id=1384880456235185241&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A4097%2C%22to%22%3A4483%7D%5D
  - Instead, with Fleet, Zuul will hit host vitals to decide if end users can log in via Okta.
- @alexmitchelliii:
- @noahtalerman: User requested this because they want to see more host vitals for iOS hosts for security and compliance use cases:
- applications installed
- passcode enabled/disabled
- encryption enabled/disabled
- certificates installed (including their details around when they are valid and when they expire)
- serial number
- @noahtalerman: In the interim, the user can run a custom MDM command that looks like this: https://github.com/fleetdm/fleet/issues/26337#issuecomment-2669497246
- @noahtalerman: Eventually, Fleet could add host vitals for all vitals included in the MDM command.
- @allenhouchins: I also want to use these host vitals to create labels in Fleet. Why? This way I can scope different profiles based on the iPhone's carrier (CurrentCarrierNetwork). For example, we apply different restrictions to T-Mobile v. Verizon iPhones.
- @allenhouchins: See the MDM command results for all info we could show using the GetDeviceInfo MDM command.
- @allenhouchins: Another way to collect additional details for Apple mobile devices (DDM): https://support.apple.com/guide/deployment/declarative-status-reports-depd90ee8a5f/1/web/1.0
- @allenhouchins: Could also use the MDM protocol for macOS host vitals.
- @noahtalerman: Maybe there are some vitals that we can't get with osquery?
Looks like the certificates request is already covered in #22802
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Command</key>
  <dict>
    <key>Queries</key>
    <array>
      <!-- Identity, OS and management state -->
      <string>UDID</string>
      <string>Languages</string>
      <string>Locales</string>
      <string>DeviceID</string>
      <string>OrganizationInfo</string>
      <string>LastCloudBackupDate</string>
      <string>AwaitingConfiguration</string>
      <string>MDMOptions</string>
      <string>iTunesStoreAccountIsActive</string>
      <string>iTunesStoreAccountHash</string>
      <string>DeviceName</string>
      <string>OSVersion</string>
      <string>BuildVersion</string>
      <string>ModelName</string>
      <string>Model</string>
      <string>ProductName</string>
      <string>SerialNumber</string>
      <!-- Storage and battery (the "disk space" and battery-level vitals requested above) -->
      <string>DeviceCapacity</string>
      <string>AvailableDeviceCapacity</string>
      <string>BatteryLevel</string>
      <!-- Cellular and network; Apple labels IMEI, PhoneNumber and ICCID as deprecated (see the notes above) -->
      <string>CellularTechnology</string>
      <string>ICCID</string>
      <string>BluetoothMAC</string>
      <string>WiFiMAC</string>
      <string>EthernetMACs</string>
      <string>CurrentCarrierNetwork</string>
      <string>SubscriberCarrierNetwork</string>
      <string>CurrentMCC</string>
      <string>CurrentMNC</string>
      <string>SubscriberMCC</string>
      <string>SubscriberMNC</string>
      <string>SIMMCC</string>
      <string>SIMMNC</string>
      <string>SIMCarrierNetwork</string>
      <string>CarrierSettingsVersion</string>
      <string>PhoneNumber</string>
      <string>DataRoamingEnabled</string>
      <string>VoiceRoamingEnabled</string>
      <string>PersonalHotspotEnabled</string>
      <string>IsRoaming</string>
      <string>IMEI</string>
      <string>MEID</string>
      <string>ModemFirmwareVersion</string>
      <!-- Security and device-protection state -->
      <string>IsSupervised</string>
      <string>IsDeviceLocatorServiceEnabled</string>
      <string>IsActivationLockEnabled</string>
      <string>IsDoNotDisturbInEffect</string>
      <string>EASDeviceIdentifier</string>
      <string>IsCloudBackupEnabled</string>
      <!-- Software update settings and host names -->
      <string>OSUpdateSettings</string>
      <string>LocalHostName</string>
      <string>HostName</string>
      <string>CatalogURL</string>
      <string>IsDefaultCatalog</string>
      <string>PreviousScanDate</string>
      <string>PreviousScanResult</string>
      <string>PerformPeriodicCheck</string>
      <string>AutomaticCheckEnabled</string>
      <string>BackgroundDownloadEnabled</string>
      <string>AutomaticAppInstallationEnabled</string>
      <string>AutomaticOSInstallationEnabled</string>
      <string>AutomaticSecurityUpdatesEnabled</string>
      <!-- Shared iPad, Lost Mode, analytics and attestation -->
      <string>IsMultiUser</string>
      <string>IsMDMLostModeEnabled</string>
      <string>MaximumResidentUsers</string>
      <string>PushToken</string>
      <string>DiagnosticSubmissionEnabled</string>
      <string>AppAnalyticsEnabled</string>
      <string>IsNetworkTethered</string>
      <string>ServiceSubscriptions</string>
      <string>DevicePropertiesAttestation</string>
    </array>
    <key>RequestType</key>
    <string>DeviceInformation</string>
  </dict>
  <key>CommandUUID</key>
  <string>0001_DeviceInformation</string>
</dict>
</plist>
Problem
Several customers have requested that Fleet expand the information that it collects and displays in the UI for iOS devices. Specifically:
- Passcode status (enabled/disabled)
- Encryption enabled
- Certificates installed
  - Include details around when they expire
- IMEI
What have you tried?
Today, Fleet admins are able to retrieve this information by using the API to send SecurityInfo and CertificateList commands to the host, then parsing the response. The results of the MDM commands do not appear in the Fleet UI; they must be retrieved via the API and decoded.
Potential solutions
In addition to the DeviceInformation and InstalledApplicationList commands we already send, Fleet could send SecurityInfo and CertificateList commands when host vitals are fetched. These commands include the information requested by the customer.
The DeviceInformation command used to be able to retrieve the IMEI number of an iOS device, but that query was deprecated with iOS 16. IMEI is available in Apple Business Manager. Perhaps it is included in the sync from ABM -> Fleet?
What is the expected workflow as a result of your proposal?
A Fleet admin wants to see if an iOS device has a passcode enabled. The Fleet admin would visit the host details page for that iOS device. In the UI, Fleet would display the result of the most recent SecurityInfo command that was sent when the host vitals were fetched.
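The interim workflow described above (send a SecurityInfo command through the API, fetch the result, decode it) as an added, self-contained example. This is my own script, not Fleet's code or anything posted in this issue. It assumes Fleet's run-command endpoint takes the command plist base64-encoded and hands the device's reply back as a base64-encoded plist in the result's `result` field (I believe these are `POST /api/v1/fleet/commands/run` and `GET /api/v1/fleet/commands/results?command_uuid=...`; check the REST API docs before wiring it up). The block makes no network calls: it builds the command, and the device responses it decodes are constructed samples, not real captures. The HardwareEncryptionCaps bit values (1 = block-level, 2 = file-level) are from Apple's MDM protocol reference.

```python
import base64
import plistlib
import uuid

# Bit values of SecurityInfo.HardwareEncryptionCaps on iOS/iPadOS (Apple MDM protocol reference).
BLOCK_LEVEL_ENCRYPTION = 1
FILE_LEVEL_ENCRYPTION = 2


def build_security_info_command(command_uuid=None):
    """XML plist for a SecurityInfo command, in the shape Apple's MDM protocol expects."""
    command = {
        "CommandUUID": command_uuid or str(uuid.uuid4()),
        "Command": {"RequestType": "SecurityInfo"},
    }
    return plistlib.dumps(command, fmt=plistlib.FMT_XML)


def encode_for_fleet_api(plist_bytes):
    """Base64 the plist; assumption: this is what the `command` field of Fleet's
    POST /api/v1/fleet/commands/run expects."""
    return base64.b64encode(plist_bytes).decode("ascii")


def decode_command_result(b64_result):
    """Decode the base64 plist Fleet returns in a command result's `result` field.
    Raises if the device answered with Status=Error, surfacing its ErrorChain."""
    response = plistlib.loads(base64.b64decode(b64_result))
    if response.get("Status") != "Acknowledged":
        chain = response.get("ErrorChain", [])
        detail = "; ".join(e.get("LocalizedDescription", str(e)) for e in chain)
        raise RuntimeError(
            f"command {response.get('CommandUUID')} returned "
            f"{response.get('Status')}: {detail or 'no ErrorChain'}"
        )
    return response


def summarize_security_info(response):
    """Pull the fields the request cares about out of a SecurityInfo response."""
    info = response["SecurityInfo"]
    caps = int(info.get("HardwareEncryptionCaps", 0))
    return {
        "udid": response.get("UDID"),
        "passcode_present": bool(info.get("PasscodePresent", False)),
        "passcode_compliant": bool(info.get("PasscodeCompliant", False)),
        "block_level_encryption": bool(caps & BLOCK_LEVEL_ENCRYPTION),
        "file_level_encryption": bool(caps & FILE_LEVEL_ENCRYPTION),
    }


def compliance_failures(summary):
    """Reasons a device fails a passcode-plus-encryption policy (empty list = compliant)."""
    failures = []
    if not summary["passcode_present"]:
        failures.append("no passcode set")
    elif not summary["passcode_compliant"]:
        failures.append("passcode does not meet policy")
    if not summary["file_level_encryption"]:
        failures.append("file-level encryption not available")
    return failures


def make_sample_result(passcode_present, passcode_compliant, caps,
                       status="Acknowledged", udid="00008030-000000000000000E"):
    """Constructed device response (not a real capture; the UDID is a placeholder),
    base64-encoded the way Fleet hands results back, so the code runs offline."""
    response = {
        "CommandUUID": "0002_SecurityInfo",
        "Status": status,
        "UDID": udid,
        "SecurityInfo": {
            "HardwareEncryptionCaps": caps,
            "PasscodePresent": passcode_present,
            "PasscodeCompliant": passcode_compliant,
            "PasscodeCompliantWithProfiles": passcode_compliant,
        },
    }
    if status == "Error":
        # Constructed ErrorChain entry; real devices report their own domain and code.
        response["ErrorChain"] = [{"ErrorCode": 0, "ErrorDomain": "ExampleDomain",
                                   "LocalizedDescription": "constructed example error"}]
    return base64.b64encode(plistlib.dumps(response)).decode("ascii")


if __name__ == "__main__":
    print(encode_for_fleet_api(build_security_info_command("0002_SecurityInfo"))[:40], "...")
    for args in ((True, True, 3), (False, False, 1)):
        summary = summarize_security_info(decode_command_result(make_sample_result(*args)))
        print(summary["udid"], compliance_failures(summary) or "compliant")
```

The `compliance_failures` list is the piece an Okta-gating integration like the one described above would consume: an empty list means the device clears the passcode and encryption checks, anything else is the reason to block sign-in. Treat a `Status` of `Error` or `NotNow` as unknown rather than compliant, which is why `decode_command_result` raises instead of returning a partial dict.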
Hey @Patagonia121 can you please add the Gong snippet for pingali?
@noahtalerman I haven't been able to get customer-pingali directly into a call to grab an official snippet, but we had a Slack thread here dating back to Jan that outlines exactly what they want to collect for iOS and why it's important to them:
https://fleetdm.slack.com/archives/C050XE4CQNA/p1737574908260579?thread_ts=1737574534.713049&cid=C050XE4CQNA
Another way to collect additional details for Apple mobile devices: https://support.apple.com/guide/deployment/declarative-status-reports-depd90ee8a5f/1/web/1.0
We are also interested in having all this info built into Fleet, especially IMEI
@noahtalerman, if we need to prioritize data, customer-pingali would first like to get the status of a passcode on the device.