
In Fleet UI, add ability to turn on MDM features

Open noahtalerman opened this issue 2 years ago • 11 comments

Goal

In the settings, a new area for MDM.

Setup APNS

  • Ask for email and org name (can be autofilled by pre-existing information, but overridden)
  • Email must not be a personal email account such as gmail (I will provide full list)
  • If all valid, then Fleet generates an APNS certificate signing request (CSR)
  • After this, the user needs to do stuff off of Fleet UI:
      • go to the Apple developer site and upload it. Apple will return a cert.
      • go to the Fleet server and change the env variables

Setup SCEP

  • Click a button to get two certs (no validations needed)
  • Upload the two certs to the fleet server's env variables

Related

  • Parent: #7726
  • Previous CLI experience that parallels the UX. Has some copy for the post-cert instructions: https://github.com/fleetdm/fleet/pull/7523/files

noahtalerman avatar Sep 09 '22 20:09 noahtalerman

@mike-j-thomas FYI Mo let me know that you and Mo started to talk about setting up MDM in the Fleet UI. So that I can catch up, I plan to attend the next product design review call with you and Mike.

noahtalerman avatar Sep 09 '22 20:09 noahtalerman

@noahtalerman, Mo, and I spoke. He's going to write up an issue for me to start work on later this week.

mike-j-thomas avatar Sep 12 '22 00:09 mike-j-thomas

Mo, and I spoke. He's going to write up an issue for me to start work on later this week.

Got it! @zhumo please feel free to update this existing issue.

noahtalerman avatar Sep 13 '22 14:09 noahtalerman

@mike-j-thomas I assigned myself this issue and removed it from the digital experience board.

noahtalerman avatar Sep 20 '22 20:09 noahtalerman

@lucasmrod is it possible to reuse the same .crt and .key for SCEP that Fleet uses for AWS (Fleet server)? We'd like there to be just a "set of keys" for Fleet.

This way, we can simplify the setup by removing the concept of SCEP.

noahtalerman avatar Sep 21 '22 13:09 noahtalerman

is it possible to reuse the same .crt and .key for SCEP that Fleet uses for AWS (Fleet server)? We'd like there to be just a "set of keys" for Fleet.

What do you mean by "that Fleet uses for AWS (Fleet server)"?

Assuming you mean the TLS certificate used in the Fleet server: No, because the SCEP certificate is used for a different purpose: for signing client certificates for apple devices as part of the MDM enroll process.

lucasmrod avatar Sep 22 '22 13:09 lucasmrod

What do you mean by "that Fleet uses for AWS (Fleet server)"?

Ah, shoot. @lucasmrod I confused myself. I meant APNS instead of AWS.

Let me rephrase my question:

Is it possible to reuse the same .crt and .key for SCEP and APNS?

This way we can simplify the setup by removing the concept of SCEP.

noahtalerman avatar Sep 22 '22 14:09 noahtalerman

I meant APNS instead of AWS.

Gotcha.

Is it possible to reuse the same .crt and .key for SCEP and APNS? This way we can simplify the setup by removing the concept of SCEP.

No. Because SCEP certs are generated/managed by the Fleet operator, whereas APNS certificates are issued by Apple. (And they serve distinct purposes, so the certificates have different properties.)

lucasmrod avatar Sep 22 '22 14:09 lucasmrod

distinct purposes, so the certificates have different properties.

Makes sense.

simplify the setup by removing the concept of SCEP.

@lucasmrod to achieve this, can we hide SCEP away from the user?

Meaning, instead of this...

  1. user gets APNS certs from Apple
  2. user uploads APNS certs to Fleet
  3. user gets SCEP certs from Fleet
  4. user uploads SCEP certs to Fleet
  5. DONE

we do something like this...

  1. user gets APNS certs from Apple
  2. user uploads APNS certs to Fleet
  3. DONE (behind the scenes Fleet generates and uploads SCEP certs to Fleet)

noahtalerman avatar Sep 22 '22 14:09 noahtalerman

Yes, could be behind the scenes. Unlike APNS or DEP credentials, SCEP cert+key generation does not need User+Apple interaction.

PS: This is assuming we solve the issue of how to store sensitive credentials in Fleet. So I will start discussions with the team.

lucasmrod avatar Sep 22 '22 15:09 lucasmrod

Yes, could be behind the scenes.

👍

@zhumo I created user journeys for set up (new Fleet users) and turn on (existing Fleet users):

  • “Set up Fleet with MDM features” drawing (internal): https://docs.google.com/drawings/d/1Cg0MY_IjSt5q4TZwRg9SFj3NEG44M7ChnK38LOcDP-I/edit
  • “Turn on MDM features” drawing (internal): https://docs.google.com/drawings/d/1X6Y3g74dp1B-ln3vjumcHkkf93DrWE_KYZzK4rWBQnM/edit

What do you think? Please feel free to edit / leave notes.

noahtalerman avatar Sep 23 '22 16:09 noahtalerman

@noahtalerman

  • what is the first diagram for? Is this for people who are setting up fleet from scratch whereas the second one is if they already have fleet?
  • I wonder if enabling MDM would be on by default always. We just have to find a tasteful way to show hosts in non-MDM state that would gesture towards what's possible while simultaneously not being too much of an ad.
  • Even if we end up needing to enable MDM by some dev action, should this be a config rather than an ENV var?
  • When you get an APNS CSR cert, we could pre-fill it for you with your org name and email.
  • There is no need to update your email if you end up needing to use a different email.

Can you grab a time to review this together? This is a good exercise for both of us to talk through. Thanks for drawing it up.

zhumo avatar Sep 26 '22 17:09 zhumo

Can you grab a time to review this together?

@zhumo let's discuss during our call today @1:30p PST.

noahtalerman avatar Sep 26 '22 18:09 noahtalerman

UPDATE: Lucas please ignore my question below. I confirmed the user journeys are missing DEP steps (noahtalerman 2022-09-27).

I created user journeys for set up (new Fleet users) and turn on (existing Fleet users)

Heads up, I think these user journeys are missing steps to set up automatic enrollment (DEP). @lucasmrod is this correct?

I'm linking to the user journeys here:

  • “Set up Fleet with MDM features” drawing (internal): https://docs.google.com/drawings/d/1Cg0MY_IjSt5q4TZwRg9SFj3NEG44M7ChnK38LOcDP-I/edit
  • “Turn on MDM features” drawing (internal): https://docs.google.com/drawings/d/1X6Y3g74dp1B-ln3vjumcHkkf93DrWE_KYZzK4rWBQnM/edit

noahtalerman avatar Sep 26 '22 21:09 noahtalerman

Decision: De-prioritize the "Set up Fleet with MDM features" journey for now (noahtalerman 2022-09-26).

Reasoning:

  • Upgrading existing Fleet users is a priority over new users.
  • The "Turn on MDM features" journey can also be used by new users.

noahtalerman avatar Sep 27 '22 17:09 noahtalerman

@lucasmrod we'd like Fleet to be able to determine if the APNs certificate or DEP server token is invalid. How difficult is this?

Check out the UI wireframes for the desired behavior:

[Image: UI wireframes]

noahtalerman avatar Sep 29 '22 17:09 noahtalerman

To add more color here, does Apple provide various APIs to check on the status of a cert?

zhumo avatar Sep 29 '22 18:09 zhumo

Hi @noahtalerman. I believe the wireframes are assuming some automation (via a Fleet DM hosted service).

For reference, here are the steps if we were to implement "full manual" UI wireframes:

  1. Fleet server generates a push .key and push .csr. Push key is stored internally (user doesn't need to know of it). User downloads the push .csr file.
  2. User sends push .csr to a Fleet representative. (Via e-mail/slack.)
  3. Fleet representative signs the .csr. Sends back a signed .req file to the user. (Via e-mail/slack.)
  4. User uploads .req to their Apple account.
  5. User downloads .pem from their Apple account.
  6. User uploads .pem to Fleet.

If we automate (1), (2) and (3), which needs some discussion, then it would look like the UI wireframes. But it won't be a single Download operation, it will instead consist of: Fleet would generate .key + .csr and send the .csr as a request to a Fleet DM hosted service that will return a signed .req that the user can then download.

Looping @GuillaumeRoss and @zwass because the Fleet DM hosted service for signing .csrs needs some discussion, security-wise.

Let me know if that makes sense.

lucasmrod avatar Sep 30 '22 12:09 lucasmrod

we'd like Fleet to be able to determine if the APNs certificate or DEP server token is invalid.

Yes. When the user uploads the final PEM to Fleet, I believe there will be a way to connect via TLS to verify the uploaded PEM certificate (via making a test TLS connection to api.push.apple.com:443).

lucasmrod avatar Sep 30 '22 12:09 lucasmrod
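One way to implement the check Lucas describes, as an added Go example that is not Fleet's own code: CheckPushCert verifies offline that an uploaded PEM certificate and key match and that the certificate is inside its validity window, and ProbeAPNs performs the test TLS handshake (it needs network access, so it is not exercised here). NewSelfSignedPair only constructs a demo pair; all function names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CheckPushCert checks that certPEM and keyPEM match and that the certificate is valid at "now"; it returns whole days until expiry so the UI can warn early.
func CheckPushCert(certPEM, keyPEM []byte, now time.Time) (int, error) {
	pair, err := tls.X509KeyPair(certPEM, keyPEM) // fails on malformed PEM or key/cert mismatch
	if err != nil {
		return 0, fmt.Errorf("certificate/key rejected: %w", err)
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return 0, err
	}
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return 0, fmt.Errorf("certificate not valid at %s (valid %s to %s)", now, leaf.NotBefore, leaf.NotAfter)
	}
	return int(leaf.NotAfter.Sub(now).Hours() / 24), nil
}

// ProbeAPNs is the online check from the thread: a TLS handshake to addr (e.g. "api.push.apple.com:443") presenting the push certificate as client cert.
func ProbeAPNs(pair tls.Certificate, addr string) error {
	conn, err := tls.Dial("tcp", addr, &tls.Config{Certificates: []tls.Certificate{pair}})
	if err == nil {
		conn.Close()
	}
	return err
}

// NewSelfSignedPair builds a constructed self-signed Ed25519 pair for offline demos; a real push certificate is issued by Apple and is not self-signed.
func NewSelfSignedPair(notBefore, notAfter time.Time) (certPEM, keyPEM []byte) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail in practice
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notBefore, NotAfter: notAfter}
	tmpl.Subject = pkix.Name{CommonName: "constructed-demo-push-cert"} // placeholder subject
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err) // only reachable with a broken template
	}
	keyDER, _ := x509.MarshalPKCS8PrivateKey(priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
}
```

A server would run CheckPushCert on upload and, if it passes, ProbeAPNs against the real endpoint; an error from either is what the wireframes would surface as "invalid".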

If we automate (1), (2) and (3) which needs some discussion, then it would look like the UI wireframes.

Makes sense. I think we want this automation as part of the production release.

it won't be a single Download operation, it will instead consist of: Fleet would generate .key + .csr and send the .csr as a request to a Fleet DM hosted service that will return a signed .req that the user can then download.

I'm not sure I understand. The user could still take a single action (click), correct?

Say, I click Download. Then, behind the scenes Fleet takes care of the steps to generate a signed .req. Last, the download begins automatically in my browser.

cc @zhumo

noahtalerman avatar Sep 30 '22 16:09 noahtalerman

Decision: Punt on adding the ability to renew APNs certificate or DEP server token for now.

Reasoning: We can come back to this because the certificate and server token are valid for 1 year.

(noahtalerman 2022-09-20)

noahtalerman avatar Sep 30 '22 16:09 noahtalerman

I'm not sure I understand. The user could still take a single action (click), correct? Say, I click Download. Then, behind the scenes Fleet takes care of the steps to generate a signed .req. Last, the download begins automatically in my browser.

Yes, from the user's standpoint it's one action, "Download". On Fleet, this would involve multiple steps, one of them being a request to a Fleet DM hosted service and the last one being the download of the .csr.

lucasmrod avatar Sep 30 '22 16:09 lucasmrod

@lucasmrod can Fleet handle renewing SCEP certificates for the user?

noahtalerman avatar Oct 05 '22 14:10 noahtalerman

can Fleet handle renewing SCEP certificates for the user?

We still need to support this scenario for rotating SCEP CA certificates. We've discussed some ideas. AFAICS, all of them require some administrator/manual interaction.

/cc @GuillaumeRoss

lucasmrod avatar Oct 05 '22 14:10 lucasmrod

We still need to support this scenario for rotating SCEP CA certificates.

Guillaume or Lucas, do you know why we need to support this? Instead of Fleet handling the rotation for the user.

noahtalerman avatar Oct 05 '22 20:10 noahtalerman

We still need to support this scenario for rotating SCEP CA certificates.

Guillaume or Lucas, do you know why we need to support this? Instead of Fleet handling the rotation for the user.

For on-premise this is the responsibility of the Fleet administrator. (On a cloud solution this would be solved automatically by the cloud provider.)

CA certificate rotation is a pretty manual and involved process. They are not performed often (given how long CA certs live). It is also necessary whenever the CA is suspected to be compromised.

Maybe @GuillaumeRoss can provide more insight.

lucasmrod avatar Oct 07 '22 17:10 lucasmrod

A scenario where it is compromised is the most likely, and you could also have companies that are quite security conscious and have a lot of automation using expirations that aren't decades long, for example.

GuillaumeRoss avatar Oct 07 '22 17:10 GuillaumeRoss

For on-premise this is the responsibility of the Fleet administrator.

Does this have to be the case?

@GuillaumeRoss @lucasmrod let's say Fleet renews SCEP certs for the user when the user renews APNs. Wouldn't this handle the use case in which the user believes certificates (SCEP or APNs) are compromised?

cc @zhumo

noahtalerman avatar Oct 10 '22 14:10 noahtalerman

@zhumo I assigned you this issue and the following issue: #7957

My understanding is that these issues are ready for engineering review, specification, and implementation.

noahtalerman avatar Oct 13 '22 21:10 noahtalerman

@zhumo I assigned you this issue.

The Fleet UI now points the customer to use fleet serve with appropriate flags instead of uploading the certificates.

noahtalerman avatar Oct 17 '22 15:10 noahtalerman