Closed roperzh closed 1 year ago
It would be ideal if we could reduce the IT admin involvement to configure this feature.
Thanks Roberto!
For the third bullet, @noahtalerman do you have any ideas?
I think we rely on the IT admin to edit the DEP profile. Do we need to make changes to enable this? Today, the IT admin can use `fleetctl apple-mdm enrollment-profiles create-automatic`, correct?
FYI We'll replace this command with a config option in an upcoming story: #9643. See "Add new `mdm.apple_bm_unbox_settings` configuration option" section. As of now, this story is scheduled for next sprint.
Documenting the required config sounds good, thanks!
UPDATE: I moved this comment to the following "End user authentication during setup (SAML)": https://github.com/fleetdm/fleet/issues/10689#issuecomment-1508665076
Let's discuss there^ instead (noahtalerman 2023-04-13)
Hey @roperzh I think we need to update this issue's requirements now that we're planning to support SAML (covered in #10689).
I have a couple questions before I make the changes:
- [ ] If the deployment is self-hosted, the IT admin needs to create an Okta application with a specific set of parameters
Managed cloud users will also have to create an Okta app right?
What does this mean? The IT admin has to assign the new Okta app to users in Okta for end user auth during setup to work?
- [ ] The DEP profile (JSON file) needs to be configured with:
  - [ ] `"await_device_configured": true`
  - [ ] `"configuration_web_url": "https://fleet-server-url.com/mdm/apple/dep_login"` (the actual path needs to be confirmed and will be defined in https://github.com/fleetdm/fleet/issues/10272)
We can remove this part right? My understanding is that `await_device_configured` doesn't need to be set to `true` for end user auth to work. Also, Fleet will be handling updating `configuration_web_url`.
Closing this issue. We'll track docs for end user auth during setup as part of this story: #10689
Okta steps guide, Profiles bloom like blossoms, Users find their path.