Document steps required to set up end user auth during setup

[roperzh]

Task

• [ ] If the deployment is self-hosted, the IT admin needs to create an Okta application with a specific set of parameters
• [ ] Regardless of the previous bullet, the IT admin needs to assign an application to the users that will use the DEP login in Okta
• [ ] The DEP profile (JSON file) needs to be configured with:
  • [ ] "await_device_configured": true
  • [ ] "configuration_web_url": "https://fleet-server-url.com/mdm/apple/dep_login" (the actual path needs to be confirmed and will defined in https://github.com/fleetdm/fleet/issues/10272)

[roperzh]

It would be ideal if we could reduce the IT admin involvement to configure this feature.

• The first bullet can be managed by us for Fleet Cloud deployments
• The second bullet can't be automated AFAIK
• For the third bullet, @noahtalerman do you have any ideas? this is also related to #9569 so I think it needs your input

[noahtalerman]

Thanks Roberto!

For the third bullet, @noahtalerman do you have any ideas?

I think we rely on the IT admin to edit the DEP profile. Do we need to make changes to enable this? Today, the IT admin can use the fleetctl apple-mdm enrollment-profiles create-automatic correct?

FYI We'll replace this command with a config option in an upcoming story: #9643. See "Add new mdm.apple_bm_unbox_settings configuration option" section. As of now, this story is scheduled for next sprint.

[roperzh]

documenting the required config sounds good, thanks!

[noahtalerman]

UPDATE: I moved this comment to the following "End user authentication during setup (SAML)": https://github.com/fleetdm/fleet/issues/10689#issuecomment-1508665076

Let's discuss there^ instead (noahtalerman 2023-04-13)

Hey @roperzh I think we need to update this issue's requirements now that we're planning to support SAML (covered in #10689).

I have a couple questions before I make the changes:

• [ ] If the deployment is self-hosted, the IT admin needs to create an Okta application with a specific set of parameters

Managed cloud users will also have to create an Okta app right?

• [ ] Regardless of the previous bullet, the IT admin needs to assign an application to the users that will use the DEP login in Okta

What does this mean? The IT admin has to assign the new Okta app to users in Okta for end user auth during setup to work?

• [ ] The DEP profile (JSON file) needs to be configured with:
  • [ ] "await_device_configured": true
  • [ ] "configuration_web_url": "https://fleet-server-url.com/mdm/apple/dep_login" (the actual path needs to be confirmed and will defined in https://github.com/fleetdm/fleet/issues/10272)

We can remove this part right? My understanding is that await_device_configured doesn't need to be set to true true for end user auth to work. Also, Fleet will be handling updating configuration_web_url.

[noahtalerman]

Closing this issue. We'll track docs for end user auth during setup as part of this story: #10689

[fleet-release]

Okta steps guide, Profiles bloom like blossoms, Users find their path.