Closed zhumo closed 1 day ago
Noah: Today, why do we send the CSR over email?
Noah: How would we automatically generate and store the APNs key and SCEP cert/key?
Marko to add Figma link above
@noahtalerman CSR is sent over email to ensure that the claimed email is a real email address. It was part of our terms with Apple to have some sort of paper trail over who got which certs. All that said, I don't think we are restricted to doing it in that specific way. We should re-review those requirements though.
SCEP cert/key could be auto-generated, but afaik there is no way to automatically submit an APNs key. You need to go to the website and upload the CSR we provide.
@marko-lisica heads up, removed this from the drafting board as part of design sprint review because it didn't get estimated
Hey @marko-lisica @dherder, during design sprint kickoff we decided to deprioritize this feature. I added it back to FF because I think we should consider it for the next design sprint.
cc @zhumo
Noah: How does fleetctl-generate work? Will we automatically set the APNs key when the user runs the command? Will this break the connection to MDM?
@zayhanlon @edwardsb bringing this back to Feature Fest with 2 separate customer asks
Thanks. Indeed, it would be amazing for us to have this feature deployed. It's such a pain to have to manually reboot each customer instance every time we set up their MDM certificate; uploading files through the API is really needed 🙏 👍
Hi @zayhanlon and @dherder, it looks like I forgot to pull this one off the feature fest board after the last feature fest.
I just pulled it off.
Please bring back to FF if you want to discuss it.
@noahtalerman this continues to be a stumbling block on cloud deployments.
this continues to be a stumbling block on cloud deployments.
@dherder I hear you. Bringing this one to feature fest
Heads up @dherder, this feature request was brought to feature fest on 2024-02-15 and wasn't prioritized for the current design sprint.
@noahtalerman @lukeheath Piggybacking on @dherder's comment above, this has come up again with a different customer. I added the feature fest tag. Thanks!
@noahtalerman More context about the potential customer impact in this thread.
Hey @nonpunctual, heads up, we didn't have the space to take this one in the current design sprint (4.48).
Please feel free to bring this one back to feature fest!
@noahtalerman @marko-lisica customer comment 20240415
@nonpunctual is that comment from a managed cloud customer? Sounds like a quick win could be adding an item to the docs to contact customer support in Step 3: https://fleetdm.com/docs/using-fleet/mdm-macos-setup#step-3-configure-fleet-with-the-generated-files
@dherder @alexmitchelliii @rfairburn @lukeheath
@noahtalerman
There are 7 customers associated with this issue.
This issue has been open for more than 1 year.
We have a number of initiatives dependent on making the APNS configuration easier: https://github.com/fleetdm/fleet/issues/17970 https://github.com/fleetdm/fleet/issues/16660
I set up an MDM competitor's APNS certs in under 5m in their UI recently. It was as painless as this procedure can be given that it involves a .csr download, a .csr upload to a CA, a certificate download from the CA & an upload to the MDM server. Our process is a barrier to entry for new customers.
APNS certificates have been allowed to expire for a number of customers because there is no automated notification internally or externally to address expiry. In the worst case, this could result in a customer having to re-enroll devices if they lost access to the credentials used to renew their APNS certificate. #11544 addresses expiry notification.
It is a bad practice for Fleet to handle or be responsible for a customer's identity assets in any way even if this is considered trivial by our current standards & workflows.
Alex made a very good point regarding this issue: It may have been deprioritized in the past because we had a small number of MDM customers. The pain around this issue scales up with every new MDM prospect / customer.
In my opinion I don't think we can delay this any further. I consider it my top priority for all the reasons above. We have to put this action into customer / admin user control & make this easier to do.
+1 to @nonpunctual. I think now is the right time to prioritize it because it makes a significant improvement to two Q2 OKRs:
1. Improve the self-service tech eval experience.
2. Increase product maturity and fulfill customer promises.
Hey @nonpunctual @lukeheath and @dherder this story didn't make the 3-week drafting => estimation timeline.
Bringing it back to feature fest.
@noahtalerman @lukeheath Does this story need to go through expedited drafting? Thanks. https://fleetdm.com/handbook/product-design#revise-a-draft-currently-in-development
@noahtalerman is there anything I can do to help draft this with you so that we can move this forward?
@noahtalerman There is high demand for this across customers, prospects, and the community. Is there anything we can do in engineering to help get this ready for estimation in the next drafting cycle?
@noahtalerman One new feature we're excited to promote for folks trialing Fleet is the one-click deploy-to-Render button here: https://github.com/fleetdm/fleet/tree/main/infrastructure/render
The great thing is that it deploys in one click with no setup, environment variables, etc. It feels like magic. But, if MDM has to be configured through env vars, and the user still needs to learn how to do that, it means MDM cannot be demoed for anyone going through our soon-to-be recommended approach for trialing Fleet in a self-hosted environment. This will negatively impact our Q2 OKR to improve the self-service tech eval experience.
Is there anything we can do in engineering to help get this ready for estimation in the next drafting cycle?
@lukeheath it's the first thing being drafted next design sprint. So expected timeline is ~6 weeks from now.
Do you think it's valuable enough for the business to ship sooner?
If so, we can give it P2 and try to draft it + ship it next sprint. (~3 week timeline)
@noahtalerman my input is yes, it is valuable enough to the business to ship it sooner. Our whole hosted MDM pipeline is dependent on it as it is table stakes for a secure interaction with Fleet.
@noahtalerman @alexmitchelliii Agreed, adding the P2 label. Thanks for expediting this!
Hey @marko-lisica, when drafting, check out @georgekarrv's idea on how this could work in the "Theoretical Revision" section in contributor docs: https://github.com/fleetdm/fleet/blob/georgekarrv-mdm-cert-flow/docs/Contributing/MDM-Cert-Setup.md#theoretical-revision
Key part I think: IT admin just gets CSR (or public key for ABM). Everything else goes straight to the DB (obfuscated from the end user).
This issue was prioritized per the "blocking workflow" sort on the Feature Fest board. Thanks.
Hey @georgekarrv heads up, it looks like this story is on the release and drafting board.
The sub-tasks are all on the drafting board.
I removed the story from the drafting board and moved the sub-tasks to the release board.
From @noahtalerman, we're going to generate SCEP challenges as part of this feature too:
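As an added illustration (not code from this thread or from Fleet's codebase) of the flow @georgekarrv's note describes above, plus the SCEP challenge generation just mentioned: the server creates the key pair, keeps the private key and the challenge in its own store, and hands the admin only the CSR to upload to Apple. `CertAssets` is an assumed stand-in for the database table, the subject fields and sample values are constructed, and the PKCS#1 PEM storage format is an assumption; the check that a CSR carries the stored key's public half is what lets the certificate Apple later issues be paired with the key that never left the server.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"sync"
)

// CertAssets stands in for the server-side store (the DB in the thread's terms).
// The private key and the SCEP challenge live here and are never returned to
// the admin; the CSR is the only artifact that leaves the server.
type CertAssets struct {
	mu            sync.Mutex
	apnsKeyPEM    []byte // PKCS#1 private key, PEM-encoded (assumed storage format)
	scepChallenge string
}

// GenerateAPNsCSR creates a fresh RSA key pair, keeps the private key in the
// store and returns only the PEM-encoded CSR for upload to Apple's portal.
func GenerateAPNsCSR(store *CertAssets, email, org string) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, fmt.Errorf("generate key: %w", err)
	}
	tmpl := &x509.CertificateRequest{
		Subject:        pkix.Name{CommonName: email, Organization: []string{org}},
		EmailAddresses: []string{email},
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, fmt.Errorf("create csr: %w", err)
	}
	store.mu.Lock()
	store.apnsKeyPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	store.mu.Unlock()
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// CSRMatchesStoredKey checks that a CSR parses, is correctly self-signed and
// carries the public half of the key held in the store.
func CSRMatchesStoredKey(store *CertAssets, csrPEM []byte) (bool, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return false, fmt.Errorf("input is not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return false, err
	}
	if err := csr.CheckSignature(); err != nil {
		return false, err
	}
	store.mu.Lock()
	kb, _ := pem.Decode(store.apnsKeyPEM)
	store.mu.Unlock()
	if kb == nil {
		return false, fmt.Errorf("no private key stored")
	}
	key, err := x509.ParsePKCS1PrivateKey(kb.Bytes)
	if err != nil {
		return false, err
	}
	pub, ok := csr.PublicKey.(*rsa.PublicKey)
	return ok && pub.Equal(&key.PublicKey), nil
}

// NewSCEPChallenge draws 24 random bytes (32 URL-safe base64 characters),
// stores the challenge password and returns it for the enrollment profile.
func NewSCEPChallenge(store *CertAssets) (string, error) {
	buf := make([]byte, 24)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	c := base64.RawURLEncoding.EncodeToString(buf)
	store.mu.Lock()
	store.scepChallenge = c
	store.mu.Unlock()
	return c, nil
}

// VerifySCEPChallenge compares a presented challenge against the stored one in
// constant time; an empty store never matches.
func VerifySCEPChallenge(store *CertAssets, presented string) bool {
	store.mu.Lock()
	want := store.scepChallenge
	store.mu.Unlock()
	return want != "" && subtle.ConstantTimeCompare([]byte(want), []byte(presented)) == 1
}

func main() {
	store := &CertAssets{}
	csr, err := GenerateAPNsCSR(store, "admin@example.com", "Example Org") // constructed values
	if err != nil {
		panic(err)
	}
	ok, err := CSRMatchesStoredKey(store, csr)
	fmt.Printf("csr matches stored key: %v (err=%v)\n", ok, err)
	challenge, _ := NewSCEPChallenge(store)
	fmt.Printf("scep challenge verifies: %v\n", VerifySCEPChallenge(store, challenge))
	fmt.Print(string(csr)) // the only thing handed to the admin
}
```

The mutex-guarded struct is only a placeholder for whatever row the real feature writes; the point is the boundary: nothing but the CSR PEM crosses to the admin, and the challenge is compared with `subtle.ConstantTimeCompare` rather than `==`.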
QA Testing Complete, notes below.
Two blockers atm
Manual testing steps:
Fresh config (no existing certs)
Verify Default Team for ADE works = PASS
Turn off Automatic Enrollment then erase ADE mac to ensure it does not enroll = PASS
Ensure after turning MDM off hosts don’t receive commands = PASS
Test CLI = generate -h, generate .csr or APNs = PASS
Ensure Windows MDM still functions as expected = PASS
All blockers have been resolved. QA Approved!
Hey @zayhanlon, @Patagonia121, @nonpunctual, and @dherder heads up this customer request was shipped in Fleet 4.51 🚀
Merging in docs is still TODO: #19862
After docs are merged we can close this story.
Closing this one, since #19862 is merged.
Upload certs with ease, Time saved is like a breeze, Admins find peace.
Goal
Context
Changes
Product
19461
19463
19549
POST /api/v1/fleet/mdm/apple/dep/key_pair
POST /api/v1/fleet/mdm/apple/request_csr
Engineering
QA
Risk assessment
Manual testing steps
Testing notes
Confirmation