Upload APNs cert and ABM token

[zhumo]

Goal

User story
As a IT admin,
I want to upload required certs for MDM via the UI,
so that I can avoid re-deploying and adjusting/code-committing to my company's terraform thereby saving a lot of time.

Context

• Product designer: @marko-lisica

Changes

Product

• [x] UI changes: Figma link
• [x] CLI usage changes: Figma link
• [ ] REST API changes: https://github.com/fleetdm/fleet/pull/19862
• [x] Permissions changes:
  • Fleet admin (global) can turn MDM on, turn MDM off, renew APNs certificate
  • Fleet admin (global) can enable automatic enrollment, disable automatic enrollment, renew ABM token
• [x] Outdated documentation changes:

  • 19461

  • 19463

  • 19549

• [x] Other requirements:
  • It's ok to break old endpoints:
  • POST /api/v1/fleet/mdm/apple/dep/key_pair
  • POST /api/v1/fleet/mdm/apple/request_csr
  • Users can upgrade fleetctl to the latest version. We’ll show a warning to the user that there’s an error mismatch
  • Migration: For users that have APNs key, SCEP key/cert/challange stored as environment variable, next time the server starts certs/keys/challenge will be moved into the database.

Engineering

• [ ] Database schema migrations: TODO
• [ ] Load testing: TODO

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

• Requires load testing: TODO
• Risk level: Low / High TODO
• Risk description: TODO

Manual testing steps

1. Step 1
2. Step 2
3. Step 3

Testing notes

Confirmation

1. [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
2. [ ] QA (@____): Added comment to user story confirming successful completion of QA.

[noahtalerman]

Noah: Today, why do we send the CSR over email? Noah: How would we automatically generate and store the APNs key and SCEP cert/key?

[mikermcneil]

Marko to add Figma link above

[zhumo]

@noahtalerman CSR is sent over email to ensure that the claimed email is a real email address. It was part of our terms with Apple to have some sort of paper trail over who got which certs. All that said, I don't think we are restricted to doing it in that specific way. We should re-review those requirements though.

SCEP cert/key could be auto-generated, but afaik there is no way to automatically submit an APNs key. You need to go to the website and upload the CSR we provide.

[noahtalerman]

@marko-lisica heads up, removed this from the drafting board as part of design sprint review because it didn't get estimated

[noahtalerman]

Hey @marko-lisica @dherder during design sprint kickoff we decided to deprioritize this feature. I added it back to FF because I think we should consider for next design sprint

cc @zhumo

[noahtalerman]

Noah: How does fleetctl-generate work? Will we automatically set the APNs key when the user runs the command? Will this break the connection to MDM?

[dherder]

@zayhanlon @edwardsb bringing this back to Feature Fest with 2 separate customer asks

[valentinpezon-primo]

@zayhanlon @edwardsb bringing this back to Feature Fest with 2 separate customer asks

Thanks. Indeed, It would be amazing for us to have this feature deployed, it's such a pain to have to manually reboot each customer instance everytime we setup their MDM certificate, uploading files throught API is really needed 🙏 👍

[noahtalerman]

Hy @zayhanlon and @dherder it looks like I forgot to pull this one off feature fest board after the last feature fest.

I just pulled it off.

Please bring back to FF if you want to discuss it.

[dherder]

@noahtalerman this continues to be a stumbling block on cloud deployments.

[noahtalerman]

this continues to be a stumbling block on cloud deployments.

@dherder I hear you. Bringing this one to feature fest

[noahtalerman]

Heads up @dherder, this feature request was brought to feature fest on 2024-02-15 and wasn't prioritized for the current design sprint.

[nonpunctual]

@noahtalerman @lukeheath Piggybacking on @dherder comment above this has come up again with a different customer. I added the feature fest tag. Thanks!

[lukeheath]

@noahtalerman More context about the potential customer impact in this thread.

[noahtalerman]

Hey @nonpunctual, heads up, we didn't have the space to take this one in the current design sprint (4.48).

Please feel free to bring this one back to feature fest!

[JoStableford]

Related to a Slack conversation

[nonpunctual]

@noahtalerman @marko-lisica customer comment 20240415

[noahtalerman]

@nonpunctual is that comment from a managed cloud customer? Sounds like a quick win could be adding an item to the docs to contact customer support in Step 3: https://fleetdm.com/docs/using-fleet/mdm-macos-setup#step-3-configure-fleet-with-the-generated-files

[nonpunctual]

@dherder @alexmitchelliii @rfairburn @lukeheath

@noahtalerman

There are 7 customers associated to this issue.

This issue has been open for more than 1 year.

We have a number of initiatives dependent on making the APNS configuration easier: https://github.com/fleetdm/fleet/issues/17970 https://github.com/fleetdm/fleet/issues/16660

I setup an MDM competitor's APNS certs in under 5m in their UI recently. It was as painless as this procedure can be given that it involves a .csr download, a .csr upload to a CA, a certificate download from the CA & an upload to the MDM server. Our process is a barrier to entry for new customers.

APNS certificates have been allowed to expire for a number of customers because there is no automated notification internally or externally to address expiry. In the worst case, this could result in a customer having to re-enroll devices if they lost access to the credentials used to renew their APNS certificate. #11544 addresses expiry notification.

It is a bad practice for Fleet to handle or be responsible for a customer's identity assets in any way even if this is considered trivial by our current standards & workflows.

Alex made a very good point regarding this issue: It may have been deprioritized in the past because we had a small number of MDM customers. The pain around this issue scales up with every new MDM prospect / customer.

In my opinion I don't think we can delay this any further. I consider it my top priority for all the reasons above. We have to put this action into customer / admin user control & make this easier to do.

[lukeheath]

+1 to @nonpunctual. I think now is the right time to prioritize it because it makes a significant improvement to two Q2 OKR:

1. Improve the self-service tech eval experience.

• Self-service tech eval of MDM (especially Apple) is painful and requires extensive configuration via environment variables.

2. Increase product maturity and fulfill customer promises.

• The ability to upload MDM certs via the UI is standard for all commercial MDM products. By not offering it, our product appears to lack maturity.
• A common sentiment among the community is that this this a table stake for being a player at the MDM table.

[noahtalerman]

Hey @nonpunctual @lukeheath and @dherder this story didn't make the 3-week drafting => estimation timeline.

Bringing it back to feature fest.

[nonpunctual]

@noahtalerman @lukeheath Does this story need to go through expedited drafting? Thanks. https://fleetdm.com/handbook/product-design#revise-a-draft-currently-in-development

[dherder]

@noahtalerman is there anything I can do to help draft this with you so that we can move this forward?

[lukeheath]

@noahtalerman There is high demand for this across customers, prospects, and the community. Is there anything we can do in engineering to help get this ready for estimation in the next drafting cycle?

[lukeheath]

@noahtalerman One new feature we're excited to promote for folks trialing Fleet is the one-click deploy-to-Render button here: https://github.com/fleetdm/fleet/tree/main/infrastructure/render

The great thing is that it deploys in one click with no setup, environment variables, etc. It feels like magic. But, if MDM has to be configured through env vars, and the user still needs to learn how to do that, it means MDM cannot be demoed for anyone going through our soon-to-be recommended approach for trialing Fleet in a self-hosted environment. This will negatively impact our Q2 OKR to improve the self-service tech eval experience.

[noahtalerman]

Is there anything we can do in engineering to help get this ready for estimation in the next drafting cycle?

@lukeheath it's the first thing being drafted next design sprint. So expected timeline is ~6 weeks from now.

Do you think it's valuable enough for the business to ship sooner?

If so, we can give it P2 and try to draft it + ship it next sprint. (~3 week timeline)

[alexmitchelliii]

@noahtalerman my input is yes, it is valuable enough to the business to ship it sooner. Our whole hosted MDM pipeline is dependent on it as it is table stakes for a secure interaction with Fleet.

[lukeheath]

@noahtalerman @alexmitchelliii Agreed, adding the P2 label. Thanks for expediting this!

[noahtalerman]

Hey @marko-lisica, when drafting, checkout @georgekarrv's idea on how this could work in the "Theoretical Revision" section in contributor docs: https://github.com/fleetdm/fleet/blob/georgekarrv-mdm-cert-flow/docs/Contributing/MDM-Cert-Setup.md#theoretical-revision

Key part I think: IT admin just gets CSR (or public key for ABM). Everything else goes straight to the DB (obfuscated from the end user).

[nonpunctual]

This issue was prioritized per the "blocking workflow" sort on the Feature Fest board. Thanks.

[noahtalerman]

Hey @georgekarrv heads up, it looks like this story is on the release and drafting board.

The sub-tasks are all on the drafting board.

I removed the story from the drafting board and moved the sub-tasks to the release board.

[roperzh]

[roperzh]

from @noahtalerman , we're going to generate SCEP challenges as part of this feature too:

[PezHub]

QA Testing Complete, notes below.

Two blockers atm

1. Bad Error message if FLEET SERVER PRIVATE KEY is not configured
2. Generate mdm-apple-bm from CLI does not work

Manual testing steps:

• Fresh config (no existing certs)

  • Ensure mdm works on existing hosts = PASS
  • Ensure mdm works with newly enrolled hosts. VMs and ADE = PASS
  • Confirm on first click APNS key, SCEP key, SCEP cert, and SCEP challenge are stored in database = PASS
  • Check copy matches FIGMA = PASS
  • Test Renewal Process for APNs = PASS
  • Test Renewal Process for ABM Token = PASS
  • Test Turning off/on MDM, then re-enrolling hosts = PASS

• Verify Default Team for ADE works = PASS

• Turn off Automatic Enrollment then erase ADE mac to ensure it does not enroll = PASS

• Ensure after turning MDM off hosts don’t receive commands = PASS

• Test CLI = generate -h, generate .csr or APNs = PASS

  • generate certs for ABM = FAIL. Bug Ticket filed

• Ensure Windows MDM still functions as expected = PASS

[PezHub]

All blockers have been resolved. QA Approved!

[noahtalerman]

Hey @zayhanlon, @Patagonia121, @nonpunctual, and @dherder heads up this customer request was shipped in Fleet 4.51 🚀

Merging in docs is still TODO: #19862

After docs are merged we can close this story.

[marko-lisica]

Closing this one, since #19862 is merged.

[fleet-release]

Upload certs with ease, Time saved is like a breeze, Admins find peace.