Sign macOS enrollment and configuration profiles

[zhumo]

Goal

User story
As an IT admin,
I want my the enrollment profile and configuration profiles installed on my macOS hosts to be signed
so that anyone viewing the enrollment profile in System Settings > Profiles won't see a red "Unsigned" message.

Context

• Product designer: @marko-lisica

Changes

Product

• [ ] Changes:
  • Add mdm.apple​_scep​_cert as a trusted certificate root to the host's keychain
  • Profiles uploaded to Fleet should automatically be signed with SCEP certificate that's added to root ^
  • fleetd should add certificate to the root
  • Profiles should be signed in following scenarios:
    • After automatic enrollment
    • After manual enrollment described in docs (when fleetd is installed prior to enrollment profile)
    • After manual enrollment via enrollment profile (when fleetd is installed after enrollment profile)
    • NOTE: The enrollment profile will appear as "Unverified" before end-user review and install profile and immediately after it's installed will show up as verified as well as a configuration profiles.
  • Profiles installed before the upgrade won't be retroactively signed
• [ ] Outdated documentation changes: TODO Release notes that existing profiles won't be retroactively signed (they must be re-installed). UPDATE: This didn't make it into the release notes. Pulling it into a comment here.

Engineering

• [ ] Database schema migrations: TODO
• [ ] Load testing: TODO

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

• Requires load testing: TODO
• Risk level: Low / High TODO
• Risk description: TODO

Manual testing steps

1. Step 1
2. Step 2
3. Step 3

Testing notes

Confirmation

1. [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
2. [ ] QA (@____): Added comment to user story confirming successful completion of QA.

[noahtalerman]

unfortunately is the name we currently put in the SCEP cert, we can absolutely change that for new certs we generate tho.

@roperzh got it! I tracked this as a feature request here: https://github.com/fleetdm/fleet/issues/18427

[noahtalerman]

Hey @dherder, @pintomi1989, @Patagonia121 heads up, this prospect/customer request was shipped in 4.49 ✨

Note that existing profiles won't be retroactively signed (they must be re-installed).

[rachaelshaw]

C&C: need to check for out-of-date documentation (@marko-lisica can you help with this when you're back?)

[noahtalerman]

Closing this issue.

Did a search through Custom OS settings doc page and we don't mention signing at all.

This is ok because we think IT admins expect profiles to be signed by default.

[fleet-release]

Profiles signed, secure, Trust in systems restored, pure. Fleet aids, reassures.

[noahtalerman]

Existing profiles won't be retroactively signed (they must be re-installed).