fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Add mTLS capability to ChromeOS #12683

Open ksatter opened 12 months ago

ksatter commented 12 months ago

Goal

As a Fleet Premium user, I would like to have the same mTLS functionality that is available in Orbit when using the ChromeOS extension.

From the customer: ChromeOS support + mTLS + Chrome Policies... We currently use the policy AutoSelectCertificateForUrls to tell Chrome to present our internal identity certs for URLs with a specific pattern. I'm wondering if the Fleet ChromeOS agent could leverage that policy?

From Zach: I think it should work. The extension uses the standard browser fetch API, and I think Chrome should choose the certificate the same as usual in an extension. Please let us know if you find an issue.

Next steps: Waiting for customer to test

Context

This would allow greater security and reduce friction during security audits for ChromeOS devices enrolled in Fleet.

noahtalerman commented 1 month ago

Hey @pintomi1989, is customer-starchik planning on deploying fleetd to ChromeOS? Do you know when?

pintomi1989 commented 1 month ago

Hey @noahtalerman,

No timeframe was given, but it was stated that this is the item that is blocking them from rolling out to ChromeOS. I've followed up to get a sense of scope.

getvictor commented 1 month ago

We could test this internally.

  1. Generate client/server certs and CAs. https://victoronsoftware.com/posts/mtls-hello-world/
  2. Add client cert and CA to ChromeOS image
  3. Enable AutoSelectCertificateForUrls to use the above cert for the Fleet URL.
  4. Stand up an mTLS Fleet server or go through a proxy like ngrok. https://ngrok.com/docs/http/mutual-tls/
  5. Install fleetd-chrome on ChromeOS using the mTLS URL.

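A loopback version of steps 1 and 4 above, written in Go as an added example (not code from the Fleet project): it issues a throwaway CA, a server cert and a device identity cert with the standard library, starts an HTTPS server that requires a client cert chaining to that CA, and confirms that a request presenting the device cert succeeds while one presenting nothing is rejected. The CA and device names, the loopback address and the handler's response are constructed for the example; the Go client stands in for the browser, so Chrome's AutoSelectCertificateForUrls policy is not exercised here. It needs Go 1.20 or later for errors.Join.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// issueCert returns a fresh P-256 key and a certificate for cn, self-signed when parent is
// nil (the test CA) and otherwise signed by parent/parentKey. eku restricts what the leaf may do.
func issueCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, eku x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // unique enough for a throwaway test CA
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{eku},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // httptest listens on loopback
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// RunMTLSCheck builds a CA, a server cert and a device identity cert (constructed names), starts a
// loopback HTTPS server that requires a client cert chaining to that CA, then sends one request with
// the device cert and one with none. It returns the authenticated body and whether the bare request failed.
func RunMTLSCheck() (string, bool, error) {
	caCert, caKey, errCA := issueCert("Test Root CA", true, nil, nil, x509.ExtKeyUsageAny)
	srvCert, srvKey, errSrv := issueCert("127.0.0.1", false, caCert, caKey, x509.ExtKeyUsageServerAuth)
	devCert, devKey, errDev := issueCert("chromeos-device-01", false, caCert, caKey, x509.ExtKeyUsageClientAuth)
	if err := errors.Join(errCA, errSrv, errDev); err != nil {
		return "", false, err
	}
	pool := x509.NewCertPool() // trust anchor shared by both sides
	pool.AddCert(caCert)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Under RequireAndVerifyClientCert the peer chain is already verified against ClientCAs.
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // this line is the mTLS requirement
		ClientCAs:    pool,
	}
	srv.StartTLS()
	defer srv.Close()
	get := func(cert *tls.Certificate) (string, error) {
		cfg := &tls.Config{RootCAs: pool}
		if cert != nil {
			cfg.Certificates = []tls.Certificate{*cert}
		}
		c := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
		resp, err := c.Get(srv.URL)
		if err != nil {
			return "", err
		}
		defer resp.Body.Close()
		body, err := io.ReadAll(resp.Body)
		return string(body), err
	}
	// The device presents its identity cert, which is what AutoSelectCertificateForUrls makes Chrome do.
	body, err := get(&tls.Certificate{Certificate: [][]byte{devCert.Raw}, PrivateKey: devKey})
	if err != nil {
		return "", false, err
	}
	// No client cert at all: the handshake (or, under TLS 1.3, the first read) must fail.
	_, err = get(nil)
	return body, err != nil, nil
}

func main() { fmt.Println(RunMTLSCheck()) }
```

The server side is the part that matters for a Fleet deployment: ClientAuth must be RequireAndVerifyClientCert with ClientCAs set to the internal CA, otherwise a client that never presents a cert still gets through. On a real ChromeOS test the extension's fetch calls replace the Go client, and the policy decides which cert Chrome offers; if the policy's URL pattern does not match the Fleet server URL, the failure looks exactly like the second request here.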
noahtalerman commented 2 weeks ago

Hey @zayhanlon and @Patagonia121 heads up, we didn't get to this air guitar during the current design sprint (ends today).

Added it back to feature fest to discuss prioritization.

noahtalerman commented 2 weeks ago

Hey @zayhanlon, let's maybe come back to this after the customer migrates macOS.

cc @Patagonia121