Install unique, custom certificate as part of Wi-Fi and Ethernet macOS configuration profiles

[noahtalerman]

Goal

User story
As an IT admin,
I want to install custom certificates as part of the Wi-Fi and Ethernet profiles
so that I can use this cert to grant the end user access to my organization’s network.

• ✅ "Custom certificate authority" (Fleet Premium)
• ✅ "Custom WiFi and Ethernet certificates" (Fleet Premium)

User journey

• IT admin creates a custom Wi-Fi or Ethernet profile in iMazing with Wi-Fi or Ethernet payload and a com.apple.security.root payload with the public key
• IT admin saves this profile, opens it in their text editor, and adds a com.apple.security.pkcs1 payload with empty data, and System for the PayloadScope
• Fleet goes and gets the cert from the CA and installs the profile w/ Wi-Fi or Ethernet settings, public key, and cert on end user's device Keychain

Changes

• IT admin can add a custom Wi-Fi or VPN profile that points the device to Fleet to get a certificate from the certificate authority (CA).
• Fleet sends an MDM command to send a public key to the host via the device channel
  • Note that the requester uses the com.apple.security.pkcs1 MDM payload to install the key
• When the IT admin adds a profile that requires a certificate, Fleet gets a cert from the CA and sends it to the host via the device channel. Cert gets installed on device Keychain

Product

• [ ] UI changes: TODO
• [ ] CLI usage changes: TODO
• [ ] Permissions changes: TODO
• [ ] Outdated documentation changes: TODO
• [ ] Changes to paid features or tiers TODO

Engineering

• [ ] REST API changes: TODO
• [ ] Database schema migrations: TODO
• [ ] Documentation changes complete

Product quality

• [ ] QA complete
• [ ] ...

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

Context

• Requestor(s): _____

QA

Risk assessment

• Requires load testing: TODO
• Risk level: Low / High TODO
• Risk description: TODO

Manual testing steps

1. Step 1
2. Step 2
3. Step 3

Testing notes

Confirmation

1. [ ] Engineer (@____): Added comment to user story confirming succesful completion of QA.
2. [ ] QA (@____): Added comment to user story confirming succesful completion of QA.

[noahtalerman]

Fleet sends an MDM command to send a public key to the host via the device channel

When the IT admin adds a profile that requires a certificate, Fleet gets a cert from the CA and sends it to the host via the device channel. Cert gets installed on device Keychain

First pass at the workflow for this^ in Fleet:

• IT admin creates a Wi-Fi or Ethernet profile in iMazing with Wi-Fi or Ethernet payload and a com.apple.security.root payload with the public key
• IT admin saves this profile, opens it in their text editor, and adds a com.apple.security.pkcs1 payload with empty data, and System for the PayloadScope
• Fleet goes and gets the cert from the CA and installs the profile w/ Wi-Fi or Ethernet settings, public key, and cert on device's Keychain

[noahtalerman]

Hey @Patagonia121, heads up, we didn't have the space to take this on in the current design sprint (4.48).

It's a relatively large level of effort.

Like #13418, let's move quickly and meet with @alexmitchelliii to discuss the plan for addressing this customer request.