Closed: noahtalerman closed this issue 8 months ago
For macOS, these are the steps:
First you need to build an installer that will read the configs from an enrollment profile, using:
fleetctl package --type=pkg --use-system-configuration --fleet-desktop
With your MDM (tested using Kandji) send an enrollment configuration profile like this one (replacing YOUR_ENROLL_SECRET_HERE and YOUR_FLEET_URL_HERE):
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>PayloadContent</key>
    <array>
      <dict>
        <key>EnrollSecret</key>
        <string>YOUR_ENROLL_SECRET_HERE</string>
        <key>FleetURL</key>
        <string>YOUR_FLEET_URL_HERE</string>
        <key>PayloadDisplayName</key>
        <string>Fleetd configuration</string>
        <key>PayloadIdentifier</key>
        <string>com.fleetdm.fleetd.config</string>
        <key>PayloadType</key>
        <string>com.fleetdm.fleetd.config</string>
        <key>PayloadUUID</key>
        <string>476F5334-D501-4768-9A31-1A18A4E1E807</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
      </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>Fleetd configuration</string>
    <key>PayloadIdentifier</key>
    <string>com.fleetdm.fleetd.config</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>0C6AFB45-01B6-4E19-944A-123CD16381C7</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadDescription</key>
    <string>Default configuration for the fleetd agent.</string>
  </dict>
</plist>
For Windows the steps are the following: pass the FLEET_URL and FLEET_SECRET properties to the MSI installer:
msiexec /i fleetd-base.msi FLEET_URL="<target_url>" FLEET_SECRET="<secret_to_use>"
Example msiexec execution (we tried this and it works)
msiexec /i fleetd-base.msi FLEET_URL="https://fleet-url.org" FLEET_SECRET="1EM262jFhXlEcWn9nr/kCQGNa5sIh3GM"
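The macOS profile above is a static template that has to be edited by hand for every enroll secret and Fleet URL. The script below is an added example (not Fleet's own tooling, not code from this issue) that generates the same com.fleetdm.fleetd.config profile with plistlib, minting fresh PayloadUUIDs each time, and then re-parses a profile to confirm it carries exactly one fleetd payload with the FleetURL and EnrollSecret keys fleetd reads. The https-only check on FleetURL is this example's own addition, added because the enroll secret is submitted to that URL; the file name and the sample values are placeholders.

```python
import plistlib
import uuid
from urllib.parse import urlparse

# Identifiers taken from the enrollment profile shown in the issue.
PAYLOAD_TYPE = "com.fleetdm.fleetd.config"
PAYLOAD_IDENTIFIER = "com.fleetdm.fleetd.config"


def build_fleetd_profile(fleet_url: str, enroll_secret: str) -> bytes:
    """Return an XML mobileconfig carrying FleetURL and EnrollSecret in a
    com.fleetdm.fleetd.config payload, mirroring the issue's example.
    New PayloadUUIDs are generated on every call so two generated profiles
    never collide on the MDM side."""
    parsed = urlparse(fleet_url)
    # The enroll secret is sent to this URL; this example refuses anything
    # but https (an assumption of this script, not a fleetd requirement).
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"FleetURL must be an https:// URL, got {fleet_url!r}")
    if not enroll_secret.strip():
        raise ValueError("EnrollSecret must not be empty")

    inner = {
        "EnrollSecret": enroll_secret,
        "FleetURL": fleet_url,
        "PayloadDisplayName": "Fleetd configuration",
        "PayloadIdentifier": PAYLOAD_IDENTIFIER,
        "PayloadType": PAYLOAD_TYPE,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
    }
    outer = {
        "PayloadContent": [inner],
        "PayloadDisplayName": "Fleetd configuration",
        "PayloadIdentifier": PAYLOAD_IDENTIFIER,
        "PayloadType": "Configuration",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDescription": "Default configuration for the fleetd agent.",
    }
    return plistlib.dumps(outer, fmt=plistlib.FMT_XML)


def check_fleetd_profile(data: bytes) -> dict:
    """Parse a mobileconfig and return the fleetd settings it would install.
    Raises ValueError when the structure is not the one shown in the issue,
    which makes it a cheap pre-upload review step for profiles edited by hand."""
    root = plistlib.loads(data)
    if root.get("PayloadType") != "Configuration":
        raise ValueError("top-level PayloadType must be 'Configuration'")
    payloads = [
        p for p in root.get("PayloadContent", [])
        if p.get("PayloadType") == PAYLOAD_TYPE
    ]
    if len(payloads) != 1:
        raise ValueError(
            f"expected exactly one {PAYLOAD_TYPE} payload, found {len(payloads)}"
        )
    payload = payloads[0]
    for key in ("FleetURL", "EnrollSecret", "PayloadUUID"):
        if not payload.get(key):
            raise ValueError(f"fleetd payload is missing {key}")
    if root.get("PayloadUUID") == payload["PayloadUUID"]:
        raise ValueError("outer and inner PayloadUUID must differ")
    return {"FleetURL": payload["FleetURL"], "EnrollSecret": payload["EnrollSecret"]}


if __name__ == "__main__":
    # Constructed placeholder values; substitute real ones before uploading.
    profile = build_fleetd_profile("https://fleet.example.com", "YOUR_ENROLL_SECRET_HERE")
    with open("fleetd-config.mobileconfig", "wb") as f:
        f.write(profile)
    print(check_fleetd_profile(profile))
```

Run it once per Fleet URL and enroll secret pair, upload the resulting .mobileconfig to the MDM, and keep the generated file out of version control, since it contains the secret that the --use-system-configuration package was built to omit.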
Hey @sharon-fdm this is QA only work. Do you think we could bring this in at the beginning of the sprint?
Device enrollment succeeded on both Windows 11 and macOS 14.0
Hey @spokanemac, can you please help me add a guide to fleetdm.com/guides for this?
I think we can call it "Deploy Fleet's agent w/o sensitive credentials"
See the comments above for instructions to do this on macOS and Windows.
C&C: @noahtalerman to review JD's article
@spokanemac hey! I just dropped some comments on your article: https://docs.google.com/document/d/1pEVedcYXuvox6vALhlhdxfTLBARVPLljlW8Hz_lvREc/edit
@noahtalerman I rewrote the introduction for this and added a conclusion with a CTA. We can drop the conclusion if you don't think it's necessary.
@spokanemac and I just spoke. We decided to remove all mention of "security" and instead frame the article around Fleet's differentiators of "openness" and "flexibility."
Aka here's an alternative method for deploying fleetd if generating one package and deploying these options separately is more convenient.
Why? Fleet is not trying to be the most secure MDM. Fleet will be just as secure as other MDM solutions and we'll differentiate by being more open.
C&C: @noahtalerman to review the article
Article is here! https://fleetdm.com/guides/config-less-fleetd-agent-deployment
Enroll secret shared, One package for all hosts cared, Efficiency declared.
UPDATE: The instructions documented in the comments have been tested and they work. Next step is to pull the instructions into a guide on fleetdm.com/guides.