fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Deploy an enroll secret and server URL to macOS and Windows #13670

Closed noahtalerman closed 8 months ago

noahtalerman commented 1 year ago

UPDATE: The instructions documented in the comments have been tested and they work. Next step is to pull the instructions into a guide on fleetdm.com/guides.

Goal

User story
As an IT admin,
I want to use an alternative method to enroll my hosts to Fleet by programmatically setting the enroll secret and server URL
so that I only need to generate one package for all my hosts.

noahtalerman commented 1 year ago

For macOS, these are the steps:

  1. First you need to build an installer that will read the configs from an enrollment profile, using: fleetctl package --type=pkg --use-system-configuration --fleet-desktop

  2. With your MDM (tested using Kandji) send an enrollment configuration profile like this one (replacing YOUR_ENROLL_SECRET_HERE and YOUR_FLEET_URL_HERE):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>PayloadContent</key>
    <array>
      <dict>
        <key>EnrollSecret</key>
        <string>YOUR_ENROLL_SECRET_HERE</string>
        <key>FleetURL</key>
        <string>YOUR_FLEET_URL_HERE</string>
        <key>PayloadDisplayName</key>
        <string>Fleetd configuration</string>
        <key>PayloadIdentifier</key>
        <string>com.fleetdm.fleetd.config</string>
        <key>PayloadType</key>
        <string>com.fleetdm.fleetd.config</string>
        <key>PayloadUUID</key>
        <string>476F5334-D501-4768-9A31-1A18A4E1E807</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
      </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>Fleetd configuration</string>
    <key>PayloadIdentifier</key>
    <string>com.fleetdm.fleetd.config</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>0C6AFB45-01B6-4E19-944A-123CD16381C7</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadDescription</key>
    <string>Default configuration for the fleetd agent.</string>
  </dict>
</plist>
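Added example, not part of the issue or of Fleet's own tooling: a Python script that builds the enrollment profile shown above with plistlib (fresh PayloadUUIDs, same payload layout and identifiers) and checks a profile before it is pushed by MDM: the placeholders must be replaced and FleetURL must be an https URL. The hostname and secret used when calling it are constructed values.

```python
"""Build and sanity-check a fleetd enrollment profile (.mobileconfig)."""
import plistlib
import uuid
from urllib.parse import urlparse

# Payload type/identifier used by fleetd for --use-system-configuration
FLEETD_PAYLOAD_TYPE = "com.fleetdm.fleetd.config"
PLACEHOLDERS = {"YOUR_ENROLL_SECRET_HERE", "YOUR_FLEET_URL_HERE"}


def build_profile(fleet_url: str, enroll_secret: str) -> bytes:
    """Return XML plist bytes mirroring the profile in the comment above."""
    payload = {
        "EnrollSecret": enroll_secret,
        "FleetURL": fleet_url,
        "PayloadDisplayName": "Fleetd configuration",
        "PayloadIdentifier": FLEETD_PAYLOAD_TYPE,
        "PayloadType": FLEETD_PAYLOAD_TYPE,
        "PayloadUUID": str(uuid.uuid4()).upper(),  # new UUID per profile
        "PayloadVersion": 1,
    }
    profile = {
        "PayloadContent": [payload],
        "PayloadDisplayName": "Fleetd configuration",
        "PayloadIdentifier": FLEETD_PAYLOAD_TYPE,
        "PayloadType": "Configuration",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDescription": "Default configuration for the fleetd agent.",
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def validate_profile(data: bytes) -> list:
    """Return a list of problems found in a profile; an empty list means OK."""
    problems = []
    root = plistlib.loads(data)
    if root.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType must be Configuration")
    fleetd = [p for p in root.get("PayloadContent", [])
              if p.get("PayloadType") == FLEETD_PAYLOAD_TYPE]
    if len(fleetd) != 1:
        return problems + ["expected exactly one fleetd config payload"]
    p = fleetd[0]
    for key in ("EnrollSecret", "FleetURL"):
        if not p.get(key) or p.get(key) in PLACEHOLDERS:
            problems.append(f"{key} is missing or still a placeholder")
    url = urlparse(p.get("FleetURL", ""))
    if url.scheme != "https" or not url.netloc:
        problems.append("FleetURL must be an https:// URL")
    return problems
```

Write the bytes returned by build_profile to a .mobileconfig file and upload it to your MDM; the hardening checks in validate_profile are this example's, not fleetd's.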
noahtalerman commented 1 year ago

For Windows the steps are the following:

  1. Download the Base MSI installer from https://download.fleetdm.com/fleetd-base.msi (once installed, orbit and fleet-desktop will be upgraded to latest)
  2. Install fleet on Windows boxes by passing the FLEET_URL and FLEET_SECRET properties to the MSI installer:
msiexec /i fleetd-base.msi FLEET_URL="<target_url>" FLEET_SECRET="<secret_to_use>"
Example msiexec execution (we tried this and it works):
msiexec /i fleetd-base.msi FLEET_URL="https://fleet-url.org" FLEET_SECRET="1EM262jFhXlEcWn9nr/kCQGNa5sIh3GM"
zhumo commented 1 year ago

Hey @sharon-fdm this is QA only work. Do you think we could bring this in at the beginning of the sprint?

xpkoala commented 11 months ago

Device enrollment succeeded on both Windows 11 and macOS 14.0

noahtalerman commented 11 months ago

Hey @spokanemac, can you please help me add a guide to fleetdm.com/guides for this?

I think we can call it "Deploy Fleet's agent w/o sensitive credentials"

See the comments above for instructions to do this on macOS and Windows.

spokanemac commented 11 months ago

Working doc

noahtalerman commented 11 months ago

C&C: @noahtalerman to review JD's article

noahtalerman commented 10 months ago

C&C: @noahtalerman to review JD's article

noahtalerman commented 9 months ago

@spokanemac hey! I just dropped some comments on your article: https://docs.google.com/document/d/1pEVedcYXuvox6vALhlhdxfTLBARVPLljlW8Hz_lvREc/edit

spokanemac commented 9 months ago

@noahtalerman I rewrote the introduction for this and added a conclusion with a CTA. We can drop the conclusion if you don't think it's necessary.

noahtalerman commented 8 months ago

@spokanemac and I just spoke. We decided to remove all mention of "security" and instead frame the article around Fleet's differentiators of "openness" and "flexibility."

Aka here's an alternative method for deploying fleetd if generating one package and deploying these options separately is more convenient.

Why? Fleet is not trying to be the most secure MDM. Fleet will be just as secure as other MDM solutions and we'll differentiate by being more open.

noahtalerman commented 8 months ago

C&C: @noahtalerman to review the article

noahtalerman commented 8 months ago

Article is here! https://fleetdm.com/guides/config-less-fleetd-agent-deployment

fleet-release commented 8 months ago

Enroll secret shared, One package for all hosts cared, Efficiency declared.