fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Add authentication to Windows MDM endpoints #14662

Open marcosd4h opened 10 months ago

marcosd4h commented 10 months ago

Goal

User story
As an IT admin using Windows MDM features,
I want the Windows MDM endpoints to be authenticated
so that I know Fleet's Windows MDM features are as secure as other Windows MDM solutions.

Changes

Product

Engineering

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

Context

QA

Risk assessment

Manual testing steps

  1. Step 1
  2. Step 2
  3. Step 3

Testing notes

Confirmation

  1. [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
  2. [ ] QA (@____): Added comment to user story confirming successful completion of QA.
roperzh commented 10 months ago

@marcosd4h could you please add specifics about the Windows versions with problems in the linked issue? Just so we know what to test.

marcosd4h commented 10 months ago

@marcosd4h could you please add specifics about the Windows versions with problems in the linked issue? Just so we know what to test.

Sure! This was found with Windows 10 RS5 (Version 1809 - Major Build 17763). I'm using this version mostly because this was the first version where MDM enrollment and management clients were introduced according to this

I found a doc from Microsoft with information that was not in the spec. See here. I need to try this out, but it seems that on the latest versions, for the TLS cert to go through, the certificate used to provision the device identity cannot be a self-signed cert.


marcosd4h commented 9 months ago

FYI - @georgekarrv @roperzh @mna

I've pushed an update to the Windows MDM PoC with the research I've done around MS-MDM Application Level Authentication.

Details can be found here - https://github.com/fleetdm/fleet/pull/14802

I've also created a doc with the details of the findings here

marko-lisica commented 8 months ago

@georgekarrv @roperzh This didn't finish this design sprint. Removing it from the drafting board, please let us know if we should bring it back.

roperzh commented 6 months ago

@marko-lisica just seeing this comment, sorry. I added ~feature-fest because this is an important thing to do.

noahtalerman commented 6 months ago

@marcosd4h heads up, I moved your original issue description here:

According to the MS-MDM spec in section 1.3.1, MS-MDM protocol can be authenticated through transport-level security, which relies on TLS transport. If this mechanism is unavailable, authentication can be performed through a legacy application-level security mechanism specified in an OMA-DM Open Mobile Alliance specification here

The latest version of Windows doesn't populate the TLS.PeerCertificates array with the certificate information provisioned during device enrollment. This means that transport-level security cannot be used, and that authentication should be performed through application-level security.

This story aims to research how the application-level security algorithm works and create a PoC if possible.
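
Added example, not Fleet's code and not from the linked PoC: a server-side check of the OMA-DM syncml:auth-md5 credential that the description above names as the application-level fallback. It assumes the device's Cred value is the base64 digest defined by the OMA-DM Security spec, B64(MD5(B64(MD5(username:password)):nonce)); the function names, the device ID and password are constructed here.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
)

// NewNonce returns a fresh random nonce for the server's NextNonce challenge.
// A nonce is valid for one session only; reusing it makes replay possible.
func NewNonce() ([]byte, error) {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		return nil, err
	}
	return n, nil
}

// AuthMD5Digest computes the OMA-DM syncml:auth-md5 credential:
//   B64( MD5( B64( MD5(username ":" password) ) ":" nonce ) )
// MD5 is what the legacy spec mandates, not a choice made here.
func AuthMD5Digest(username, password string, nonce []byte) string {
	inner := md5.Sum([]byte(username + ":" + password))
	innerB64 := base64.StdEncoding.EncodeToString(inner[:])
	outerInput := append([]byte(innerB64+":"), nonce...)
	outer := md5.Sum(outerInput)
	return base64.StdEncoding.EncodeToString(outer[:])
}

// VerifyAuthMD5 checks the Cred value a device sent against the password on
// record and the nonce this server issued, comparing in constant time.
func VerifyAuthMD5(username, password string, nonce []byte, received string) bool {
	if received == "" || len(nonce) == 0 {
		return false
	}
	expected := AuthMD5Digest(username, password, nonce)
	return subtle.ConstantTimeCompare([]byte(expected), []byte(received)) == 1
}

func main() {
	nonce, err := NewNonce()
	if err != nil {
		panic(err)
	}
	// Constructed sample: device ID as user name, a per-device shared secret.
	cred := AuthMD5Digest("DEVICE-0001", "device-secret", nonce)
	fmt.Println("credential accepted:", VerifyAuthMD5("DEVICE-0001", "device-secret", nonce, cred))
	fmt.Println("stale nonce rejected:", !VerifyAuthMD5("DEVICE-0001", "device-secret", []byte("old"), cred))
}
```

The user name and password are the values provisioned to the device at enrollment; the server must issue a new nonce per session and reject a credential computed against an earlier one.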

noahtalerman commented 6 months ago

Hey @roperzh heads up, I updated this issue to use Fleet's user story template.

When you get the chance, can you please help me update the issue to include the required changes?

Also, please feel free to update the user story. Especially if it's misleading.

georgekarrv commented 4 months ago

Hey team! Please add your planning poker estimate with Zenhub @dantecatalfamo @ghernandez345 @gillespi314 @mna @roperzh