fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Store fleetd enroll secret in Keychain Access when using MDM for macOS #16118

Open getvictor opened 10 months ago

getvictor commented 10 months ago

Goal

User story
As a security-minded team member at a company using Fleet macOS MDM,
I want to store the enroll secret in Keychain Access on macOS hosts
so that bad actors cannot find the enroll secret and enroll unauthorized hosts in Fleet.

This is the 2nd part of #13832. Discussion notes: https://docs.google.com/document/d/1V8krj0gTJCHnqFT3edlH90dBZ8rWONSkt-SovMKAEjo/edit#heading=h.tbdv30dv5zu9

noahtalerman commented 7 months ago

Hey @getvictor and @Patagonia121, heads up, we didn't get to this one in the last design sprint.

Bringing it back to feature fest.

noahtalerman commented 7 months ago

Hey @Patagonia121, heads up, we reviewed this during feature fest.

We don't have the space to take this one in the upcoming design sprint (4.49).

Removing this from the feature fest board.

mostlikelee commented 1 month ago

The enrollment secret is stored in plain text in: /Library/Managed Preferences/com.fleetdm.config.plist

as well as in the downloaded enrollment profile in the manual enrollment flow: https://${server}/api/latest/fleet/device/${hostIdentifier}/mdm/apple/manual_enrollment_profile

The latter URL is an unauthenticated endpoint.

roperzh commented 1 month ago

> as well as in the downloaded enrollment profile in the manual enrollment flow: https://${server}/api/latest/fleet/device/${hostIdentifier}/mdm/apple/manual_enrollment_profile
>
> The latter URL is an unauthenticated endpoint.

@mostlikelee any chance you're thinking about the SCEP challenge here? We don't include enroll secrets in the enrollment profile. Since the SCEP challenge needs to be there, the approach to improve security is different and tracked here: https://github.com/fleetdm/fleet/issues/8477

Also note that the endpoint is authenticated using the device token, which rotates every hour to a random UUID value and can only be accessed by the host (I can see how the device token can be considered weaker authentication though).

mostlikelee commented 1 month ago

@roperzh good point on the device token auth, I missed that.

In the enrollment profile, I'm seeing the enrollment secret as a param:

<key>URL</key>
<string>https://${SERVER}/api/v1/fleet/ota_enrollment?enroll_secret=${SECRET}</string>

roperzh commented 1 month ago

@mostlikelee ahhh you're 100% right, the enroll secret is there for the OTA flow.

It was a product call (cc: @noahtalerman @georgekarrv), but it definitely should be at least considered as part of this story.

getvictor commented 2 weeks ago

One way to implement the fix would be for fleetd to store the secret in the keychain, and then tell Fleet server to resend the config profile, but this time without the secret.
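One way to carry out the first half of that proposal, as an added example that is not Fleet's own code: a Go routine that pulls the enroll_secret query parameter out of every URL string in a profile (the OTA enrollment URL quoted above), so the value can be handed to the keychain and a secret-free copy of the profile re-issued. The server hostname, the secret value and the profile fragment are constructed placeholders, not values from Fleet.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"html"
	"net/url"
	"regexp"
)

// Constructed sample profile fragment (placeholder server and secret), shaped like
// the OTA enrollment URL entry quoted in the thread.
const sampleProfile = `<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>PayloadType</key><string>Profile Service</string>
<key>URL</key>
<string>https://fleet.example.com/api/v1/fleet/ota_enrollment?enroll_secret=EXAMPLE_SECRET</string>
</dict></plist>`

var plistString = regexp.MustCompile(`(?s)<string>(.*?)</string>`)

// StripEnrollSecret rewrites every <string> value that is a URL carrying an
// enroll_secret query parameter so that the parameter is gone, and returns the
// rewritten profile plus the secrets removed (the values to move into the
// keychain). Strings that are not URLs, or carry no secret, pass through unchanged.
func StripEnrollSecret(profile string) (string, []string) {
	var secrets []string
	out := plistString.ReplaceAllStringFunc(profile, func(m string) string {
		raw := html.UnescapeString(plistString.FindStringSubmatch(m)[1]) // undo XML escaping (&amp; etc.)
		u, err := url.Parse(raw)
		if err != nil || u.Scheme == "" {
			return m // plain text value, not a URL
		}
		q := u.Query()
		secret := q.Get("enroll_secret")
		if secret == "" {
			return m
		}
		secrets = append(secrets, secret)
		q.Del("enroll_secret")
		u.RawQuery = q.Encode()
		var buf bytes.Buffer
		xml.EscapeText(&buf, []byte(u.String())) // re-escape for the plist
		return "<string>" + buf.String() + "</string>"
	})
	return out, secrets
}
```

The returned secrets are what fleetd would write to the keychain; the returned profile is what the server would re-send in the second step of the proposal.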