Closed noahtalerman closed 5 months ago
cc @pauldittmer2 @dherder
Note: This list also includes everything around fleet desktop as well:
/api/*/fleet/device/*/migrate_mdm
/api/*/fleet/device/*
/api/*/fleet/device/*/rotate_encryption_key
/api/*/fleet/device/*/debug/errors
/api/*/fleet/device/*/desktop
/api/*/fleet/device/*/refetch
/api/*/fleet/device/*/transparency
Since fleet desktop is already otherwise solved for the customer, I'll make sure to limit this down to only the mdm-specific ones needed as a final answer for this. Some overlap will likely exist in order to obtain the rotating UUID, but I'll confirm the specifics.
I spent some time going over the existing mTLS vs non-mTLS configuration/ingresses with the mdm team and how that would interact with existing mdm features, and this is how things would need to be configured currently in order to work:
/mdm/apple/scep
/mdm/apple/mdm
/mdm/apple/enroll
ORBIT_FLEET_DESKTOP_ALTERNATIVE_BROWSER_HOST
are not currently supported.
/api/*/fleet/device/*/mdm/apple/manual_enrollment_profile
) will use orbit's existing mTLS capability assuming the fleetctl package command used to generate it included the mTLS certificates.
Please let me know if there are further questions or clarifications needed. @noahtalerman
Closing this issue out because the docs PR is merged.
@Patagonia121 please let us know if there are any further questions from the customer. Thanks!
Endpoints clear and bright,
Adding security, pure light.
Fleet's power in sight.
Goal
Currently, this "Which API endpoints to expose to the public internet?" article lists these endpoints:
@rfairburn mentioned that these endpoints also need to be exposed:
/api/*/fleet/device/*/migrate_mdm
/api/*/fleet/device/*
/api/*/fleet/device/*/rotate_encryption_key
/api/*/fleet/device/*/debug/errors
/api/*/fleet/device/*/desktop
/api/*/fleet/device/*/refetch
/api/*/fleet/device/*/transparency
Changes
Product
ORBIT_FLEET_DESKTOP_ALTERNATIVE_BROWSER_HOST
affects these endpoints if at all
Context
ORBIT_FLEET_DESKTOP_ALTERNATIVE_BROWSER_HOST
to a value that's different from the URLs that osquery uses
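As an added illustration that is not part of this issue or of Fleet's own code, the following Python turns the device endpoint patterns listed in the issue into an allowlist check of the kind a reverse-proxy or WAF rule for the public ingress would implement. It assumes (the issue does not say) that each `*` stands for exactly one non-empty path segment, such as the API version or the per-device token.

```python
import re

# Endpoint patterns quoted in the issue (Fleet Desktop / MDM device endpoints).
# Assumption, not stated on the page: each "*" matches exactly one path segment.
PUBLIC_DEVICE_ENDPOINTS = [
    "/api/*/fleet/device/*/migrate_mdm",
    "/api/*/fleet/device/*",
    "/api/*/fleet/device/*/rotate_encryption_key",
    "/api/*/fleet/device/*/debug/errors",
    "/api/*/fleet/device/*/desktop",
    "/api/*/fleet/device/*/refetch",
    "/api/*/fleet/device/*/transparency",
]


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Turn a glob-style endpoint pattern into an anchored regex.

    Literal segments are escaped; each "*" becomes one non-empty segment
    that cannot contain "/", so a wildcard never spans several segments
    and an empty segment (double slash) never matches.
    """
    parts = [r"[^/]+" if seg == "*" else re.escape(seg) for seg in pattern.split("/")]
    return re.compile("^" + "/".join(parts) + "$")


_COMPILED = [pattern_to_regex(p) for p in PUBLIC_DEVICE_ENDPOINTS]


def is_public_device_path(path: str) -> bool:
    """Return True if the request path matches an allowlisted device endpoint.

    The query string is ignored for matching. Path normalisation (percent
    decoding, dot-segment removal) is assumed to have been done by the proxy
    before this check runs, so a raw "..", trailing slash or empty segment
    simply fails to match rather than being interpreted.
    """
    path = path.split("?", 1)[0]
    return any(rx.match(path) for rx in _COMPILED)


if __name__ == "__main__":
    # Constructed sample paths, not taken from the issue.
    for p in ["/api/v1/fleet/device/tok123/desktop", "/api/v1/fleet/hosts"]:
        print(p, "->", is_public_device_path(p))
```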