fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

TODO: Add MDM config/profile library to website #18739

Open zwass opened 5 months ago

zwass commented 5 months ago

Goal

User story
As a Fleet user (or really anyone who uses MDM on macOS or Windows),
I want to browse a library of ready to go MDM configurations
so that I can save time and use industry-standard practices to more effectively manage my devices.

How?

I imagine we would extend the query library on fleetdm.com/queries to also support MDM configs (beyond that, maybe also scripts?)

Context

See discussion on LinkedIn: https://www.linkedin.com/feed/update/urn:li:activity:7191816141864869888?commentUrn=urn%3Ali%3Acomment%3A%28activity%3A7191816141864869888%2C7191834012460441603%29&dashCommentUrn=urn%3Ali%3Afsd_comment%3A%287191834012460441603%2Curn%3Ali%3Aactivity%3A7191816141864869888%29

mike-j-thomas commented 4 months ago

@zwass, some questions:

@eashaw, assuming I have this right, how big of a lift do you think this would be?

zwass commented 4 months ago

I'm not sure if we have a "library" of them currently but I do imagine we would start with the ones we use in our environment.

Yes, I think what you outlined is basically what would be needed.

@nonpunctual @spokanemac any thoughts on this?

@mike-j-thomas

spokanemac commented 4 months ago

@mike-j-thomas, I have started to compile a few. These are XML files. I think this might be best added to https://github.com/fleetdm/fleet-gitops
@zwass 

Edit: Apple has a repo of these in YAML

nonpunctual commented 4 months ago

@zwass Thanks for making this issue! I have it on a list of things to discuss as projects with @zayhanlon (that list is getting kind of long...)

@spokanemac the files are schemas. I am not quite clear how those should be used, but, maybe they are supposed to be used in an MDM to GENERATE profiles.

@ddribeiro what's your tolerance for Windows CSP & making profiles like the ones below? :)

I also have a few I've created for customers specifically for Windows & this (to me) is the biggest need:

Screen Lock (device profile)

<Replace>
  <!-- Enforce screenlock. Note the inverted semantics of this CSP node:
       0 = password required (enabled), 1 = disabled. -->
  <Item>
    <Meta>
      <Format xmlns="syncml:metinf">int</Format>
    </Meta>
    <Target>
      <LocURI>./Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled</LocURI>
    </Target>
    <Data>0</Data>
  </Item>
</Replace>
<Replace>
  <!-- Enforce screenlock after 15 minutes of inactivity (value is in minutes) -->
  <Item>
    <Meta>
      <Format xmlns="syncml:metinf">int</Format>
    </Meta>
    <Target>
      <LocURI>./Device/Vendor/MSFT/Policy/Config/DeviceLock/MaxInactivityTimeDeviceLock</LocURI>
    </Target>
    <Data>15</Data>
  </Item>
</Replace>

Wi-Fi (device profile)

<Add>
  <Item>
    <Meta>
      <Format xmlns="syncml:metinf">chr</Format>
    </Meta>
    <Target>
      <!-- {SSID} is a placeholder for the profile name -->
      <LocURI>./Device/Vendor/MSFT/WiFi/Profile/{SSID}/WlanXml</LocURI>
    </Target>
    <!-- The WLAN profile is a second XML document carried as a string, so it must be
         XML-escaped inside <Data>. Pasting it in raw, with its own <?xml ...?> declaration,
         makes the outer profile ill-formed. The declaration has to be the first characters
         of the payload, so it sits directly after <Data>. The namespace URI must be exactly
         http://www.microsoft.com/networking/WLAN/profile/v1.
         SSID-NAME-HERE and PASSPHRASE-HERE are placeholders; with <protected>false</protected>
         the passphrase is stored in clear text, so treat the finished profile as a secret
         rather than a public library entry. -->
    <Data>&lt;?xml version="1.0"?&gt;
      &lt;WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1"&gt;
        &lt;name&gt;Wireless Network&lt;/name&gt;
        &lt;SSIDConfig&gt;
          &lt;SSID&gt;
            &lt;name&gt;SSID-NAME-HERE&lt;/name&gt;
          &lt;/SSID&gt;
        &lt;/SSIDConfig&gt;
        &lt;connectionType&gt;ESS&lt;/connectionType&gt;
        &lt;connectionMode&gt;auto&lt;/connectionMode&gt;
        &lt;autoSwitch&gt;false&lt;/autoSwitch&gt;
        &lt;MSM&gt;
          &lt;security&gt;
            &lt;authEncryption&gt;
              &lt;authentication&gt;WPA2PSK&lt;/authentication&gt;
              &lt;encryption&gt;AES&lt;/encryption&gt;
              &lt;useOneX&gt;false&lt;/useOneX&gt;
            &lt;/authEncryption&gt;
            &lt;sharedKey&gt;
              &lt;keyType&gt;passPhrase&lt;/keyType&gt;
              &lt;protected&gt;false&lt;/protected&gt;
              &lt;keyMaterial&gt;PASSPHRASE-HERE&lt;/keyMaterial&gt;
            &lt;/sharedKey&gt;
          &lt;/security&gt;
        &lt;/MSM&gt;
      &lt;/WLANProfile&gt;</Data>
  </Item>
</Add>

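
As an added check (not Fleet's code and not from anyone in this thread), a small linter for Windows profiles of the shape posted above, meant to run before a file goes into a shared library: it parses the SyncML fragment, checks each item's LocURI, Meta/Format and Data, and verifies that a WlanXml payload unescapes to a well-formed WLANProfile document in the right namespace. The `./Device/` and `./User/` scope rule and the sample items are assumptions constructed here.

```python
import xml.etree.ElementTree as ET

WLAN_NS = "http://www.microsoft.com/networking/WLAN/profile/v1"
FORMATS = {"int", "chr", "bool", "b64", "bin", "xml", "node"}  # SyncML formats seen in CSP docs

def lint_windows_profile(profile_xml: str) -> list[str]:
    """Return the problems found in a Fleet-style Windows profile (empty list = OK).
    Assumption: the file is a bare sequence of <Replace>/<Add> elements, as above."""
    problems = []
    try:
        root = ET.fromstring(f"<Profile>{profile_xml}</Profile>")  # wrap the fragment
    except ET.ParseError as exc:
        return [f"profile is not well-formed XML: {exc}"]
    for cmd in root:
        if cmd.tag not in ("Replace", "Add"):
            problems.append(f"unexpected top-level element <{cmd.tag}>")
            continue
        for item in cmd.findall("Item"):
            loc = (item.findtext("Target/LocURI") or "").strip()
            fmt = item.findtext("Meta/{syncml:metinf}Format")  # Format carries its own xmlns
            data = item.find("Data")
            # Scope convention assumed for this library: device- or user-scoped CSP paths only.
            if not loc.startswith(("./Device/", "./User/")):
                problems.append(f"LocURI must start with ./Device/ or ./User/: {loc!r}")
            if fmt not in FORMATS:
                problems.append(f"missing or unknown Meta/Format for {loc}")
            if data is None:
                problems.append(f"missing <Data> for {loc}")
            elif loc.endswith("/WlanXml"):
                problems += check_wlan_xml(loc, data.text or "")
    return problems

def check_wlan_xml(loc: str, payload: str) -> list[str]:
    """The WlanXml payload is XML-escaped inside <Data>; once the outer parser unescapes
    it, it must be a well-formed WLANProfile document in the WLAN profile namespace."""
    try:
        wlan = ET.fromstring(payload)  # fails if e.g. whitespace precedes <?xml ...?>
    except ET.ParseError as exc:
        return [f"{loc}: WlanXml payload is not well-formed XML: {exc}"]
    if wlan.tag != f"{{{WLAN_NS}}}WLANProfile":
        return [f"{loc}: expected WLANProfile in {WLAN_NS}, got {wlan.tag}"]
    return []

# Constructed sample: the screen-lock item from above, plus a copy where a raw, unescaped
# inner <?xml ...?> declaration was pasted into <Data> and breaks the outer document.
SAMPLE_OK = """<Replace><Item><Meta><Format xmlns="syncml:metinf">int</Format></Meta>
<Target><LocURI>./Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled</LocURI></Target>
<Data>0</Data></Item></Replace>"""
SAMPLE_BAD = SAMPLE_OK.replace("<Data>0</Data>", '<Data><?xml version="1.0"?><x/></Data>')
```

Running `lint_windows_profile` over every file in a profile directory and failing CI on a non-empty result is enough to keep malformed or mis-scoped profiles out of the library.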
nonpunctual commented 3 months ago

@roperzh @zwass @noahtalerman @zayhanlon @lukeheath @ksatter @spokanemac @dherder @willmayhone88

So, yesterday one of the technicians from a customer asked us about deploying the Dashlane Chrome Browser extension on Windows using a Configuration Profile. Google makes these kinds of configs available for Chrome via open source: https://cloud.google.com/docs/chrome-enterprise/policies/

Dashlane's instructions for creating the profile for Chrome on Windows uses ADMX. This is a template framework for profile creation on Windows used in Intune:

https://support.dashlane.com/hc/en-us/articles/9525584137618-Deploy-Dashlane-browser-extension-using-Intune

My original thought was that we could use Intune to create these profiles & export them, but, profiles created with ADMX templates can't be exported from the Intune GUI.


It seems they can be exported from the Microsoft Graph API, but, I don't know if the exported entity would be in a useable state for Fleet or if it can only be imported to another Intune instance (still testing...)

Concern: It's hard to make Configuration Profiles for Windows. It seems that Microsoft has tools for doing so, but, unsurprisingly, they are not making them easy to use outside of Intune.

Question: what is the appetite for fulfilling this request by building the Microsoft ADMX template framework into Fleet?


Rather than building a library of profiles, this might actually be the safest, easiest, best option for customers.

Alternatively, maybe creating something outside Fleet similar to the iMazing Profile Creator but for Windows based on ADMX also seems doable.

Thanks.

ddribeiro commented 3 months ago

@nonpunctual I don't have much experience with Windows CSP, but I can certainly take a look at creating comparable profiles for Windows computers.

noahtalerman commented 3 months ago

> My original thought was that we could use Intune to create these profiles & export them, but, profiles created with ADMX templates can't be exported from the Intune GUI.

@nonpunctual yeah... 😢

> what is the appetite for fulfilling this request by building the Microsoft ADMX template framework into Fleet?

> Alternatively, maybe creating something outside Fleet similar to the iMazing Profile Creator but for Windows based on ADMX also seems doable.

Let's track it as a feature request so we don't lose it! My gut says it's a bigger request (research and design) so I'm not sure we'll get to it soon. @marko-lisica might have some early stage designs for this IIRC.

In the meantime, I think slowly creating a library of Windows profiles that we know are handy would be awesome!

This would also help product design the right feature when we do get to adding it to Fleet.

N0rthg4t3 commented 3 months ago

@nonpunctual Maybe the Windows configuration designer (WCD / ICD) app from Microsoft is "something outside fleet" that would be helpful? The handling here is comparable to the Intune GUI.

For the exact reason you describe - which I came across about 4 weeks ago - I have taken a look at that app and to my surprise, under certain configuration formats there ARE .xml files containing a trace of the relevant CSP / ADMX settings in several outputs of configuration / provisioning packages. However, they seem to have a different convention compared to the format that fleetdm would expect. I still have to think about what I can do with these files or if a small parser would be robust enough for this to be helpful.

For reference to WCD / ICD: https://learn.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-install-icd - specifically see the custom configuration options instead of the provisioning package options.

N0rthg4t3 commented 3 months ago

Something that just came to mind right now: When creating an advanced provisioning configuration, the app accesses some kind of information to populate the GUI with relevant runtime settings. Maybe these can be extracted somehow or reference to some pre-existing library from Microsoft that could theoretically be parsed...? I will take a look at that.

N0rthg4t3 commented 3 months ago

Turns out there are several .dat files in the app's root directory referencing several of these advanced configuration options. These files, according to several reverse engineering tools, represent some form of MS registry hives in a certain format. I was able to mount and humanly read these files with regedit and discovered that certain parts in these nested hives could theoretically be parsed with their full CSP configuration path (and possibly even ADMX, have not looked at that yet). I am currently experimenting to find a way to do this and whether it could be robust enough for further processing.

nonpunctual commented 3 months ago

@N0rthg4t3 Well if you find the Rosetta Stone let us know! Thanks for the update!

phtardif1 commented 4 weeks ago

We have a large prospect with 20K endpoints wanting to support Windows profiles via ADMX. Will this feature support that?

mike-j-thomas commented 2 weeks ago

Hey all, I'm checking in on this ticket. Looks like it inspired a lot of conversation. Bringing it back to the website, is https://github.com/fleetdm/fleet-gitops/tree/main/lib our current go-to list?

mike-j-thomas commented 2 weeks ago

@spokanemac (forgot to tag you in the previous comment)