fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Automatically generate certificates for macOS configuration profiles (ex. Wi-Fi) #20213

Closed dherder closed 1 week ago

dherder commented 1 month ago

UPDATE: Closed because it's a duplicate of the following issue:

(noahtalerman)
Problem

Today we use the mdmscep binary to generate SCEP payloads for the MDM enrollment profile. In order to gain parity with other macOS MDMs, we would need to support generation of SCEP payloads with dynamic challenges for profiles other than the enrollment profile (i.e., Enterprise Wi-Fi, device attestation, etc.).

From Jamf developer docs:

SCEPChallenge Beginning with Jamf Pro v10.32.0, this event is triggered only when using the Dynamic challenge type for distribution of SCEP payloads. The event is triggered during the assembly of a SCEP payload. The SCEPChallenge event is the only event that currently supports the ability for Jamf Pro to interpret a response. A valid response should consist of the dynamic challenge to be used within the SCEP payload.

https://developer.jamf.com/developer-guide/docs/webhooks#scepchallenge

noahtalerman commented 1 month ago

support generation of SCEP payloads with dynamic challenges for profiles other than the enrollment profile (i.e., Enterprise Wi-Fi, device attestation, etc.).

@dherder if I'm understanding correctly, this request is about using the Fleet server as a certificate authority (CA) for SCEP certs.

The desired workflow is the IT admin creates a Wi-Fi profile, adds it to Fleet, and Fleet generates the SCEP certificate for them.

Sound right? (I updated the title of the issue to reflect the above workflow)

Any customers/prospects asking for this?

dherder commented 1 month ago

Yes, this is correct. It seems that from an implementation perspective, it would be easier for us to generate the certificate artifacts than building separate integrations with PKI providers.

lukeheath commented 1 month ago

@greptileai

greptile-apps[bot] commented 1 month ago

To implement dynamic SCEP challenges for macOS configuration profiles, follow these steps:

  1. Extend SCEP Payload Generation Logic:
    • Modify GenerateEnrollmentProfileMobileconfig in /server/mdm/apple/apple_mdm.go to support dynamic challenges for other profiles.
    • Add new functions to handle specific profiles like Enterprise Wi-Fi and device attestation.
  2. Create New Templates:
    • Create new mobileconfig templates for each profile in /server/mdm/nanomdm/docs/.
    • Example: wifi.mobileconfig, device_attestation.mobileconfig.
  3. Update SCEP Challenge Handling:
    • Modify the SCEP challenge generation logic to support dynamic challenges.
    • Update the GenerateEnrollmentProfileMobileconfig function to accept dynamic challenges.
  4. Add New Endpoints:
    • Add new API endpoints in /server/service/devices.go to serve the new profiles.
    • Example: getDeviceWiFiProfileEndpoint, getDeviceAttestationProfileEndpoint.
  5. Testing:
    • Add tests in /pkg/mdm/mdmtest/apple.go to cover the new profiles and dynamic challenges.

Example Code Snippet for Wi-Fi Profile:

```go
// GenerateWiFiProfileMobileconfig builds a Wi-Fi profile whose SCEP payload
// carries a per-device dynamic challenge, mirroring GenerateEnrollmentProfileMobileconfig.
func GenerateWiFiProfileMobileconfig(orgName, fleetURL, scepChallenge, topic string) ([]byte, error) {
	// Similar to GenerateEnrollmentProfileMobileconfig but for Wi-Fi; body left to implement.
	return nil, fmt.Errorf("GenerateWiFiProfileMobileconfig: not implemented")
}
```

Refer to Jamf developer docs for dynamic challenge implementation: https://developer.jamf.com/developer-guide/docs/webhooks#scepchallenge

References

  • /server/mdm/apple/apple_mdm.go
  • /server/service/devices.go
  • /server/mdm/nanomdm/docs/enroll.mobileconfig
  • /pkg/mdm/mdmtest/apple.go
  • /ee/tools/mdm
  • /cmd/fleetctl/generate.go

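As an added example (not Fleet's code, nor the bot's), in Go since that is the Fleet server's language: what "dynamic challenge" means in practice for the Wi-Fi case above. A fresh random challenge is minted per assembled profile, the SCEP CA burns it on first presentation and rejects expired or unknown values, and the Wi-Fi payload is bound to the SCEP identity through PayloadCertificateUUID. The function names, the signature of GenerateWiFiProfileMobileconfig, the in-memory map, the trimmed template and the SCEP URL are all assumptions.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"text/template"
	"time"
)

// Assumed in-memory store of outstanding challenges (challenge -> expiry).
var challengeExpiry = map[string]time.Time{}

// IssueChallenge mints a random, single-use challenge valid for ttl, one per profile.
func IssueChallenge(ttl time.Duration) (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil { return "", err }
	c := base64.RawURLEncoding.EncodeToString(b)
	challengeExpiry[c] = time.Now().Add(ttl)
	return c, nil
}

// ConsumeChallenge is what the SCEP CA runs when a PKCSReq arrives: the value
// must be known and unexpired, and is burned on first presentation so a
// captured profile cannot be replayed to obtain a second certificate.
func ConsumeChallenge(c string) error {
	exp, ok := challengeExpiry[c]
	delete(challengeExpiry, c)
	if !ok { return errors.New("unknown or already used challenge") }
	if time.Now().After(exp) { return errors.New("challenge expired") }
	return nil
}

// Minimal assumed template: a SCEP payload carrying the challenge, plus a Wi-Fi
// payload bound to the SCEP-issued identity through PayloadCertificateUUID.
var wifiTmpl = template.Must(template.New("wifi").Parse(`<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>PayloadContent</key><array>
<dict><key>PayloadType</key><string>com.apple.security.scep</string><key>PayloadUUID</key><string>{{.SCEPUUID}}</string><key>PayloadContent</key><dict><key>URL</key><string>{{.SCEPURL | html}}</string><key>Challenge</key><string>{{.Challenge}}</string></dict></dict>
<dict><key>PayloadType</key><string>com.apple.wifi.managed</string><key>SSID_STR</key><string>{{.SSID | html}}</string><key>PayloadCertificateUUID</key><string>{{.SCEPUUID}}</string></dict></array></dict></plist>`))

// GenerateWiFiProfileMobileconfig renders one profile with a fresh challenge and
// returns the challenge so the caller can record or revoke it.
func GenerateWiFiProfileMobileconfig(scepURL, scepUUID, ssid string) ([]byte, string, error) {
	c, err := IssueChallenge(10 * time.Minute)
	if err != nil { return nil, "", err }
	var buf bytes.Buffer
	err = wifiTmpl.Execute(&buf, map[string]string{"SCEPUUID": scepUUID, "SCEPURL": scepURL, "Challenge": c, "SSID": ssid})
	return buf.Bytes(), c, err
}
```

The `html` pipeline escapes `<`, `>` and `&` in admin-supplied values so an SSID cannot break the plist structure.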
noahtalerman commented 1 week ago

Hey @dherder I just realized that this is a duplicate of the following issue:

Closing this issue and carrying over prospect+customer labels. Please let me know if that's not the case.

fleet-release commented 1 week ago

Certificates auto-made,
Secure paths for Macs are laid,
In cloud city's shade.