fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

BYOD iOS/iPadOS: API endpoint to retrieve OTA profile #21557

Open roperzh opened 2 weeks ago

roperzh commented 2 weeks ago

  Content-Length: %d
  Content-Type: application/x-apple-aspen-config; charset=utf-8
  Content-Disposition: attachment;filename="fleet-mdm-enrollment-profile.mobileconfig"
  X-Content-Type-Options: nosniff
georgekarrv commented 2 weeks ago

Hey team! Please add your planning poker estimate with Zenhub @dantecatalfamo @ghernandez345 @gillespi314 @jahzielv @mna @roperzh

jahzielv commented 2 weeks ago

@roperzh do we have any API specs for this ticket? I've implemented something that does what we talked about in sprint kickoff (takes an enroll secret and returns the XML from here filled in with the correct values), but have some questions:

  1. What should the endpoint path and method be? I currently have GET /api/fleet/ota?enroll_secret=foo
  2. The value for the URL key in the XML template should be the server URL from the app config, correct?
  3. Authz: we should skip authz for this endpoint, correct? Since the request will be coming from an end user's iPhone or iPad
  4. Errors: should we return 404 if the enroll secret isn't found? This could leak information about the secret, but not sure how big a deal it is.

(If it's better for me to check with someone from product, I can do that, my b! Tagging you because you made this issue.)

draft PR: https://github.com/fleetdm/fleet/pull/21655
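The endpoint sketched in the questions above (GET /api/fleet/ota?enroll_secret=..., no session authz, the response headers from the issue body, 404 on an unknown secret), as an added illustration that is not Fleet's code and not the draft PR. The plist template, the otaServer type, the in-memory secret list and the values fleet.example.com / constructed-secret are all constructed for this example; the real profile XML linked in the comment is not reproduced. The secret check uses a constant-time comparison so that response timing does not distinguish a near-miss from a random guess, which narrows the information leak raised in question 4 to the 404 itself.

```go
package main

import (
	"bytes"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"text/template"
)

// Constructed stand-in for the OTA profile template. Only the URL key
// discussed in question 2 is filled in from the server configuration.
const otaTemplate = `<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <dict>
    <key>URL</key>
    <string>{{.URL}}</string>
  </dict>
</dict>
</plist>
`

// otaServer is a hypothetical handler; Fleet's real service layer is not shown.
type otaServer struct {
	serverURL     string   // server URL from app config (question 2)
	enrollSecrets []string // constructed in-memory stand-in for the enroll secret store
	tmpl          *template.Template
}

func newOTAServer(serverURL string, secrets []string) *otaServer {
	return &otaServer{
		serverURL:     serverURL,
		enrollSecrets: secrets,
		tmpl:          template.Must(template.New("ota").Parse(otaTemplate)),
	}
}

// secretKnown compares the presented secret against every stored secret and
// never returns early, so timing does not reveal which secret was a near miss.
func (s *otaServer) secretKnown(presented string) bool {
	found := false
	for _, known := range s.enrollSecrets {
		if subtle.ConstantTimeCompare([]byte(presented), []byte(known)) == 1 {
			found = true
		}
	}
	return found
}

// ServeHTTP implements GET /api/fleet/ota?enroll_secret=... The device is not
// enrolled yet, so there is no session to authorize (question 3); the enroll
// secret is the only credential, and an unknown one gets a 404 (question 4).
func (s *otaServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodGet {
		w.Header().Set("Allow", http.MethodGet)
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	secret := r.URL.Query().Get("enroll_secret")
	if secret == "" || !s.secretKnown(secret) {
		http.NotFound(w, r)
		return
	}
	// The server URL is operator-controlled, but escape it anyway so a stray
	// '&' or '<' in config cannot produce malformed XML in the profile.
	data := map[string]string{"URL": template.HTMLEscapeString(s.serverURL)}
	var body bytes.Buffer
	if err := s.tmpl.Execute(&body, data); err != nil {
		http.Error(w, "internal error", http.StatusInternalServerError)
		return
	}
	// Response headers exactly as listed in the issue body.
	w.Header().Set("Content-Length", fmt.Sprintf("%d", body.Len()))
	w.Header().Set("Content-Type", "application/x-apple-aspen-config; charset=utf-8")
	w.Header().Set("Content-Disposition", `attachment;filename="fleet-mdm-enrollment-profile.mobileconfig"`)
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.Write(body.Bytes())
}

// request drives the handler in-process and returns status, headers and body.
func (s *otaServer) request(secret string) (int, http.Header, string) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/api/fleet/ota?enroll_secret="+url.QueryEscape(secret), nil)
	s.ServeHTTP(rec, req)
	return rec.Code, rec.Header(), rec.Body.String()
}

func main() {
	s := newOTAServer("https://fleet.example.com", []string{"constructed-secret"})
	code, hdr, body := s.request("constructed-secret")
	fmt.Println(code, hdr.Get("Content-Type"))
	fmt.Print(body)
	code, _, _ = s.request("wrong-secret")
	fmt.Println(code)
}
```

A 404 still tells a caller whether a guessed secret exists, so on a real deployment the endpoint would additionally sit behind rate limiting and request logging; the constant-time check only removes the timing side channel, not the yes/no answer itself.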

roperzh commented 2 weeks ago

@jahzielv thanks so much for the ping! I added specs to the issue, please ping me if something is missing or you have more questions! 🙏