fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com
Other
3.16k stars 432 forks source link

Enforce IdP authentication before BYOD iOS/iPadOS enrollment #22529

Open harrisonravazzolo opened 1 month ago

harrisonravazzolo commented 1 month ago
noahtalerman commented 1 month ago

Moved the original issue description here for safekeeping:

@harrisonravazzolo asks: When a user goes to enroll a BYOD device and pulls a profile, what is the first point in which Fleet will capture who the user of that device is?

Problem

As a CPE and Security Team Member, I want to authenticate users before they can enroll in MDM so that I can associate a user and a device and better secure BYOD enrollment.

A problem with the current iteration of BYOD is that this uses the user-initiated enrollment style with an URL endpoint to pull a configuration profile. Alternatively, Apple recommends the 'User Enrollment' approach where after authentication happens the profile can then be pulled down to the device. Screenshot of the device setting:

IMG_9736

When this flow occurs, the mechanism will be similar to the end user authentication part of MacOS enrollment and the device will have a user associated with it.

The current enrollment method leaves a lack of authentication and prevents a sys admin from being able to associate a device and restrict enrollment to known users on an approved domain.

There are other data segmentation and management features with this enrollment style but I think a separate ticket is more appropriate.

What have you tried?

Tried other methods of capturing this user data but none exist.

Potential solutions

Support Apples User Enrollment through Work or School flow of device enrollment which has an authentication component.

What is the expected workflow as a result of your proposal?

Instead of a user hitting an endpoint to grab a profile, they will leverage iOS's enrollment profile flow in the Settings.

noahtalerman commented 1 month ago

Hey @ambrusps, when you get the chance can you please add the Gong snippet or Slack thread for banshear? Thanks!

noahtalerman commented 1 month ago

Hey @ambrusps just giving you another ping! Can you please share the Gong snippet for banshear? Thanks :)

ambrusps commented 1 month ago

@noahtalerman thank you!! fell thru the cracks. I've reached out to the team for an update on this feature as I'm not sure we have a good gong snippet to attach at the moment. I'll update once I hear back

noahtalerman commented 1 month ago

Hey @ambrusps just checking, do we have an update for banshear?

ambrusps commented 1 month ago

@noahtalerman removed the prospect-brashear label as I haven't heard back. This is still a very important requirement for customer-pingali. Harrison added gong snippets above for reference. Thanks for checking!