fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

List certificates on macOS, iOS, iPadOS hosts #22802

Open harrisonravazzolo opened 2 weeks ago

harrisonravazzolo commented 2 weeks ago

customer-pingali: Gong snippet: https://us-65885.app.gong.io/call?id=2699116120479648557&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A370%2C%22to%22%3A458%7D%5D


User stories

harrisonravazzolo commented 2 weeks ago

Similar to https://github.com/fleetdm/fleet/issues/20717

noahtalerman commented 1 week ago

Problem

customer-pingali would like the ability to surface this information about a device directly from MDM and not rely on osquery.

Use case: an employee with a BYOD leaves the organization and CorpIT wants to know which certs the device has and revoke them. While this is possible through osquery on Mac/Windows, it's not possible to use this method on iOS. The security queries will return the value they are looking for, certificates, but also data that would be useful for other customers to be able to query and unlock some GitOps lifecycles - i.e. Find My, Management status, Hardware encryption type

All available values: https://support.apple.com/en-gb/guide/deployment/dep5872f7b3c/1/web/1.0

What have you tried?

Not possible through Fleet.

Potential solutions

Could use osquery on supported platforms or use a custom MDM command, like what this customer is trying to do with certs - https://developer.apple.com/documentation/devicemanagement/list_the_certificates

What is the expected workflow as a result of your proposal?

Being able to hit an API, similar to the List MDM Command https://fleetdm.com/docs/rest-api/rest-api#list-mdm-commands and parse the data returned.

noahtalerman commented 1 week ago
  • @noahtalerman: User requested this because they want to be able to list the certificates on macOS, iOS, iPadOS hosts. What are they doing w/ this list? Building some automation? Just looking to confirm that a certificate is there?

@harrisonravazzolo can you please ask the above on your next call w/ pingali? Thanks!

Also check out the "in the interim" below:

noahtalerman commented 6 days ago
  • @noahtalerman: User requested this because they want to be able to list the certificates on macOS, iOS, iPadOS hosts. What are they doing w/ this list? Building some automation? Just looking to confirm that a certificate is there?

@harrisonravazzolo just following up to say that I don't think we can move this request forward to drafting/design until we understand the above.

Can you please ask the above on your next call w/ pingali? Thanks!

harrisonravazzolo commented 4 days ago

https://us-65885.app.gong.io/call?id=4502089861812328304&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A1366%2C%22to%22%3A1418%7D%5D

The downstream use case for the data returned is not clear on this snippet but they have potentially turned this into a requirement.

noahtalerman commented 3 days ago

@harrisonravazzolo it's still unclear what the desired workflow is.

Do they want to see a list of certificates on the Host details page? You can imagine we'd show a list like the list of users:

(Screenshot: Host details page showing the list of users, taken 2024-10-24.)

harrisonravazzolo commented 3 days ago

Hey @noahtalerman - I can ask Pingali, but yeah, I would imagine something like that, and that it's also included in the API.

Don't know how helpful this screenshot is but this is me running the command on my iPhone and getting the certs.

(Screenshot "cert_payload": output of running the command against an iPhone, listing its certificates.)

harrisonravazzolo commented 3 days ago

Access to a lot of resources is through certs - so knowing if a device has a particular cert might mean the end user has access to the dev test wifi network, or they have a kerberos identity for the iOS app test services, or something like that.
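
The two pieces discussed above (the `CertificateList` custom MDM command from the "Potential solutions" comment, and the "does this device hold a particular cert" check from the comment just above) can be exercised end to end in a few lines. The following is an added example, not code from the fleet repository or from anyone in this thread. It builds the command plist with the `RequestType` / `ManagedOnly` keys Apple documents for `CertificateList`, then parses a response of the documented shape (`Status`, `CertificateList` array of `CommonName` / `Data` / `IsIdentity` entries). How the plist is submitted to Fleet (for example base64-encoding it for the run-command endpoint or `fleetctl mdm run-command`) is outside the block and is an assumption about the workflow, not something this issue specifies. The sample response and the DER bytes inside it are constructed placeholders, not real certificates.

```python
import hashlib
import plistlib
import uuid


def build_certificate_list_command(managed_only: bool = False) -> bytes:
    """Return the CertificateList MDM command as an XML plist (bytes).

    RequestType and ManagedOnly are Apple's documented keys for this command.
    CommandUUID is generated here; an MDM server may also assign its own.
    """
    command = {
        "CommandUUID": str(uuid.uuid4()),
        "Command": {
            "RequestType": "CertificateList",
            # ManagedOnly=True limits the list to certs installed via MDM;
            # False (the default) also returns certs the user installed.
            "ManagedOnly": managed_only,
        },
    }
    return plistlib.dumps(command)


def der_fingerprint(der: bytes) -> str:
    """SHA-256 of the raw DER bytes, lowercase hex.

    Matching on the fingerprint rather than CommonName avoids being fooled by
    a self-issued cert that merely reuses the expected subject name.
    """
    return hashlib.sha256(der).hexdigest()


def parse_certificate_list(response_plist: bytes) -> list[dict]:
    """Turn a CertificateList response plist into a list of summary dicts.

    Raises if the device did not acknowledge the command (Status can also be
    "Error" or "NotNow"; a NotNow response must simply be retried later).
    """
    doc = plistlib.loads(response_plist)
    status = doc.get("Status")
    if status != "Acknowledged":
        raise ValueError(f"command {doc.get('CommandUUID')} not acknowledged: {status}")

    certs = []
    for entry in doc.get("CertificateList", []):
        der = entry["Data"]  # plistlib decodes <data> elements to bytes
        certs.append(
            {
                "common_name": entry.get("CommonName", ""),
                "is_identity": bool(entry.get("IsIdentity", False)),
                "sha256": der_fingerprint(der),
            }
        )
    return certs


def host_has_cert(certs: list[dict], expected_sha256: str) -> bool:
    """True when a cert with the expected DER fingerprint is present."""
    return any(c["sha256"] == expected_sha256.lower() for c in certs)


# Constructed sample data (assumption): these byte strings are placeholders
# that stand in for DER-encoded certificates and are not parseable as X.509.
FAKE_DER_WIFI_IDENTITY = b"\x30\x03\x02\x01\x01"
FAKE_DER_ROOT_CA = b"\x30\x03\x02\x01\x02"

# Constructed sample response in the documented shape of an acknowledged
# CertificateList command (UDID and CommandUUID values are made up).
SAMPLE_RESPONSE = plistlib.dumps(
    {
        "CommandUUID": "11111111-2222-3333-4444-555555555555",
        "Status": "Acknowledged",
        "UDID": "00008030-000000000000000A",
        "CertificateList": [
            {"CommonName": "Corp Wi-Fi Client", "Data": FAKE_DER_WIFI_IDENTITY, "IsIdentity": True},
            {"CommonName": "Corp Root CA", "Data": FAKE_DER_ROOT_CA, "IsIdentity": False},
        ],
    }
)

if __name__ == "__main__":
    print(build_certificate_list_command(managed_only=True).decode())
    for cert in parse_certificate_list(SAMPLE_RESPONSE):
        print(cert)
    print("has wifi identity:", host_has_cert(parse_certificate_list(SAMPLE_RESPONSE), der_fingerprint(FAKE_DER_WIFI_IDENTITY)))
```

For the offboarding case in the thread, the fingerprint of the cert to revoke would come from the issuing CA's records, and `host_has_cert` confirms it is still on the device before (and after) revocation; the `IsIdentity` flag separates certs the device holds a private key for (the ones that actually grant access) from CA and trust-anchor certs.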

noahtalerman commented 2 days ago

@harrisonravazzolo heads up, we peeled this user story off this request and brought it into the current design sprint.

Keep in mind that the user story might not address the entire request. It may just be a small, iterative piece of it.