harrisonravazzolo
commented
1 month ago Open harrisonravazzolo opened 1 month ago
harrisonravazzolo
commented
1 month ago 
noahtalerman
commented
1 month ago customer-pingali would like the ability to surface this information about a device directly from MDM and not rely on osquery.
Use case: an employee with a BYOD leaves the organization and CorpIT wants to know which certs the device has and revoke them. While this is possible through osquery on Mac/Windows, it's not possible to use this method on iOS. The security queries will return the value they are looking for, certificates, but also data that would be useful for other customers to be able to query and unlock some GitOps lifecylces - i.e. Find My, Management status, Hardware encryption type
All available values: https://support.apple.com/en-gb/guide/deployment/dep5872f7b3c/1/web/1.0
Not possible through Fleet.
Could use osquery on supported platforms or use a custom MDM command, like what this customer is trying to do with certs - https://developer.apple.com/documentation/devicemanagement/list_the_certificates
Being able to hit an API, similar to the List MDM Command https://fleetdm.com/docs/rest-api/rest-api#list-mdm-commands and parse the data returned.
noahtalerman
commented
1 month ago
- @noahtalerman: User requested this because they want to be able to list the certificates on macOS, iOS, iPadOS hosts. What are they doing w/ this list? Building some automation? Just looking to confirm that a certificate is there?
@harrisonravazzolo can you please ask the above on your next call w/ pingali? Thanks!
Also check out the "in the interim" below:
- @noahtalerman: In the interim the user can write an osquery query the ___ table to list certificates on macOS. For iOS/iPadOS, the user can use the run MDM command Fleet API w/ the List the Certificates as the custom command.
noahtalerman
commented
1 month ago
- @noahtalerman: User requested this because they want to be able to list the certificates on macOS, iOS, iPadOS hosts. What are they doing w/ this list? Building some automation? Just looking to confirm that a certificate is there?
@harrisonravazzolo just following up to say that I don't think we can move this request forward to drafting/design until we understand the above.
Can you please ask the above on your next call w/ pingali? Thanks!
harrisonravazzolo
commented
4 weeks ago The downstream use case for the data returned is not clear on this snippet but they have potentially turned this into a requirement.
noahtalerman
commented
4 weeks ago @harrisonravazzolo it's still unclear what the desired workflow is.
Do they want to see a list of certificates on the Host details page? You can imagine we'd show a list like the list of users:
harrisonravazzolo
commented
4 weeks ago Hey @noahtalerman - I can ask Pingali but yeah, I would imagine something like that, but that it's also included in the api.
Don't know how helpful this screenshot is but this is me running the command on my iPhone and getting the certs.
harrisonravazzolo
commented
4 weeks ago Access to a lot of resources are through certs - so knowing if a device has a particular cert might mean the end user has access to the dev test wifi network, or, they have a kerberos identity for the iOS app test services, or something like that.
noahtalerman
commented
4 weeks ago @harrisonravazzolo heads up, we peeled this user story off this request and brought it into the current design sprint.
Keep in mind that the user story might not address the entire request. It may just be a small, iterative piece of it.
rachaelshaw
commented
2 weeks ago @harrisonravazzolo @noahtalerman wondering if we ever got the answer to this question in the issue description:
What are they doing w/ this list? Building some automation? Just looking to confirm that a certificate is there?
noahtalerman
commented
2 weeks ago @rachaelshaw I don't think we know for sure if pingali is building an automation.
That said, I chatted w/ Allen (subject matter expert), and other MDM solutions present a list of certificates on their equivalent of the Host details page. This way, the IT admin can confirm they're present on the device. So, I think it's safe to assume that pingali is at least looking for this.
In the user story we're working on now, I think we start w/ adding certificates to the Host details page (host vitals API too).
Later, we might add a view that shows all certificates across hosts or fire webhooks when a certificate fails to install (to aid automations if they exist).
allenhouchins
commented
2 days ago I was able to look into this a little more.
When you run a query like SELECT * FROM certificates; it is pulling all certificates, even system root certificates that are the default, built-in certificates provided by the operating system. Admins likely don't want these listed on a host record since every host will have them and know they can dig them up through osquery if needed.
What admins are likely asking for is a UI that shows the results of SELECT * FROM certificates where path = '/Library/Keychains/System.keychain'; attached to a host since these are certificates installed on top of the defaults.
Here is what other MDMs show:
Here is the osquery result of the command I suggested -- the discrepancy in results is because certificates that were installed by Jamf have been removed from the device:
Here is the list of System certificates on the device:
Here is the list of System Roots installed on the device which come up when running SELECT * FROM certificates; in addition to the ones in the previous screenshot:
Summary: The UI should not show all certificates, only the results of SELECT * FROM certificates where path = '/Library/Keychains/System.keychain'; since these are certificates that had to be installed through some process.
customer-pingali: Gong snippet: https://us-65885.app.gong.io/call?id=2699116120479648557&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A370%2C%22to%22%3A458%7D%5DUser stories
23235