fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Remove certificates delivered through Fleet upon unenrollment #23821

Open ddribeiro opened 1 week ago

ddribeiro commented 1 week ago

noahtalerman commented 4 days ago

Problem

Many organizations use an MDM solution to distribute certificates to their hosts. Keeping certificate issuance and delivery tied to an MDM solution provides an incentive for their end users to enroll their host in the MDM and keep it enrolled. If a host is not under management, it can’t access the corporate networks.

Today, Fleet can be used to generate and deliver certificates to Linux hosts via scripting solutions. However, the certificates generated with this method remain on the host if the end user unenrolls it from management. This could create a situation where a user enrolls their host only to receive the certificate, then unenrolls their host once they have it.

What have you tried?

I tried looking for ways to run a script upon unenrollment, but did not find any option.

Potential solutions

A potential solution could be to have a Fleet-managed directory that admins would install the certificates to. Since Fleet knows about this directory, it could remove the directory along with the contents inside it when the Fleet agent is removed from the computer.

What is the expected workflow as a result of your proposal?

An end user will enroll their Linux host in Fleet to receive a certificate that grants access to the corporate network. After the certificate is delivered to the host, the end user will be incentivized to keep their host enrolled so they can keep the certificate. If the user unenrolls their host from Fleet, the certificate that was delivered when the host enrolled would be removed from the host.
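As an added illustration of the "Fleet-managed directory" idea above (example code written for this page, not Fleet's own code or a feature Fleet ships), the sketch below installs a delivered certificate into a designated directory and provides a cleanup hook that an agent uninstaller could invoke. The directory path `/etc/fleet/managed-certs`, the `MANAGED_CERT_DIR` variable and both function names are assumptions. The cleanup refuses to operate on a directory that has been replaced by a symlink and only deletes regular files, so that removing "everything Fleet delivered" cannot be redirected at some other location on the host.

```shell
#!/bin/sh
# Added example, not Fleet code: a hypothetical managed certificate directory
# plus the cleanup hook that would run when the agent is removed.
MANAGED_CERT_DIR="${MANAGED_CERT_DIR:-/etc/fleet/managed-certs}"   # hypothetical path

# install_managed_cert SRC NAME: copy a delivered certificate into the managed
# directory so that it is known to the agent and can be removed later.
install_managed_cert() {
    src="$1"
    name="$2"
    mkdir -p "$MANAGED_CERT_DIR"
    chmod 755 "$MANAGED_CERT_DIR"
    cp "$src" "$MANAGED_CERT_DIR/$name"
    chmod 644 "$MANAGED_CERT_DIR/$name"
}

# remove_managed_certs: delete every certificate the agent delivered and print
# the number of files removed. Returns non-zero without touching anything if the
# managed directory is a symlink (a user could otherwise point the cleanup at an
# arbitrary path). Only regular, non-symlink files inside it are deleted.
remove_managed_certs() {
    dir="$MANAGED_CERT_DIR"
    [ -e "$dir" ] || [ -L "$dir" ] || { echo 0; return 0; }   # nothing delivered
    if [ -L "$dir" ]; then
        echo "refusing to clean symlinked directory: $dir" >&2
        return 1
    fi
    removed=0
    for f in "$dir"/*; do
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        rm -f "$f" && removed=$((removed + 1))
    done
    rmdir "$dir" 2>/dev/null || true   # leave it if anything unexpected remains
    echo "$removed"
}
```

The hook is deliberately narrow: it only ever removes files that were placed in the one directory the agent owns, which is what makes "remove on unenrollment" safe to run unattended on a host whose user may be hostile to the cleanup.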