fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Know when the MDM certificate is removed from the Keychain #6434

Open noahtalerman opened 2 years ago

noahtalerman commented 2 years ago

Problem

An end user can turn off MDM features by removing the MDM certificate from the Keychain application (macOS). This means that the organization can no longer update macOS settings and macOS versions on this host.

More context is here in Slack (internal customer channel)

Goal

Add ability to know when the MDM certificate is removed from the Keychain.

Parent Epic

fleetdm/fleet#397

noahtalerman commented 2 years ago

Think about writing a policy/query first.

noahtalerman commented 2 years ago

@erikng if I recall correctly, you said that this would be the most valuable MDM issue to start with:

Do you know of any osquery queries that could help us grab this information? This way Fleet could add this info to the Fleet API/UI.

erikng commented 2 years ago

It's probably going to take a few things.

Check the MDM profile plist settings to get the certificate name.

Check the user and system keychains for the presence of that cert.
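The two checks described in the comment above, as an added Python example (not code from this thread or from Fleet). It assumes the enrollment profile is available as a standard Apple configuration-profile plist whose MDM payload references a SCEP identity payload, and that the keychain inventory arrives as rows with `common_name` and `path`, the shape of osquery's `certificates` table. The function names and sample data are constructed, and matching on common name alone is a simplification.

```python
import plistlib

# Constructed sample profile: an MDM payload pointing at a SCEP identity payload.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>PayloadContent</key><array>
 <dict>
  <key>PayloadType</key><string>com.apple.security.scep</string>
  <key>PayloadUUID</key><string>AAAA-1111</string>
  <key>PayloadContent</key><dict><key>Subject</key><array>
    <array><array><string>O</string><string>Example Org</string></array></array>
    <array><array><string>CN</string><string>Example MDM Identity</string></array></array>
  </array></dict>
 </dict>
 <dict>
  <key>PayloadType</key><string>com.apple.mdm</string>
  <key>PayloadUUID</key><string>BBBB-2222</string>
  <key>IdentityCertificateUUID</key><string>AAAA-1111</string>
 </dict>
</array></dict></plist>"""

def mdm_identity_cn(profile_bytes):
    """Step 1: follow IdentityCertificateUUID to the cert payload and return its CN."""
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    mdm = next((p for p in payloads if p.get("PayloadType") == "com.apple.mdm"), None)
    if mdm is None:
        return None
    cert = next((p for p in payloads
                 if p.get("PayloadUUID") == mdm.get("IdentityCertificateUUID")), None)
    if cert is None or not isinstance(cert.get("PayloadContent"), dict):
        return None  # e.g. a PKCS#12 payload: the subject is not in the profile
    for rdn in cert["PayloadContent"].get("Subject", []):
        for name, value in rdn:  # each RDN is a list of [name, value] pairs
            if name == "CN":
                return value
    return None

def keychains_holding(cn, cert_rows):
    """Step 2: paths of the keychains that contain a certificate with this CN."""
    return [r["path"] for r in cert_rows if r.get("common_name") == cn]

def mdm_cert_removed(profile_bytes, cert_rows):
    """True when the profile names an identity cert that no keychain holds."""
    cn = mdm_identity_cn(profile_bytes)
    return cn is not None and not keychains_holding(cn, cert_rows)
```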

noahtalerman commented 2 years ago

UPDATE: this issue will be addressed in Q4 2022 (noahtalerman 2022-08-31).

zayhanlon commented 1 year ago

@noahtalerman Removing the Slack thread link per customer request.