Set up Apple Push Certificates Portal and Apple Business Manager (APNs, SCEP, and ABM)

[noahtalerman]

Goal

As a Fleet admin I want to turn on MDM features in Fleet so that I can automatically enroll and enforce configuration on macOS hosts when they're first unboxed.

Related

• Parent Epic: #7726

Website

• API for getting the certificate signing request (CSR): #8223

Backend only

• 7456

• 7515

Backend and frontend

• 7958

• 8537

Frontend

• 8855

Docs

• 8799

Requirements

• In UI and CLI, Fleet admin can get certificates and keys required for APNs and SCEP (gen. .csr w/ email and org and email confirmation, upload to Apple, set up w/ Fleet)
• fleetdm.com saves email and org name, and other data for those who request APNs CSR from us.
• Fleet user can turn on MDM in Fleet by setting certificates and keys as config options, env vars, or CLI flags for Fleet server
• In UI and CLI, Fleet admin can see the status of APNS, including the renewal date
• In UI and CLI, Fleet admin can specify a team for automatically enrolled hosts (DEP) to join (default to no team). Premium only feature
• Fleet uses a default enrollment profile for automatically enrolled hosts: https://github.com/fleetdm/confidential/blob/main/mdm_profiles/fleet_dep.json
  • The profile_name is set to the organization name Fleet.
• Hosts in Apple Business Manager automatically enrolls in the team via standard DEP flow (Premium only feature)
• In UI, Fleet user sees the pending hosts, able to transfer them to the desired team. Premium only feature
• In UI and CLI, Fleer user sees when they need to agree to new Apple Business Manager terms (Premium only).

Figma

https://www.figma.com/file/hdALBDsrti77QuDNSzLdkx/%F0%9F%9A%A7-Fleet-EE-(dev-ready%2C-scratchpad)?node-id=9683%3A318828

[noahtalerman]

@mike-j-thomas FYI Mo let me know that you and Mo started to talk about setting up MDM in the Fleet UI. So that I can catch up, I plan to attend the next product design review call with you and Mike.

[mike-j-thomas]

@noahtalerman, Mo, and I spoke. He's going to write up an issue for me to start work on later this week.

[noahtalerman]

Mo, and I spoke. He's going to write up an issue for me to start work on later this week.

Got it! @zhumo please feel free to update this existing issue.

[noahtalerman]

@mike-j-thomas I assigned myself this issue and removed it from the digital experience board.

[noahtalerman]

@lucasmrod is it possible to reuse the same .crt and .key for SCEP that Fleet uses for AWS (Fleet server)? We'd like there to be just a "set of keys" for Fleet.

This way, we can simplify the setup by removing the concept of SCEP.

[lucasmrod]

is it possible to reuse the same .crt and .key for SCEP that Fleet uses for AWS (Fleet server)? We'd like there to be just a "set of keys" for Fleet.

What do you mean by "that Fleet uses for AWS (Fleet server)"?

Assuming you mean the TLS certificate used in the Fleet server: No, because the SCEP certificate is used for a different purpose: for signing client certificates for apple devices as part of the MDM enroll process.

[noahtalerman]

What do you mean by "that Fleet uses for AWS (Fleet server)"?

Ah, shoot. @lucasmrod I confused myself. I meant APNS instead of AWS.

Let me rephrase my question:

Is it possible to reuse the same .crt and .key for SCEP and APNS?

This way we can simplify the setup by removing the concept of SCEP.

[lucasmrod]

I meant APNS instead of AWS.

Gotcha.

Is it possible to reuse the same .crt and .key for SCEP and APNS? This way we can simplify the setup by removing the concept of SCEP.

No. Because SCEP certs are generated/managed by the Fleet operator, whereas APNS certificates are issued by Apple. (And they serve distinct purposes, so the certificates have different properties.)

[noahtalerman]

distinct purposes, so the certificates have different properties.

Makes sense.

simplify the setup by removing the concept of SCEP.

@lucasmrod to achieve this, can we hide SCEP away from the user?

Meaning, instead of this...

1. user gets APNS certs from Apple
2. user uploads APNS certs to Fleet
3. user gets SCEP certs from Fleet
4. user uploads SCEP certs to Fleet
5. DONE

we do something like this...

1. user gets APNS certs from Apple
2. user uploads APNS certs to Fleet
3. DONE (behind the scenes Fleet generates and uploads SCEP certs to Fleet)

[lucasmrod]

Yes, could be behind the scenes. Unlike APNS or DEP credentials, SCEP cert+key generation does not need User+Apple interaction.

PS: This is assuming we solve the issue of how to store sensitive credentials in Fleet. So I will start discussions with the team.

[noahtalerman]

Yes, could be behind the scenes.

👍

@zhumo I created user journeys for set up (new Fleet users) and turn on (existing Fleet users):

• “Set up Fleet with MDM features” drawing (internal): https://docs.google.com/drawings/d/1Cg0MY_IjSt5q4TZwRg9SFj3NEG44M7ChnK38LOcDP-I/edit
• “Turn on MDM features” drawing (internal): https://docs.google.com/drawings/d/1X6Y3g74dp1B-ln3vjumcHkkf93DrWE_KYZzK4rWBQnM/edit

What do you think? Please feel free to edit / leave notes.

[zhumo]

@noahtalerman

• what is the first diagram for? Is this for people who are setting up fleet from scratch whereas the second one is if they are already have fleet?
• I wonder if enabling MDM would be on by default always. We just have to find a tasteful way to show hosts in non-MDM state that would gesture towards what's possible while simultaneously not being too much of an ad.
• Even if we end up needing to enable MDM by some dev action, should this be a config rather than an ENV var?
• When you get an APNS CSR cert, we could pre-fill it for you with your org name and email.
• There is no need to update your email if you end up needing to use a different email.

Can you grab a time to review this together? This is a good exericse for both of us to talk through. Thanks for drawing it up.

[noahtalerman]

Can you grab a time to review this together?

@zhumo let's discuss during our call today @1:30p PST.

[noahtalerman]

UPDATE: Lucas please ignore my question below. I confirmed the user journeys are missing DEP steps (noahtalerman 2022-09-27).

I created user journeys for set up (new Fleet users) and turn on (existing Fleet users)

Heads up, I think these user journeys are missing steps to set up automatic enrollment (DEP). @lucasmrod is this correct?

I'm linking to the user journeys here:

• “Set up Fleet with MDM features” drawing (internal): https://docs.google.com/drawings/d/1Cg0MY_IjSt5q4TZwRg9SFj3NEG44M7ChnK38LOcDP-I/edit
• “Turn on MDM features” drawing (internal): https://docs.google.com/drawings/d/1X6Y3g74dp1B-ln3vjumcHkkf93DrWE_KYZzK4rWBQnM/edit

[noahtalerman]

Decision: De-prioritize the "Set up Fleet with MDM features" journey for now (noahtalerman 2022-09-26).

Reasoning:

• Upgrading existing Fleet users is a priority over new users.
• The "Turn on MDM features" journey can also be used by new users.

[noahtalerman]

@lucasmrod we'd like Fleet to be able to determine if the APNs certificate or DEP server token is invalid. How difficult is this?

Check out the UI wireframes for the desired behavior:

[zhumo]

To add more color here, does Apple provide various APIs to check on the status of a cert?

[lucasmrod]

Hi @noahtalerman. I believe the wireframes are assuming some automation (via a Fleet DM hosted service).

For reference, here are the steps if we were to implement "full manual" UI wireframes:

1. Fleet server generates a push .key and push .csr. Push key is stored internally (user doesn't need to know of it). User downloads the push .csr file.
2. User sends push .csr to a Fleet representative. (Via e-mail/slack.)
3. Fleet representative signs the .csr. Sends back a signed .req file to the user. (Via e-mail/slack.)
4. User uploads .req to their Apple account.
5. User downloads .pem from their Apple account.
6. User uploads .pem to Fleet.

If we automate (1), (2) and (3) which needs some discussion, then it would look like the UI wireframes. But it won't be a single Download operation, it will instead consist of: Fleet would generate .key + .csr and send the .csr as a request to a Fleet DM hosted service that will return a signed .req that the user can then download.

Looping @GuillaumeRoss and @zwass because the Fleet DM hosted service for signing .csrs needs some discussion, security-wise.

Let me know if that makes sense.

[lucasmrod]

we'd like Fleet to be able to determine if the APNs certificate or DEP server token is invalid.

Yes. When the user uploads the final PEM to Fleet, I believe there will be a way to connect via TLS to verify the uploaded PEM certificate (via making a test TLS connection to api.push.apple.com:443).

[noahtalerman]

If we automate (1), (2) and (3) which needs some discussion, then it would look like the UI wireframes.

Makes sense. I think we want this automation as part of the production release.

it won't be a single Download operation, it will instead consist of: Fleet would generate .key + .csr and send the .csr as a request to a Fleet DM hosted service that will return a signed .req that the user can then download.

I'm not sure I understand. The user could still take a single action (click), correct?

Say, I click Download. Then, behind the scenes Fleet takes care of the steps to generated a signed .req. Last, the download begins automatically in my browser.

cc @zhumo

[noahtalerman]

Decision: Punt on adding the ability to renew APNs certificate or DEP server token for now.

Reasoning: We can come back to this because the certificate and server token are valid for 1 year.

(noahtalerman 2022-09-20)

[lucasmrod]

I'm not sure I understand. The user could still take a single action (click), correct? Say, I click Download. Then, behind the scenes Fleet takes care of the steps to generated a signed .req. Last, the download begins automatically in my browser.

Yes, from user standpoint it's one action "Download". On Fleet, this would involve multiple steps, one of them being a request to a Fleet DM hosted service and the last one being the download of the .csr

[noahtalerman]

@lucasmrod can Fleet handle renewing SCEP certificates for the user?

[lucasmrod]

can Fleet handle renewing SCEP certificates for the user?

We still need to support this scenario for rotating SCEP CA certificates. We've discussed some ideas. AFAICS, all of them require some administrator/manual interaction.

/cc @GuillaumeRoss

[noahtalerman]

We still need to support this scenario for rotating SCEP CA certificates.

Guillaume or Lucas, do you know why we need to support this? Instead of Fleet handling the rotation for the user.

[lucasmrod]

We still need to support this scenario for rotating SCEP CA certificates.

Guillaume or Lucas, do you know why we need to support this? Instead of Fleet handling the rotation for the user.

For on-premise this is the responsibility of the Fleet administrator. (On a cloud solution this would be solved automatically by the cloud provider.)

CA certificate rotation is a pretty manual and involved process. They are not performed often (given how long CA certs live). It is also necessary whenever the CA is suspected to be compromised.

Maybe @GuillaumeRoss can provide more insight.

[GuillaumeRoss]

A scenario where it is compromised is the most likely, and you could also have companies that are quite security conscious and have a lot of automation use expirations that aren't long in decades for example.

[noahtalerman]

For on-premise this is the responsibility of the Fleet administrator.

Does this have to be the case?

@GuillaumeRoss @lucasmrod let's say Fleet renews SCEP certs for the user when the user renews APNs. Wouldn't this handle the use case in which the user believes certificates (SCEP or APNs) are compromised?

cc @zhumo

[noahtalerman]

@zhumo I assigned you this issue and the following issue: #7957

My understanding is that these issues are ready for engineering review, specification, and implementation.

[noahtalerman]

@zhumo I assigned you this issue.

The Fleet UI now points the customer to use fleet serve with appropriate flags instead of uploading the certificates.

[noahtalerman]

@zwass can you please break out child issues for this epic?

[noahtalerman]

@zwass I assigned you this issue. This epic is unblocked.

[noahtalerman]

Mo (2022-10-28):

I just spoke to Zach about SCEP. Based off that conversation, I think we need some UI for it. The conclusions from Zach were:

• Apple requires SCEP for device authentication for MDM
• Until we do the cert storage stuff, we will need to ask the user to set an env var, as we do with the ABM and APNS stuff.
• There is no need to go upload it to anywhere, we just generate the keys then user puts it in the env vars
• There is no need to manage renewal. SCEP will handle all that in the background.

[noahtalerman]

@zhumo heads up, the decisions made in the "Connect to Apple Developer" call impact the Fleet UI for MDM setup.

This is a link to a GitHub comment that documents the decisions: https://github.com/fleetdm/fleet/issues/7456#issuecomment-1299109592

The changes to the Fleet UI are below:

• Change "Apple Developer to "Apple Push Certificate Portal"
• Change request functionality from emailing all material to sending CSR to email and downloading APNs key, SCEP cert, and SCEP key in the browser.
• Remove the disconnect APNs and Apple Business Manager functionality. This is because Fleet is not storing the certificates.
  • I moved these screens to the Figma archive safekeeping: https://www.figma.com/file/PrWu3D5vobpO2yi6dtoRI5/Fleet-(2022-archive)?node-id=662%3A33141

[noahtalerman]

the decisions made in the "Connect to Apple Developer" call impact the Fleet UI for MDM setup

cc @mikermcneil ^

See the above comment for the UI changes.

[noahtalerman]

@michalnicp @zwass during a call with Michal, Guillaume, and I, we discussed using our internal automatic enrollment profile (linked below) as the default automatic enrollment profile in Fleet.

How much effort would it take to use the organization name in Fleet as the profile_name property in the enrollment profile?

This way, when the device user with a fresh Mac sees the "Install MDM profile" step in the set up wizard, they see their organization's name.

• Fleet uses a default enrollment profile for automatically enrolled hosts: https://github.com/fleetdm/confidential/blob/main/mdm_profiles/fleet_dep.json
  • The profile_name is set to the organization name in Fleet.

[michalnicp]

Should that organization name be updated when app config is updated? We currently don't sync changes to the dep_profile.json.

[noahtalerman]

Should that organization name be updated when app config is updated?

@michalnicp I think yes.

We currently don't sync changes to the dep_profile.json.

Got it. If we do this now, I think we'll reduce the amount of work later. I could be wrong here.

Later, I think we'll allow the user to update more pieces of the dep_profile.json. For example, choose which set up screens to hide during Mac set up.

[zhumo]

Hey all, I want to make sure we're covering requirement #3 "fleetdm.com saves email and org name, and other data for those who request CSR from us." We should record this info so that we can lookback on it. @zwass @eashaw

[lukeheath]

@zhumo You probably want to edit/comment on https://github.com/fleetdm/fleet/issues/8223 since that's where the fleetdm.com work will happen.

[fleet-release]

Configuring fleets made easy
APNs, SCEP and ABM
Streamline device setup