Connect end users to Wi-Fi: dynamic SCEP challenge with Smallstep

michalnicp commented 2 years ago

customer-reedtimmer: Gong snippets:
- https://us-65885.app.gong.io/call?id=3274063432520612661&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A1278%2C%22to%22%3A1390%7D%5D
- https://us-65885.app.gong.io/call?id=3274063432520612661&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A1342%2C%22to%22%3A1369%7D%5D

dherder commented 4 months ago

Integrating with the smallstep CA would be valuable for use cases other than the MDM enrollment. Related to #20213

noahtalerman commented 2 weeks ago

Goal

The current Apple MDM solution uses https://github.com/micromdm/scep for issuing SCEP CA certificates during MDM enrollment. However, it does not seem to be ready for production use. We also had to fork it to add storage in MySQL. From the author https://macadmins.slack.com/archives/C023Z6A2DL0/p1664901582278619

I’ve been contemplating recommending folks check-out step-ca if they want a “real” SCEP environment — it just uses micromdm/scep’s library (though that feature is newer). micromdm/scep’s depot is super simplistic and lacks some important features (like revocation, for example).

We should investigate using smallstep. It is Apache licensed and written in Go, meaning we could probably find a way to make it part of the fleet server.

How?

[ ]

fleetdm / fleet

Connect end users to Wi-Fi: dynamic SCEP challenge with Smallstep #8269

https://us-65885.app.gong.io/call?id=3274063432520612661&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A1342%2C%22to%22%3A1369%7D%5D

Goal

How?