Create API endpoint that receives CSR data from Fleet server and sends email to user

[noahtalerman]

Goal

Add ability for the Fleet product to to tell fleetdm.com to send an email with a CSR for Apple Push Certificates Portal

Related

• Parent epic: #7726
• API to create signed CSRs: #8223

How?

Yo @eashaw, this is from @mikermcneil:

• POST /api/v1/deliver-apple-dev-csr
  • Send the parameters however you want, it'll work.
• sails generate action deliver-apple-dev-csr
  • inputs
  • orgName
    • The name of the organization.
    • String, required
  • csr
    • A Base64 encoded CSR string.
    • String, required
    • Note: The user's email address will be available in the CSR after decoding.
  • exits
  • success
    • description: 'Delivered email to specified email address with certificate signing request attached.'
    • Save this data in our db
  • emailNotDelivered
    • description: 'This email address is on a denylist of domains and was not delivered.'
    • =>Mike: Probably ok just to hard-code this as an array in the action. If concerned, make it config and use env var:MDM CSR Signing Banned Email Domains
  • what all's it do
  • deliver the email
  • save the email and org name to a database, which we can download later and check, when desired.
  • also post email and org name to Slack channel #mdm-csr-signups “an MDM CSR was generated for #{orgname} - #{email}”
• Example usage: await sails.helpers.http.sendHttpRequest() .intercept('emailNotDelivered', (err)=>{ … });

Denylist of email domains: https://docs.google.com/spreadsheets/d/1bLrVdh3_LNHU3jKBA2zWrF7zDxW9Yp2pmNTp44vXVTU/edit?usp=sharing

[noahtalerman]

@mikermcneil @zwass I think this issue is an expansion of the existing "Add support for signing APNS certs in fleetdm.com": #8223

In addition to requirements also covered in #8223, this issue also specifies...

• Sending the email
• Error exit
• Posting email and org name to Slack channel

This API was discussed during product design review on 2022-10-20

[noahtalerman]

cc @zhumo ^^

[zhumo]

Hey @mike-j-thomas @eashaw Another one for Eric's queue...

[mike-j-thomas]

Thanks, @zhumo!

[mike-j-thomas]

Hey @zhumo, how's this for the email content? Could use some wordsmithing, but is this roughly what you need?

cc @eashaw

[zhumo]

Hey @mike-j-thomas @eashaw. I think that overall looks good. A few notes:

1. Just the CSR is attached. there is no additional key.
2. In step 1 in the email, we recommend you use a shared company email, like IT@acme.com, rather than an account attached to your name. If you leave the company they'll have a lot of trouble switching over. Or, less dramatically, if someone else does the update, you'll have to share your apple ID pw with them.
3. The config namespace is just mdm not mdm_apple

[zhumo]

Hey @mike-j-thomas @eashaw. I think that overall looks good. A few notes:

1. Just the CSR is attached. there is no additional key.
2. In step 1 in the email, we recommend you use a shared company email, like IT@acme.com, rather than an account attached to your name. If you leave the company they'll have a lot of trouble switching over. Or, less dramatically, if someone else does the update, you'll have to share your apple ID pw with them.
3. The config namespace is just mdm not mdm_apple

[mike-j-thomas]

Thanks, @zhumo.

we recommend you use a shared company email, like IT@acme.com, rather than an account attached to your name.

Sign-in options from the portal include signing in with an Apple ID or creating a new one. For the wording on our email, are we recommending that users sign in with either a company-issued Apple ID or create a new Apple ID using a shared company email address?

In the meantime, I think @eashaw is good to continue while we lock down this text.

[mike-j-thomas]

I used "shared company Apple ID" here. Apple uses "managed Apple IDs," but they may be different.

[zhumo]

Hey @mike-j-thomas this is how a competitor and Apple, respectively, offer their recommendation. Apple further goes on to describe the difference between managed:

I think based on that, we should tell them to use the managed apple ID. Maybe we can link them in that email to here: https://support.apple.com/guide/apple-business-manager/use-managed-apple-ids-axm78b477c81/web

[mike-j-thomas]

Brilliant, thanks for digging that up, @zhumo 🙌

[mike-j-thomas]

Thanks, @zhumo. Updated wires here https://www.figma.com/file/yLP0vJ8Ms4GbCoofLwptwS/%E2%9C%85-fleetdm.com-(current%2C-dev-ready)?node-id=3609%3A12552

[zhumo]

Looks great! For step #3, I think we could be more explicit about what to do with the cert. Currenty, it is "Deploy Fleet with MDM configuration." Maybe we can say:

"Deploy Fleet using this certificate. Click here to see how." Or somehting like that.

[noahtalerman]

From this issue's description:

This email address is on a denylist of domains and was not delivered.

@zhumo which emails will we reject? My current understanding is that we will reject gmail and yahoo emails. Are there others?

cc @michalnicp

[zhumo]

@noahtalerman https://docs.google.com/spreadsheets/d/1bLrVdh3_LNHU3jKBA2zWrF7zDxW9Yp2pmNTp44vXVTU/edit?usp=sharing

[michalnicp]

Hey @mike-j-thomas @eashaw. I think that overall looks good. A few notes:

1. Just the CSR is attached. there is no additional key.
2. In step 1 in the email, we recommend you use a shared company email, like IT@acme.com, rather than an account attached to your name. If you leave the company they'll have a lot of trouble switching over. Or, less dramatically, if someone else does the update, you'll have to share your apple ID pw with them.
3. The config namespace is just mdm not mdm_apple

Just for reference, this is spec'd in https://github.com/fleetdm/fleet/issues/8595 under Task 1. @zhumo

[zwass]

Closing this as dupe of #8223. Let's please try to get that one updated with any relevant information.

[lukeheath]

@eashaw It turns out the requirements in this ticket are still needed. Please let me know if you have any questions.

[lukeheath]

@zhumo This was mistakenly closed and still needs to be completed. I'm tagging you to get more visibility on this.

[lukeheath]

@mike-j-thomas @eashaw Since there was some confusion on this ticket, please confirm that this is back on your radar. This ticket is the final step to closing the loop on setting up MDM.

[eashaw]

Thanks, @lukeheath! This issue is back on my radar.

[mike-j-thomas]

@eashaw, do you have everything you need from @zwass for this?

[lukeheath]

@eashaw Apologies for the confusion on this ticket. I worked with Noah to combine them. We've moved relevant details from this ticket to #8223, and I am closing this ticket. That way, you can work with one ticket instead of two. Please let me know if you have any questions or run into any blockers. Thank you!