Closed noahtalerman closed 1 year ago
@mikermcneil @zwass I think this issue is an expansion of the existing "Add support for signing APNS certs in fleetdm.com": #8223
In addition to requirements also covered in #8223, this issue also specifies...
This API was discussed during product design review on 2022-10-20
cc @zhumo ^^
Hey @mike-j-thomas @eashaw Another one for Eric's queue...
Thanks, @zhumo!
Hey @zhumo, how's this for the email content? Could use some wordsmithing, but is this roughly what you need?
cc @eashaw
Hey @mike-j-thomas @eashaw. I think that overall looks good. A few notes:
mdm
not mdm_apple
Thanks, @zhumo.
> we recommend you use a shared company email, like IT@acme.com, rather than an account attached to your name.
Sign-in options from the portal include signing in with an Apple ID or creating a new one. For the wording on our email, are we recommending that users sign in with either a company-issued Apple ID or create a new Apple ID using a shared company email address?
In the meantime, I think @eashaw is good to continue while we lock down this text.
I used "shared company Apple ID" here. Apple uses "managed Apple IDs," but they may be different.
Hey @mike-j-thomas this is how a competitor and Apple, respectively, offer their recommendation. Apple further goes on to describe the difference between managed:
I think based on that, we should tell them to use the managed Apple ID. Maybe we can link them in that email to here: https://support.apple.com/guide/apple-business-manager/use-managed-apple-ids-axm78b477c81/web
Brilliant, thanks for digging that up, @zhumo
Thanks, @zhumo. Updated wires here https://www.figma.com/file/yLP0vJ8Ms4GbCoofLwptwS/%E2%9C%85-fleetdm.com-(current%2C-dev-ready)?node-id=3609%3A12552
Looks great! For step #3, I think we could be more explicit about what to do with the cert. Currently, it is "Deploy Fleet with MDM configuration." Maybe we can say:
"Deploy Fleet using this certificate. Click here to see how." Or something like that.
From this issue's description:
> This email address is on a denylist of domains and was not delivered.
@zhumo which emails will we reject? My current understanding is that we will reject gmail and yahoo emails. Are there others?
cc @michalnicp
Hey @mike-j-thomas @eashaw. I think that overall looks good. A few notes:
- Just the CSR is attached. There is no additional key.
- In step 1 in the email, we recommend you use a shared company email, like IT@acme.com, rather than an account attached to your name. If you leave the company, they'll have a lot of trouble switching over. Or, less dramatically, if someone else does the update, you'll have to share your Apple ID pw with them.
- The config namespace is just `mdm`, not `mdm_apple`.
Just for reference, this is spec'd in https://github.com/fleetdm/fleet/issues/8595 under Task 1. @zhumo
Closing this as dupe of #8223. Let's please try to get that one updated with any relevant information.
@eashaw It turns out the requirements in this ticket are still needed. Please let me know if you have any questions.
@zhumo This was mistakenly closed and still needs to be completed. I'm tagging you to get more visibility on this.
@mike-j-thomas @eashaw Since there was some confusion on this ticket, please confirm that this is back on your radar. This ticket is the final step to closing the loop on setting up MDM.
Thanks, @lukeheath! This issue is back on my radar.
@eashaw, do you have everything you need from @zwass for this?
@eashaw Apologies for the confusion on this ticket. I worked with Noah to combine them. We've moved relevant details from this ticket to #8223, and I am closing this ticket. That way, you can work with one ticket instead of two. Please let me know if you have any questions or run into any blockers. Thank you!
Goal
Add ability for the Fleet product to tell fleetdm.com to send an email with a CSR for Apple Push Certificates Portal
Related
How?
Yo @eashaw, this is from @mikermcneil:
- `POST /api/v1/deliver-apple-dev-csr`
- `sails generate action deliver-apple-dev-csr`
- `orgName`
- `csr`
Denylist of email domains: https://docs.google.com/spreadsheets/d/1bLrVdh3_LNHU3jKBA2zWrF7zDxW9Yp2pmNTp44vXVTU/edit?usp=sharing