Closed ghernandez345 closed 1 year ago
@mna Not much detail here, but I don't think this has many requirements other than having an endpoint that sends back an enrolment profile.
@lukeheath @noahtalerman Couple questions to clarify the specs:
@lukeheath @noahtalerman
Never mind regarding 1. above, I found the enrollment profile generation in the prototype code, it's in server/service/apple_mdm.go, function generateEnrollmentProfileMobileconfig.
@mna
Is there any special authorization associated with that endpoint? I'm guessing not, because every user should be able to download the enrollment profile to manually enroll their host, so as long as the request is authenticated it should be allowed?
Correct, this is my understanding. Let's spec with this assumption and confirm with Noah when this ticket is estimated.
That's correct, having the URL with the correct token is what "authorizes" you to access the profile.
@mna while some settings can be tweaked, I don't think we want to give the user any control on that (at least for now). The current settings we're sending are also OK.
@lukeheath @noahtalerman @mna in regards to my previous comment 👆
Authentication
The request to get the profile needs to be authenticated in some way. My previous comment assumes that the IT admin will have the ability to share a URL to download the token, but on second thought it actually depends on the workflows we want to support:
Generation
Currently, the IT admin has to run at some point the following command to create the profile:
$ fleetctl apple-mdm enrollment-profiles create-manual
For manual profiles, this is just to generate the token (DEP profiles are different), so if we just want to support workflow 1 above, maybe we could also skip this step?
@roperzh I know we will want item 1, manual enrollment via the "My Device" page. I have yet to see any flows that indicate the admin shares a link to download the profile, but let's confirm with @zhumo. He will be back on Friday this week. Martin will be back next Monday.
@lukeheath @roperzh my understanding is that the admin should ask users to install Fleetd w/ Fleet Desktop enabled.
@roperzh @lukeheath Yeah from the figma associated with the UI part of this ticket, the manual enrollment is via the "My Device" page so it would be the case 1. in Roberto's comment. I'll go ahead and estimate+start working on this ticket for the "My Device" scenario.
@noahtalerman One thing I want to point out, to generate the manual enrollment profile we need the SCEP challenge key (https://github.com/fleetdm/fleet/blob/main/server/service/apple_mdm.go#L807-L818). AFAIK, we haven't covered this configuration option for the "official" MDM feature - it still uses the configuration option that was created for the prototype (the yaml key is mdm_apple.scep.challenge).
Wanted to let you know because for the official feature, we've used mdm instead of mdm_apple as parent key, so it would likely need to be changed to mdm.apple_scep_challenge?
@roperzh correct me if I'm wrong regarding the scep challenge being required?
@mna that sounds correct, the plan is to get rid of that config option and use dynamic SCEP challenges (#8477)
@roperzh @noahtalerman oh gotcha, thanks Roberto! So my understanding is:
that matches my understanding, thanks for the summary!
@roperzh @mna my understanding is that the user won't have to configure a SCEP challenge. Is this still the case?
@noahtalerman yes, that's correct. It'll be automatically generated
@noahtalerman regarding what happens with the profile once downloaded (related to its content-type of application/x-apple-aspen-config that Apple knows about), @RachelElysia was able to demo it to me now that the frontend is calling the endpoint, and what it does is:
So all in all I think it does a bit of a better job than what we expected (the user doesn't have to deal with the file beyond clicking on it after download), but not as good as I thought it would (it just pops a notification, you have to manually navigate to the settings/profile window to continue).
we still have to do that manually (open settings, find "profile" section)
the user doesn't have to deal with the file beyond clicking on it after download
@mna got it 👍 This is what I've seen too. Thanks for the follow up.
it just pops a notification, you have to manually navigate to the settings/profile window to continue
Right. The directions on the My device page (screenshot below) are for walking the end user through this part. Curious, if you've had a chance to see this screen, to hear how this felt as an end user.
cc @RachelElysia
@noahtalerman @RachelElysia those instructions look great, as I recall it that's exactly what Rachel did to get to it (although a lot of scrolling had to be done to access the "Profiles" section, despite searching for it in section settings? Rachel might be able to better describe/show what happened there).
One nit on step 4, would it be worth mentioning "Enter your macOS password"? I.e. not your Fleet password. Might not be obvious to all users?
@mna ah, interesting. These instructions are for end users only (My device page). End users won't have Fleet passwords. I'm curious if this changes your thinking...
@noahtalerman
Oh! That's true, sorry, I did not think that through.
Device enrollment profile
We need an endpoint that enables the downloading of an enrolment profile for manual MDM enrolment.
Requirements
Design
UI
https://www.figma.com/file/qbjRu8jf01BzEfdcge1dgu/Fleet-style-guide-2022-(WIP)?node-id=213%3A30333&t=YR1JSBx88ugXllm2-0
Related
Parent Epic
UI
Tasks
1. GET /fleet/device/{token}/mdm/apple/manual_enrollment_profile (rationale: the prefix up to /mdm is consistent with all device-authenticated endpoints, and then it's the structure used for mdm-related endpoints. Maybe we could do without /apple/ and auto-detect based on the device's OS, but the My Device page already has to know this as the callout is only shown if the host is macos for now - see figma https://www.figma.com/file/hdALBDsrti77QuDNSzLdkx/%F0%9F%9A%A7-Fleet-EE-(dev-ready%2C-scratchpad)?node-id=10058%3A317839&t=HxIvSLi6gH4EJE59-0). GET /fleet/hosts/report, we add a Content-Disposition header and some other headers such as Content-Type). server/service/apple_mdm.go, function generateEnrollmentProfileMobileconfig.
2. docs/Contributing/API-for-contributors.md
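Added example, not Fleet's own code, of the endpoint spec discussed in this thread: a Go handler that takes the device token from the /fleet/device/{token}/mdm/apple/manual_enrollment_profile path, treats that token as the sole authorization (as agreed above), refuses non-macOS hosts, and sets the Content-Type and Content-Disposition headers mentioned. The token-to-platform map and the profile body are constructed placeholders; the real profile comes from generateEnrollmentProfileMobileconfig.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Constructed sample of device token -> host platform. In Fleet the token is
// the one in the device-authenticated /fleet/device/{token}/... routes.
var hostPlatformByToken = map[string]string{
	"dev-token-mac":   "darwin",
	"dev-token-linux": "linux",
}

// deviceTokenFromPath returns {token} from
// /fleet/device/{token}/mdm/apple/manual_enrollment_profile, or "" on mismatch.
func deviceTokenFromPath(p string) string {
	const prefix, suffix = "/fleet/device/", "/mdm/apple/manual_enrollment_profile"
	if !strings.HasPrefix(p, prefix) || !strings.HasSuffix(p, suffix) {
		return ""
	}
	token := strings.TrimSuffix(strings.TrimPrefix(p, prefix), suffix)
	if strings.Contains(token, "/") { // the token must be exactly one path segment
		return ""
	}
	return token
}

// manualEnrollmentProfile serves the profile for the host behind the token; the
// token is the only authorization. The body is a stand-in for the output of
// generateEnrollmentProfileMobileconfig in server/service/apple_mdm.go.
func manualEnrollmentProfile(w http.ResponseWriter, r *http.Request) {
	token := deviceTokenFromPath(r.URL.Path)
	platform, ok := hostPlatformByToken[token] // "" is never a valid token
	if !ok {
		http.Error(w, "invalid device token", http.StatusUnauthorized)
		return
	}
	if platform != "darwin" { // the My Device callout only appears for macOS hosts
		http.Error(w, "manual enrollment is only supported on macOS", http.StatusBadRequest)
		return
	}
	// application/x-apple-aspen-config makes macOS treat the download as a profile.
	w.Header().Set("Content-Type", "application/x-apple-aspen-config")
	w.Header().Set("Content-Disposition", `attachment; filename="fleet-mdm-enrollment.mobileconfig"`)
	w.Header().Set("Cache-Control", "no-store") // the profile embeds the SCEP challenge
	fmt.Fprintf(w, "<!-- placeholder mobileconfig for device token %s -->\n", token)
}
```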