Sign macOS configuration profiles

[roperzh]

UPDATE: @marko-lisica and I updated this separate user story to cover signing for enrollment profile and configuration profiles: #10418

Closing this story as a duplicate.

(2024-02-20)

---

Goal

User story
As an IT admin,
I want the configuration profiles installed on my macOS hosts to be signed
so that anyone viewing the profiles in System Settings > Profiles won't see a red "Unsigned" message.

The red "Unsigned" message:

Changes

Product

• [ ] UI changes: TODO
• [ ] CLI usage changes: TODO
• [ ] REST API changes: TODO
• [ ] Permissions changes: TODO
• [ ] Outdated documentation changes: TODO
• [ ] Changes to paid features or tiers: TODO

Engineering

• [ ] Database schema migrations: TODO
• [ ] Load testing: TODO

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

Context

• Requestor(s): _____

QA

Risk assessment

• Requires load testing: TODO
• Risk level: Low / High TODO
• Risk description: TODO

Manual testing steps

1. Step 1
2. Step 2
3. Step 3

Testing notes

Confirmation

1. [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
2. [ ] QA (@____): Added comment to user story confirming successful completion of QA.

[noahtalerman]

@roperzh I think we made the call not to rely on the IT admin to sign profiles for now (Fleet won't do it for them). Here's the thread in Slack where we made this decision: https://fleetdm.slack.com/archives/C03PK8PJDDE/p1668451248215009?thread_ts=1668184679.337339&cid=C03PK8PJDDE

Does this issue cover something else? I could be missing something.

[roperzh]

@noahtalerman for now the main purpose of this task right now is to:

1. keep track somewhere of the work we need to do
2. understand what we need to do (not take immediate action) so we can keep it in mind while building the current set of features. This is why it's currently assigned to Sarah (she's preparing a report with her findings.)

As a side note: I understand not taking action for profiles provided by the IT admin, but what about the enrollment profile? (and potentially any other profile sent by Fleet?)

for example @sharon-fdm was wondering if something was broken with Dogfood because the UI for unsigned profiles is not super reassuring:

[noahtalerman]

keep track somewhere of the work we need to do

understand what we need to do (not take immediate action)

@roperzh got it! Doing the research makes sense. Thanks for filing this issue.

I sent this message this morning because I thought we were taking immediate action (building the feature). This is because I saw the issue in the release board.

I wanted to check if were building it because I would argue that there are other features in the roadmap board that are higher priority. This would let me know that I should work with Luke to move these features (that I think are higher priority) into the release board.

UI for unsigned profiles is not super reassuring

Yeah I agree the red is not great.

[lukeheath]

We are removing this from the product backlog and deferring until higher-priority features are complete.

[noahtalerman]

Encrypting a profile protects the contents from unauthorized access

@roperzh how does encrypting a profile affect the IT admin UX? For example, if a profile is encrypted, can I see its description, settings, and details in System Settings?

[zhumo]

Hi @noahtalerman , this story did not make it into the current sprint, so I'm de-prioritizing it. Please bring it back to FF if necessary.

[roperzh]

potential implementation in this draft PR: https://github.com/fleetdm/fleet/pull/16490/files

[nonpunctual]

https://www.jamf.com/blog/malicious-profiles-come/

[noahtalerman]

Original issue description from @roperzh:

Problem

• Signing a profile guarantees data integrity: tampering with the profile sent by the Fleet server becomes harder.

Requirements

1. All profiles sent by the Fleet server should be signed by Fleet.
2. Update documentation to make sure IT admins understand NOT to sign the profile when they upload it.

[noahtalerman]

@Patagonia121 heads up, @marko-lisica and I updated this separate user story to cover signing for both the enrollment profile and configuration profiles: https://github.com/fleetdm/fleet/issues/10418

Closing this story as a duplicate.

[fleet-release]

Profiles now signed, No red message in sight, trust In clouds, takes flight.