MDM docs: bootstrap package (#11256)

Changes made based on feedback during MDM beta session.

- Correction: the URL doesn't have to be publicly accessible
- Clarify how to install the bootstrap package on a team v. "No team"
- Add confirmation step
Noah Talerman 2023-04-26 10:01:09 -04:00 committed by GitHub
parent 31ff9b0da4
commit 3dbe422ebf
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 59 additions and 11 deletions

@ -37,6 +37,7 @@ To add a bootstrap package to Fleet, we will do the following steps:
1. Download or generate a package
2. Sign the package
3. Upload the package to Fleet
4. Confirm package is uploaded
### Step 1: download or generate a package
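Review bot: the new step 4 reads "Confirm package is uploaded" while the other three steps use a full noun phrase; suggest "Confirm the package is uploaded" so the overview list reads uniformly, and the matching "Step 4" heading later in the file should use the same wording.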
@ -46,11 +47,28 @@ Whether you have to download or generate a package depends on what you want to d
* To deploy custom scripts, you need to generate a package. The [munkipkg tool](https://github.com/munki/munki-pkg) is a popular tool for generating packages.
Apple requires that your package is a distribution package. Verify that the package is a distribution package:
1. Run the following commands to expand you package and look at the files in the expanded folder:
```bash
$ pkgutil --expand package.pkg expanded-package
$ ls expanded-package
```
If your package is a distribution package should see a `Distribution` file.
2. If you don't see a `Distribution` file, run the following command to convert your package into a distribution package.
```bash
$ productbuild --package package.pkg distrbution-package.pkg
```
Make sure your package is a `.pkg` file.
### Step 2: sign the package
To sign the package we need a valid Developer ID Installer certificate.
To sign the package we need a valid Developer ID Installer certificate:
1. Login to your [Apple Developer account](https://developer.apple.com/account).
2. Follow Apple's instructions to create a Developer ID Installer certificate [here](https://developer.apple.com/help/account/create-certificates/create-developer-id-certificates).
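Review bot: several typos in the newly added distribution-package check: "expand you package" should be "expand your package", "If your package is a distribution package should see" is missing "you", and the `productbuild` output path is misspelled `distrbution-package.pkg` (a reader who copies the command gets an oddly named file). "Login to your Apple Developer account" should be "Log in to". The sentence "To sign the package we need a valid Developer ID Installer certificate" now appears twice; keep only the version ending in a colon, since it introduces the list. Worth adding while here: `productbuild` without `--sign` produces an unsigned distribution package, so the text could state that a package converted in step 2 still has to go through the signing step before it is uploaded.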
@ -62,7 +80,7 @@ Confirm that certificate is installed on your Mac by opening the **Keychain Acce
3. Run the following command in the **Terminal** application to sign your package with your Developer ID certificate:
```bash
productsign --sign "Developer ID Installer: Your name (Serial number)" /path/to/package.pkg /path/to/signed-package.pkg
$ productsign --sign "Developer ID Installer: Your name (Serial number)" /path/to/package.pkg /path/to/signed-package.pkg
```
You might be prompted to enter the password for your local account.
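Review bot: the step text says "sign your package with your Developer ID certificate" but the identity in the example command and the sentence introducing the list both name a Developer ID Installer certificate, which is what `productsign` needs for an installer package; suggest "Developer ID Installer certificate" here so readers do not pick the wrong certificate type. Adding the `$ ` prompt to the command is consistent with the Step 1 commands, but keep only one copy of the command line in the fence.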
@ -70,35 +88,65 @@ You might be prompted to enter the password for your local account.
Confirm that your package is signed by running the following command:
```bash
pkgutil --check-signature /path/to/signed-package.pkg
$ pkgutil --check-signature /path/to/signed-package.pkg
```
In the output you should see that package has a "signed" status.
### Step 3: upload the package to Fleet
Fleet supports installing a unique bootstrap package for each team. In Fleet, a team is a group of hosts.
1. Upload the package to a storage location (ex. S3 or GitHub). In a later step, we'll use this location's URL to upload the package to Fleet.
1. Upload the package to a publicly accessible location on the internet. We'll point Fleet to this location so that Fleet can download the package.
> The storage location must be accessible by the computer that uploads the package to Fleet.
> * This could be your local computer or the computer that runs your CI/CD workflow.
2. Create a `team` YAML document if you don't already have one. Learn how [here](./configuration-files/README.md#teams). If you're uploading the package to a team that already exists, make sure the `name` key in your YAML document matches the name of the team.
2. Choose which team you want to add the bootstrap package to.
> If you want to install a bootstrap package on hosts that are assigned to "No team," use the `config` YAML document. Learn how to create one [here](./configuration-files/README.md#organization-settings).
In this example, we'll add a bootstrap package to the "Workstations (canary)" team so that the package only gets installed on hosts that automatically enroll to this team.
3. Add an `mdm.macos_setup.bootstrap_package` key to your YAML document. This key accepts an absolute URL to the location of the bootstrap package.
3. Create a `workstations-canary-config.yaml` file:
```yaml
apiVersion: v1
kind: team
spec:
team:
name: Workstations
name: Workstations (canary)
mdm:
macos_setup:
bootstrap_package: https://github.com/organinzation/repository/bootstrap-package.pkg
...
```
Run the fleetctl `apply -f <your-team-here>.yml` command to upload your bootstrap package to Fleet.
Learn more about team configurations options [here](./configuration-files/README.md#teams).
If you want to install the package on hosts that automatically enroll to "No team," we'll need to create an `fleet-config.yaml` file:
```yaml
apiVersion: v1
kind: config
spec:
mdm:
macos_setup:
bootstrap_package: https://github.com/organinzation/repository/bootstrap-package.pkg
...
```
Learn more about "No team" configuration options [here](./configuration-files/README.md#organization-settings).
3. Add an `mdm.macos_setup.bootstrap_package` key to your YAML document. This key accepts the URL for the storage location of the bootstrap package.
4. Run the fleetctl `apply -f workstations-canary-config.yml` command to upload your bootstrap package to Fleet.
### Step 4: confirm package is uploaded
Confirm that your bootstrap package was uploaded to Fleet:
If you uploaded the package to a team, run `fleetctl get teams --name=Workstations --yaml`.
If you uploaded the package to "No team," run `fleetctl get config`.
You should see the URL for your bootstrap package as the value for `mdm.macos_setup.bootstrap_package`.
## macOS Setup Assistant
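Review bot: a few inconsistencies in the new team / "No team" flow. Step 3 creates `workstations-canary-config.yaml` but step 4 runs `fleetctl apply -f workstations-canary-config.yml` (extension mismatch), and the Step 4 confirmation runs `fleetctl get teams --name=Workstations --yaml` while the example team is named "Workstations (canary)"; both should match the example so the commands work as written. The example URL contains the typo `organinzation`, and "create an `fleet-config.yaml`" should be "a". Since the corrected note now says the storage location only has to be reachable from the computer running `fleetctl apply` rather than being public, it would help to state that the URL should be HTTPS so the package is not fetched over an unauthenticated channel, and that the `pkgutil --check-signature` result from Step 2 applies to the file at that URL, so the uploaded file must be the signed one.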

@ -311,7 +311,7 @@ spec:
## Organization settings
The `config` YAML file controls Fleet's organization settings.
The `config` YAML file controls Fleet's organization settings and MDM features for hosts assigned to "No team."
The following example file shows the default organization settings: