empayre/fleet
14
0
Fork 0
mirror of https://github.com/empayre/fleet.git synced 2024-11-06 08:55:24 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Docs: Update SCEP configuration (#14234)

Browse Source 
- Update configuration docs to clarify this and what the workaround is
if changing the cert/key is necessary (due to compromise)
- Remove words from macOS setup docs
This commit is contained in:
Noah Talerman 2023-10-12 11:27:49 -04:00 committed by GitHub
parent 7cbcb94720
commit e89a919d06
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 9 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
docs/Configuration/fleet-server-configuration.md
View File

@ -2789,6 +2789,10 @@ The content of the Simple Certificate Enrollment Protocol (SCEP) certificate. An
-----END CERTIFICATE-----
```
The SCEP certificate/key pair [generated by Fleet](../Using%20Fleet/MDM-setup.md#step-1-generate-the-required-files) expires every 10 years. It's recommended to never change these unless they were compromised.
If your certificate/key pair was compromised and you change the pair, the disk encryption keys will no longer be viewable on all macOS hosts' **Host details** page until the keys are [reset by the end user](../Using%20Fleet/MDM-migration-guide.md#how-to-turn-on-disk-encryption).
##### mdm.apple_scep_key_bytes
The content of the PEM-encoded private key for the Simple Certificate Enrollment Protocol (SCEP). Typically generated via `fleetctl generate mdm-apple`.

11
docs/Using Fleet/MDM-macOS-setup.md
View File

@ -155,6 +155,8 @@ The SCEP certificates generated by Fleet and uploaded to the environment variabl
By connecting Fleet to ABM, Macs purchased through Apple or an authorized reseller can automatically enroll to Fleet when theyre first unboxed and set up by your end user.
New or wiped macOS hosts that are in ABM, before they've been set up, appear in Fleet with **MDM status** set to "Pending".
This section will guide you through how to:
1. Generate certificate and private key for ABM
@ -226,11 +228,11 @@ Set Fleet to be the MDM for all future Macs purchased via Apple or an authorized
4. Click **MDM Server Assignment**
5. Switch Macs to the new Fleet instance.
### Step 6 (optional): set the default team for hosts enrolled via ABM
### Step 6: set the default team for hosts enrolled via ABM
All automatically-enrolled hosts will be assigned to a default team of your choosing after they are unboxed and set up. The host will receive the configurations and behaviors set for that team. If no default team is set, then the host will be placed in "No Teams".
All hosts that automatically enroll will be assigned to the default team. If no default team is set, then the host will be placed in "No team".
> A host can be transferred to a new (not default) team before it enrolls. Learn how [here](./Teams.md#transfer-hosts-to-a-team). Transferring a host will automatically enforce the new team's settings when it enrolls.
> A host can be transferred to a new (not default) team before it enrolls. Learn how [here](./Teams.md#transfer-hosts-to-a-team).
Use either of the following methods to change the default team:
@ -250,9 +252,6 @@ Use either of the following methods to change the default team:
3. Run the `fleetctl apply -f <your-YAML-file-here>` command.
### Pending hosts
Some time after you purchase a Mac through Apple or an authorized reseller, but before it has been set up, the Mac will appear in ABM as in transit. When the Mac appears in ABM, it will also appear in Fleet with **MDM status** set to "Pending." After the new host is set up, the **MDM Status** will change to "On" and the host will be assigned to the default team.
## Renewing ABM
> Apple expires ABM server tokens certificates once every year or whenever the account that downloaded the token has their password changed.