From e89a919d06fefc6984d108c92162456da44ececd Mon Sep 17 00:00:00 2001 From: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> Date: Thu, 12 Oct 2023 11:27:49 -0400 Subject: [PATCH] Docs: Update SCEP configuration (#14234) - Update configuration docs to clarify this and what the workaround is if changing the cert/key is necessary (due to compromise) - Remove words from macOS setup docs --- docs/Configuration/fleet-server-configuration.md | 4 ++++ docs/Using Fleet/MDM-macOS-setup.md | 11 +++++------ 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/docs/Configuration/fleet-server-configuration.md b/docs/Configuration/fleet-server-configuration.md index 588b00021..4f0457277 100644 --- a/docs/Configuration/fleet-server-configuration.md +++ b/docs/Configuration/fleet-server-configuration.md @@ -2789,6 +2789,10 @@ The content of the Simple Certificate Enrollment Protocol (SCEP) certificate. An -----END CERTIFICATE----- ``` +The SCEP certificate/key pair [generated by Fleet](../Using%20Fleet/MDM-setup.md#step-1-generate-the-required-files) expires every 10 years. It's recommended to never change these unless they were compromised. + +If your certificate/key pair was compromised and you change the pair, the disk encryption keys will no longer be viewable on all macOS hosts' **Host details** page until the keys are [reset by the end user](../Using%20Fleet/MDM-migration-guide.md#how-to-turn-on-disk-encryption). + ##### mdm.apple_scep_key_bytes The content of the PEM-encoded private key for the Simple Certificate Enrollment Protocol (SCEP). Typically generated via `fleetctl generate mdm-apple`. diff --git a/docs/Using Fleet/MDM-macOS-setup.md b/docs/Using Fleet/MDM-macOS-setup.md index 12614b30f..62732d83e 100644 --- a/docs/Using Fleet/MDM-macOS-setup.md +++ b/docs/Using Fleet/MDM-macOS-setup.md 
@@ -155,6 +155,8 @@ The SCEP certificates generated by Fleet and uploaded to the environment variabl By connecting Fleet to ABM, Macs purchased through Apple or an authorized reseller can automatically enroll to Fleet when they’re first unboxed and set up by your end user. +New or wiped macOS hosts that are in ABM, before they've been set up, appear in Fleet with **MDM status** set to "Pending". + This section will guide you through how to: 1. Generate certificate and private key for ABM @@ -226,11 +228,11 @@ Set Fleet to be the MDM for all future Macs purchased via Apple or an authorized 4. Click **MDM Server Assignment** 5. Switch Macs to the new Fleet instance. -### Step 6 (optional): set the default team for hosts enrolled via ABM +### Step 6: set the default team for hosts enrolled via ABM -All automatically-enrolled hosts will be assigned to a default team of your choosing after they are unboxed and set up. The host will receive the configurations and behaviors set for that team. If no default team is set, then the host will be placed in "No Teams". +All hosts that automatically enroll will be assigned to the default team. If no default team is set, then the host will be placed in "No team". -> A host can be transferred to a new (not default) team before it enrolls. Learn how [here](./Teams.md#transfer-hosts-to-a-team). Transferring a host will automatically enforce the new team's settings when it enrolls. +> A host can be transferred to a new (not default) team before it enrolls. Learn how [here](./Teams.md#transfer-hosts-to-a-team). Use either of the following methods to change the default team: 
@@ -250,9 +252,6 @@ Use either of the following methods to change the default team: 3. Run the `fleetctl apply -f ` command. -### Pending hosts -Some time after you purchase a Mac through Apple or an authorized reseller, but before it has been set up, the Mac will appear in ABM as in transit. When the Mac appears in ABM, it will also appear in Fleet with **MDM status** set to "Pending." After the new host is set up, the **MDM Status** will change to "On" and the host will be assigned to the default team. - ## Renewing ABM > Apple expires ABM server tokens certificates once every year or whenever the account that downloaded the token has their password changed.
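Review bot: The new paragraph in the `fleet-server-configuration.md` hunk contradicts itself on rotation: it states the pair "expires every 10 years" and in the same breath recommends "never change these unless they were compromised", which leaves an administrator with no guidance for the expiry case. Suggest a sentence covering planned rotation at expiry alongside the compromise case, and, since the next paragraph warns that changing the pair makes disk encryption keys unviewable until the end user resets them, state why (what ties the escrowed keys to the old pair) so admins can judge the blast radius before rotating. The phrase "no longer be viewable on all macOS hosts' **Host details** page" also reads as a clause about the page rather than the keys; "no longer be viewable on the **Host details** page of any macOS host" is clearer.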
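Review bot: In the `@@ -226,11 +228,11 @@` hunk, dropping "(optional)" from the Step 6 heading makes the step read as required, yet the rewritten body still describes what happens when no default team is set ("the host will be placed in \"No team\""), so the two disagree. Either keep "(optional)" or reword the body to say a default team must be chosen. The rewrite also drops the sentence "Transferring a host will automatically enforce the new team's settings when it enrolls."; that is the only line telling the reader that pre-enrollment transfer actually changes the applied configuration, so consider keeping it. Finally, "No Teams" became "No team"; confirm this matches the current UI label so the docs do not drift from the product.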
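Review bot: The `@@ -250,9 +252,6 @@` hunk removes the whole "Pending hosts" section, but the replacement sentence added in the `@@ -155,6 +155,8 @@` hunk only covers the "Pending" state. Two facts from the deleted text are now undocumented: that after the host is set up the **MDM status** changes to "On", and that it is then assigned to the default team. Suggest carrying those into the new sentence, e.g. "...appear in Fleet with **MDM status** set to "Pending"; after setup the status changes to "On" and the host is assigned to the default team."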