fleet

empayre/fleet

Fork 0

mirror of https://github.com/empayre/fleet.git synced 2024-11-06 08:55:24 +00:00

Commit Graph

Author	SHA1	Message	Date
Dante Catalfamo	bd3e775e67	Windows MDM Fix Manual Detection (#17721 ) #15565 Replace the use of the isFederated registry key with a keys that check for AAD (Azure Active Directory, now Entra ID) Federated enrollment (`isFederated`) seems to be when windows uses a Discovery MDM endpoint to get its policy and management endpoint configuration. This is always the case when a client is enrolled with fleet, so installations always show up as automatic. It's being replaced by a different key, `AADResourceID`, which appears to identify the resource that controls the automated deployment. In my tests it only appears to be populated when the computer is enrolled through automated deployments. This key appears on both Windows 10 and 11. There is a similar key, `AADTenantID`, which appears to identify the client (tenant) to the Azure cloud. I haven't seen this ID in our systems, so it is likely exclusively used in Azure. Both this key and `AADResourceID` seem to always be set at the same time, so we only check for the `AADResourceID`. I've also added documentation on the registry keys I've analyzed for future reference.	2024-03-21 15:09:05 -04:00
Eric	29e66efc19	Website: Add required meta tag to page in contributing documentation (#17668 ) Changes: - Added a `pageOrderInSection` `<meta>` tag to the `windows-mdm-glossary-and-protocol.md`	2024-03-15 13:19:54 -05:00
Dante Catalfamo	58dc1d4502	Create initial windows MDM glossary and diagram document (#17507 ) ```mermaid sequenceDiagram participant windows as Windows participant orbit as Orbit participant server as fleet server loop every 30 seconds orbit->>+server: POST /api/fleet/orbit/config server-->>-orbit: pending notifications end note over orbit: receive enrollment notification orbit->>windows: mdmregistration.dll<br/>RegisterDeviceWithManagement windows->>+server: POST /api/mdm/microsoft/discovery server-->>-windows: EnrollmentServiceURL, EnrollmentPolicyServiceUrl windows->>+server: POST /api/mdm/microsoft/policy<br/>DeviceEnrollmentUserToken server-->>-windows: Policy Schema, Certificate requirements activate windows note left of windows: Generate keypair deactivate windows windows->>+server: POST /api/mdm/microsoft/enroll<br/>Self-signed CSR & cert values note right of server: Creates certificate signed by WSTEP ident key server-->>-windows: Signed certificate, management endpoint, enrollment parameters loop SYNCML MDM Protocol (mTLS) windows->>+server: POST /api/mdm/microsoft/management server-->>-windows: Response end ```	2024-03-15 10:02:47 -04:00

Author

SHA1

Message

Date

Dante Catalfamo

bd3e775e67

Windows MDM Fix Manual Detection (#17721 )

#15565 

Replace the use of the isFederated registry key with a keys that check
for AAD (Azure Active Directory, now Entra ID)

Federated enrollment (`isFederated`) seems to be when windows uses a
Discovery MDM endpoint to get its policy and management endpoint
configuration. This is always the case when a client is enrolled with
fleet, so installations always show up as automatic.

It's being replaced by a different key, `AADResourceID`, which appears
to identify the resource that controls the automated deployment. In my
tests it only appears to be populated when the computer is enrolled
through automated deployments. This key appears on both Windows 10 and
11.

There is a similar key, `AADTenantID`, which appears to identify the
client (tenant) to the Azure cloud. I haven't seen this ID in our
systems, so it is likely exclusively used in Azure. Both this key and
`AADResourceID` seem to always be set at the same time, so we only
check for the `AADResourceID`.

I've also added documentation on the registry keys I've analyzed for future reference.

2024-03-21 15:09:05 -04:00

Eric

29e66efc19

Website: Add required meta tag to page in contributing documentation (#17668 )

Changes:
- Added a `pageOrderInSection` `<meta>` tag to the
`windows-mdm-glossary-and-protocol.md`

2024-03-15 13:19:54 -05:00

Dante Catalfamo

58dc1d4502

Create initial windows MDM glossary and diagram document (#17507 )

```mermaid
sequenceDiagram
    participant windows as Windows
    participant orbit as Orbit
    participant server as fleet server
    loop every 30 seconds
        orbit->>+server: POST /api/fleet/orbit/config
        server-->>-orbit: pending notifications
    end
    note over orbit: receive enrollment notification
    orbit->>windows: mdmregistration.dll<br/>RegisterDeviceWithManagement
    windows->>+server: POST /api/mdm/microsoft/discovery
    server-->>-windows: EnrollmentServiceURL, EnrollmentPolicyServiceUrl
    windows->>+server: POST /api/mdm/microsoft/policy<br/>DeviceEnrollmentUserToken
    server-->>-windows: Policy Schema, Certificate requirements
    activate windows
    note left of windows: Generate keypair
    deactivate windows
    windows->>+server: POST /api/mdm/microsoft/enroll<br/>Self-signed CSR & cert values
    note right of server: Creates certificate signed by WSTEP ident key
    server-->>-windows: Signed certificate, management endpoint, enrollment parameters
    loop SYNCML MDM Protocol (mTLS)
        windows->>+server: POST /api/mdm/microsoft/management
        server-->>-windows: Response
    end
```

2024-03-15 10:02:47 -04:00

3 Commits