fleet/tools/mdm/apple/dogfood.md
Lucas Manuel Rodriguez 9191f4ce66
Add Apple MDM functionality (#7940)
* WIP

* Adding DEP functionality to Fleet

* Better organize additional MDM code

* Add cmdr.py and amend API paths

* Fix lint

* Add demo file

* Fix demo.md

* go mod tidy

* Add munki setup to Fleet

* Add diagram to demo.md

* Add fixes

* Update TODOs and demo.md

* Fix cmdr.py and add TODO

* Add endpoints to demo.md

* Add more Munki PoC/demo stuff

* WIP

* Remove proposals from PoC

* Replace prepare commands with fleetctl commands

* Update demo.md with current state

* Remove config field

* Amend demo

* Remove Munki setup from MVP-Dogfood

* Update demo.md

* Add apple mdm commands (#7769)

* fleetctl enqueue mdm command

* fix deps

* Fix build

Co-authored-by: Lucas Rodriguez <lucas@fleetdm.com>

* Add command to upload installers

* go mod tidy

* fix subcommands help

There is a bug in urfave/cli where help text is not generated properly when subcommands
are nested too deep.

* Add support for installing apps

* Add a way to list enrolled devices

* Add dep listing

* Rearrange endpoints

* Move DEP routine to schedule

* Define paths globally

* Add a way to list enrollments and installers

* Parse device-ids as comma-separated string

* Remove unused types

* Add simple commands and nest under enqueue-command

* Fix simple commands

* Add help to enqueue-command

* merge apple_mdm database

* Fix commands

* update nanomdm

* Split nanomdm and nanodep schemas

* Set 512 MB in memory for upload

* Remove empty file

* Amend profile

* Add sample commands

* Add delete installers and fix bug in DEP profile assigning

* Add dogfood.md deployment guide

* Update schema.sql

* Dump schema with MySQL 5

* Set default value for authenticate_at

* add tokens to enrollment profiles

When a device downloads an MDM enrollment profile, verify the token passed
as a query parameter. This ensures untrusted devices don't enroll with
our MDM server.

- Rename enrollments to enrollment profiles. Enrollments is used by nano
  to refer to devices that are enrolled with MDM
- Rename endpoint /api/<version>/fleet/mdm/apple/enrollments to ../enrollmentprofiles
- Generate a token for authentication when creating an enrollment profile
- Return unauthorized if token is invalid when downloading an enrollment profile from /api/mdm/apple/enroll?token=

* remove mdm apple server url

* update docs

* make dump-test-schema

* Update nanomdm with missing prefix table

* Add docs and simplify changes

* Add changes file

* Add method docs

* Fix compile and revert prepare.go changes

* Revert migration status check change

* Amend comments

* Add more docs

* Clarify storage of installers

* Remove TODO

* Remove unused

* update dogfood.md

* remove cmdr.py

* Add authorization tests

* Add TODO comment

* use kitlog for nano logging

* Add yaml tags

* Remove unused flag

* Remove changes file

* Only run DEP routine if MDM is enabled

* Add docs to all new exported types

* Add docs

* more nano logging changes

* Fix unintentional removal

* more nano logging changes

* Fix compile test

* Use string for configs and fix config test

* Add docs and amend changes

* revert changes to basicAuthHandler

* remove exported BasicAuthHandler

* rename rego authz type

* Add more information to dep list

* add db tag

* update deps

* Fix schema

* Remove unimplemented

Co-authored-by: Michal Nicpon <39177923+michalnicp@users.noreply.github.com>
Co-authored-by: Michal Nicpon <michal@fleetdm.com>
2022-10-05 19:53:54 -03:00


# Guide for Infrastructure Team

## Memory requirements

The Fleet and MySQL servers will need an extra 500 MB of memory.

## MySQL

MySQL must be run with `--max_allowed_packet=536870912` (512 MB).

## Configuration

Apple MDM is enabled with the following configuration:

```
FLEET_MDM_APPLE_ENABLE=1
```

Additional configuration is generated using `fleetctl`. These credentials are highly sensitive and should be stored securely (e.g. in AWS Secrets Manager) and provided to Fleet via environment variables. Also ensure that `server_settings.server_url` is set to the public URL of the Fleet deployment; this should already be the case.

### SCEP

Generate the SCEP CA certificate and key:

```sh
fleetctl apple-mdm setup scep \
    --validity-years=5 \
    --cn "FleetDM" \
    --organization "Fleet Device Management Inc." \
    --organizational-unit "Fleet Device Management Inc." \
    --country US
```

The contents of the generated files must be stored securely and then fed to Fleet via the following environment variables:

```
FLEET_MDM_APPLE_SCEP_CA_CERT_PEM=<contents of SCEP CA certificate>
FLEET_MDM_APPLE_SCEP_CA_KEY_PEM=<contents of SCEP CA certificate key>
```

We also need to generate a random passphrase and store it somewhere (it's less sensitive than the other credentials defined herein, but for consistency it could be stored securely):

```
FLEET_MDM_APPLE_SCEP_CHALLENGE=<some random text>
```

For example, the challenge can be generated using `openssl`:

```sh
openssl rand -base64 24
```

### APN

Zach Wasserman will provide the Apple Push Notification service (APNs) certificate and key. The contents must be stored securely and provided to Fleet via the following environment variables:

```
FLEET_MDM_APPLE_MDM_PUSH_CERT_PEM=<contents of APNs certificate>
FLEET_MDM_APPLE_MDM_PUSH_KEY_PEM=<contents of APNs certificate key>
```

### DEP

Follow the instructions in DEP setup. The output is a `fleet-mdm-apple-dep.token` file whose contents must be stored securely and then provided to Fleet via an environment variable:

```
FLEET_MDM_APPLE_DEP_TOKEN=<contents of DEP token>
```
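A preflight check that the variables from the SCEP, APN and DEP sections above are all present and well-formed before Fleet is started, as an added example that is not part of Fleet or of this guide. It assumes the variables arrive as a dict (pass `dict(os.environ)` in practice), that every credential is mandatory once `FLEET_MDM_APPLE_ENABLE=1`, and a minimum challenge length of 16 characters; the PEM sample values are constructed placeholders.

```python
"""Preflight check for the Apple MDM variables this guide asks the team to set.
Added example, not Fleet's own code. Assumes a dict of variables (os.environ in
practice) and that all credentials are required once FLEET_MDM_APPLE_ENABLE=1;
PEM values are checked structurally only, key/cert pairing is left to openssl."""
import re

# Variable names are the guide's; the expected PEM labels are this example's.
PEM_VARS = {
    "FLEET_MDM_APPLE_SCEP_CA_CERT_PEM": "CERTIFICATE",
    "FLEET_MDM_APPLE_SCEP_CA_KEY_PEM": "PRIVATE KEY",
    "FLEET_MDM_APPLE_MDM_PUSH_CERT_PEM": "CERTIFICATE",
    "FLEET_MDM_APPLE_MDM_PUSH_KEY_PEM": "PRIVATE KEY",
}
MIN_CHALLENGE_LEN = 16  # assumption; `openssl rand -base64 24` gives 32 chars
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.+?-----END \1-----", re.S)


def pem_labels(value):
    """Labels of the well-formed PEM blocks in value, e.g. ['CERTIFICATE']."""
    return PEM_BLOCK.findall(value)


def check_mdm_env(env):
    """Return a list of problems; an empty list means the variables are consistent."""
    if env.get("FLEET_MDM_APPLE_ENABLE") != "1":
        return []  # MDM disabled: none of the credentials are required
    problems = []
    for name, expected in PEM_VARS.items():
        labels = pem_labels(env.get(name, ""))
        if not labels:
            problems.append(f"{name}: missing or not a PEM block")
        elif not all(l.endswith(expected) for l in labels):  # allows 'RSA PRIVATE KEY'
            problems.append(f"{name}: expected {expected}, got {labels}")
    if len(env.get("FLEET_MDM_APPLE_SCEP_CHALLENGE", "").strip()) < MIN_CHALLENGE_LEN:
        problems.append("FLEET_MDM_APPLE_SCEP_CHALLENGE: missing or too short")
    if not env.get("FLEET_MDM_APPLE_DEP_TOKEN", "").strip():
        problems.append("FLEET_MDM_APPLE_DEP_TOKEN: missing")
    return problems


def fake_pem(label):  # constructed placeholder body, not real key material
    return f"-----BEGIN {label}-----\nAAAAplaceholder\n-----END {label}-----\n"


SAMPLE_ENV = {  # constructed sample of a complete configuration
    "FLEET_MDM_APPLE_ENABLE": "1",
    "FLEET_MDM_APPLE_SCEP_CA_CERT_PEM": fake_pem("CERTIFICATE"),
    "FLEET_MDM_APPLE_SCEP_CA_KEY_PEM": fake_pem("RSA PRIVATE KEY"),
    "FLEET_MDM_APPLE_MDM_PUSH_CERT_PEM": fake_pem("CERTIFICATE"),
    "FLEET_MDM_APPLE_MDM_PUSH_KEY_PEM": fake_pem("PRIVATE KEY"),
    "FLEET_MDM_APPLE_SCEP_CHALLENGE": "constructed-challenge-value-only",
    "FLEET_MDM_APPLE_DEP_TOKEN": "constructed-dep-token",
}
```

Run `check_mdm_env(dict(os.environ))` in the deployment pipeline and refuse to start Fleet while the list is non-empty; a cert pasted into a `_KEY_PEM` variable or a truncated PEM is caught before a device ever tries to enroll.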