fleet/articles/what-api-endpoints-to-expose-to-the-public-internet.md
Noah Talerman 25112f2f50
Update article: What API endpoints to expose to the public internet (#16687)
- Update article according to match our current understand of MDM
features here:
https://github.com/fleetdm/fleet/issues/16633#issuecomment-1932811770
- Add Windows MDM endpoints.
2024-02-20 11:22:18 -05:00

5.5 KiB

Which API endpoints to expose to the public internet?

This guide details which API endpoints to make publicly accessible.

Managing hosts that can travel outside VPN or intranet

If you would like to manage hosts that can travel outside your VPN or intranet, we recommend only exposing the osquery endpoints to the public internet:

  • /api/osquery
  • /api/v1/osquery

Using Fleet Desktop on remote devices

If you are using Fleet Desktop and want it to work on remote devices, the bare minimum API to expose is /api/*/fleet/device/*/desktop. This minimal endpoint will only provide the number of failing policies.

For full Fleet Desktop and scripts functionality, /api/fleet/orbit/* and/api/fleet/device/ping must also be exposed.

Using fleetctl CLI from outside of your network

If you would like to use the fleetctl CLI from outside of your network, the following endpoints will also need to be exposed for fleetctl:

  • /api/setup
  • /api/*/setup
  • /api/*/fleet/*

Using Fleet's MDM features

macOS

If you would like to use Fleet's macOS MDM features, the following endpoints need to be exposed:

  • /mdm/apple/scep: Allows hosts to obtain a SCEP certificate.
  • /mdm/apple/mdm: Allows hosts to reach the server using the MDM protocol.
  • /api/mdm/apple/enroll: If you use automatic enrollment, allows hosts to get an enrollment profile.
  • /api/*/fleet/device/*: Provides end users access to their My device page.
    • This page is where they download their manual enrollment profile, rotate their disk encryption key, and use other features. For more information on these API endpoints see the documentation here.
  • /api/*/fleet/mdm/sso and /api/*/fleet/mdm/sso/callback: If you use automatic enrollment and you require end user authentication during out-of-the-box macOS setup, allows end users to authenticate with your IdP.
  • /api/*/fleet/mdm/setup/eula/*: If you use automatic enrollment and you require that the end user agrees to an End User License Agreement (EULA) during out-of-the-box macOS setup, allows end user to see the EULA.
  • /api/*/fleet/mdm/bootstrap: If you use automatic enrollment and you install a bootstrap package during out-of-the-box macOS setup, installs the bootstrap package.

The /mdm/apple/scep and /mdm/apple/mdm endpoints are outside of the /api path because they are not RESTful and are not intended for use by API clients or browsers.

Windows

If you would like to use Fleet's Windows MDM features, the following endpoints need to be exposed:

Advanced

The /api/*/fleet/* endpoints accessed by the fleetd agent can use mTLS with the certificate provided via the --fleet-tls-client-certificate flag in the fleetctl package command.

The /mdm/apple/mdm and /api/mdm/apple/enroll endpoints can use mTLS with the SCEP certificate issued by the Fleet server.

These endpoints don't use mTLS:

  • /mdm/apple/scep
  • /api/mdm/microsoft/discovery
  • /api/mdm/microsoft/auth
  • /api/mdm/microsoft/policy
  • /api/mdm/microsoft/enroll
  • /api/mdm/microsoft/management
  • /api/mdm/microsoft/tos

For macOS and Windows, the MDM client on the host will send the client certificate in a header. The Fleet server always does additional verification of this certificate.