mirror of
https://github.com/empayre/fleet.git
synced 2024-11-06 17:05:18 +00:00
175 lines
4.8 KiB
Go
175 lines
4.8 KiB
Go
package main
|
|
|
|
import (
|
|
"fmt"
|
|
"os"
|
|
|
|
apple_mdm "github.com/fleetdm/fleet/v4/server/mdm/apple"
|
|
"github.com/urfave/cli/v2"
|
|
)
|
|
|
|
func generateCommand() *cli.Command {
|
|
return &cli.Command{
|
|
Name: "generate",
|
|
Usage: "Generate certificates and keys required for MDM",
|
|
Flags: []cli.Flag{
|
|
configFlag(),
|
|
contextFlag(),
|
|
debugFlag(),
|
|
},
|
|
Subcommands: []*cli.Command{
|
|
generateMDMAppleCommand(),
|
|
generateMDMAppleBMCommand(),
|
|
},
|
|
}
|
|
}
|
|
|
|
func generateMDMAppleCommand() *cli.Command {
|
|
return &cli.Command{
|
|
Name: "mdm-apple",
|
|
Aliases: []string{"mdm_apple"},
|
|
Usage: "Generates certificate signing request (CSR) and key for Apple Push Notification Service (APNs) and certificate and key for Simple Certificate Enrollment Protocol (SCEP) to turn on MDM features.",
|
|
Flags: []cli.Flag{
|
|
&cli.StringFlag{
|
|
Name: "email",
|
|
Usage: "The email address to send the signed APNS csr to.",
|
|
Required: true,
|
|
},
|
|
&cli.StringFlag{
|
|
Name: "org",
|
|
Usage: "The organization requesting the signed APNS csr.",
|
|
Required: true,
|
|
},
|
|
&cli.StringFlag{
|
|
Name: "apns-key",
|
|
Usage: "The output path for the APNs private key.",
|
|
Value: apnsKeyPath,
|
|
},
|
|
&cli.StringFlag{
|
|
Name: "scep-cert",
|
|
Usage: "The output path for the SCEP CA certificate.",
|
|
Value: scepCACertPath,
|
|
},
|
|
&cli.StringFlag{
|
|
Name: "scep-key",
|
|
Usage: "The output path for the SCEP CA private key.",
|
|
Value: scepCAKeyPath,
|
|
},
|
|
},
|
|
Action: func(c *cli.Context) error {
|
|
email := c.String("email")
|
|
org := c.String("org")
|
|
apnsKeyPath := c.String("apns-key")
|
|
scepCACertPath := c.String("scep-cert")
|
|
scepCAKeyPath := c.String("scep-key")
|
|
|
|
// get the fleet API client first, so that any login requirement are met
|
|
// before printing the CSR output message.
|
|
client, err := clientFromCLI(c)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
fmt.Fprintf(
|
|
c.App.Writer,
|
|
`Sending certificate signing request (CSR) for Apple Push Notification service (APNs) to %s...
|
|
Generating APNs key, Simple Certificate Enrollment Protocol (SCEP) certificate, and SCEP key...
|
|
|
|
`,
|
|
email,
|
|
)
|
|
|
|
csr, err := client.RequestAppleCSR(email, org)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if err := os.WriteFile(apnsKeyPath, csr.APNsKey, defaultFileMode); err != nil {
|
|
return fmt.Errorf("failed to write APNs private key: %w", err)
|
|
}
|
|
if err := os.WriteFile(scepCACertPath, csr.SCEPCert, defaultFileMode); err != nil {
|
|
return fmt.Errorf("failed to write SCEP CA certificate: %w", err)
|
|
}
|
|
if err := os.WriteFile(scepCAKeyPath, csr.SCEPKey, defaultFileMode); err != nil {
|
|
return fmt.Errorf("failed to write SCEP CA private key: %w", err)
|
|
}
|
|
|
|
fmt.Fprintf(
|
|
c.App.Writer,
|
|
`Success!
|
|
|
|
Generated your APNs key at %s
|
|
|
|
Generated your SCEP certificate at %s
|
|
|
|
Generated your SCEP key at %s
|
|
|
|
Go to your email to download a CSR from Fleet. Then, visit https://identity.apple.com/pushcert to upload the CSR. You should receive an APNs certificate in return from Apple.
|
|
|
|
Next, use the generated certificates to deploy Fleet with `+"`mdm`"+` configuration: https://fleetdm.com/docs/deploying/configuration#mobile-device-management-mdm
|
|
`,
|
|
apnsKeyPath,
|
|
scepCACertPath,
|
|
scepCAKeyPath,
|
|
)
|
|
|
|
return nil
|
|
},
|
|
}
|
|
}
|
|
|
|
func generateMDMAppleBMCommand() *cli.Command {
|
|
return &cli.Command{
|
|
Name: "mdm-apple-bm",
|
|
Aliases: []string{"mdm_apple_bm"},
|
|
Usage: "Generate Apple Business Manager public and private keys to enable automatic enrollment for macOS hosts.",
|
|
Flags: []cli.Flag{
|
|
&cli.StringFlag{
|
|
Name: "public-key",
|
|
Usage: "The output path for the Apple Business Manager public key certificate.",
|
|
Value: bmPublicKeyCertPath,
|
|
},
|
|
&cli.StringFlag{
|
|
Name: "private-key",
|
|
Usage: "The output path for the Apple Business Manager private key.",
|
|
Value: bmPrivateKeyPath,
|
|
},
|
|
},
|
|
Action: func(c *cli.Context) error {
|
|
publicKeyPath := c.String("public-key")
|
|
privateKeyPath := c.String("private-key")
|
|
|
|
publicKeyPEM, privateKeyPEM, err := apple_mdm.NewDEPKeyPairPEM()
|
|
if err != nil {
|
|
return fmt.Errorf("generate key pair: %w", err)
|
|
}
|
|
|
|
if err := os.WriteFile(publicKeyPath, publicKeyPEM, defaultFileMode); err != nil {
|
|
return fmt.Errorf("write public key: %w", err)
|
|
}
|
|
|
|
if err := os.WriteFile(privateKeyPath, privateKeyPEM, defaultFileMode); err != nil {
|
|
return fmt.Errorf("write private key: %w", err)
|
|
}
|
|
|
|
fmt.Fprintf(
|
|
c.App.Writer,
|
|
`Success!
|
|
|
|
Generated your public key at %s
|
|
|
|
Generated your private key at %s
|
|
|
|
Visit https://business.apple.com/ and create a new MDM server with the public key. Then, download the new MDM server's token.
|
|
|
|
Next, deploy Fleet with with `+"`mdm`"+` configuration: https://fleetdm.com/docs/deploying/configuration#mobile-device-management-mdm
|
|
`,
|
|
publicKeyPath,
|
|
privateKeyPath,
|
|
)
|
|
|
|
return nil
|
|
},
|
|
}
|
|
}
|