1f73ea6d6a
Added a guide for which API endpoints to expose and fixed an associated broken link. See https://github.com/fleetdm/fleet/issues/15115 for context. # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Manual QA for all new/changed functionality
1.9 KiB
Which API endpoints to expose to the public internet?
This guide details which API endpoints to make publicly accessible.
Managing hosts that can travel outside VPN or intranet
If you would like to manage hosts that can travel outside your VPN or intranet, we recommend only exposing the osquery endpoints to the public internet:
/api/osquery/api/v1/osquery
Using Fleet Desktop on remote devices
If you are using Fleet Desktop and want it to work on remote devices, the bare minimum API to expose is /api/latest/fleet/device/*/desktop. This minimal endpoint will only provide the number of failing policies.
For full Fleet Desktop and scripts functionality, /api/fleet/orbit/* and/api/fleet/device/ping must also be exposed.
Using fleetctl CLI from outsite of your network
If you would like to use the fleetctl CLI from outside of your network, the following endpoints will also need to be exposed for fleetctl:
/api/setup/api/v1/setup/api/latest/fleet/*/api/v1/fleet/*
Using Fleet's MDM features
If you would like to use Fleet's MDM features, the following endpoints need to be exposed:
/mdm/apple/scepto allow hosts to obtain a SCEP certificate./mdm/apple/mdmto allow hosts to reach the server using the MDM protocol./api/mdm/apple/enrollto allow DEP-enrolled devices to get an enrollment profile./api/*/fleet/device/*/mdm/apple/manual_enrollment_profileto allow manually enrolled devices to download an enrollment profile.
The
/mdm/apple/scepand/mdm/apple/mdmendpoints are outside of the/apipath because they are not RESTful and are not intended for use by API clients or browsers.