Connect end users to Wi-Fi/VPN: Example Windows profile (#36993)

Based on learnings w/ `pingali`:
https://docs.google.com/document/d/11sFA_IbgwH4OHv8QBTiRRSx-9cP-CcbdPe5ZQkGeDKg/edit?tab=t.0
Noah Talerman 2025-12-10 07:08:59 -08:00 committed by GitHub
parent dcc1e5454d
commit d87d07d8e8
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -71,9 +71,9 @@ When Fleet delivers the profile to your hosts, Fleet will replace the variables.
<array>
<dict>
<key>Password</key>
<string>$FLEET_VAR_DIGICERT_PASSWORD_CA_NAME</string>
<string>$FLEET_VAR_DIGICERT_PASSWORD_<CA_NAME></string>
<key>PayloadContent</key>
<data>$FLEET_VAR_DIGICERT_DATA_CA_NAME</data>
<data>$FLEET_VAR_DIGICERT_DATA_<CA_NAME></data>
<key>PayloadDisplayName</key>
<string>CertificatePKCS12</string>
<key>PayloadIdentifier</key>
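Review bot: the new `$FLEET_VAR_DIGICERT_PASSWORD_<CA_NAME>` and `$FLEET_VAR_DIGICERT_DATA_<CA_NAME>` values put literal angle brackets inside a plist, so the example is no longer well-formed XML if a reader pastes it without substituting the CA name, and the upload will fail at the parser rather than with a helpful message. A sentence next to the example saying that `<CA_NAME>` must be replaced with the name of the certificate authority as configured in Fleet (and that the resulting variable name must match exactly, since an unmatched variable will not be substituted) would make the placeholder convention explicit.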
@ -248,7 +248,7 @@ When the profile is delivered to your hosts, Fleet will replace the variables. I
<key>PayloadContent</key>
<dict>
<key>Challenge</key>
<string>$FLEET_VAR_SMALLSTEP_SCEP_CHALLENGE_CA_NAME</string>
<string>$FLEET_VAR_SMALLSTEP_SCEP_CHALLENGE_<CA_NAME></string>
<key>Key Type</key>
<string>RSA</string>
<key>Key Usage</key>
@ -271,7 +271,7 @@ When the profile is delivered to your hosts, Fleet will replace the variables. I
</array>
</array>
<key>URL</key>
<string>$FLEET_VAR_SMALLSTEP_SCEP_PROXY_URL_CA_NAME</string>
<string>$FLEET_VAR_SMALLSTEP_SCEP_PROXY_URL_<CA_NAME></string>
</dict>
<key>PayloadDisplayName</key>
<string>WIFI SCEP</string>
@ -431,7 +431,7 @@ When the profile is delivered to your hosts, Fleet will replace the variables. I
<key>PayloadContent</key>
<dict>
<key>Challenge</key>
<string>$FLEET_VAR_CUSTOM_SCEP_CHALLENGE_CA_NAME</string>
<string>$FLEET_VAR_CUSTOM_SCEP_CHALLENGE_<CA_NAME></string>
<key>Key Type</key>
<string>RSA</string>
<key>Key Usage</key>
@ -454,7 +454,7 @@ When the profile is delivered to your hosts, Fleet will replace the variables. I
</array>
</array>
<key>URL</key>
<string>$FLEET_VAR_CUSTOM_SCEP_PROXY_URL_CA_NAME</string>
<string>$FLEET_VAR_CUSTOM_SCEP_PROXY_URL_<CA_NAME></string>
</dict>
<key>PayloadDisplayName</key>
<string>WIFI SCEP</string>
@ -486,12 +486,12 @@ When the profile is delivered to your hosts, Fleet will replace the variables. I
<details>
<summary>Windows configuration profile</summary>
To get the CAThumbprint of your SCEP server, see the [advanced section](#how-to-get-the-cathumbprint-for-windows-scep-profiles) below.
All options in the example profile are required. To get the [CAThumbprint of your SCEP server] follow [these steps](#how-to-get-the-cathumbprint-for-windows-scep-profiles).
Any options listed under [Device/SCEP](https://learn.microsoft.com/en-us/windows/client-management/mdm/clientcertificateinstall-csp), can be configured with the SCEP profile.
You can add any other options listed under Device/SCEP in the [Microsoft documentation](https://learn.microsoft.com/en-us/windows/client-management/mdm/clientcertificateinstall-csp).
```xml
<Add>
<Replace>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/$FLEET_VAR_SCEP_WINDOWS_CERTIFICATE_ID</LocURI>
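Review bot: the added sentence `To get the [CAThumbprint of your SCEP server] follow [these steps](#how-to-get-the-cathumbprint-for-windows-scep-profiles).` has a bracketed phrase with no link target, so it will render with literal square brackets; suggest `To get the CAThumbprint of your SCEP server, follow [these steps](#how-to-get-the-cathumbprint-for-windows-scep-profiles).` The switch from `<Add>` to `<Replace>` in this and the following hunks is also not mentioned in the prose; a short note on why `Replace` is used (behaviour on hosts where the SCEP node already exists from an earlier deployment of this profile) would help readers who copied the previous version.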
@ -500,8 +500,8 @@ Any options listed under [Device/SCEP](https://learn.microsoft.com/en-us/windows
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Add>
<Add>
</Replace>
<Replace>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/$FLEET_VAR_SCEP_WINDOWS_CERTIFICATE_ID/Install/KeyUsage</LocURI>
@ -511,8 +511,8 @@ Any options listed under [Device/SCEP](https://learn.microsoft.com/en-us/windows
</Meta>
<Data>160</Data>
</Item>
</Add>
<Add>
</Replace>
<Replace>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/$FLEET_VAR_SCEP_WINDOWS_CERTIFICATE_ID/Install/KeyLength</LocURI>
@ -522,8 +522,8 @@ Any options listed under [Device/SCEP](https://learn.microsoft.com/en-us/windows
</Meta>
<Data>1024</Data>
</Item>
</Add>
<Add>
</Replace>
<Replace>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/$FLEET_VAR_SCEP_WINDOWS_CERTIFICATE_ID/Install/HashAlgorithm</LocURI>
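Review bot: the `KeyLength` value in this hunk is still `<Data>1024</Data>`, which is below the 2048-bit RSA minimum required by NIST SP 800-131A and commonly enforced by CAs; since the document says all options in the example are required, readers will copy this value as-is. Suggest `<Data>2048</Data>` so the example does not issue weak keys by default.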
@ -533,8 +533,8 @@ Any options listed under [Device/SCEP](https://learn.microsoft.com/en-us/windows
</Meta>
<Data>SHA-1</Data>
</Item>
</Add>
<Add>
</Replace>
<Replace>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/$FLEET_VAR_SCEP_WINDOWS_CERTIFICATE_ID/Install/SubjectName</LocURI>
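Review bot: `HashAlgorithm` remains `<Data>SHA-1</Data>` in this hunk; the ClientCertificateInstall CSP documentation linked above also lists `SHA-2` as an accepted value, and SHA-1 signatures are rejected by many current CAs and RADIUS deployments. Suggest `<Data>SHA-2</Data>` in the example, with SHA-1 mentioned only as a fallback for legacy SCEP servers if at all.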
@ -542,10 +542,10 @@ Any options listed under [Device/SCEP](https://learn.microsoft.com/en-us/windows
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>CN=$FLEET_VAR_SCEP_WINDOWS_CERTIFICATE_ID</Data>
<Data>CN=$FLEET_VAR_HOST_HARDWARE_SERIAL WIFI</Data>
</Item>
</Add>
<Add>
</Replace>
<Replace>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/$FLEET_VAR_SCEP_WINDOWS_CERTIFICATE_ID/Install/EKUMapping</LocURI>
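Review bot: the subject changes from `CN=$FLEET_VAR_SCEP_WINDOWS_CERTIFICATE_ID` to `CN=$FLEET_VAR_HOST_HARDWARE_SERIAL WIFI` without any explanation in the surrounding prose. Readers need to know that the RADIUS or NPS side must accept this `<serial> WIFI` naming, and that on hosts whose hardware serial is empty or not unique (virtual machines in particular) the request would carry a subject such as `CN= WIFI`; a sentence describing the expected subject and pointing out that the CA may reject or collide on such values would avoid surprises.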
@ -555,8 +555,8 @@ Any options listed under [Device/SCEP](https://learn.microsoft.com/en-us/windows
</Meta>
<Data>1.3.6.1.5.5.7.3.2</Data>
</Item>
</Add>
<Add>
</Replace>
<Replace>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/$FLEET_VAR_SCEP_WINDOWS_CERTIFICATE_ID/Install/ServerURL</LocURI>
@ -564,10 +564,10 @@ Any options listed under [Device/SCEP](https://learn.microsoft.com/en-us/windows
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>$FLEET_VAR_CUSTOM_SCEP_PROXY_URL_CA_NAME</Data>
<Data>$FLEET_VAR_CUSTOM_SCEP_PROXY_URL_<CA_NAME></Data>
</Item>
</Add>
<Add>
</Replace>
<Replace>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/$FLEET_VAR_SCEP_WINDOWS_CERTIFICATE_ID/Install/Challenge</LocURI>
@ -575,10 +575,10 @@ Any options listed under [Device/SCEP](https://learn.microsoft.com/en-us/windows
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>$FLEET_VAR_CUSTOM_SCEP_CHALLENGE_CA_NAME</Data>
<Data>$FLEET_VAR_CUSTOM_SCEP_CHALLENGE_<CA_NAME></Data>
</Item>
</Add>
<Add>
</Replace>
<Replace>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/$FLEET_VAR_SCEP_WINDOWS_CERTIFICATE_ID/Install/CAThumbprint</LocURI>
@ -586,9 +586,9 @@ Any options listed under [Device/SCEP](https://learn.microsoft.com/en-us/windows
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>2133EC6A3CFB8418837BB395188D1A62CA2B96A6</Data>
<Data><CA_THUMBPRINT></Data>
</Item>
</Add>
</Replace>
<Exec>
<Item>
<Target>
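Review bot: replacing the hard-coded thumbprint with `<CA_THUMBPRINT>` is the right call, but as with `<CA_NAME>` the angle brackets make `<Data><CA_THUMBPRINT></Data>` invalid XML until substituted, so the text should say that the placeholder is the 40-character SHA-1 hex string (no colons) obtained in the advanced section. Worth adding that the CSP uses this value to verify the CA certificate the SCEP server presents, so a wrong or rotated thumbprint makes enrollment fail rather than silently trusting the server.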
@ -807,11 +807,13 @@ Custom SCEP proxy:
### How to get the CAThumbprint for Windows SCEP profiles
An example CAThumprint looks like this: `2133EC6A3CFB8418837BB395188D1A62CA2B96A6`
Steps to get CAThumbrint from your SCEP server:
1. Use GetCACert operation to download certificate. For example, open in browser: https://scep-server-url/scep?operation=GetCACert
2. Run the following command to get the SHA1 Thumbprint
1. **Terminal (MacOS)** -> `openssl x509 -inform DER -in /path/to/downloaded-cert.cer -noout -fingerprint -sha1 | sed 's/sha1 Fingerprint=//; s/://g`
1. In your browser, open the following URL to download a certificate: https://<your-scep-server-url>/scep?operation=GetCACert
2. Run the following command to get the SHA1 Thumbprint:
1. **Terminal (macOS)** -> `openssl x509 -inform DER -in /path/to/downloaded-cert.cer -noout -fingerprint -sha1 | sed 's/sha1 Fingerprint=//; s/://g`
2. **PowerShell (Windows)** -> `$cert = Get-PfxCertificate -FilePath "Z:\scep (1).cer";$cert.Thumbprint`
3. It will return the SHA1 Thumbprint without colons and text. Copy this.
4. Use the copied value for `./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/$FLEET_VAR_SCEP_WINDOWS_CERTIFICATE_ID/Install/CAThumbprint` option.
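Review bot: the PowerShell line keeps a personal download path, `"Z:\scep (1).cer"`; use a generic path that mirrors the macOS line, e.g. `$cert = Get-PfxCertificate -FilePath "C:\path\to\downloaded-cert.cer"; $cert.Thumbprint`. While here, the unchanged context lines above still read `CAThumprint` and `CAThumbrint`; both should be `CAThumbprint`. One caveat the steps do not cover: a SCEP server that also has an RA certificate may answer `GetCACert` with a PKCS#7 bundle (content type `application/x-x509-ca-ra-cert`) rather than a single DER certificate, in which case `openssl x509 -inform DER` fails and the reader must first extract the CA certificate with `openssl pkcs7 -inform DER -print_certs`; mentioning this, and that the thumbprint must be taken from the CA certificate rather than the RA certificate, would save troubleshooting time.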