Remove very old and outdated MDM docs (#16043)

Running some cleanup of very old docs around initial MDM implementation.
Lucas Manuel Rodriguez 2024-01-11 11:53:51 -03:00 committed by GitHub
parent 3b2e97db89
commit e466b569d4
3 changed files with 0 additions and 387 deletions


@ -1,205 +0,0 @@
# Apple MDM Fleet Demo
## 0. Architecture
```mermaid
flowchart LR
subgraph Fleet [Fleet Server]
direction TB;
subgraph apiEndpoints ["Admin API endpoints"]
api["/api/_version_/fleet/mdm/apple/enrollmentprofiles
/api/_version_/fleet/mdm/apple/enqueue
/api/_version_/fleet/mdm/apple/commandresults
/api/_version_/fleet/mdm/apple/installers
/api/_version_/fleet/mdm/apple/devices
/api/_version_/fleet/mdm/apple/dep/devices"];
end
subgraph deviceEndpoints ["Apple Device Endpoints"];
enroll[".mobileconfig<br>/api/mdm/apple/enroll"];
installer[".mobileconfig<br>/api/mdm/apple/installer"];
end
subgraph nanoMDMModules ["nanoMDM modules"]
direction TB;
nanoSCEP["nanoSCEP<br>/mdm/apple/scep"];
nanoMDM["nanoMDM<br>/mdm/apple/mdm"];
nanoDEP["nanoDEP"];
end
fleetDB[(Fleet DB)];
end
ApplePush[https://api.push.apple.com];
AppleDEP[https://mdmenrollment.apple.com];
nanoDEP -- Apple MDM DEP API ----> AppleDEP;
nanoMDM --> ApplePush;
nanoSCEP --> fleetDB
nanoDEP --> fleetDB;
nanoMDM --> fleetDB;
```
## New Fleet Endpoints
1. API endpoints
- Path: `/api/_version_/fleet/mdm/apple/*`
- Authentication: Fleet admin authenticated
2. MDM protocol endpoints
- Path: `/mdm/apple/scep` and `/mdm/apple/mdm`.
- Authentication: MDM authentication.
3. Enroll endpoint
- Path: `/api/mdm/apple/enroll?token=`
- Authentication: A token is provided via a query parameter. SSO may be added later.
4. Installers URL (on manifest)
- Path: `/api/mdm/apple/installer?token=`
- Authentication: Secret token is provided via a query parameter.
## 1. Setup APNS Push Certificate and Key
From https://developer.apple.com/account, download push certificate and private key to:
- ~/mdm-apple-test/mdmcert.download.push.pem
- ~/mdm-apple-test/mdmcert.download.push.key
What we did for this test is:
- Zach has an account in https://mdmcert.download/
- Generate CSR with `mdmctl mdmcert.download -new -email=zach@fleetdm.com` (this step generates a private key too, place it in `~/mdm-apple-test/mdmcert.download.push.key`)
- Zach received a certificate `mdm_signed_request.20220712_121945_1267.plist.b64.p7`
- Decrypt the received CSR with `mdmctl mdmcert.download -decrypt=~/Downloads/mdm_signed_request.20220712_121945_1267.plist.b64.p7`
- Zach uploads the decrypted CSR to identity.apple.com and downloads the final certificate.
- Place certificate in `~/mdm-apple-test/mdmcert.download.push.pem`
## 2. SCEP setup
```sh
fleetctl apple-mdm setup scep \
--validity-years=1 \
--cn "Acme" \
--organization "Acme Inc." \
--organizational-unit "Acme Inc. IT" \
--country US
Successfully generated SCEP CA: fleet-mdm-apple-scep.crt, fleet-mdm-apple-scep.key.
Set FLEET_MDM_APPLE_SCEP_CA_CERT_PEM=$(cat fleet-mdm-apple-scep.crt) FLEET_MDM_APPLE_SCEP_CA_KEY_PEM=$(cat fleet-mdm-apple-scep.key) when running Fleet.
```
## 3. DEP setup
1. Init:
```sh
fleetctl apple-mdm setup dep init
Successfully generated DEP public and private key: fleet-mdm-apple-dep.crt, fleet-mdm-apple-dep.key
Upload fleet-mdm-apple-dep.crt to your Apple Business MDM server. (Don't forget to click "Save" after uploading it.)%
```
2. Copy file to ~/Downloads for easy access when uploading to Apple:
```sh
cp fleet-mdm-apple-dep.crt ~/Downloads/
```
3. In https://business.apple.com:
1. Under "Preferences" (which can be accessed via the upper-right dropdown menu), select your MDM server in "Your MDM Servers".
2. Click "Edit" and upload the generated `fleet-mdm-apple-dep.crt`.
3. Then download DEP token to a file named `./dep_encrypted_token.p7m`:
```sh
cp ~/Downloads/YourMDMServer_Token_2022-09-02T17-13-49Z_smime.p7m ./dep_encrypted_token.p7m
```
4. Finalize:
```sh
fleetctl apple-mdm setup dep finalize \
--certificate ./fleet-mdm-apple-dep.crt \
--private-key ./fleet-mdm-apple-dep.key \
--encrypted-token ./dep_encrypted_token.p7m
Successfully generated token file: fleet-mdm-apple-dep.token.
Set FLEET_MDM_APPLE_DEP_TOKEN=$(cat fleet-mdm-apple-dep.token) when running Fleet.
```
## 4. Run Fleet behind ngrok
Fleet needs to run behind TLS with a valid certificate (otherwise Apple devices won't trust it).
```sh
ngrok http https://localhost:8080
```
## 5. Run Fleet
```sh
FLEET_MDM_APPLE_SCEP_CHALLENGE=scepchallenge \
FLEET_MDM_APPLE_SCEP_CA_CERT_PEM=$(cat fleet-mdm-apple-scep.crt) \
FLEET_MDM_APPLE_SCEP_CA_KEY_PEM=$(cat fleet-mdm-apple-scep.key) \
FLEET_MDM_APPLE_DEP_TOKEN=$(cat fleet-mdm-apple-dep.token) \
FLEET_MDM_APPLE_MDM_PUSH_CERT_PEM=$(cat ~/mdm-apple-test/mdmcert.download.push.pem) \
FLEET_MDM_APPLE_MDM_PUSH_KEY_PEM=$(cat ~/mdm-apple-test/mdmcert.download.push.key) \
./build/fleet serve --dev --dev_license
```
Run the setup as usual (you will need a user for administrative commands below):
```sh
fleetctl setup \
--email foo@example.com \
--name Gandalf \
--password p4ssw0rd.123 \
--org-name "Fleet Device Management Inc."
```
Note, you will need to update the `server_settings.server_url` after setup and whenever you restart `ngrok`. This can be done with `fleetctl apply`.
```sh
cat <<EOF > config.yaml
apiVersion: v1
kind: config
spec:
server_settings:
server_url: "{{ngrok url}}"
EOF
fleetctl apply -f config.yaml
```
## 6. Create manual enrollment
```sh
fleetctl apple-mdm enrollment-profiles create-manual
Manual enrollment created, URL: https://{{ngrog url}}/api/mdm/apple/enroll?token={{token}}.
```
## 7. Create automatic (DEP) enrollment profile
There is a sample dep profile available at `tools/mdm/apple/dep_sample_profile.json` which can be used to create an automatic (DEP) enrollment profile.
```sh
fleetctl apple-mdm enrollment-profiles create-automatic --dep-profile ./tools/mdm/apple/dep_sample_profile.json
Automatic enrollment profile created, ID: 2
```
## 8. DEP Enroll
0. You need an uninitialized macOS VM with a specific configuration to allow for DEP testing.
Carefully follow https://travellingtechguy.blog/macos-big-sur-on-vmware-fusion-12/ to create a VMWare macOS VM with a serial number that Fleet's ABM manages (@lucasmrod has successfully created a "test DEP VM" following the above guide).
1. Assign the device to our "MDM server" in https://business.apple.com
2. Fleet should pick it up and assign an DEP enroll profile that points to itself (must wait for one minute after executing the `create-automatic` command).
3. Start the VM created in step (0).
### Examples
Get a list of enrolled devices:
```sh
fleetctl apple-mdm devices list
+--------------------------------------+---------------+----------+
| DEVICE ID | SERIAL NUMBER | ENROLLED |
+--------------------------------------+---------------+----------+
| D2F1D7F9-8EA9-4420-AF09-4C4EC4275D8A | CMXXXXXXXX | true |
+--------------------------------------+---------------+----------+
```
```
Install a profile to allow for enabling debug mode of MDM on a device (useful when developing/testing MDM features):
```sh
fleetctl apple-mdm enqueue-command InstallProfile --device-ids=D2F1D7F9-8EA9-4420-AF09-4C4EC4275D8A --mobileconfig ./tools/mdm/apple/turn_on_debug_mdm_logging.mobileconfig
```
Install 1Password on a macOS device:
```sh
fleetctl apple-mdm installers upload --path ~/Downloads/1Password-7.9.6.pkg
fleetctl apple-mdm enqueue-command InstallEnterpriseApplication --device-ids=D2F1D7F9-8EA9-4420-AF09-4C4EC4275D8A --installer-id=1
```
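Review bot: this demo doc is removed in full, but the infra guide deleted later in the same commit links to it (`https://github.com/fleetdm/fleet/blob/apple-mdm/tools/mdm/apple/demo.md#4-dep-setup`), so a repo-wide grep for `demo.md` and for the `fleetctl apple-mdm` subcommands shown here (`setup scep`, `setup dep init`, `enrollment-profiles create-manual`, `enqueue-command`) is worth doing to make sure no surviving doc or script still points at these steps. Removing it also drops several test-only values that should not live in docs (`FLEET_MDM_APPLE_SCEP_CHALLENGE=scepchallenge`, `--password p4ssw0rd.123`, an employee e-mail and a real-looking APNs CSR filename); if any environment was stood up by copy-pasting this page, the static `scepchallenge` value should be rotated, since the SCEP challenge is what gates device certificate issuance.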


@ -1,63 +0,0 @@
# Guide for Infrastructure Team
## Memory requirements
Fleet and MySQL servers will need +500 MB extra of memory.
## MySQL
MySQL must be run with `--max_allowed_packet=536870912` // 512 MB
## Configuration
Apple MDM is enabled with the following configuration:
```sh
FLEET_MDM_APPLE_ENABLE=1
```
Additional configuration is generated using `fleetctl`. These credentials are highly sensitive and should be stored securely (e.g. on AWS secretsmanager) and provided to Fleet via environment variables.
Also, ensure that `server_settings.server_url` is set to the public URL of the Fleet deployment. This should already be the case.
### SCEP
Generate SCEP CA certificate and key:
```sh
fleetctl apple-mdm setup scep \
--validity-years=5 \
--cn "FleetDM" \
--organization "Fleet Device Management Inc." \
--organizational-unit "Fleet Device Management Inc." \
--country US
```
The content of such generated files must be stored securely and then fed to Fleet via the following environment variables:
```sh
FLEET_MDM_APPLE_SCEP_CA_CERT_PEM=<contents of SCEP CA certificate>
FLEET_MDM_APPLE_SCEP_CA_KEY_PEM=<contents of SCEP CA certificate key>
```
We also need to generate a random passphrase and store it somewhere (it's less sensitive than the other credentials defined herein, but for consistency it could be stored securely).
```
FLEET_MDM_APPLE_SCEP_CHALLENGE=<some random text>
```
For example, the challenge can be generated using `openssl`
```sh
openssl rand -base64 24
```
### APN
Zach Wasserman will provide the Apple Push Notification service (APNs) certificate and key. The contents must be stored securely and be provided to Fleet via the following environment variables:
```sh
FLEET_MDM_APPLE_MDM_PUSH_CERT_PEM=<contents of APNs certificate>
FLEET_MDM_APPLE_MDM_PUSH_KEY_PEM=<contents of APNs certificate key>
```
### DEP
Follow the instructions in [DEP setup](https://github.com/fleetdm/fleet/blob/apple-mdm/tools/mdm/apple/demo.md#4-dep-setup).
The output is a `fleet-mdm-apple-dep.token` file which contents must be stored securely and then provided to Fleet via an environment variable:
```sh
FLEET_MDM_APPLE_DEP_TOKEN=<contents of DEP token>
```
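Review bot: the DEP section's link (`.../blob/apple-mdm/tools/mdm/apple/demo.md#4-dep-setup`) pointed at a branch-specific path and at an anchor that did not match the demo's `## 3. DEP setup` heading, so it was already dead; fine to drop. Before merging, confirm that the operational requirements stated only here are captured in the current configuration reference: the `FLEET_MDM_APPLE_*` environment variables (SCEP CA cert/key, SCEP challenge, APNs cert/key, DEP token), the guidance that these be sourced from a secrets manager rather than plain config, `server_settings.server_url` needing to be the public URL, and the MySQL `--max_allowed_packet=536870912` requirement. The `FLEET_MDM_APPLE_ENABLE=1` flag should likewise be checked against the present config loader so no user is left looking for a removed knob.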


@ -1,119 +0,0 @@
#!/bin/bash
#
# Test script to setup a local Munki repository for demo/testing purposes.
# Sets latest Firefox dmg on a client manifest.
#
if [[ -z "$REPO_DIR" ]]; then
echo "Set REPO_DIR to an absolute file path."
exit 1
fi
if [[ $REPO_DIR != /* ]]; then
echo "REPO_DIR must be an absolute file path."
exit 1
fi
if [[ -d "$REPO_DIR" ]]; then
echo -n "REPO_DIR=$REPO_DIR already exists, press any key to delete and continue... "
read
rm -rf $REPO_DIR
fi
mkdir -p $REPO_DIR/catalogs
mkdir $REPO_DIR/icons
mkdir $REPO_DIR/manifests
mkdir $REPO_DIR/pkgs
mkdir $REPO_DIR/pkgsinfo
curl -L "https://download.mozilla.org/?product=firefox-latest-ssl&os=osx&lang=en-US" --output firefox.dmg
curl -L "https://app-updates.agilebits.com/download/OPM7" --output 1password7.pkg
curl -L "https://github.com/macadmins/nudge/releases/download/v1.1.8.81422/Nudge-1.1.8.81422.pkg" --output nudge.pkg
curl -L "https://iterm2.com/downloads/stable/iTerm2-3_4_16.zip" --output iterm2.zip
unzip iterm2.zip
rm iterm2.zip
curl -L "https://central.github.com/deployments/desktop/desktop/latest/darwin" --output github.zip
unzip github.zip
rm github.zip
# No other (non-interactive) way to set the repo url for manifestutil.
defaults write ~/Library/Preferences/com.googlecode.munki.munkiimport.plist "repo_url" "file://$REPO_DIR"
defaults write ~/Library/Preferences/com.googlecode.munki.munkiimport.plist "default_catalog" "testing"
# Add Firefox with "--unattended_install" (dmg).
/usr/local/munki/munkiimport \
--nointeractive \
--subdirectory=apps/mozilla \
--displayname="Mozilla Firefox" \
--description="Fox on fire" \
--category=Internet \
--developer=Mozilla \
--catalog=testing \
--extract_icon \
--unattended_install \
firefox.dmg
# Add 1Password (pkg).
/usr/local/munki/munkiimport \
--nointeractive \
--subdirectory=apps/agilebits \
--displayname="1Password 7" \
--description="P4ssw0rd M4n4g3r" \
--category=Internet \
--developer=AgileBits \
--catalog=testing \
--extract_icon \
1password7.pkg
# Add Nudge with "--unattended_install" (pkg).
/usr/local/munki/munkiimport \
--nointeractive \
--subdirectory=apps/macadmins \
--displayname="Nudge" \
--description="Annoying but effective" \
--category=Internet \
--developer=MacAdmins \
--catalog=testing \
--extract_icon \
--unattended_install \
nudge.pkg
# Add iTerm2 app.
/usr/local/munki/munkiimport \
--nointeractive \
--subdirectory=apps/iterm2 \
--displayname="iTerm2" \
--description="Best terminal in town" \
--category=Console \
--developer=iTerm2 \
--catalog=testing \
--extract_icon \
iTerm.app
# Add Github app.
/usr/local/munki/munkiimport \
--nointeractive \
--subdirectory=apps/github \
--displayname="Github Desktop" \
--description="Github 4 Desktop" \
--category=Development \
--developer=Github \
--catalog=testing \
--extract_icon \
"Github Desktop.app"
/usr/local/munki/makecatalogs
/usr/local/munki/manifestutil new-manifest site_default
/usr/local/munki/manifestutil add-catalog testing --manifest site_default
/usr/local/munki/manifestutil add-pkg Firefox --manifest site_default
/usr/local/munki/manifestutil add-pkg 1password --manifest site_default
/usr/local/munki/manifestutil add-pkg nudge --manifest site_default
/usr/local/munki/manifestutil add-pkg iTerm2 --manifest site_default --section optional_installs
/usr/local/munki/manifestutil add-pkg "GitHub Desktop" --manifest site_default --section featured_items
/usr/local/munki/manifestutil add-pkg "GitHub Desktop" --manifest site_default --section optional_installs
rm -r firefox.dmg nudge.pkg 1password7.pkg iTerm.app "Github Desktop.app"
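Review bot: removing this script is the right call rather than fixing it: it runs `rm -rf $REPO_DIR` with the variable unquoted after a bare `read`, and it pulls unpinned "latest" installers (Firefox, 1Password, GitHub Desktop) over HTTPS with no checksum or signature verification before importing them into a Munki catalog, which is not something a test helper in the main repo should encourage. Please also confirm no Makefile target, CI job or remaining doc invokes it, and that the `com.googlecode.munki.munkiimport.plist` defaults it writes are not assumed by anything else in `tools/`.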