mirror of
https://github.com/fleetdm/fleet
synced 2026-05-15 13:08:42 +00:00
**Related issue:** Resolves #34542

- Added SCEP endpoint for issuing certs for conditional access for Okta. Functionally similar to host identity and Apple MDM SCEP endpoints.
- Changes file will be added later (this is a sub-task of the feature).
- A standard SCEP payload can be used to get a cert to an Apple device:

```xml
<!-- SCEP Configuration -->
<dict>
    <key>PayloadContent</key>
    <dict>
        <key>URL</key>
        <string>https://myfleet.example.com/api/fleet/conditional_access/scep</string>
        <key>Challenge</key>
        <string>ENROLLMENT_SECRET</string>
        <key>Keysize</key>
        <integer>2048</integer>
        <key>Key Type</key>
        <string>RSA</string>
        <key>Key Usage</key>
        <integer>5</integer>
        <key>ExtendedKeyUsage</key>
        <array>
            <string>1.3.6.1.5.5.7.3.2</string>
        </array>
        <key>Subject</key>
        <array>
            <array>
                <array>
                    <string>CN</string>
                    <string>Fleet conditional access for Okta</string>
                </array>
            </array>
        </array>
        <key>SubjectAltName</key>
        <dict>
            <key>uniformResourceIdentifier</key>
            <array>
                <string>urn:device:apple:uuid:%HardwareUUID%</string>
            </array>
        </dict>
        <key>Retries</key>
        <integer>3</integer>
        <key>RetryDelay</key>
        <integer>10</integer>
        <!-- ACL for browser access -->
        <key>AllowAllAppsAccess</key>
        <true/>
        <!-- Set true for Safari access. Set false if Safari support not needed. -->
        <key>KeyIsExtractable</key>
        <false/>
    </dict>
    <key>PayloadDescription</key>
    <string>Configures SCEP for Fleet conditional access for Okta certificate</string>
    <key>PayloadDisplayName</key>
    <string>Fleet conditional access SCEP</string>
    <key>PayloadIdentifier</key>
    <string>com.fleetdm.conditional-access-scep</string>
    <key>PayloadType</key>
    <string>com.apple.security.scep</string>
    <key>PayloadUUID</key>
    <string>B2C3D4E5-F6A7-4B6C-9D8E-0F1A2B3C4D5E</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
```

# Checklist for submitter

## Testing

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually

## Database migrations

- [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`).

## Summary by CodeRabbit

## New Features

* Adds Conditional Access SCEP certificate enrollment support, enabling hosts to obtain device identity certificates through secure certificate enrollment protocol endpoints.
* Implements rate limiting for certificate enrollment requests to prevent abuse.

## Tests

* Adds comprehensive integration tests for Conditional Access SCEP functionality, including certificate operations, rate limiting validation, and edge cases.
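The following is an added example in Go (the project's language), not Fleet's code and not the implementation in this PR. It shows the two halves of the enrollment the payload above drives: what the device puts into the PKCS#10 request (the payload's `Challenge` as the challengePassword attribute, the `urn:device:apple:uuid:` URI as the SubjectAltName, a 2048-bit RSA key) and an illustrative policy a CA behind such an endpoint should apply before issuing: proof of possession, a constant-time challenge check, minimum key size, and a SAN that is exactly the expected device URI. The hardware UUID, the policy and all function names are assumptions for the example; Fleet's actual checks are not shown on this page.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// Constructed values mirroring the payload above; the hardware UUID is made up.
const enrollmentSecret = "ENROLLMENT_SECRET"
const deviceURI = "urn:device:apple:uuid:6F3B2D8E-1C4A-4E2B-9A7D-0B1C2D3E4F50"
var oidChallengePassword = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 7}

// PKCS#10 shapes from RFC 2986 section 4; crypto/x509 keeps its own unexported.
type pkcs10Attribute struct {
	Type   asn1.ObjectIdentifier
	Values []asn1.RawValue `asn1:"set"`
}
type tbsCSR struct {
	Version       int
	Subject       asn1.RawValue
	PublicKey     asn1.RawValue
	RawAttributes []asn1.RawValue `asn1:"tag:0"`
}
type certificationRequest struct {
	TBS                asn1.RawValue
	SignatureAlgorithm pkix.AlgorithmIdentifier
	Signature          asn1.BitString
}

// buildSCEPCSR is the device side: a CSR carrying the payload's Challenge as the
// challengePassword attribute and the device URI as SubjectAltName, assembled by hand
// because x509.CreateCertificateRequest has no way to emit challengePassword.
func buildSCEPCSR(key *rsa.PrivateKey, cn, uri, challenge string) ([]byte, error) {
	spki, _ := x509.MarshalPKIXPublicKey(&key.PublicKey) // the Marshal calls below cannot fail on these fixed shapes
	subject, _ := asn1.Marshal(pkix.Name{CommonName: cn}.ToRDNSequence())
	san, _ := asn1.Marshal([]asn1.RawValue{{Class: asn1.ClassContextSpecific, Tag: 6, Bytes: []byte(uri)}}) // [6] IMPLICIT IA5String
	exts, _ := asn1.Marshal([]pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 17}, Value: san}})
	chalAttr, _ := asn1.Marshal(pkcs10Attribute{oidChallengePassword, []asn1.RawValue{{Tag: asn1.TagUTF8String, Bytes: []byte(challenge)}}})
	extAttr, _ := asn1.Marshal(pkcs10Attribute{asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 14}, []asn1.RawValue{{FullBytes: exts}}})
	tbs, _ := asn1.Marshal(tbsCSR{Subject: asn1.RawValue{FullBytes: subject}, PublicKey: asn1.RawValue{FullBytes: spki},
		RawAttributes: []asn1.RawValue{{FullBytes: chalAttr}, {FullBytes: extAttr}}})
	digest := sha256.Sum256(tbs) // proof of possession: the enrolling key signs the TBS
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return asn1.Marshal(certificationRequest{TBS: asn1.RawValue{FullBytes: tbs},
		SignatureAlgorithm: pkix.AlgorithmIdentifier{Algorithm: asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 11}, Parameters: asn1.NullRawValue},
		Signature:          asn1.BitString{Bytes: sig, BitLength: len(sig) * 8}})
}

// challengePassword reads the attribute back from the raw TBS, because
// x509.ParseCertificateRequest silently drops attributes it cannot type.
func challengePassword(csr *x509.CertificateRequest) (string, error) {
	var tbs tbsCSR
	if _, err := asn1.Unmarshal(csr.RawTBSCertificateRequest, &tbs); err != nil {
		return "", err
	}
	for _, raw := range tbs.RawAttributes {
		var attr pkcs10Attribute
		var pw string
		if _, err := asn1.Unmarshal(raw.FullBytes, &attr); err == nil && attr.Type.Equal(oidChallengePassword) && len(attr.Values) == 1 {
			_, err = asn1.Unmarshal(attr.Values[0].FullBytes, &pw)
			return pw, err
		}
	}
	return "", fmt.Errorf("csr has no challengePassword attribute")
}

// validateSCEPRequest is an illustrative CA-side policy, not Fleet's: proof of possession,
// constant-time challenge check, key size, and a SAN that is exactly the expected device URI.
func validateSCEPRequest(der []byte, secret, wantURI string) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	pw, err := challengePassword(csr)
	pub, ok := csr.PublicKey.(*rsa.PublicKey)
	switch {
	case err != nil:
		return nil, err
	case subtle.ConstantTimeCompare([]byte(pw), []byte(secret)) != 1:
		return nil, fmt.Errorf("challenge password does not match enrollment secret")
	case !ok || pub.N.BitLen() < 2048:
		return nil, fmt.Errorf("key must be RSA with at least 2048 bits")
	case len(csr.URIs) != 1 || csr.URIs[0].String() != wantURI || len(csr.DNSNames)+len(csr.EmailAddresses)+len(csr.IPAddresses) != 0:
		return nil, fmt.Errorf("SubjectAltName must be exactly %s", wantURI)
	}
	return csr, nil
}
```

Two things worth knowing when reading this against a real SCEP CA: Go's `crypto/x509` cannot write or read the challengePassword attribute, so both the hand-built TBS and the extractor above are needed if the server is in Go; and the SCEP transport itself (the PKCS#7 pkiMessage envelope around the CSR and the GetCACert/PKIOperation round trips) is outside this example, which only covers the CSR contents and the issuing decision.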
Directory contents:

- bulk-operations-dashboard
- cis
- fleetctl
- fleetd-chrome
- maintained-apps
- orbit/pkg
- server
- tools
- vulnerability-dashboard
- LICENSE
- README.md
Welcome to the "source available" section of the Fleet codebase. Please note files and functionality under this directory are covered by the Fleet EE License, and require a valid Fleet subscription for production use. See the full license for details.