fleet/docs/solutions
Adam Baali e51561914b
Add Windows SCEP profile with Exec support and $FLEET_VAR_HOST_HARDWARE_SERIAL for Okta certificate enrollment (#39204)
This pull request updates the Okta Verify on Windows SCEP configuration
documentation and profile to simplify deployment with Fleet and reduce
manual steps. The changes make the process more reliable by
standardizing variable usage, improving instructions, and automating
certificate enrollment.

**Key improvements and changes:**

**Documentation and workflow simplification:**
- The guide in
`articles/enable-okta-verify-on-windows-using-a-scep-configuration-profile.md`
was rewritten for clarity and to reflect the new automated approach.
Manual editing of XML and scripts is no longer needed; Fleet-managed
variables and secrets now handle all required values. Steps for
gathering prerequisites, deploying, verifying, and renewing certificates
are streamlined, and troubleshooting guidance is expanded.

- The subject name in the certificate is now set to use the hardware
serial (`$FLEET_VAR_HOST_HARDWARE_SERIAL`) instead of the host UUID,
improving uniqueness and traceability.
([docs/solutions/windows/configuration-profiles/install Okta attestation
certificate -
[Bundle].xmlL77-R89](diffhunk://#diff-d8fc2c8add5725599bdc41a7b417dc3978cfc34eb6fcb8950db513f2b5799aa5L77-R89))

**Secret management and security:**
- The configuration profile now references Fleet secrets
(`$FLEET_SECRET_OKTA_SCEP_URL`, `$FLEET_SECRET_OKTA_SCEP_CHALLENGE`,
`$FLEET_SECRET_OKTA_CA_THUMBPRINT`) directly, removing the need for
manual substitution and reducing risk of misconfiguration.
([docs/solutions/windows/configuration-profiles/install Okta attestation
certificate -
[Bundle].xmlL98-R141](diffhunk://#diff-d8fc2c8add5725599bdc41a7b417dc3978cfc34eb6fcb8950db513f2b5799aa5L98-R141))

**Automated certificate enrollment:**
- An `<Exec>` command is added to the XML profile to automatically
trigger SCEP enrollment upon deployment, further reducing manual
intervention. ([docs/solutions/windows/configuration-profiles/install
Okta attestation certificate -
[Bundle].xmlL98-R141](diffhunk://#diff-d8fc2c8add5725599bdc41a7b417dc3978cfc34eb6fcb8950db513f2b5799aa5L98-R141))

These changes make the Okta Verify SCEP configuration for Windows much
easier to deploy and maintain, with improved automation and clearer
instructions.

---------

Co-authored-by: Brock Walters <153771548+nonpunctual@users.noreply.github.com>
2026-02-03 16:47:53 +01:00
all added .keep file to add empty folders (#35109) 2025-11-03 11:45:48 -05:00
android/configuration-profiles Rename Android config profiles for consistency (#37486) 2025-12-19 09:43:38 -06:00
api-scripts For Github issue: 13323 (#36840) 2025-12-12 10:17:28 -08:00
docker-compose Pin MySQL and Redis images in docker-compose.yml (#38759) 2026-01-25 14:09:30 -08:00
ios-ipados Tines reorg (#37731) 2025-12-29 13:04:49 -06:00
linux added .keep file to add empty folders (#35109) 2025-11-03 11:45:48 -05:00
macos Add Suppress iWork Upgrade Prompt (#39052) 2026-01-30 09:18:31 -05:00
tines Upload Import IdP users Tines workflow (#38701) 2026-01-23 12:03:30 -06:00
windows Add Windows SCEP profile with Exec support and $FLEET_VAR_HOST_HARDWARE_SERIAL for Okta certificate enrollment (#39204) 2026-02-03 16:47:53 +01:00
README.md Solutions symlinks (#37732) 2025-12-29 12:42:56 -06:00

Solutions

Best Practices

General

  • Name the file what the profile does.
    • For example, instead of googlePlayProtectVerifyApps.json (the name of the Android policy for this control), describe what it does: enforce-google-play-protect.json.
  • Use kebab case in file names, with all letters in lowercase.
    • Instead of passwordPolicy.json, use password-policy.json.
  • Be sure to end files with a trailing newline.

If a solution is applicable to multiple platforms, keep the original in the main platform directory and symlink it to the other platforms. For example, if an Apple configuration profile can be used on both macOS and iOS, use macOS as the source, and create a symlink in the iOS directory.

  • cd docs/solutions/ios-ipados/configuration-profiles/
    • Note that this is the destination that we want the symlink to be in.
  • ln -s ../../macos/configuration-profiles/my-profile.mobileconfig .
    • The . here at the end means the current directory, and will use the same file name as the original (which is what we want).
  • git add my-profile.mobileconfig
    • Stage the symlink itself (it carries the same file name as the original); git records it as a link, not as a copy of the file.
  • git commit
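The symlink steps above, carried out end to end with a verification a practitioner would want before committing: that the link is relative, resolves to an existing file, and that git stages it as a symlink rather than as a copied file. This is an added example, not part of the Fleet README; it assumes a throwaway git repository in a temporary directory and uses the placeholder profile name `my-profile.mobileconfig` from the README.

```shell
#!/bin/sh
# Added example (not Fleet's own code): create the cross-platform symlink the
# README describes and verify it before committing. Assumes a throwaway git
# repo in a temp dir and the placeholder name "my-profile.mobileconfig".
set -eu

# make_fixture: build a scratch repo mirroring
# docs/solutions/{macos,ios-ipados}/configuration-profiles with a constructed
# macOS profile as the source. Prints the repo path.
make_fixture() {
  tmp=$(mktemp -d)
  git -C "$tmp" init -q
  mkdir -p "$tmp/docs/solutions/macos/configuration-profiles" \
           "$tmp/docs/solutions/ios-ipados/configuration-profiles"
  # Constructed placeholder content; a real profile is a full plist.
  printf '<?xml version="1.0"?>\n' \
    > "$tmp/docs/solutions/macos/configuration-profiles/my-profile.mobileconfig"
  printf '%s\n' "$tmp"
}

# link_profile REPO PROFILE: the README's "cd" + "ln -s ... ." steps. The link
# is created from inside the iOS directory so the stored target stays relative
# and survives a clone to any path.
link_profile() {
  repo=$1; profile=$2
  ( cd "$repo/docs/solutions/ios-ipados/configuration-profiles" &&
    ln -s "../../macos/configuration-profiles/$profile" . )
}

# verify_link REPO PROFILE: succeed only if the path is a symlink, resolves to
# an existing file, and git stages it with mode 120000 (a symlink entry), so a
# reviewer can tell a linked profile from an accidental duplicate.
verify_link() {
  repo=$1; profile=$2
  rel="docs/solutions/ios-ipados/configuration-profiles/$profile"
  link="$repo/$rel"
  [ -L "$link" ] || { echo "not a symlink: $link" >&2; return 1; }
  [ -e "$link" ] || { echo "dangling symlink: $link" >&2; return 1; }
  git -C "$repo" add "$rel"
  mode=$(git -C "$repo" ls-files -s -- "$rel" | cut -d' ' -f1)
  [ "$mode" = "120000" ] || { echo "staged mode $mode, expected 120000" >&2; return 1; }
}

# Usage: repo=$(make_fixture); link_profile "$repo" my-profile.mobileconfig;
#        verify_link "$repo" my-profile.mobileconfig && git -C "$repo" commit -m "..."
```

The check for mode `120000` matters because a contributor who copies the file instead of linking it produces a second copy (mode `100644`) that silently drifts from the macOS original; the dangling-link check catches a target path typed relative to the wrong directory.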