
Generate WSTEP cert/key

Open rfairburn opened this issue 1 year ago • 9 comments

UPDATE: My understanding is that we can make it so the user doesn't have to plug anything into the UI/API nor env variables: Fleet generates and stores the WSTEP cert/key for the user.

(noahtalerman 2024-05-28)

Problem

I am happy to see that in https://github.com/fleetdm/fleet/issues/19014 we are adding the ability to manage APNS/SCEP for Apple MDM, but I would like to see the same level of support for Windows/WSTEP.

One of our goals was to simplify the process of supporting MDM via our Terraform example. If a customer/prospect wishes to use Windows MDM without this, no simplification is possible.

The existing render template would also not be Windows MDM friendly.

Potential solutions

  1. Use the same method used in SCEP on https://github.com/fleetdm/fleet/issues/19014 for WSTEP

rfairburn avatar May 24 '24 15:05 rfairburn

From @rfairburn (his current workflow)

  • Copy SCEP automatic code
  • Rename it WSTEP for any API names
  • Paste

In the MDM module I use now, the same cert is used for SCEP/WSTEP and it is passed to both env vars for Mac & Win.

nonpunctual avatar May 24 '24 17:05 nonpunctual

My understanding is that we can make it so the user doesn't have to plug anything into the UI/API nor env variables: Fleet generates and stores the WSTEP cert/key for the user.

Updating the title of the issue to reflect this.

@roperzh please correct me if I'm wrong.

cc @rfairburn

noahtalerman avatar May 28 '24 13:05 noahtalerman

@noahtalerman that's correct 👍 this can be supported with minimal changes, it just wasn't part of the Figma/issue so I assumed there are other UX changes we want to do? (maybe when turning on Windows MDM?)

roperzh avatar May 28 '24 13:05 roperzh

it just wasn't part of the Figma/issue so I assumed there are other UX changes we want to do? (maybe when turning on Windows MDM?)

I think we forgot about it and unintentionally cut scope.

We were focused on macOS MDM.

noahtalerman avatar May 28 '24 20:05 noahtalerman

Another thing that I remember we discussed but wasn't specified is generating SCEP challenges automatically.

roperzh avatar May 30 '24 14:05 roperzh

@noahtalerman did you intend this to be assigned to me as opposed to the mdm team?

@roperzh for v4.51.0 this means that the SCEP challenge still needs to be an env var, correct?

rfairburn avatar May 30 '24 20:05 rfairburn

@rfairburn that is correct 👍

roperzh avatar May 30 '24 20:05 roperzh

Hey @rfairburn you can ignore your assignment!

As part of preparing for feature fest, I assign the requestor to all feature requests.

This way, I can keep track of who the requestor is during the feature fest call.

Sorry for the confusion :)

noahtalerman avatar May 30 '24 22:05 noahtalerman

@rfairburn heads-up that the scope of the feature for Apple certificates changed and we're going to generate a SCEP challenge if one is not present too: https://github.com/fleetdm/fleet/issues/10383#issuecomment-2145681769

It'll work the same way as it does for certificates (if one is set, we'll ingest that value into the db)

roperzh avatar Jun 03 '24 16:06 roperzh
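The behaviour this thread converges on (ingest an operator-supplied WSTEP cert/key when one is set, otherwise have Fleet generate and keep its own), as an added Go example that is not Fleet's own code. The env var names, the CA subject and the validity period are assumptions; the returned struct stands in for what Fleet would persist in its DB.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// WSTEPMaterial is the PEM cert/key pair the server would store instead of
// requiring the operator to pass it through env vars or the API.
type WSTEPMaterial struct{ CertPEM, KeyPEM []byte }

// ResolveWSTEP ingests the operator-supplied pair when both values are set
// (rejecting a half-configured pair or an unparseable cert), and otherwise
// generates a fresh self-signed CA. The env var names are assumptions.
func ResolveWSTEP(env map[string]string) (m WSTEPMaterial, generated bool, err error) {
	cert, key := env["FLEET_MDM_WINDOWS_WSTEP_IDENTITY_CERT"], env["FLEET_MDM_WINDOWS_WSTEP_IDENTITY_KEY"]
	if (cert == "") != (key == "") {
		return m, false, errors.New("WSTEP cert and key must be set together")
	}
	if cert != "" {
		if _, err := ParseCert([]byte(cert)); err != nil {
			return m, false, fmt.Errorf("ingesting WSTEP cert: %w", err)
		}
		return WSTEPMaterial{CertPEM: []byte(cert), KeyPEM: []byte(key)}, false, nil
	}
	m, err = GenerateWSTEPCA()
	return m, true, err
}

// GenerateWSTEPCA creates an RSA key and a self-signed CA certificate for it.
func GenerateWSTEPCA() (WSTEPMaterial, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return WSTEPMaterial{}, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: "Fleet WSTEP CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: true}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return WSTEPMaterial{}, err
	}
	return WSTEPMaterial{CertPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		KeyPEM: pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})}, nil
}

// ParseCert decodes one PEM-encoded certificate, as done when validating ingested material.
func ParseCert(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("not a PEM certificate")
	}
	return x509.ParseCertificate(block.Bytes)
}
```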