
Deploy Configuration Profiles that automatically inject host-specific attributes into the profile payload

Open Patagonia121 opened this issue 1 year ago • 15 comments

  • customer-sarahwu Gong snippet: https://us-65885.app.gong.io/call?id=2524895556204152068&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A309%2C%22to%22%3A1215%7D%5D
  • customer-reedtimmer: Gong snippet: https://us-65885.app.gong.io/call?id=3274063432520612661&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A1259%2C%22to%22%3A2500%7D%5D
  • customer-pingali: Gong snippet TODO
  • customer-deebradel: Gong snippet TODO
  • @noahtalerman: User requested this because they want to help their end users connect to Wi-Fi w/ a SCEP certificate that's unique for each device. This SCEP certificate is deployed with a profile. The profile is where the unique information used for the SCEP certificate is specified by the IT admin as variables. The variables are a challenge, serial number, hostname, and username. Which variables are used is different for each org. Some use serial number and others use username, etc. Whatever team is managing the certificates decides which variables their organization uses. This decision is based on the easiest way to map users to devices in all my tools (ex. SIEM)
    • @noahtalerman: I think there's a SmallStep API to create a unique challenge. That's why the customer is using the webhook feature in their MDM to reach out to SmallStep whenever a SCEP certificate needs a challenge.
      • @allenhouchins: Most third-party PKIs (ex. DigiCert) have these APIs. So a webhook feature in Fleet would make it so that this challenge flow works with many PKIs.
    • @noahtalerman: In the interim TODO
    • @noahtalerman: Eventually TODO
  • @allenhouchins: User requested this because they want to automatically populate the Slack username on first launch. IT admin can deploy a profile that configures Slack such that on first launch, a Slack account is set up w/ the same email they use to log in to their IdP.
    • @noahtalerman: In the interim TODO
    • @noahtalerman: Eventually TODO
      • @allenhouchins: Build in variables in Jamf: https://learn.jamf.com/en-US/bundle/jamf-pro-documentation-current/page/Computer_Configuration_Profiles.html
  • @noahtalerman: User requested this because they want to customize the settings for specific apps (ex. CyberHaven) TODO
    • @noahtalerman: It seems like iMazing has built-in profiles for some apps (ex. Brave) but not other apps (ex. CyberHaven).
    • @username: In the interim TODO
    • @username: Eventually TODO

Patagonia121 avatar Jul 24 '24 14:07 Patagonia121

We proved we could use %SerialNumber% (and other values) in a payload per https://support.apple.com/guide/deployment/variables-settings-for-mdm-payloads-dep04666af94/1/web/1.0 that would be substituted on host. FYI to Fleet for documentation updates.

Hey @Patagonia121 and @ambrusps, assuming this is about connecting a host to Okta Verify (or a similar tool), I think this request already works but we don't have a guide for it.

Here's the issue tracking the guide:

  • #21294

I'm fairly confident we already cover customer-reedtimmer's use case. They use Okta Verify.

I'm not sure about customer-pingali

@ambrusps and @Patagonia121 can you please help me confirm this?

Closing this issue for now in favor of the guide. We can always reopen.

noahtalerman avatar Aug 13 '24 22:08 noahtalerman

Profiles auto-fill, Host data in cloud weave. Admins find relief.

fleet-release avatar Aug 13 '24 22:08 fleet-release

@noahtalerman we heard from customer-reedtimmer today that unfortunately this doesn't solve their use case. They do not use Okta Verify and they have flows outside that specific use case where they still need to inject custom attributes from the host into configuration profiles. They mentioned that this https://github.com/fleetdm/fleet/issues/21294 starts to cover it, but the use case is not only Okta Verify.

As an example, they use Cyberhaven and need to send a profile for a specific domain where mdm_username must be mapped to the assigned user. In Fleet, they'd associate the custom human device-mapping to an email and need to inject its value to a profile.

I'm reopening this issue given their feedback today and we can decide how to move forward from here. Thanks!

Patagonia121 avatar Sep 10 '24 00:09 Patagonia121

Thanks for following up @Patagonia121!

need to inject custom attributes from the host into configuration profiles. They mentioned that this https://github.com/fleetdm/fleet/issues/21294 starts to cover it, but the use case is not only Okta Verify.

Makes sense 👍

they use Cyberhaven and need to send a profile for a specific domain where mdm_username must be mapped to the assigned user. In Fleet, they'd associate the custom human device-mapping to an email and need to inject its value to a profile.

Great example!

I think we want to track a separate request for this: "Deploy configuration profiles w/ end user's email as a variable"

Can you please help track that and confirm that that would solve their use case?

noahtalerman avatar Sep 11 '24 13:09 noahtalerman

Linked to Unthread ticket:

Conversation #3129

JoStableford avatar Oct 04 '24 14:10 JoStableford

Moved the original issue here for safekeeping:

User story: As an admin, I want to deploy Configuration Profiles that automatically inject host-specific attributes into the profile payload, facilitating the delivery of host-specific configurations so that Munki can read this information and deploy different apps based on user's group membership in IdP.

  • Example: a profile includes the host’s assigned user’s email address

Customer feedback:

Added as a blocker due to Smallstep certification deployment requiring including host’s serial in generated SCEP payload. We proved we could use %SerialNumber% (and other values) in a payload per https://support.apple.com/guide/deployment/variables-settings-for-mdm-payloads-dep04666af94/1/web/1.0 that would be substituted on host. FYI to Fleet for documentation updates.

noahtalerman avatar Oct 10 '24 20:10 noahtalerman

@Patagonia121 @pintomi1989 when you get the chance, can you please add Gong snippets for pingali and deebradel? Thanks!

noahtalerman avatar Oct 10 '24 20:10 noahtalerman

@ambrusps since you added the tag for customer-pingali, can you grab the gong snippet and add to the issue description above?

Patagonia121 avatar Oct 10 '24 20:10 Patagonia121

Hey @ambrusps and @pintomi1989 just giving you another ping! Can you please add the Gong snippets for pingali and deebradel?

noahtalerman avatar Oct 14 '24 19:10 noahtalerman

Hey @ddribeiro,

Tagging you here since you added the tag for customer-deebradel here a few weeks ago. I looked around and I'm not turning up any recordings or notes around this ask

pintomi1989 avatar Oct 15 '24 21:10 pintomi1989

Hey @ambrusps just giving you another ping! Can you please add the Gong snippet for pingali?

noahtalerman avatar Oct 17 '24 17:10 noahtalerman

@Patagonia121 - Can you help add the snippet from today's call with customer-sarahwu? Specifically the segment where the conversation starts talking about Okta and ends with SCEP would be great.

@noahtalerman This is a blocker for customer-sarahwu to adopt Fleet MDM. The snippet that @Patagonia121 will help get added will be very insightful as to why.

allenhouchins avatar Oct 18 '24 19:10 allenhouchins

I dropped customer-sarahwu's snippet into the issue @allenhouchins @noahtalerman. Let me know if you need anything else!

Patagonia121 avatar Oct 18 '24 22:10 Patagonia121

Hey @ambrusps and @ddribeiro can you please add the Gong snippet for pingali and deebradel?

noahtalerman avatar Oct 21 '24 13:10 noahtalerman

@noahtalerman sorry for the long wait on this, it wasn't a direct request from customer-pingali but more so a feature that will help their overall objective of human to device mapping. I added a snippet above that most closely mentions this for now. Let me know if further clarification is needed

ambrusps avatar Oct 21 '24 21:10 ambrusps

@ambrusps I don't see the pingali clip in the issue description. Can you please share it again?

noahtalerman avatar Oct 24 '24 18:10 noahtalerman

Hey @ambrusps, just following up w/ another ping! I can't find the pingali clip you mentioned in your comment here.

noahtalerman avatar Oct 28 '24 14:10 noahtalerman

@noahtalerman added above

ambrusps avatar Oct 28 '24 15:10 ambrusps

@noahtalerman: Fleet could improve the workflow in which an end user's email changes. Today, in Fleet, the IT admin could build an automation (via Tines or Okta workflows) to catch an Okta webhook and then resend a configuration profile in Fleet. Fleet could resend the profile for the IT admin so they don't have to maintain this workflow.

Resending of profiles when IdP data updates is part of this story, shipping in 4.68.0 https://github.com/fleetdm/fleet/issues/23900

getvictor avatar May 19 '25 11:05 getvictor

Resending of profiles when IdP data updates is part of this story, shipping in 4.68.0 https://github.com/fleetdm/fleet/issues/23900

🔥 @mna do you know if we added this to a guide? If not, I'm happy to help add that.

FYI @allenhouchins @ddribeiro @harrisonravazzolo @nonpunctual

noahtalerman avatar May 21 '25 21:05 noahtalerman

@noahtalerman

🔥 @mna do you know if we added this to a guide? If not, I'm happy to help add that.

Doesn't look like a guide update was planned for the story (there was no guide sub-task and it mentions "Feature guide changes: N/A").

mna avatar May 26 '25 12:05 mna

Doesn't look like a guide update was planned for the story (there was no guide sub-task and it mentions "Feature guide changes: N/A").

No prob! I'm on it. I tracked it in the story here so I don't forget.


noahtalerman avatar May 27 '25 18:05 noahtalerman

  • customer-reedtimmer promise. Order form here.

FYI @zayhanlon added this reedtimmer promise to the "Customer requests" board.

noahtalerman avatar Jul 15 '25 15:07 noahtalerman

Moving the old user stories list out of the issue description to below. User stories that contribute to this request now live in the "Sub-issues" section.

User stories

  • #23236
  • #23900

noahtalerman avatar Jul 15 '25 15:07 noahtalerman

  • UPDATE: @noahtalerman: Missing variables for reedtimmer: Full name & department
    • Story for full name: #30888
    • Story for department: #29609

@Patagonia121 as of Fleet 4.74, we think Fleet includes the built-in variables for configuration profiles that meet reedtimmer's needs:

  • $FLEET_VAR_HOST_END_USER_IDP_FULL_NAME
  • $FLEET_VAR_HOST_END_USER_IDP_DEPARTMENT

Can you please let reedtimmer know, and ask them whether Fleet is missing any variables?

If Fleet isn't missing any variables for reedtimmer, please leave this request open. I want to review Gong records from other customers before we close this.

noahtalerman avatar Oct 09 '25 13:10 noahtalerman
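A worked example of the substitution pattern this thread is about: the SCEP payload quoted in the "Customer feedback" comment above relies on Apple's on-device `%SerialNumber%` substitution, and the `$FLEET_VAR_HOST_END_USER_IDP_FULL_NAME` / `$FLEET_VAR_HOST_END_USER_IDP_DEPARTMENT` variables listed in the previous comment are filled in server-side from IdP data. The script below is an added illustration, not Fleet's code or any customer's profile: the rendering rules, the SCEP URL, payload identifiers, UUIDs and sample host values are all assumptions. What it adds to the thread is the check a practitioner wants before such a profile ships: IdP-sourced values (a full name like `Ada <Lovelace> & Co`) are untrusted text, and dropping them into an XML plist without escaping produces a profile that no longer parses (or, in a worse case, changes structure), so the renderer XML-escapes them, refuses to ship a token it has no value for, and a deploy-time check confirms the result parses, that no `$FLEET_VAR_` token is left unresolved, and that `%SerialNumber%` survives for the device to resolve.

```python
"""Added example (not Fleet's implementation): render a configuration
profile template that mixes server-side $FLEET_VAR_<NAME> tokens with
Apple's on-device %SerialNumber% substitution, then check the result.

Assumptions: the server replaces $FLEET_VAR_<NAME> from per-host data
(this thread names HOST_END_USER_IDP_FULL_NAME and HOST_END_USER_IDP_DEPARTMENT);
%SerialNumber% is left for the device to fill in at install time. The SCEP
URL, identifiers and UUIDs below are made up.
"""
import plistlib
import re
from xml.sax.saxutils import escape

# Tokens the server substitutes before the profile is sent to the host.
SERVER_TOKEN = re.compile(r"\$FLEET_VAR_([A-Z0-9_]+)")
# Tokens Apple substitutes on the device; they must survive server-side
# rendering untouched (only the one this thread relies on is listed).
DEVICE_TOKENS = ("%SerialNumber%",)

# Constructed template: a SCEP payload whose certificate subject carries the
# device serial (device-side) and the end user's IdP department (server-side).
TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.scep-profile</string>
  <key>PayloadUUID</key><string>11111111-1111-1111-1111-111111111111</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadDisplayName</key>
  <string>SCEP identity for $FLEET_VAR_HOST_END_USER_IDP_FULL_NAME</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.scep</string>
      <key>PayloadIdentifier</key><string>com.example.scep</string>
      <key>PayloadUUID</key><string>22222222-2222-2222-2222-222222222222</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadContent</key>
      <dict>
        <key>URL</key><string>https://scep.example.com/scep</string>
        <key>Name</key><string>Example Issuing CA</string>
        <key>Subject</key>
        <array>
          <array><array><string>CN</string><string>%SerialNumber%</string></array></array>
          <array><array><string>OU</string><string>$FLEET_VAR_HOST_END_USER_IDP_DEPARTMENT</string></array></array>
        </array>
        <key>Key Type</key><string>RSA</string>
        <key>Keysize</key><integer>2048</integer>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""


def render(template, host_vars, escape_values=True):
    """Replace each $FLEET_VAR_<NAME> with host_vars[NAME].

    IdP-sourced values are untrusted text, so they are XML-escaped by default;
    escape_values=False reproduces the naive string replacement that breaks
    the plist on '&' or '<'. A missing value raises KeyError instead of
    shipping a profile with a literal token in it."""
    def substitute(match):
        name = match.group(1)
        if name not in host_vars:
            raise KeyError("no value for $FLEET_VAR_" + name)
        value = host_vars[name]
        return escape(value) if escape_values else value
    return SERVER_TOKEN.sub(substitute, template)


def check(rendered):
    """Deploy-time check. Returns (ok, findings, parsed_plist_or_None):
    the profile must parse as a plist, contain no leftover server tokens,
    and still carry a device-side token for the device to resolve."""
    try:
        parsed = plistlib.loads(rendered.encode("utf-8"))
    except Exception as exc:  # plistlib raises an expat error on malformed XML
        return False, ["not a valid plist: %s" % exc], None
    findings = []
    leftovers = SERVER_TOKEN.findall(rendered)
    if leftovers:
        findings.append("unresolved server variables: " + ", ".join(leftovers))
    if not any(tok in rendered for tok in DEVICE_TOKENS):
        findings.append("no device-side token left for on-device substitution")
    return not findings, findings, parsed


def scep_subject(parsed):
    """Return the SCEP Subject of the parsed profile as {attribute: value}."""
    scep = parsed["PayloadContent"][0]["PayloadContent"]
    return {attr: value for rdn in scep["Subject"] for attr, value in rdn}


if __name__ == "__main__":
    # Constructed host data; the name deliberately contains XML metacharacters.
    host = {"HOST_END_USER_IDP_FULL_NAME": "Ada <Lovelace> & Co",
            "HOST_END_USER_IDP_DEPARTMENT": "R&D"}
    ok, findings, parsed = check(render(TEMPLATE, host))
    print("escaped:", ok, findings, scep_subject(parsed))
    ok, findings, _ = check(render(TEMPLATE, host, escape_values=False))
    print("naive:", ok, findings)
```

The same check is worth running on the unrendered template itself: it parses fine, because `$FLEET_VAR_...` is just text to an XML parser, which is exactly why a profile with an unresolved token can reach a host without anything complaining unless the deploy step looks for leftovers explicitly.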

@noahtalerman - I got some feedback from customer-reedtimmer - see their feedback:

"We have to be able to use the feature to SET the IDP data since we’re not requiring login during enrollment to otherwise capture it."

Let me know how we should proceed here please. Also reassigning you. Thanks.

Patagonia121 avatar Oct 16 '25 15:10 Patagonia121

"We have to be able to use the feature to SET the IDP data since we’re not requiring login during enrollment to otherwise capture it."

Let me know how we should proceed here please. Also reassigning you. Thanks.

Addressed by a separate request here: https://github.com/fleetdm/fleet/issues/32855

noahtalerman avatar Oct 16 '25 20:10 noahtalerman

  • customer-reedtimmer: Gong snippet: https://us-65885.app.gong.io/call?id=3274063432520612661&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A1259%2C%22to%22%3A2500%7D%5D
    • customer-reedtimmer promise. Order form here
      • UPDATE: @noahtalerman: Closed this request in favor of this request: https://github.com/fleetdm/fleet/issues/21028

@Patagonia121 to clean things up, is it ok if we close this request (#20690) in favor of this request? https://github.com/fleetdm/fleet/issues/21028

They're duplicates.

I moved customer-reedtimmer promise details to #21028

noahtalerman avatar Oct 16 '25 20:10 noahtalerman

@noahtalerman sounds good, I didn't realize we had dupes for this. Closing now.

Patagonia121 avatar Oct 17 '25 17:10 Patagonia121

In Fleet's cloud city bright, Profiles auto-filled at night. Ease in each device's flight.

fleet-release avatar Oct 17 '25 17:10 fleet-release