
Support profile variables for Windows configuration profiles

Open allenhouchins opened this issue 1 year ago • 4 comments

  • @noahtalerman: User requested this because they need to deploy Okta as a CA with a static SCEP challenge on Windows devices, similar to macOS. Currently, Fleet does not support profile variables for Windows configuration profiles, requiring a unique profile for each device.
    • @noahtalerman: In the interim users must manually create and assign individual profiles per device or explore alternative deployment methods outside Fleet.
    • @noahtalerman: Eventually Add support for profile variables in Windows configuration profiles, enabling admins to deploy a single profile dynamically populated per device.

allenhouchins avatar Jan 07 '25 15:01 allenhouchins

Hey @allenhouchins is this a customer/prospect request? Did it come up during dogfooding?

noahtalerman avatar Jan 15 '25 19:01 noahtalerman

@noahtalerman I just added the prospect label. This came up in an email thread with them. This was their specifics:

We'd love to keep you guys as a card to play if this is something in the future roadmap. The main reason for SCEP is to keep our windows machines within Device Trust compliance (https://help.okta.com/oie/en-us/content/topics/identity-engine/devices/okta-ca-static-scep-win-ws1.htm).

allenhouchins avatar Jan 28 '25 02:01 allenhouchins

Problem

As an admin, I need to be able to deploy certificates and other types of profiles that contain variables.

For this specific request, I need to be able to deploy Okta as a CA with a static SCEP challenge on my Windows devices the same way I am able to for my macOS devices.

Deploying Okta as a CA with static SCEP on Windows and WS1 - https://help.okta.com/oie/en-us/content/topics/identity-engine/devices/okta-ca-static-scep-win-ws1.htm

What have you tried?

N/A

Potential solutions

Support profile variables for Windows configuration profiles: https://fleetdm.com/guides/ndes-scep-proxy#3-create-a-scep-configuration-profile

What is the expected workflow as a result of your proposal?

I won't need to create a unique profile for each of my Windows devices. I will be able to create and deploy a single Windows configuration profile that contains variables.

noahtalerman avatar Feb 07 '25 19:02 noahtalerman

Hey @noahtalerman, I added the product tag back to this request because customer-calabria asked for it today in this Slack thread.

customer-calabria needs this to use Okta Authentication Policies for their Fleet-enrolled Windows hosts.

They want to configure Okta to "only allow managed devices", which means devices that have Okta Verify and a SCEP-challenge deployed to them. In order to do that with Fleet, we would need to support variables for Windows profiles.

The end goal is to ensure only Calabria-approved Windows installations (which have antivirus and Fleet installed) are able to access apps gated by Okta authentication.

ddribeiro avatar Apr 10 '25 15:04 ddribeiro

@ddribeiro is customer-calabria using GitOps? Or, are they managing configuration profiles via the UI?

noahtalerman avatar Apr 17 '25 18:04 noahtalerman

@noahtalerman I just reached out to confirm they are using GitOps

ddribeiro avatar Apr 17 '25 18:04 ddribeiro

convo with prospect-juliana

should be fine for the short-term, [cert without serial, hostname in CN] but only as a workaround. The fact that the S/N (or any other unique identifier for a user) isn't present blocks our correlation capabilities from a user action perspective.

harrisonravazzolo avatar Jun 02 '25 03:06 harrisonravazzolo

@noahtalerman What about the use case of just naming computers, e.g., with this device profile?

https://github.com/harrisonravazzolo/Bluth-Company-GitOps/blob/main/lib/windows/configuration-profiles/windows-update-computer-name.xml

To do this, we would need a way to populate the computer name field dynamically, i.e., with a variable.

nonpunctual avatar Aug 07 '25 19:08 nonpunctual

  • @nonpunctual: What about the use case of just naming computers, e.g., with this device profile? https://github.com/harrisonravazzolo/Bluth-Company-GitOps/blob/main/lib/windows/configuration-profiles/windows-update-computer-name.xml
    • To do this, we would need a way to populate the computer name field dynamically, i.e., with a variable.

Thanks @nonpunctual! Pulled this up to the issue description so we don't lose it.

noahtalerman avatar Aug 08 '25 00:08 noahtalerman

@bettapizza We shipped the following story in 4.73:

  • https://github.com/fleetdm/fleet/issues/30879

We think that adding the $FLEET_VAR_HOST_UUID variable fulfills customer-juliana's request, since it allows them to identify which host has which Okta Verify certificate when looking at Okta logs.

rachaelshaw avatar Sep 11 '25 21:09 rachaelshaw

customer-juliana should have feedback within the next few weeks.

10-09-2025 - @rachaelshaw here is the feedback from customer-juliana

Feedback

bettapizza avatar Sep 25 '25 21:09 bettapizza

10-09-2025 - @rachaelshaw here is the feedback from customer-juliana

Feedback

@bettapizza I think we want some help from the Custom Solutions Architect (CSA) for juliana. What's Fleet missing? It's not clear from that recording.

Can you please ask the CSA to please join the next product office hours with their findings?

noahtalerman avatar Oct 10 '25 20:10 noahtalerman

Just chatted with @harrisonravazzolo and here's the plan:

  • Fleet ships the ability to deploy SCEP certificates on Windows. User story here: https://github.com/fleetdm/fleet/issues/26912
  • Fleet ships guide updates w/ best practice instructions on how to deploy Okta Verify SCEP cert on Windows: https://fleetdm.com/guides/enable-okta-verify-on-macos-with-configuration-profile
    • In the best practice profile, include the new $FLEET_VAR_HOST_UUID in the Common Name (CN)
      • This way, IT admins can associate Okta logs w/ a specific host in Fleet.
    • Guide update request: https://github.com/fleetdm/confidential/issues/12614
  • When Fleet ships the above, CSA for juliana hops on a call w/ juliana to walk them through the instructions. Get juliana feedback.

FYI @bettapizza

noahtalerman avatar Oct 14 '25 15:10 noahtalerman
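To make the plan above concrete (one Windows SCEP profile per fleet, with $FLEET_VAR_HOST_UUID expanded per host into the CN, and the CN later used to tie an Okta log entry back to a Fleet host, as the 4.73 comment describes), here is an added Python illustration; it is not Fleet's code. The SyncML template, the ClientCertificateInstall SubjectName LocURI layout, the host records and the Okta log line format are all assumptions constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

VAR_RE = re.compile(r"\$FLEET_VAR_([A-Z0-9_]+)")

# Constructed SyncML template: one SCEP profile meant to serve every Windows host.
# LocURI assumes the ClientCertificateInstall CSP's SubjectName node.
PROFILE_TEMPLATE = """<Replace>
  <CmdID>1</CmdID>
  <Item>
    <Target><LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/OktaVerify/Install/SubjectName</LocURI></Target>
    <Data>CN=$FLEET_VAR_HOST_UUID,O=Bluth Company</Data>
  </Item>
</Replace>"""

# Constructed Fleet host records, keyed by UUID, with the variable values per host.
HOSTS = {
    "3d2e6f0a-1b2c-4d5e-8f90-abcdef123456": {"HOST_UUID": "3d2e6f0a-1b2c-4d5e-8f90-abcdef123456", "hostname": "gob-laptop"},
    "7c8d9e0f-2a3b-4c5d-9e6f-123456abcdef": {"HOST_UUID": "7c8d9e0f-2a3b-4c5d-9e6f-123456abcdef", "hostname": "michael-pc"},
}


def render_profile(template, host):
    """Expand each $FLEET_VAR_* with this host's value; unknown variables fail closed."""
    def expand(match):
        name = match.group(1)
        if name not in host:
            raise KeyError(f"unsupported profile variable $FLEET_VAR_{name}")
        return host[name]
    return VAR_RE.sub(expand, template)


def subject_cn(rendered):
    """Return the CN from the rendered profile's SubjectName node, or None."""
    root = ET.fromstring(rendered)
    for item in root.iter("Item"):
        if item.findtext("Target/LocURI", "").strip().endswith("/Install/SubjectName"):
            for rdn in item.findtext("Data", "").split(","):
                key, _, value = rdn.strip().partition("=")
                if key == "CN":
                    return value
    return None


def host_for_okta_log(log_line, hosts):
    """Correlate an Okta log entry (constructed format) back to a Fleet host via the CN."""
    match = re.search(r"CN=([0-9a-f-]{36})", log_line)
    return hosts.get(match.group(1)) if match else None
```

Rendering fails closed on a variable the server does not know, so a typo in a template surfaces at deploy time rather than as a certificate with a literal `$FLEET_VAR_...` subject.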

tagging @AdamBaali since he is the CSA.

bettapizza avatar Oct 14 '25 19:10 bettapizza

Just chatted with @harrisonravazzolo and here's the plan:

  • Fleet ships the ability to deploy SCEP certificates on Windows. User story here: https://github.com/fleetdm/fleet/issues/26912
  • Fleet ships guide updates w/ best practice instructions on how to deploy Okta Verify SCEP cert on Windows: https://fleetdm.com/guides/enable-okta-verify-on-macos-with-configuration-profile
    • In the best practice profile, include the new $FLEET_VAR_HOST_UUID in the Common Name (CN)
      • This way, IT admins can associate Okta logs w/ a specific host in Fleet.
    • Guide update request: https://github.com/fleetdm/confidential/issues/12614
  • When Fleet ships the above, CSA for juliana hops on a call w/ juliana to walk them through the instructions. Get juliana feedback.

On second thought, let's get juliana @harrisonravazzolo's interim solution to unblock them ASAP.

Harry, @AdamBaali, @zayhanlon, @bettapizza, and @marko-lisica I scheduled a call w/ y'all next Tues to decide what we need to do and who's going to do it.

noahtalerman avatar Oct 16 '25 18:10 noahtalerman

customer juliana is satisfied with the interim solution.

bettapizza avatar Oct 27 '25 17:10 bettapizza

have an article in draft that's nearly ready that will allow anyone to walk through the steps independently

https://github.com/fleetdm/fleet/issues/34913

AdamBaali avatar Oct 30 '25 11:10 AdamBaali