Fix MDM setup API endpoints permissions

[lukeheath]

Context from Luke on Slack:

The bug was #10105

Only a global admin was able to load the "controls" page. That's because we had the API permissions set such that /mdm/apple was only accessible by global admins, but that is required to render the controls page.
Sarah found that endpoint's permissions were lumped together with two others, so for the quick fix we had to make these endpoints accessible to all global and team admins and maintainers:
/mdm/apple, /mdm/apple_bm and /mdm/apple/request_csr

So, we need to ensure permissions are set to the following:

• GET /mdm/apple: accessible by any global or team admin or maintainer.
• GET /mdm/apple_bm and POST /mdm/apple/request_csr: accessible to global admins only.

[roperzh]

@lukeheath I think changing the permissions might not be what we really want here.

GET /mdm/apple returns information about the certificates used to send push notifications (APNs), example:

{
  "common_name": "APSP:E252BB69-E592-49A6-A9CD-26704EF79897",
  "serial_number": "123456789",
  "issuer": "Apple Application Integration 2 Certification Authority",
  "renew_date": "2024-01-24T22:12:08Z"
}

Seems like the UI is calling this endpoint in the "Controls" page to figure out if MDM is configured or not, but instead it should be using: config.mdm.enabled_and_configured (the current logic probably predates the current config response)

With that in mind, I think we want to revert back the permissions and use the config instead. Does this sounds good to you?

[lukeheath]

With that in mind, I think we want to revert back the permissions and use the config instead. Does this sounds good to you?

Yes, you are correct, great find. Thank you!

[fleet-release]

In glass city's clouds,
MDM endpoints align,
Admins' paths unbound.