Exposed endpoints for MDM features

[noahtalerman]

Goal

User story
As a CPE trying to use Fleet's macOS MDM features,
I want to know which Fleet API endpoints I need to expose via standard HTTPS and which can use mTLS
so that I can bring this list to my infrastructure and security team.

Currently, this "Which API endpoints to expose to the public internet?" article lists these endpoints:

@rfairburn mentioned that these endpoints also need to be exposed:

• /api/*/fleet/device/*/migrate_mdm
• /api/*/fleet/device/*
• /api/*/fleet/device/*/rotate_encryption_key
• /api/*/fleet/device/*/debug/errors
• /api/*/fleet/device/*/desktop
• /api/*/fleet/device/*/refetch
• /api/*/fleet/device/*/transparency

Changes

Product

• Outdated documentation changes: Update the "Using Fleet's MDM features" section in the ["Which API endpoints to expose to the public internet?"](Which API endpoints to expose to the public internet?) article to include the following:
  • The up-to-date list of endpoints that need to be exposed for migrating macOS hosts and all other MDM features (adding profiles, running scripts, etc.)
    • Does this list change after all hosts are migrated? (only new hosts are enrolling)
  • Which endpoints need to be exposed via HTTPS and which can use mTLS
  • A note about how setting ORBIT_FLEET_DESKTOP_ALTERNATIVE_BROWSER_HOST affects these endpoints if at all

Context

• The customer wants to expose as few endpoints as possible
• They're setting ORBIT_FLEET_DESKTOP_ALTERNATIVE_BROWSER_HOST to a value that's different from the URLs that osquery uses

[noahtalerman]

cc @pauldittmer2 @dherder

[rfairburn]

Note: This list also includes everything around fleet desktop as well:

/api/*/fleet/device/*/migrate_mdm
/api/*/fleet/device/*
/api/*/fleet/device/*/rotate_encryption_key
/api/*/fleet/device/*/debug/errors
/api/*/fleet/device/*/desktop
/api/*/fleet/device/*/refetch
/api/*/fleet/device/*/transparency

Since fleet desktop is already otherwise solved for the customer, I'll make sure to limit this down to only the mdm-specific ones needed as a final answer for this. Some overlap will likely exist in order to obtain the rotating UUID, but I'll confirm the specifics.

[rfairburn]

I spent some time going over the existing mTLS vs non-mTLS configuration/ingresses with the mdm team and how that would interact with existing mdm features, and this is how things would need to be configured currently in order to work:

• As expected the following routes would need to be excluded from the mTLS requirement:

/mdm/apple/scep
/mdm/apple/mdm
/mdm/apple/enroll

• The URL used for all mdm stuff is the primary fleet domain name configured in the settings. Other domain names including ORBIT_FLEET_DESKTOP_ALTERNATIVE_BROWSER_HOST are not currently supported.
• Any other routes (including ones like /api/*/fleet/device/*/mdm/apple/manual_enrollment_profile) will use orbit's existing mTLS capability assuming the fleetctl package command used to generate it included the mTLS certificates.

Please let me know if there are further questions or clarifications needed. @noahtalerman

[noahtalerman]

Closing this issue out because the docs PR is merged.

@Patagonia121 please let us know if there are any further questions from the customer. Thanks!

[fleet-release]

Endpoints clear and bright,
Adding security, pure light.
Fleet's power in sight.