Renew SCEP certificate for hosts w/ old (non-Fleet) enrollment profile #19800
Comments
@roperzh do we know what the SCEP certificate lifespan is for the customer devices? I do know that some MDM systems will set this to a long-lived value like 2099, so in those cases it would not be an issue. If the lifespan of the certificate is short-lived, I would say that this would be a P2 blocker issue.
@dherder good point! we should check with them, I know that micromdm/scep uses 1 year by default (
@lukeheath @noahtalerman per the process, letting you know that we have this as workflow/migration blocking and added the p2 label. let me know if anything else needs to be done to escalate
@zayhanlon P2 makes sense to me. Our response for P2 is:
We'll prioritize this for next sprint, which is scheduled to ship 7/15. Is that soon enough?
@lukeheath @georgekarrv @noahtalerman - there's a thread going in #g-customer-success https://fleetdm.slack.com/archives/C062D0THVV1/p1718733547340419?thread_ts=1718384351.332159&cid=C062D0THVV1 This new issue was surfaced by Roberto this week but is also migration blocking. I don't think 7/15 will work - any way to get it faster or patched sooner?
I made it a story so it gets product feedback is that I personally only see three ways to accomplish this:
Thanks @roperzh! I threw some time on your calendar to dig into the options.
we met with @noahtalerman and decided to do option 3 as a first baby step:
I think this requires 3 action items:
cc: @zayhanlon
Thanks @roperzh!
I think we decided to go with fleetdm.com instead of standing up a separate service. Why? So we can reduce surface area and understandability for Fleet contributors. If this doesn't work please let me know. I think this means that the enrollment profile (XML) will live as an environment variable in Heroku. We'll probably need @eashaw's help to add that variable. I updated the issue description to reflect this.
I have several questions:
Does this mean we would be putting customer SCEP cert/keys into fleetdm.com? That sounds pretty risky to me as I'm not aware that fleetdm.com has been designed/audited for storage of customer data (let alone important customer secrets). Or maybe we are just talking about using fleetdm.com to trigger script execution for the hosts that are expiring? That seems potentially less risky but still something that would need to be well-understood. Would it require API keys for customer Fleet servers?
@zwass I don't think so. The enrollment profile would be an environment variable in Heroku. Once the enrollment profile is delivered the host will get the new SCEP cert from the Fleet server
I think so yes. We need the API key to deliver the enrollment profile via the Fleet API. This can be stored as an environment variable in Heroku. @roperzh please correct me if I'm wrong.
who's the right person to answer this? don't want it to get lost in the convo
some process needs to run at an interval and send commands, we were thinking this separate server (let's say fleetdm.com) would do it. the challenge of building the functionality directly into Fleet is related to crafting the right enrollment profile, we thought that having a separate service gives us freedom to hardcode the profile to the customer's needs.

@noahtalerman maybe the profile could be provided to Fleet itself as a hidden config?

@zwass another option I just thought of: what if the proxy enqueues the command (using Fleet's API) to renew the SCEP certificate the first time it redirects a host to Fleet? this gives us 1 year to properly solve this problem.
It's on the drafting board w/ the Since this it sounds like the next release (2024-07-15) isn't fast enough I started a thread in
@roperzh good idea. But is this because of a limitation of Heroku? If not, in order to move quickly, I think let's move forward with the current plan in the issue description. If folks disagree, please jump in tomorrow's MDM design review to discuss. Once we know what the enrollment profile will look like, we can get @eashaw's help to test. If we learn that using fleetdm.com won't work due to a Heroku limitation then I think we come back to other options.
@noahtalerman sounds good! yeah, not a limitation with Heroku, but it might be simpler to run the cron in Fleet because:
This seems possible. Currently there is no state maintained within the migration proxy, but state could be added.
Hey team! Please add your planning poker estimate with Zenhub @dantecatalfamo @ghernandez345 @gillespi314 @roperzh
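The periodic renewal job discussed in the comments above (check each host's SCEP certificate lifetime, then decide what to redeliver), as an added Go sketch that is not Fleet's code: the `Host` type, `selfSignedCert`, `PlanRenewals` and the "fleet"/"legacy" labels are all constructed assumptions, and the certificate is generated inline to stand in for a SCEP-issued one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"time"
)

// Host is a constructed stand-in for a Fleet host record, not Fleet's real type.
type Host struct {
	ID              uint
	LegacyProfile   bool   // still carries the old, non-Fleet enrollment profile
	IdentityCertDER []byte // current SCEP-issued identity certificate (DER)
}

// selfSignedCert stands in for a SCEP-issued cert (micromdm/scep defaults to 1 year).
func selfSignedCert(notBefore time.Time, lifetime time.Duration) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notBefore, NotAfter: notBefore.Add(lifetime)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return der
}

// PlanRenewals is the periodic job sketched above: it returns, per host ID, which
// enrollment profile to redeliver via InstallProfile for certs expiring within window.
// "fleet" is Fleet's own profile; "legacy" marks hosts that still have the old profile,
// where pushing Fleet's profile unchanged would fail as the issue describes.
func PlanRenewals(hosts []Host, now time.Time, window time.Duration) (map[uint]string, error) {
	plan := map[uint]string{}
	for _, h := range hosts {
		cert, err := x509.ParseCertificate(h.IdentityCertDER)
		if err != nil {
			return nil, err
		}
		if cert.NotAfter.Sub(now) > window {
			continue // still comfortably valid, nothing to enqueue
		}
		plan[h.ID] = "fleet"
		if h.LegacyProfile {
			plan[h.ID] = "legacy"
		}
	}
	return plan, nil
}
```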
Please add your planning poker estimate with Zenhub @jahzielv |
As part of the research for this ticket I:
I verified that:
Action items and stuff to coordinate on:
@roperzh are you saying you got the enrollment profile replaced without user intervention? I'm not sure I understand how this experiment is connected with the touchless migration experience we are working on with customers.
@zwass sorry for not being clear. This is to renew SCEP certificates for migrated devices (which is done by re-delivering the enrollment profile). The enrollment profile was almost replaced, but three things need to be kept in our particular case:
Ah, so enrollment profiles can be redelivered without user intervention as long as the
@zwass exactly! in my notes I have this as the full list of things that can't change:
I think the really important findings for us are:
@roperzh how are we doing on target ETA to get this in a patch next week? thanks :D
@zayhanlon thanks for checking, still on track! but please note that the issue w/ profiles is probably a bigger blocker. This is majorly a blocker for the prod deploy; the profiles issue is limiting their testing in staging prior to any production changes.
@roperzh yup! i'm on it - discussing with Noah today
for #19800 the motivation behind these changes is to support certificate renewals for hosts that were migrated by inserting enrollment records via a database migration. those hosts still have their old enrollment profile installed, so SCEP renewals need to be handled carefully.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)
- [x] Added/updated tests
- [x] If database migrations are included, checked table schema to confirm autoupdate
  - For database migrations:
    - [x] Checked schema for all modified table for columns that will auto-update timestamps during migration.
    - [x] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects.
    - [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`).
- [x] Manual QA for all new/changed functionality
Paired w/ Roberto to test on his locally set up micromdm server to ensure the workflow succeeded.
Hey @zayhanlon, this No docs needed. Customers expect the MDM solution to handle SCEP renewal behind the scenes.
Old profiles renew,
Goal
Context
To renew SCEP certificates, we send an `InstallProfile` command with Fleet's enrollment profile to the devices. Hosts that migrated using "Process for self-hosted macOS MDM migration to Fleet" (#19387) will have a different enrollment profile (one from the old MDM solution), so the `InstallProfile` command will fail and the SCEP certificate won't be renewed.

Changes
Product
Engineering
QA
Risk assessment
Manual testing steps
Testing notes
Confirmation