Integrate with Smallstep via SCEP w/ dynamic challenge

[allenhouchins]

• customer-reedtimmer: https://us-65885.app.gong.io/call?id=3444438867398665141&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A3266%2C%22to%22%3A3363%7D%5D

  • reedtimmer customer promise.

• Gong snippet for call with Smallstep: https://docs.google.com/document/d/1CdxvU61kMqyH_B51kbGnn5HVDoUTZPxGYzftgsIrNpU/edit?tab=t.0#heading=h.7en766pueek4

  • @allenhouchins: Sounds like we could replicate what Smallstep is doing for automatic enrollment for Windows. This would require a partnership with OEMs (manufacturers). This means users don't have to pay for a Microsoft license AND a Fleet license to automatic enrollment.

• @noahtalerman: User requested this because they want to deploy a SCEP certificate from Smallstep with dynamic challenge to connect their end users to Wi-Fi or VPN.

  • @noahtalerman: In the interim users can configure Smallstep as a Microsoft NDES certificate authority (CA). This is because Smallstep built a layer on top of NDES. In the SCEP payload, inside of a configuration profile, the user will specify $FLEET_VAR_NDES_SCEP_CHALLENGE as the challenge so that Fleet uses a dynamic challenge (guide here).
  • @noahtalerman: Eventually Fleet could add a "Smallstep" option in the CA dropdown. This could use NDES under the hood. Even later, Fleet could add a "Smallstep (ACME)" option.

• @getvictor: Was able to get a cert onto macOS using our example NDES SCEP profile with the following addition:

                    <key>SubjectAltName</key>
                    <dict>
                        <key>uniformResourceIdentifier</key>
                        <array>
                            <string>deviceid://%HardwareUUID%</string>
                        </array>
                    </dict>

Note: Smallstep needs to change the challenge time from 1 minute to 1 hour to match our NDES behavior/expectations.

• UPDATE: @allenhouchins: This technically works today but the Smallstep user has to pick the Workspace ONE integration.
  • @noahtalerman: Sounds like some UX improvements can be made in both Fleet and Smallstep. Fleet could add a new "Smallstep" option and Smallstep could add a new "Fleet" option.

---

[noahtalerman]

Problem

Admins want to integrate with Smallstep via SCEP using a dynamic challenge as their certificate authority.

What have you tried?

Fleet currently supports creating a configuration profile with the appropriate variables. However, we need an interface for sending a webhook to Smallstep to process that handles the dynamic challenge portion of the profile.

Potential solutions

Partner with Smallstep to build webhook endpoints for our mutual customers to use that makes this work similar to other MDM vendors.

What is the expected workflow as a result of your proposal?

Admins will be able to deploy a configuration profile for SCEP to their devices using a dynamic password challenge.