2018 PSU MicroMDM - MacAdmins Conference

Transcription

Jesse Peterson
CPE @ Facebook
Slack: @jessepeterson
Twitter: @jessecpeterson

GETTING MICROMDM WORKING AND WORKING WITH MICROMDM

AGENDA
GOAL OF TALK: GET FAMILIAR WITH HOW MICROMDM IS SET UP AND ADMINISTERED
- A bit of history
- About MicroMDM
- Getting MicroMDM working
- Working with MicroMDM

A BIT OF HISTORY

A BIT OF HISTORY
GET THE SOFTWARE
- v1.3.1 releases, or: https://goo.gl/N7znPz

A BIT OF HISTORY
2014-2015: INDUSTRY MOVEMENTS
- 2014: everything MDM on macOS could do, [fill in the blank] could do better
  - Most MDMs heavily GUI-based
- 2014: Apple announces DEP
  - Capabilities only possible with MDM
- October 2015: IBM JNUC presentation
  - Highlighted DEP-based zero-image workflow
  - Required MDM vendor proprietary agent

A BIT OF HISTORY
2015-2016: OPEN SOURCE INITIATIVES
- Lots of R&D and explorations by folks: @ygini, @bruienne, @groob, myself, etc.
- One of the first meet-ups was right here at PSU MacAdmins
- Commandment & MicroMDM released
- InstallApplication R&D begins
- DEP integration developed in cmdmnt & µmdm
- In-depth history of Open Source MDM: https://goo.gl/ujA5PC

ABOUT MICROMDM

ABOUT MICROMDM
DEVOPS FRIENDLY MDM
- Interface is command-line & API based
  - Encourages scriptability, extensibility, integrations, etc.
  - Expose as much text-based config as possible
- Designed as a "platform" tool
  - On top of which you build your organization's MDM system
  - Higher-level functionality is an anti-pattern for the project
  - Keeps project small and focused

ABOUT MICROMDM
MACOS FOCUSED
- DEP bootstrap workflows
- Most tested & developed platform
- iOS supported, but macOS focused

ABOUT MICROMDM
COMMAND LINE & API DRIVEN
- micromdm server daemon
- mdmctl interactive tool
- HTTP REST JSON API interface
- HTTP webhook (callback) API

ABOUT MICROMDM
ARCHITECTURE
- Micro- for Microservice
- PubSub messaging queue
- Written in Golang
- Abstracted database design
  - On-disk database is BoltDB

ABOUT MICROMDM
MDM IS DIFFERENT IN THESE PARTS
- No support for profile editing. Provide your own profiles
  - Generate enrollment profile only
- Outside of Blueprints you send MDM commands yourself, i.e. with the API
- Roll your own Push Certificate request; you're the vendor
- Very limited device info available

ABOUT MICROMDM
ADOPTION
- Used by many organizations
  - With fleets ranging from 10's to the 10's of 1000's of macOS enrollments
- The backend for several commercial offerings
- Some iOS adoption
- 480 Slack members. Join us in #micromdm, the water's fine!
- 15 GitHub contributors, 450 issues (open and closed)

ABOUT MICROMDM
NEW FEATURES
- Support for all MDM commands & payloads, including 10.14
- DEP profile auto-assignment
- MDM un-enrollment (server-initiated)
- DEP account configuration & User level payloads
- Improved certificate setup/management workflow
- Webhook support

ABOUT MICROMDM
WHY NOT MICROMDM
- You are the support for an Open Source project
- Setup & configuration commitment
- Running your own infrastructure
- Meant as a platform
  - Some of the 'standard' MDM features one might expect aren't here.

GETTING MICROMDM WORKING

GETTING MICROMDM WORKING
DEPENDENCIES
- The software! https://github.com/micromdm/micromdm/releases
- Push Certificate
- Server URL / domain name
- Service (Web) SSL certificate, trusted by enrolling devices
  - Options: Let's Encrypt, CA signed, Self-Signed
- mdmctl configuration
- (Optional) DEP/ABM account

GETTING MICROMDM WORKING
TESTING VS. PRODUCTION
- ngrok development
  - Locally-hosted server, with real, externally accessible HTTPS URL & certificate
  - Have scripts & support in tools/ directory!
- Self-signed certs
  - Internal-only MDM is possible but... just why?
- Demo setup: Local server, local enrollment, self-signed certs, with MDM CSR push option

GETTING MICROMDM WORKING
PUSH CERT
- 3 options: https://micromdm.io/blog/certificates/
- MDM CSR (from Enterprise Developer Account, US$300/year)
  - A.k.a. Be your own MDM vendor!
  - Recommended option
- Export Server.app's Profile Manager Push Cert ($20)
- http://mdmcert.download/ (Free for organizations only)

GETTING MICROMDM WORKING
MDM CSR METHOD
1. Sign up for an Enterprise Account: https://micromdm.io/blog/accounts/
2. Make sure the MDM CSR option is enabled in your account and your role is Admin
3. 2-step MDM CSR & Push Certificate process
   1. Create & sign MDM CSR
   2. Create & sign Push Cert Request
4. Upload Push Certificate to MicroMDM

[Diagram: MDM CSR Certificate "Vendor" Workflow and Push Certificate "Customer" Workflow]
- Vendor workflow (Apple Developer Program, Certs & IDs): generate the MDM CSR private key and CSR, submit the CSR for signing, download the MDM CSR certificate (CER). Private key + CER = MDM CSR X.509 keypair.
- Customer workflow (http://identity.apple.com): generate the Push Cert private key and CSR; the MDM CSR key signs the Push Cert CSR, and the signed CSR plus the MDM CSR certificate are included (B64/HEX) inside the Push Cert "Request" file; submit it for signing and download the MDM Push Certificate. Private key + MDM Push Certificate = Push Certificate X.509 keypair.
- The same steps as mdmctl commands:
  1. mdmctl mdmcert vendor
  2. mdmctl mdmcert push
  3. mdmctl mdmcert vendor -sign

LET'S GO

DEMO SHOWING:
    mdmctl mdmcert vendor \
      -password secret -country US \
      -email admin@acme.co

Contact Apple if you do not have this option in your Enterprise Developer account

Generate private key and CSR by executing:
    mdmctl mdmcert vendor \
      -password secret -country US \
      -email admin@acme.co
Upload the output CSR at this screen. The name of the file will be:
    ./mdm-certificates/VendorCertificateRequest.csr

DEMO SHOWING:
    mdmctl mdmcert push \
      -password secret -country US \
      -email admin@acme.co

DEMO SHOWING:
    mdmctl mdmcert vendor \
      -sign -cert ./mdm-certificates/mdm.cer \
      -password secret

https://identity.apple.com

Upload the output PLIST at this screen. The name of the file will be:
    ./mdm-certificates/PushCertificateRequest.plist

DEMO SHOWING: Hosts file and Self-Signed Cert Trust

DEMO SHOWING: micromdm serve

DEMO SHOWING: mdmctl config

DEMO SHOWING: mdmctl mdmcert upload

DEMO SHOWING: mdmctl get devices

WORKING WITH MICROMDM

WORKING WITH MICROMDM
REST APIS
- MDM by bash shell?! What in the?
- tools/api/ project directory
- Requires jq & curl (brew installed)

DEMO SHOWING: bash MDM!

WORKING WITH MICROMDM
WEBHOOKS (CALLBACKS)
- HTTP callback URL
  - Specify on micromdm serve CLI
- Delivers JSON event data
- Also delivers raw command-response Plist data in JSON
- Our example is a tiny Flask app (Python web framework)

DEMO SHOWING: Webhooks
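The webhook slide says MicroMDM POSTs JSON event data to a callback URL and carries the device's raw command-response plist inside that JSON. As an added example (not the talk's Flask app and not MicroMDM's code), a receiver on the standard library's http.server that parses one event and decodes the embedded plist with plistlib. The event field names used here (topic, event_id, acknowledge_event, udid, status, command_uuid, raw_payload) and the base64 encoding of the raw plist are this example's assumptions about the webhook JSON shape; confirm them against the MicroMDM version you run. The sample event is constructed in the file.

```python
"""Minimal MicroMDM webhook (callback) receiver on the standard library.

Added example for the talk above; the event field names are assumptions,
not MicroMDM's documented schema.
"""
import base64
import json
import plistlib
from http.server import BaseHTTPRequestHandler, HTTPServer


def parse_event(body: bytes) -> dict:
    """Summarise one webhook POST body.

    The JSON event (assumed shape) wraps command responses in
    "acknowledge_event", with the device's plist reply base64-encoded in
    "raw_payload"; decode it and pull out the DeviceInformation answers.
    """
    event = json.loads(body)
    summary = {"topic": event.get("topic"), "event_id": event.get("event_id")}
    ack = event.get("acknowledge_event")
    if ack:
        summary["udid"] = ack.get("udid")
        summary["status"] = ack.get("status")
        summary["command_uuid"] = ack.get("command_uuid")
        raw = ack.get("raw_payload")
        if raw:
            plist = plistlib.loads(base64.b64decode(raw))
            # DeviceInformation replies put their answers under QueryResponses
            summary["query_responses"] = plist.get("QueryResponses", {})
    return summary


class WebhookHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        summary = parse_event(self.rfile.read(length))
        print(json.dumps(summary, indent=2))
        self.send_response(200)
        self.end_headers()


def serve(port: int = 5000):
    """Listen on loopback only; expose via TLS-terminating proxy if needed."""
    HTTPServer(("127.0.0.1", port), WebhookHandler).serve_forever()


# Constructed sample: a DeviceInformation acknowledgement as it might be
# delivered, with the plist built here and base64-encoded into the event.
_sample_plist = plistlib.dumps({
    "Status": "Acknowledged",
    "UDID": "00000000-0000-0000-0000-CONSTRUCTED",
    "CommandUUID": "cmd-1234",
    "QueryResponses": {"OSVersion": "10.14", "SerialNumber": "C02CONSTRUCTED"},
})
SAMPLE_EVENT = json.dumps({
    "topic": "mdm.Connect",
    "event_id": "evt-1",
    "acknowledge_event": {
        "udid": "00000000-0000-0000-0000-CONSTRUCTED",
        "status": "Acknowledged",
        "command_uuid": "cmd-1234",
        "raw_payload": base64.b64encode(_sample_plist).decode(),
    },
}).encode()

if __name__ == "__main__":
    print(json.dumps(parse_event(SAMPLE_EVENT), indent=2))
    serve()
```

Run it, then point `micromdm serve` at the listener's URL as the callback. The parsed summary is where you would hand off to your own system (inventory, alerting on unexpected `Error` statuses, and so on); the receiver binds to loopback because the callback carries device details and serial numbers, so put it behind TLS and access control before exposing it.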

THANK YOU!
Q&A
Session Feedback: https://bit.ly/psumac2018-291
Jesse Peterson
CPE @ Facebook
Slack: @jessepeterson
Twitter: @jessecpeterson
