Deploy Configuration Profiles that automatically inject host-specific attributes into the profile payload

[Patagonia121]

• customer-sarahwu Gong snippet: https://us-65885.app.gong.io/call?id=2524895556204152068&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A309%2C%22to%22%3A1215%7D%5D
• customer-reedtimmer: Gong snippet: https://us-65885.app.gong.io/call?id=3274063432520612661&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A1259%2C%22to%22%3A2500%7D%5D
• customer-pingali: Gong snippet: https://us-65885.app.gong.io/call?id=6614462928873447831&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A3444%2C%22to%22%3A3524%7D%5D
• customer-deebradel: Gong snippet TODO
• @noahtalerman: User requested this because they want to help their end users connect to W-Fi w/ a SCEP certificate that's unique for each device. This SCEP certificate is deployed with a profile. The profile is where the unique information used for SCEP certificate is specified by the IT admin as variables. The variables are a challenge, serial number, hostname, and username. Which variables are used is different for each org. Some use serial number and others use username, etc. Whatever team is managing the certificates decides which variables their organization uses. This decision is based on the easiest way to map users to devices in all my tools (ex. SIEM)
  • @noahtalerman: I think there's a SmallStep API to create a unique challenge. That's why the customer is using the webhook feature in their MDM to reach out to SmallStep whenever a SCEP certificate needs a challenge.
    • @allenhouchins: Most third-party PKIs (ex. DigiCert) have these APIs. So we a webhook feature in Fleet would make it so that this challenge flow works with many PKIs.
  • @noahtalerman: In the interim TODO
  • @noahtalerman: Eventually TODO
• @allenhouchins: User requested this because they want to automatically populate the Slack username on first launch. IT admin can deploy a profile that configures Slack such that on first launch, a Slack account is setup w/ the same email they use to log in to their IdP.
  • @noahtalerman: In the interim TODO
  • @noahtalerman: Eventually TODO
    • @allenhouchins: Build in variables in Jamf: https://learn.jamf.com/en-US/bundle/jamf-pro-documentation-current/page/Computer_Configuration_Profiles.html
• @noahtalerman : User requested this because they want to customize the settings for specific apps (ex. CyberHaven) TODO
  • @noahtalerman: It seems like iMazing has built-in profiles for some apps (ex. Brave) but not other apps (ex. CyberHaven).
  • @username: In the interim TODO
  • @username: Eventually TODO

---

User stories

• Add end user's IdP information to host vitals #23236

[noahtalerman]

We proved we could use %SerialNumber% (and other values) in a payload per https://support.apple.com/guide/deployment/variables-settings-for-mdm-payloads-dep04666af94/1/web/1.0 that would be substituted on host. FYI to Fleet for documentation updates.

Hey @Patagonia121 and @ambrusps assuming this is about connecting a host to Okta Verify (or a similar tool) I think this request already works but we don't have a guide for it.

Here's the issue tracking the guide here:

• Guide: Enable Okta Verify on my macOS hosts using variables in configuration profiles #21294

I'm fairly confident we already cover customer-reedtimmer's use case. They use Okta Verify.

I'm not sure about customer-pingali

@ambrusps and @Patagonia121 can you please help me confirm this?

Closing this issue for now in favor of the guide. We can always reopen.

[fleet-release]

Profiles auto-fill,
Host data in cloud weave.
Admins find relief.

[Patagonia121]

@noahtalerman we heard from customer-reedtimmer today that unfortunately this doesn't solve their use case. They do not use Okta Verify and they have flows outside that specific use case where they still need to inject custom attributes from the host into configuration profiles. They mentioned that this #21294 starts to cover it, but the use case is not only Okta Verify.

As an example, they use Cyberhaven and need to send a profile for a specific domain where mdm_username must be mapped to the assigned user. In Fleet, they'd associate the custom human device-mapping to an email and need to inject its value to a profile.

I'm reopening this issue given their feedback today and we can decide how to move forward from here. Thanks!

[noahtalerman]

Thanks for following up @Patagonia121!

need to inject custom attributes from the host into configuration profiles. They mentioned that this #21294 starts to cover it, but the use case is not only Okta Verify.

Makes sense 👍

they use Cyberhaven and need to send a profile for a specific domain where mdm_username must be mapped to the assigned user. In Fleet, they'd associate the custom human device-mapping to an email and need to inject its value to a profile.

Great example!

I think we want to track a separate request for this: "Deploy configuration profiles w/ end user's email as a variable"

Can you please help track that and confirm that that would solve their use case?

[JoStableford]

Linked to Unthread ticket:

Conversation #3129)

[noahtalerman]

Moved the original issue here for safekeeping:

User story: As an admin, I want to deploy Configuration Profiles that automatically inject host-specific attributes into the profile payload, facilitating the delivery of host-specific configurations so that Munki can read this information and deploy different apps based on user's group membership in IdP.

• Example: a profile includes the host’s assigned user’s email address

Customer feedback:

Added as a blocker due to Smallstep certification deployment requiring including host’s serial in generated SCEP payload. We proved we could use %SerialNumber% (and other values) in a payload per https://support.apple.com/guide/deployment/variables-settings-for-mdm-payloads-dep04666af94/1/web/1.0 that would be substituted on host. FYI to Fleet for documentation updates.

[noahtalerman]

@Patagonia121 @pintomi1989 when you get the chance, can you please add Gong snippets for pingali and deebradel? Thanks!

[Patagonia121]

@ambrusps since you added the tag for customer-pingali, can you grab the gong snippet and add to the issue description above?

[noahtalerman]

Hey @ambrusps and @pintomi1989 just giving you another ping! Can you please add the Gong snippets for pingali and deebradel?

[pintomi1989]

Hey @ddribeiro,

Tagging you here since you added the tag for customer-deebradel here a few weeks ago. I looked around and I'm not turning up any recordings or notes around this ask

[noahtalerman]

Hey @ambrusps just giving you another ping! Can you please add the Gong snippet for pingali?

[allenhouchins]

@Patagonia121 - Can you help add the snippet from today's call with customer-sarahwu? Specifically the segment where the conversation starts talking about Okta and ends with SCEP would be great.

@noahtalerman This is a blocker for customer-sarahwu to adopt Fleet MDM. The snippet that @Patagonia121 will help get added will be very insightful as to why.

[Patagonia121]

I dropped customer-sarahwu's snippet into the issue @allenhouchins @noahtalerman. Let me know if you need anything else!

[noahtalerman]

Hey @ambrusps and @ddribeiro can you please add the Gong snippet for pingali and deebradel?

[ambrusps]

@noahtalerman sorry for the long wait on this, it wasn't a direct request from customer-pingali but more so a feature that will help their overall objective of human to device mapping. I added a snippet above that most closely mentions this for now. Let me know if further clarification is needed

[noahtalerman]

@ambrusps I don't see the pingali clip in the issue description. Can you please share it again?

[noahtalerman]

Hey @ambrusps, just following up w/ another ping! I can't find the pingali clip you mentioned in your comment here.

[ambrusps]

@noahtalerman added above