List certificates on macOS, iOS, iPadOS hosts

[harrisonravazzolo]

customer-pingali: Gong snippet: https://us-65885.app.gong.io/call?id=2699116120479648557&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A370%2C%22to%22%3A458%7D%5D

• @noahtalerman: User requested this because they can see a list the certificates on macOS, iOS, iPadOS hosts in their current MDM solution. They want to see the same list in Fleet.
  • @noahtalerman: In the interim the user can write an osquery query the ___ table to list certificates on macOS. For iOS/iPadOS, the user can use the run MDM command Fleet API w/ the List the Certificates as the custom command.
  • @noahtalerman: Eventually Fleet might add certificates to host vitals so that the IT admin can see them on the Host details page.

---

User stories

• Add certificates to host vitals for macOS, iOS, iPadOS #23235

[harrisonravazzolo]

Similar to #20717

[noahtalerman]

Problem

customer-pingali would like the ability to surface this information about a device directly from MDM and not rely on osquery.

Use case: an employee with a BYOD leaves the organization and CorpIT wants to know which certs the device has and revoke them. While this is possible through osquery on Mac/Windows, it's not possible to use this method on iOS. The security queries will return the value they are looking for, certificates, but also data that would be useful for other customers to be able to query and unlock some GitOps lifecylces - i.e. Find My, Management status, Hardware encryption type

All available values: https://support.apple.com/en-gb/guide/deployment/dep5872f7b3c/1/web/1.0

What have you tried?

Not possible through Fleet.

Potential solutions

Could use osquery on supported platforms or use a custom MDM command, like what this customer is trying to do with certs - https://developer.apple.com/documentation/devicemanagement/list_the_certificates

What is the expected workflow as a result of your proposal?

Being able to hit an API, similar to the List MDM Command https://fleetdm.com/docs/rest-api/rest-api#list-mdm-commands and parse the data returned.

[noahtalerman]

• @noahtalerman: User requested this because they want to be able to list the certificates on macOS, iOS, iPadOS hosts. What are they doing w/ this list? Building some automation? Just looking to confirm that a certificate is there?

@harrisonravazzolo can you please ask the above on your next call w/ pingali? Thanks!

Also check out the "in the interim" below:

• @noahtalerman: In the interim the user can write an osquery query the ___ table to list certificates on macOS. For iOS/iPadOS, the user can use the run MDM command Fleet API w/ the List the Certificates as the custom command.

[noahtalerman]

• @noahtalerman: User requested this because they want to be able to list the certificates on macOS, iOS, iPadOS hosts. What are they doing w/ this list? Building some automation? Just looking to confirm that a certificate is there?

@harrisonravazzolo just following up to say that I don't think we can move this request forward to drafting/design until we understand the above.

Can you please ask the above on your next call w/ pingali? Thanks!

[harrisonravazzolo]

https://us-65885.app.gong.io/call?id=4502089861812328304&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A1366%2C%22to%22%3A1418%7D%5D

The downstream use case for the data returned is not clear on this snippet but they have potentially turned this into a requirement.

[noahtalerman]

@harrisonravazzolo it's still unclear what the desired workflow is.

Do they want to see a list of certificates on the Host details page? You can imagine we'd show a list like the list of users:

[harrisonravazzolo]

Hey @noahtalerman - I can ask Pingali but yeah, I would imagine something like that, but that it's also included in the api.

Don't know how helpful this screenshot is but this is me running the command on my iPhone and getting the certs.

[harrisonravazzolo]

Access to a lot of resources are through certs - so knowing if a device has a particular cert might mean the end user has access to the dev test wifi network, or, they have a kerberos identity for the iOS app test services, or something like that.

[noahtalerman]

@harrisonravazzolo heads up, we peeled this user story off this request and brought it into the current design sprint.

Keep in mind that the user story might not address the entire request. It may just be a small, iterative piece of it.

[rachaelshaw]

@harrisonravazzolo @noahtalerman wondering if we ever got the answer to this question in the issue description:

What are they doing w/ this list? Building some automation? Just looking to confirm that a certificate is there?

[noahtalerman]

@rachaelshaw I don't think we know for sure if pingali is building an automation.

That said, I chatted w/ Allen (subject matter expert), and other MDM solutions present a list of certificates on their equivalent of the Host details page. This way, the IT admin can confirm they're present on the device. So, I think it's safe to assume that pingali is at least looking for this.

In the user story we're working on now, I think we start w/ adding certificates to the Host details page (host vitals API too).

Later, we might add a view that shows all certificates across hosts or fire webhooks when a certificate fails to install (to aid automations if they exist).

[allenhouchins]

I was able to look into this a little more.

When you run a query like SELECT * FROM certificates; it is pulling all certificates, even system root certificates that are the default, built-in certificates provided by the operating system. Admins likely don't want these listed on a host record since every host will have them and know they can dig them up through osquery if needed.

What admins are likely asking for is a UI that shows the results of SELECT * FROM certificates where path = '/Library/Keychains/System.keychain'; attached to a host since these are certificates installed on top of the defaults.

Here is what other MDMs show:

Here is the osquery result of the command I suggested -- the discrepancy in results is because certificates that were installed by Jamf have been removed from the device:

Here is the list of System certificates on the device:

Here is the list of System Roots installed on the device which come up when running SELECT * FROM certificates; in addition to the ones in the previous screenshot:

Summary: The UI should not show all certificates, only the results of SELECT * FROM certificates where path = '/Library/Keychains/System.keychain'; since these are certificates that had to be installed through some process.