ACME for MDM (protocol) certificates #31289

@noahtalerman

Description

Goal

User story
As a Security Engineer,
I want Fleet to use ACME certificates for MDM protocol communication
so that I know Fleet is using the most secure method when communicating with hosts.

Changes

Product

Fleet will add support for ACME-based Apple MDM certificate generation for Apple Silicon Macs that enroll via DEP. A setting will be added to only allow enrollments from devices that can pass a device attestation challenge and whose serials are already known to Fleet (which for now means they were synced from DEP). When this setting is enabled, Fleet will serve an enrollment profile that includes an ACME hardware-bound, device-attested certificate profile and will require the device to pass the device attestation challenge in order to enroll. Devices that qualify for enrollment using ACME certificates will also receive ACME certificates on renewal (previously usually called SCEP renewal) while this setting is enabled, so even a device that originally enrolled with SCEP will get ACME on renewal. Devices that fail the device attestation challenge will not be allowed to enroll.
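
To make the enrollment rules above concrete, here is an added Go example (illustrative code written for this issue, not Fleet's own implementation; the type, field and function names are assumptions) that encodes the decision for both initial enrollment and renewal, including the attestation-failure case:

```go
package main

import "fmt"

// EnrollmentRequest holds the inputs the issue says the decision depends on.
// Field names are assumptions for this example, not Fleet's data model.
type EnrollmentRequest struct {
	RequireHardwareAttestation bool   // the new app setting
	FleetFree                  bool   // on Fleet Free the setting cannot be enabled
	Platform                   string // "macos", "ios" or "ipados"
	AppleSilicon               bool
	SerialKnownFromDEP         bool // serial was synced from DEP
	AttestationPassed          bool // Managed Device Attestation signed by Apple
}

// Decision is the outcome: whether the device may enroll, which certificate
// method the enrollment profile uses, and whether the host is marked attested.
type Decision struct {
	Allowed          bool
	CertMethod       string // "ACME" or "SCEP"
	HardwareAttested bool   // drives host.mdm_enrollment_hardware_attested
}

// qualifiesForACME: setting on (Premium only), Apple Silicon Mac, serial known from DEP.
func qualifiesForACME(r EnrollmentRequest) bool {
	if r.FleetFree || !r.RequireHardwareAttestation {
		return false
	}
	return r.Platform == "macos" && r.AppleSilicon && r.SerialKnownFromDEP
}

// Decide applies to enrollment and renewal alike: a qualifying device gets ACME
// on renewal even if it originally enrolled with SCEP; non-qualifying devices
// (Intel Macs, iPhones, iPads, unknown serials) keep SCEP and are not blocked.
func Decide(r EnrollmentRequest) Decision {
	if !qualifiesForACME(r) {
		return Decision{Allowed: true, CertMethod: "SCEP"}
	}
	if !r.AttestationPassed {
		return Decision{Allowed: false} // attestation challenge failed: reject
	}
	return Decision{Allowed: true, CertMethod: "ACME", HardwareAttested: true}
}

func main() {
	r := EnrollmentRequest{RequireHardwareAttestation: true, Platform: "macos",
		AppleSilicon: true, SerialKnownFromDEP: true, AttestationPassed: false}
	fmt.Printf("%+v\n", Decide(r)) // rejected: attestation failed
}
```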

Add "MDM attestation: Yes" to the host vitals page, visible only when it is yes (when host.mdm_enrollment_hardware_attested is true). The tooltip on "Yes" should say "Host provided a Managed Device Attestation signed by Apple at enrollment."

Engineering

  • Test plan is finalized
  • Contributor API changes: Add ACME contributor endpoints #41273
  • Feature guide changes: None
  • Database schema migrations: Specified in subtasks below
  • Load testing: None
  • Load testing/osquery-perf improvements: None

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

  • Risk level: High
  • Risk description: High in the sense that there is a nonzero chance of breaking Apple MDM enrollments with this feature and it needs to be tested very carefully with the feature on and off.

Test plan

Make sure to go through the list and consider all events that might be related to this story, so we catch edge cases earlier.

  1. Verify that with the Require Hardware Attestation setting disabled, Apple Silicon and Intel Macs, iPhones and iPads from DEP and using manual enrollment (profile) can enroll in Fleet and, if you check Device Management -> Profiles, "Fleet Enrollment" shows a SCEP enrollment.
  2. Verify that with the Require Hardware Attestation setting enabled, Apple Silicon and Intel Macs, iPhones and iPads from DEP and using manual enrollment (profile) can enroll in Fleet and, if you check Device Management -> Profiles, "Fleet Enrollment" shows an ACME enrollment for macOS Apple Silicon hosts; all others show a SCEP enrollment.
  3. Test SCEP renewal (enrollment profile renewal?) by updating the nano_cert_auth_associations table (UPDATE nano_cert_auth_associations SET cert_not_valid_after='[a date only a few days in the future in YYYY-MM-DD format]' WHERE id = '[your host UUID]') with devices from steps 1 and 2. Validate that after SCEP renewal, devices show ACME enrollments if they qualify for ACME enrollment (Apple Silicon Macs from DEP, step 2), and SCEP enrollments otherwise.
  4. Test enrollment of an Apple Silicon DEP Mac with "Require Hardware Attestation" enabled and with Apple attestation broken. Verify that its enrollment fails. You can break Managed Device Attestation by adding the following entries to the /etc/hosts file on the Mac:
     0.0.0.0 appattest.apple.com
     0.0.0.0 register.appattest.apple.com
     0.0.0.0 data.appattest.apple.com
  5. Verify that in the test cases above, when a device enrolls with ACME or renews with ACME it shows "MDM Attested: Yes"; otherwise this does not appear on the host page.
  6. Verify that on Fleet Free the new Require Hardware Attestation checkbox does not exist and the setting cannot be set via GitOps/API.
  7. Verify that ACME enrollments on supported devices function as expected with End User Authentication enabled or disabled.
  8. Verify that the setting can be turned on/off independently of Apple MDM and of all MDMs being turned on/off (it just won't do anything if Apple MDM is off).
  9. Verify that if GitOps mode is enabled, the new Require Hardware Attestation checkbox is disabled/not interactive.

Testing notes

Confirmation

  1. Engineer: Added comment to user story confirming successful completion of test plan.
  2. QA: Added comment to user story confirming successful completion of test plan.

Labels

  • #g-mdm: MDM product group
  • :release: Ready to write code. Scheduled in a release. See "Making changes" in handbook.
  • customer-antonella
  • customer-rosner
  • prospect-aaronhakim
  • prospect-esquerdo
  • prospect-spartacus
  • story: A user story defining an entire feature
  • ~customer promise: A feature request, or user story for a request, that Fleet has contractually agreed to deliver
  • ~macos-workstation: Product maturity category
  • ~product-maturity: Contributes to Fleet's product maturity goals for the current year

Status

✔️Awaiting QA