The knapsack should look for the enrollment secret in multiple locations #1987

Open
RebeccaMahany opened this issue Dec 11, 2024 · 3 comments
Labels
features-improvements Features and Improvements

Comments

@RebeccaMahany (Contributor) commented Dec 11, 2024

The knapsack's ReadEnrollSecret function currently expects the enroll secret to be set in one of two places: 1) via the launcher options (i.e. on the command line or in the config file); 2) in a file at the EnrollSecretPath (i.e. /etc/<identifier>/secret).

As we plan for secretless launcher installations, we will want to make it possible for tenants who want to silently enroll their end users to roll out the enrollment secret via MDM. We should define supported locations for the enrollment secret, and update ReadEnrollSecret to look in those locations.

This issue requires further research re: reasonable locations for the enrollment secret. We know right now that we want to support:

  1. A well-known registry key (Windows only)
  2. App preferences (macOS only)

We should make it easy to add new locations in the future, too.

Please also update the enroll secret checkup to look in these alternate locations, and to note where the secret was found.

@RebeccaMahany RebeccaMahany added the features-improvements Features and Improvements label Dec 11, 2024
@directionless (Contributor) commented:

> note where the secret was found

This is going to matter. One of the things we need to grapple with is when a secret changes or is removed. Probably means we delete the registration?

@RebeccaMahany (Contributor, Author) commented:

@directionless discussed this further with product, and concluded that we don't need to take action if the secret is removed

@directionless (Contributor) commented:

Some interesting thoughts.... How does device deletion work?

  • If a secret is on disk/registry/preferences
  • And the enrollment is remote deleted,
  • How do we keep launcher from re-registering?
