From a56e98422fdcfcb4d3a045ac8e6fb446b491a8b7 Mon Sep 17 00:00:00 2001 From: Robot Date: Thu, 18 Jun 2026 08:41:44 -0500 Subject: [PATCH] deploy(gx10): wire Apple MDM runtime secret keys --- apps-gx10/fc-apple-mdm/README.md | 6 ++ apps-gx10/fc-devicemgmt/README.md | 39 ++++++++ .../deployment-fc-devicemgmt-web.json | 92 +++++++++++++++++++ 3 files changed, 137 insertions(+) create mode 100644 apps-gx10/fc-devicemgmt/README.md diff --git a/apps-gx10/fc-apple-mdm/README.md b/apps-gx10/fc-apple-mdm/README.md index 85b83bd..f02baa9 100644 --- a/apps-gx10/fc-apple-mdm/README.md +++ b/apps-gx10/fc-apple-mdm/README.md @@ -29,6 +29,12 @@ NanoHUB APIs under `/api/v1/*` stay cluster-internal for MDM-N1. The DeviceManagement bridge can use the ClusterIP service directly once its NanoHUB client lane lands. +SCEP is intentionally not exposed here yet. NanoHUB/NanoMDM expects an external +SCEP service; the next runtime lane should either add a dedicated SCEP route +such as `https://mdm.iamworkin.lan/scep/...` backed by an Apple-MDM-specific CA, +or set `APPLE_MDM_SCEP_URL` in the DeviceManagement runtime secret to another +live SCEP endpoint. Do not point the profile at a placeholder URL. + ## Deployment Notes 1. Create or refresh the runtime Kubernetes Secret from the 1Password item diff --git a/apps-gx10/fc-devicemgmt/README.md b/apps-gx10/fc-devicemgmt/README.md new file mode 100644 index 0000000..ebcfe17 --- /dev/null +++ b/apps-gx10/fc-devicemgmt/README.md 
@@ -0,0 +1,39 @@
+# FlowerCore DeviceManagement on GX10
+
+This adopted GX10 app hosts `FlowerCore.DeviceManagement.Web` at
+`https://devices.iamworkin.lan`.
+
+## Apple MDM Runtime Contract
+
+Apple MDM is enabled in NanoHUB mode, but enrollment remains unavailable until
+the runtime secret contains real Apple-side material. Do not use placeholder
+values to clear readiness checks.
+
+`Secret/fc-devicemgmt-runtime` supports these Apple MDM keys:
+
+| Key | Purpose |
+| --- | --- |
+| `NANOHUB_API_KEY` | NanoHUB API password for HTTP Basic user `nanohub`. |
+| `APPLE_MDM_APNS_TOPIC` | MDM APNs topic returned after uploading the Apple MDM push certificate to NanoHUB/NanoMDM. |
+| `APPLE_MDM_SCEP_URL` | Live SCEP URL included in the enrollment profile. |
+| `APPLE_MDM_SCEP_CHALLENGE` | SCEP challenge shared with the SCEP provisioner. |
+| `APPLE_MDM_PROFILE_SIGNING_CERTIFICATE_PEM` | PEM certificate used to CMS-sign `.mobileconfig` profiles. |
+| `APPLE_MDM_PROFILE_SIGNING_PRIVATE_KEY_PEM` | PEM private key matching the profile-signing certificate. |
+| `APPLE_MDM_REQUIRE_MANAGED_WIFI_PAYLOAD` | Set to `true` only when Wi-Fi payload delivery should gate enrollment readiness. |
+| `APPLE_MDM_MANAGED_WIFI_SSID` | Managed Wi-Fi SSID for the iPad profile. |
+| `APPLE_MDM_MANAGED_WIFI_PASSWORD` | Managed Wi-Fi password when the network is not open. |
+
+Non-secret profile constants stay in GitOps: NanoHUB base URL, MDM server URL,
+check-in URL, organization/display names, the HTTPS trust anchor certificate,
+managed Wi-Fi encryption type, auto-join, and MAC-randomization disablement.
+
+## Readiness Check
+
+After changing the runtime secret and letting the pod roll, verify:
+
+```bash
+curl -sk https://devices.iamworkin.lan/api/v1/apple-mdm/enrollment-profile/status
+```
+
+Configurator enrollment must wait until this status reports `available=true`
+and an empty `missingRequirements` array.
diff --git a/apps-gx10/fc-devicemgmt/deployment-fc-devicemgmt-web.json b/apps-gx10/fc-devicemgmt/deployment-fc-devicemgmt-web.json
index b35a594..1bbf298 100644
--- a/apps-gx10/fc-devicemgmt/deployment-fc-devicemgmt-web.json
+++ b/apps-gx10/fc-devicemgmt/deployment-fc-devicemgmt-web.json
@@ -161,6 +161,98 @@
 "name": "fc-devicemgmt-runtime"
 }
 }
+ },
+ {
+ "name": "FlowerCore__DeviceManagement__AppleMdm__ApnsTopic",
+ "valueFrom": {
+ "secretKeyRef": {
+ "key": "APPLE_MDM_APNS_TOPIC",
+ "name": "fc-devicemgmt-runtime",
+ "optional": true
+ }
+ }
+ },
+ {
+ "name": "FlowerCore__DeviceManagement__AppleMdm__ScepUrl",
+ "valueFrom": {
+ "secretKeyRef": {
+ "key": "APPLE_MDM_SCEP_URL",
+ "name": "fc-devicemgmt-runtime",
+ "optional": true
+ }
+ }
+ },
+ {
+ "name": "FlowerCore__DeviceManagement__AppleMdm__ScepChallenge",
+ "valueFrom": {
+ "secretKeyRef": {
+ "key": "APPLE_MDM_SCEP_CHALLENGE",
+ "name": "fc-devicemgmt-runtime",
+ "optional": true
+ }
+ }
+ },
+ {
+ "name": "FlowerCore__DeviceManagement__AppleMdm__ProfileSigningCertificatePem",
+ "valueFrom": {
+ "secretKeyRef": {
+ "key": "APPLE_MDM_PROFILE_SIGNING_CERTIFICATE_PEM",
+ "name": "fc-devicemgmt-runtime",
+ "optional": true
+ }
+ }
+ },
+ {
+ "name": "FlowerCore__DeviceManagement__AppleMdm__ProfileSigningPrivateKeyPem",
+ "valueFrom": {
+ "secretKeyRef": {
+ "key": "APPLE_MDM_PROFILE_SIGNING_PRIVATE_KEY_PEM",
+ "name": "fc-devicemgmt-runtime",
+ "optional": true
+ }
+ }
+ },
+ {
+ "name": "FlowerCore__DeviceManagement__AppleMdm__RequireManagedWifiPayload",
+ "valueFrom": {
+ "secretKeyRef": {
+ "key": "APPLE_MDM_REQUIRE_MANAGED_WIFI_PAYLOAD",
+ "name": "fc-devicemgmt-runtime",
+ "optional": true
+ }
+ }
+ },
+ {
+ "name": "FlowerCore__DeviceManagement__AppleMdm__ManagedWifiSsid",
+ "valueFrom": {
+ "secretKeyRef": {
+ "key": "APPLE_MDM_MANAGED_WIFI_SSID",
+ "name": "fc-devicemgmt-runtime",
+ "optional": true
+ }
+ }
+ },
+ {
+ "name": "FlowerCore__DeviceManagement__AppleMdm__ManagedWifiPassword",
+ "valueFrom": {
+ "secretKeyRef": {
+ "key": "APPLE_MDM_MANAGED_WIFI_PASSWORD",
+ "name": "fc-devicemgmt-runtime",
+ "optional": true
+ }
+ }
+ },
+ {
+ "name": "FlowerCore__DeviceManagement__AppleMdm__ManagedWifiEncryptionType",
+ "value": "WPA2"
+ },
+ {
+ "name": "FlowerCore__DeviceManagement__AppleMdm__ManagedWifiAutoJoin",
+ "value": "true"
+ },
+ {
+ "name": "FlowerCore__DeviceManagement__AppleMdm__ManagedWifiDisableAssociationMacRandomization",
+ "value": "true"
 }
 ],
 "image": "localhost/fc-devicemgmt-web:v20260618-mdmprofile-d0d2a56",
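Review bot: The profile-signing private key (`APPLE_MDM_PROFILE_SIGNING_PRIVATE_KEY_PEM`), the SCEP challenge and the managed Wi-Fi password are delivered as process environment variables, so anyone who can `kubectl exec` into the container, any subprocess the app spawns, and any crash dump or diagnostic that captures `/proc/<pid>/environ` sees the key material in the clear. A secret `volumeMount` of `fc-devicemgmt-runtime` with a restrictive `defaultMode` keeps the PEM on tmpfs readable only by the app; the `FlowerCore__…` double-underscore keys look like .NET configuration, which can read the same keys from a mounted directory with a key-per-file provider, but that is an app-side change to confirm, so at minimum record the exposure in the companion README. All eight new `secretKeyRef`s are `optional: true`, which matches the documented "pod runs, readiness endpoint reports `missingRequirements`" contract, but it means a certificate present with its private key absent, or a mismatched pair, is not caught by pod Ready, so rollout gating has to use the status endpoint rather than the Deployment's readiness. The `env` array and its enclosing container spec start before and end after the hunk.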