Victor Lyuboslavsky
Available in Fleet Premium
Fleet can help your end users connect to Wi-Fi or VPN by deploying certificates from your certificate authority (CA). Fleet currently supports DigiCert, Microsoft NDES, custom SCEP server, and Hydrant.
Fleet will automatically renew certificates 30 days before expiration. If an end user is on vacation (offline for more than 30 days), their certificate might expire, and they'll lose access to Wi-Fi or VPN. To reconnect them, ask your end users to temporarily connect to a different network so that Fleet can deliver a new certificate.
Currently, for NDES and custom SCEP CAs, Fleet requires that the $FLEET_VAR_SCEP_RENEWAL_ID variable is in the certificate's CN (Common Name) for automatic renewal to work. Since the CN has a maximum length of 64 characters, any characters beyond this limit get truncated, causing the renewal to fail. The $FLEET_VAR_SCEP_RENEWAL_ID is a 36-character UUID. Please make sure that any additional variables or content combined with it do not exceed the remaining 28 characters. If automatic renewal fails, you can resend the configuration profile manually on the host's Host details page, the end user's Fleet Desktop > My Device page, or via Fleet's API.
The following steps show how to connect end users to Wi-Fi or VPN with DigiCert certificates.
For further information, see DigiCert's instructions for creating a service user.
For Password, use $FLEET_VAR_DIGICERT_PASSWORD_<CA_NAME>. For Data, use $FLEET_VAR_DIGICERT_DATA_<CA_NAME>. Replace the <CA_NAME> with the name you created in step 3. For example, if the name of the CA is "WIFI_AUTHENTICATION", the variables will look like $FLEET_VAR_DIGICERT_PASSWORD_WIFI_AUTHENTICATION and $FLEET_VAR_DIGICERT_DATA_WIFI_AUTHENTICATION.
In Fleet, head to Controls > OS settings > Custom settings and add the configuration profile to deploy certificates to your hosts.
When Fleet delivers the profile to your hosts, Fleet will replace the variables. If something goes wrong, errors will appear on each host's Host details > OS settings.
If you use $FLEET_VAR_HOST_END_USER_IDP_USERNAME for CN or seat ID, and the variable's value changes, Fleet will get a new certificate and create a new seat in DigiCert. This will add a new DigiCert license. If you want to revoke a license in DigiCert, head to Trust Lifecycle Manager > Account > Seats and remove the seat.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>Password</key>
<string>$FLEET_VAR_DIGICERT_PASSWORD_CA_NAME</string>
<key>PayloadContent</key>
<data>$FLEET_VAR_DIGICERT_DATA_CA_NAME</data>
<key>PayloadDisplayName</key>
<string>CertificatePKCS12</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.pkcs12</string>
<key>PayloadType</key>
<string>com.apple.security.pkcs12</string>
<key>PayloadUUID</key>
<string>ee86cfcb-2409-42c2-9394-1f8113412e04</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>DigiCert profile</string>
<key>PayloadIdentifier</key>
<string>TopPayloadIdentifier</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>TopPayloadUUID</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
The following steps show how to connect end users to Wi-Fi or VPN with Microsoft NDES certificates.
The example paths end with /certsrv/mscep/mscep.dll and /certsrv/mscep_admin/ respectively. These path suffixes are the default paths for NDES on Windows Server 2022 and should only be changed if you have customized the paths on your server.
When saving the configuration, Fleet will attempt to connect to the SCEP server to verify the connection, including retrieving a one-time challenge password. This validation also occurs when adding a new SCEP configuration or updating an existing one via API and GitOps, including dry runs. Please ensure the NDES password cache size is large enough to accommodate this validation.
For Challenge, use $FLEET_VAR_NDES_SCEP_CHALLENGE. For URL, use $FLEET_VAR_NDES_SCEP_PROXY_URL, and make sure to add $FLEET_VAR_SCEP_RENEWAL_ID to CN.
If your Wi-Fi or VPN requires certificates that are unique to each host, update the Subject. For example, you can use $FLEET_VAR_HOST_END_USER_EMAIL_IDP if your hosts automatically enrolled (via ADE) to Fleet with end user authentication enabled. You can also use any of Apple's built-in variables.
In Fleet, head to Controls > OS settings > Custom settings and add the configuration profile to deploy certificates to your hosts.
When the profile is delivered to your hosts, Fleet will replace the variables. If something fails, errors will appear on each host's Host details > OS settings.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadContent</key>
<dict>
<key>Challenge</key>
<string>$FLEET_VAR_NDES_SCEP_CHALLENGE</string>
<key>Key Type</key>
<string>RSA</string>
<key>Key Usage</key>
<integer>5</integer>
<key>Keysize</key>
<integer>2048</integer>
<key>Subject</key>
<array>
<array>
<array>
<string>CN</string>
<string>%SerialNumber% WIFI $FLEET_VAR_SCEP_RENEWAL_ID</string>
</array>
</array>
<array>
<array>
<string>OU</string>
<string>FLEET DEVICE MANAGEMENT</string>
</array>
</array>
</array>
<key>URL</key>
<string>$FLEET_VAR_NDES_SCEP_PROXY_URL</string>
</dict>
<key>PayloadDisplayName</key>
<string>WIFI SCEP</string>
<key>PayloadIdentifier</key>
<string>com.apple.security.scep.9DCC35A5-72F9-42B7-9A98-7AD9A9CCA3AC</string>
<key>PayloadType</key>
<string>com.apple.security.scep</string>
<key>PayloadUUID</key>
<string>9DCC35A5-72F9-42B7-9A98-7AD9A9CCA3AC</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>SCEP proxy cert</string>
<key>PayloadIdentifier</key>
<string>Fleet.WiFi</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>4CD1BD65-1D2C-4E9E-9E18-9BCD400CDEDC</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
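The CN length rule stated earlier and the nested Subject array layout of the SCEP profile above, as an added lint script that is not Fleet's own code: it parses a .mobileconfig with plistlib, pulls the CN template out of every SCEP payload, substitutes a 36-character UUID for $FLEET_VAR_SCEP_RENEWAL_ID and a constructed 12-character serial for %SerialNumber%, and flags a CN that lacks the variable or would exceed 64 characters. The embedded profile and the serial number are constructed samples.

```python
"""Lint a SCEP configuration profile for Fleet's automatic-renewal constraints.

For every com.apple.security.scep payload: the CN must contain
$FLEET_VAR_SCEP_RENEWAL_ID, and it must still fit in 64 characters once Fleet
substitutes the 36-character renewal UUID and macOS substitutes %SerialNumber%.
"""
import plistlib
import uuid

RENEWAL_VAR = "$FLEET_VAR_SCEP_RENEWAL_ID"
CN_MAX = 64

# Constructed sample profile (not from the page) with the same Subject layout.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.security.scep</string>
    <key>PayloadContent</key><dict>
      <key>Subject</key><array>
        <array><array><string>CN</string>
          <string>%SerialNumber% WIFI $FLEET_VAR_SCEP_RENEWAL_ID</string></array></array>
        <array><array><string>OU</string><string>FLEET DEVICE MANAGEMENT</string></array></array>
      </array>
    </dict>
  </dict></array>
</dict></plist>"""


def scep_common_names(profile_bytes):
    """Return the CN template of every SCEP payload in a .mobileconfig."""
    top = plistlib.loads(profile_bytes)
    cns = []
    for payload in top.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.security.scep":
            continue
        # Subject is an array of RDNs; each RDN is an array of [type, value] pairs.
        for rdn in payload["PayloadContent"].get("Subject", []):
            for attr_type, value in rdn:
                if attr_type == "CN":
                    cns.append(value)
    return cns


def check_cn(cn_template, serial_number="C02XXXXXXXXX"):
    """Render the CN as the host will submit it; return (rendered, problems)."""
    problems = []
    if RENEWAL_VAR not in cn_template:
        problems.append("CN lacks " + RENEWAL_VAR + ", so automatic renewal cannot work")
    rendered = cn_template.replace(RENEWAL_VAR, str(uuid.uuid4()))
    rendered = rendered.replace("%SerialNumber%", serial_number)  # constructed 12-char serial
    if len(rendered) > CN_MAX:
        problems.append("CN is %d chars after substitution (max %d); the renewal ID would be truncated"
                        % (len(rendered), CN_MAX))
    return rendered, problems
```

Run check_cn on every value returned by scep_common_names before uploading a profile; a serial longer than the constructed one shrinks the budget, so pass your longest real serial.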
The following steps show how to connect end users to Wi-Fi or VPN with a custom SCEP server.
For Challenge, use $FLEET_VAR_CUSTOM_SCEP_CHALLENGE_<CA_NAME>. For URL, use $FLEET_VAR_CUSTOM_SCEP_PROXY_URL_<CA_NAME>, and make sure to add $FLEET_VAR_SCEP_RENEWAL_ID to CN. Replace the <CA_NAME> with the name you created in step 3. For example, if the name of the CA is "WIFI_AUTHENTICATION", the variables will look like this: $FLEET_VAR_CUSTOM_SCEP_CHALLENGE_WIFI_AUTHENTICATION and $FLEET_VAR_CUSTOM_SCEP_PROXY_URL_WIFI_AUTHENTICATION.
If your Wi-Fi or VPN requires certificates that are unique to each host, update the Subject. You can use $FLEET_VAR_HOST_END_USER_EMAIL_IDP if your hosts automatically enrolled (via ADE) to Fleet with end user authentication enabled. You can also use any of Apple's built-in variables.
In Fleet, head to Controls > OS settings > Custom settings and add the configuration profile to deploy certificates to your hosts.
When the profile is delivered to your hosts, Fleet will replace the variables. If something goes wrong, errors will appear on each host's Host details > OS settings.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadContent</key>
<dict>
<key>Challenge</key>
<string>$FLEET_VAR_CUSTOM_SCEP_CHALLENGE_CA_NAME</string>
<key>Key Type</key>
<string>RSA</string>
<key>Key Usage</key>
<integer>5</integer>
<key>Keysize</key>
<integer>2048</integer>
<key>Subject</key>
<array>
<array>
<array>
<string>CN</string>
<string>%SerialNumber% WIFI $FLEET_VAR_SCEP_RENEWAL_ID</string>
</array>
</array>
<array>
<array>
<string>OU</string>
<string>FLEET DEVICE MANAGEMENT</string>
</array>
</array>
</array>
<key>URL</key>
<string>$FLEET_VAR_CUSTOM_SCEP_PROXY_URL_CA_NAME</string>
</dict>
<key>PayloadDisplayName</key>
<string>WIFI SCEP</string>
<key>PayloadIdentifier</key>
<string>com.apple.security.scep.9DCC35A5-72F9-42B7-9A98-7AD9A9CCA3AC</string>
<key>PayloadType</key>
<string>com.apple.security.scep</string>
<key>PayloadUUID</key>
<string>9DCC35A5-72F9-42B7-9A98-7AD9A9CCA3AC</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>SCEP proxy cert</string>
<key>PayloadIdentifier</key>
<string>Fleet.WiFi</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>4CD1BD65-1D2C-4E9E-9E18-9BCD400CDEDC</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
The following steps show how to connect end users to Wi-Fi or VPN with Smallstep certificates.
We're currently working with Smallstep to develop a specific Smallstep-Fleet connector. In the meantime, Smallstep can be configured to work with Fleet by using the Smallstep-Jamf connector.
In Smallstep, go to Settings > Device Management.
Under Available Providers, find Jamf and click Connect.
In the Smallstep form, enter your Fleet server URL (the API Client ID and API Client Secret fields are not required), then click Connect MDM.
After connecting, note the following details from Smallstep (these values are required in the next step):
In Fleet, go to Settings > Integrations > Certificates and click Add CA.
In the modal, select Smallstep from the dropdown and enter a name for your certificate authority (CA). Best practice is all caps snake case (for example, "WIFI_AUTHENTICATION"). This name is used later as a variable name in a configuration profile.
For the Challenge URL, Username, and Password, enter the values noted in step 1. For the SCEP URL, you'll need to modify the URL provided by Smallstep to use the public proxy route instead. For example, https://agents.SMALLSTEP_TEAM_NAME.ca.smallstep.com/scep/INTEGRATION_ID becomes https://<SMALLSTEP_TEAM_NAME>.scep.smallstep.com/p/agents/<INTEGRATION_ID>.
For Challenge, use $FLEET_VAR_SMALLSTEP_SCEP_CHALLENGE_<CA_NAME>. For URL, use $FLEET_VAR_SMALLSTEP_SCEP_PROXY_URL_<CA_NAME>, and make sure to add $FLEET_VAR_SCEP_RENEWAL_ID to CN. Replace the <CA_NAME> with the name you created in step 2. For example, if the name of the CA is "WIFI_AUTHENTICATION", the variables will look like this: $FLEET_VAR_SMALLSTEP_SCEP_CHALLENGE_WIFI_AUTHENTICATION and $FLEET_VAR_SMALLSTEP_SCEP_PROXY_URL_WIFI_AUTHENTICATION.
If your Wi-Fi or VPN requires certificates that are unique to each host, update the Subject. You can use $FLEET_VAR_HOST_END_USER_EMAIL_IDP if your hosts automatically enrolled (via ADE) to Fleet with end user authentication enabled. You can also use any of Apple's built-in variables.
In Fleet, head to Controls > OS settings > Custom settings and add the configuration profile to deploy certificates to your hosts.
When the profile is delivered to your hosts, Fleet will replace the variables. If something goes wrong, errors will appear on each host's Host details > OS settings.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadContent</key>
<dict>
<key>Challenge</key>
<string>$FLEET_VAR_SMALLSTEP_SCEP_CHALLENGE_CA_NAME</string>
<key>Key Type</key>
<string>RSA</string>
<key>Key Usage</key>
<integer>5</integer>
<key>Keysize</key>
<integer>2048</integer>
<key>Subject</key>
<array>
<array>
<array>
<string>CN</string>
<string>%SerialNumber% WIFI $FLEET_VAR_SCEP_RENEWAL_ID</string>
</array>
</array>
<array>
<array>
<string>OU</string>
<string>FLEET DEVICE MANAGEMENT</string>
</array>
</array>
</array>
<key>URL</key>
<string>$FLEET_VAR_SMALLSTEP_SCEP_PROXY_URL_CA_NAME</string>
</dict>
<key>PayloadDisplayName</key>
<string>WIFI SCEP</string>
<key>PayloadIdentifier</key>
<string>com.apple.security.scep.9DCC35A5-72F9-42B7-9A98-7AD9A9CCA3AC</string>
<key>PayloadType</key>
<string>com.apple.security.scep</string>
<key>PayloadUUID</key>
<string>9DCC35A5-72F9-42B7-9A98-7AD9A9CCA3AC</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>SCEP proxy cert</string>
<key>PayloadIdentifier</key>
<string>Fleet.WiFi</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>4CD1BD65-1D2C-4E9E-9E18-9BCD400CDEDC</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
The following steps show how to connect end users to Wi-Fi or VPN with Hydrant.
The flow for Hydrant differs from the other certificate authorities (CAs). While other CAs in Fleet use a configuration profile to request a certificate, Hydrant uses the POST /request_certificate API endpoint. To automatically deploy certificates to Linux hosts when they enroll, we'll create a custom script to write a certificate to a location. This script will be triggered by a policy that checks for the existence of a certificate.
This custom script will create a certificate signing request (CSR) and make a request to Fleet's "Request certificate" API endpoint.
Use the GET /certificate_authorities API endpoint to get the id for your Hydrant CA. You'll use this id in your script.
Example script:
#!/bin/bash
set -e
# Load the end user information, IdP token and IdP client ID.
. /opt/company/userinfo
URL="<IdP-introspection-URL>"
# Generate the password-protected private key
openssl genpkey -algorithm RSA -out /opt/company/CustomerUserNetworkAccess.key -pkeyopt rsa_keygen_bits:2048 -aes256 -pass pass:${PASSWORD}
# Generate CSR signed with that private key. The CN can be changed and DNS attribute omitted if your Hydrant configuration allows it.
openssl req -new -sha256 -key /opt/company/CustomerUserNetworkAccess.key -out CustomerUserNetworkAccess.csr -subj /CN=CustomerUserNetworkAccess:${USERNAME} -addext "subjectAltName=DNS:example.com, email:$USERNAME, otherName:msUPN;UTF8:$USERNAME" -passin pass:${PASSWORD}
# Escape CSR for request
CSR=$(sed 's/$/\\n/' CustomerUserNetworkAccess.csr | tr -d '\n')
REQUEST='{ "csr": "'"${CSR}"'", "idp_oauth_url":"'"${URL}"'", "idp_token": "'"${TOKEN}"'", "idp_client_id": "'"${CLIENT_ID}"'" }'
curl 'https://<Fleet-server-URL>/api/latest/fleet/certificate_authorities/<Hydrant-CA-ID>/request_certificate' \
-X 'POST' \
-H 'accept: application/json, text/plain, */*' \
-H 'authorization: Bearer '"$FLEET_SECRET_REQUEST_CERTIFICATE_API_TOKEN" \
-H 'content-type: application/json' \
--data-raw "${REQUEST}" -o response.json
jq -r .certificate response.json > /opt/company/certificate.pem
This script assumes that your company installs a custom Company Portal app or something similar at /opt/company, gathers the user's IdP session information, uses a username and a password (to protect the private key) from /opt/company/userinfo, and installs the certificate in /opt/company. You will want to modify it to match your company's requirements.
The userinfo file in the script looks like the below. However, the variables could be loaded from the output of a command or even a separate network request, depending on your requirements:
PASSWORD="<Password-for-the-certificate-private-key>"
USERNAME="<End-user-email>"
TOKEN="<End-user-OAuth-IdP-token>"
CLIENT_ID="<OAuth-IdP-client-ID>"
Enforcing IdP validation using idp_oauth_url and idp_token is optional. If enforced, the CSR must include exactly 1 email which matches the IdP username and must include a UPN attribute which is either a prefix of the IdP username or the username itself (i.e., if the IdP username is "bob@example.com", the UPN may be "bob" or "bob@example.com").
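Two helpers for a request script, added here and not Fleet's or Hydrant's code: the JSON body that the example script assembles by hand-escaping the CSR with sed and tr, built instead with json.dumps, and a pre-check of the IdP validation rule above so the script can fail early before calling Fleet. SAMPLE_CSR is a constructed placeholder, and the Fleet server URL and CA id stay as placeholders in the page's script.

```python
"""Helpers a Hydrant request script can use before calling Fleet's
POST /api/latest/fleet/certificate_authorities/<id>/request_certificate."""
import json

# Constructed placeholder; a real script reads the PEM written by `openssl req`.
SAMPLE_CSR = ("-----BEGIN CERTIFICATE REQUEST-----\n"
              "MIIB...constructed placeholder, not a real CSR...\n"
              "-----END CERTIFICATE REQUEST-----\n")


def build_request_body(csr_pem, idp_oauth_url, idp_token, idp_client_id):
    """Serialize the request; json.dumps escapes the PEM newlines itself, so no
    sed/tr escaping is needed and odd characters in the CSR cannot break the JSON."""
    return json.dumps({"csr": csr_pem, "idp_oauth_url": idp_oauth_url,
                       "idp_token": idp_token, "idp_client_id": idp_client_id})


def sans_satisfy_idp_rule(idp_username, emails, upns):
    """Fleet's rule when idp_oauth_url/idp_token are sent: exactly one email SAN
    equal to the IdP username, and a UPN SAN that is the username itself or a
    prefix of it (e.g. "bob" or "bob@example.com" for bob@example.com)."""
    if len(emails) != 1 or emails[0] != idp_username:
        return False
    return any(upn and idp_username.startswith(upn) for upn in upns)
```

The emails and upns lists are the values the script put into subjectAltName (email: and otherName:msUPN) when it ran openssl req, so the check mirrors what Fleet will see.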
SELECT 1 FROM certificates WHERE path = '/opt/company/certificate.pem' AND not_valid_after > (CAST(strftime('%s', 'now') AS INTEGER) + 2592000);
Any host that doesn't have a certificate at /opt/company/certificate.pem or has a certificate that expires in the next 30 days will fail the policy. When the policy fails, Fleet will run the script to deploy a new certificate!
Fleet acts as a middleman between the host and the NDES or custom SCEP server. When a host requests a certificate from Fleet, Fleet requests a certificate from the NDES or custom SCEP server, retrieves the certificate, and sends it back to the host.
Certificates will appear in the System Keychain on macOS. During the profile installation, the OS generates several temporary certificates needed for the SCEP protocol. These certificates may be briefly visible in the Keychain Access app on macOS. The CA certificate must also be installed and marked as trusted on the device for the issued certificate to appear as trusted. The IT admin can send the CA certificate in a separate CertificateRoot profile.
In addition, Fleet does the following:
NDES SCEP proxy:
Custom SCEP proxy:
You can also upload a certificate to be installed in the login keychain of the managed user on a macOS host using a user-scoped configuration profile.
Use a tool (such as a .mobileconfig generator) to create a configuration profile that includes your certificate.
Set PayloadScope to User. This tells macOS to install the certificate in the user's login keychain instead of the system keychain.
In Fleet, head to Controls > OS settings > Custom settings and add the .mobileconfig profile you created.