Skip to content

discentem/nanomdmsandbox

Repository files navigation

Nanomdmsandbox

Summary

Nanomdmsandbox is a project that tries to make it easier for folks to spin up a sandbox environment for nanomdm. See our MacDevOpsYVR22 talk Open Source MDM in a (Sand)Box for more info and background about this project!

Architecture Diagram

diagram

⚠️ micro2nano and mdmdirector services are not functional yet.

Prerequisites

  1. Buy a domain. There are many registrars you can choose from but we are partial to namecheap.com.

  2. Create an AWS account.

  3. Generate IAM credentials with access to manage ECS, RDS, and the other services in this project.

    ⚠️ You can alternatively give the IAM credentials AdministratorAccess but this is not recommended.

Generate APNS Certificate

  1. Generate an APNS Certificate. Checkout https://github.com/micromdm/micromdm/blob/main/docs/user-guide/quickstart.md#configure-an-apns-certificate and https://micromdm.io/blog/certificates/ for info about this step.

Getting started

  1. brew install tfenv

  2. Generate SCEP default CA files which outputs to a depot folder. This is required for the SCEP and NanoMDM containers

    sh scripts/depot.sh
  3. Install Terraform 1.1.9

    tfenv install 1.1.9

  4. Create terraform variable files

    cp terraform/example_tfvars/config.auto.tfvars.json terraform/config.auto.tfvars.json
    cp terraform/example_tfvars/example-secrets.auto.tfvar.json terraform/secrets.auto.tfvars.json
    cp terraform/example_tfvars/_backend.tf terraform/backend.tf
    
  5. Fill in the secrets:

    1. public_inbound_cidr_blocks_ipv4
    2. domain_name, which should be acme.co (replace with your real domain name). Later, when you do make tf-apply a mdm-infra subdomain will be automatically created: mdm-infra.acme.co.
    3. public_key <-- used for sshing to the ec2 instance which is pre-configured with access to the mysql rds instance where you need to later upload the mysql schema.
  6. Activate Terraform 1.1.9 within tfenv

    tfenv use 1.1.9
  7. Configure AWS cli with the previously created IAM credentials.

  8. Export all the vars!

    export AWS_PROFILE={INSERT AWS_PROFILE_NAME HERE}
    export AWS_ACCOUNT_ID={INSERT ACCOUNT ID HERE}

    Okay finally! Time to run Terraform...

  9. Create the TF remote state. You don't have to use S3 backend and can use whatever you want but this project recommends an S3 bucket for ease of collaboration while working on Terraform.

    make tf-remote-state-init
  10. Copy outputted bucket_name to the corresponding filed in terraform/backend.tf.

  11. Copy your mdm_push_cert.pem into place. See Generate APNS Certificate for more info.

cp /path/to/mdm_push_cert.pem docker/config/certs/mdm_push_cert.pem
  1. Now the "first run" stuff can be launched. Among other things, this creates proper Route53 NS associations that can be used to manage all sub-domain or root domain operations for any of the required Route53 records within the module.
    make tf-first-run
  2. Make note of the nameservers that were just created. Navigate to https://us-east-1.console.aws.amazon.com/route53/v2/hostedzones# and then click on your domain name.
  3. Point domain at these nameservers that you just noted. This process is external to AWS and will be specific to your registrar.
  4. WAIT FOR DNS PROPAGATION. This will take a while... go grab yourself a nice dinner.
  5. Confirm that the DNS has propagated by digging against various DNS providers like Google and CloudFlare.
dig @8.8.8.8 +short NS INSERT_YOUR_DOMAIN_HERE
dig @1.1.1.1 +short NS INSERT_YOUR_DOMAIN_HERE
  1. Run the plan
    make tf-plan
    
  2. If the plan looks good...
    make tf-apply
    

Prepare the Mysql Database

⚠️ This needs to be done before nanomdm will function properly.

  1. Run the schema file. You can use the provided EC2 instance or any other way to upload the base SQL schema to the newly created RDS or your own RDS instance. You can grab the schema file at https://github.com/micromdm/nanomdm/blob/main/storage/mysql/schema.sql

  2. Optional: ssh to the provided ec2 box

    ssh -i ~/.ssh/ec2.pub [email protected]
  3. Obtain the schema file.

    curl https://raw.githubusercontent.com/micromdm/nanomdm/main/storage/mysql/schema.sql -o schema.sql
  4. Run the schema file.

    mysql -h ${RDS_HOST} -P 3306 -u ${USER_NAME} -p nanomdm < schema.sql
  5. Force the ECS service to re-deploy:

    make ecs-update-service CLUSTER=production-nanomdm-cluster SERVICE=nanomdm
    

    Adjust CLUSTER and SERVICE to match what you specified in Terraform app_variables

Upload APNS Certificate

cat /path/to/mdm_push_cert.pem /path/to/mdmcert.download.push.key | curl -T - -u nanomdm:nanomdm 'https://mdm-infra.acme.co/v1/pushcert'

Send a push notification

Set a wallpaper

python3 ~/nanomdm/tools/cmdr.py InstallProfile config_profiles/desktop-setting.mobileconfig | curl -T - -u nanomdm:nanomdm 'https://mdm-infra.acme.co/v1/enqueue/UUID_GOES_HERE'

Adding new containers

If you want to add additional services to the cluster, take a look at:

Example PR: #14

Destroying Terraform Infra

make tf-destroy

⚠️ You may have to manually delete some components of an RDS after running terraform destroy. See this github issue for more info.

Docker tips

Mac m1 hardware

You must enable these experimental docker features in your docker_config if building from m1 mac.

{
  "experimental": true,
  "features": {
    "buildkit": true
  }
}