Securing Munki


Jeff

Jan 5, 2024, 8:53:37 PM
to munki-discuss
Hello Everyone,

I am using microMDM to push a Munki profile that includes an HTTP header for authorization. Is this the best way to secure the HTTP server? The HTTP header information is viewable in plain text in the profile on the Mac once installed.

Mike Solin

Jan 6, 2024, 2:14:05 PM
to munki-...@googlegroups.com
Yep. I used to block access to the Profiles preference pane for this reason, before Apple redesigned System Preferences to System Settings and made that impossible.

I haven't used this method, but client certificates are another option:





Nick McSpadden

Jan 6, 2024, 2:47:56 PM
to munki-...@googlegroups.com
I think it also depends on what threat model you are defending against. If you are using HTTP Basic Authorization, the clients have to have access to that secret in order to talk to the Munki server. Is your concern that this secret could be leaked to unmanaged devices?

What would happen if a non-managed device got access to download things from your Munki server? Do you have anything hosted in your repo that you need to keep internal only for security, trade secret, or other reasons? If so, basic auth may not be the right choice for you, and as Mike Solin suggested, client certificates are a better way of ensuring only managed devices are able to access the repo.





--
Nick McSpadden
nmcsp...@gmail.com
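To make the two options in this thread concrete, here is an added example of an nginx configuration serving a Munki repo, first with the shared-secret Basic auth that the profile exposes in plain text, then with TLS client certificates as Mike and Nick suggest. This is example configuration written for this thread, not from the Munki project or anyone in the discussion; the hostname, the file paths under /etc/nginx/munki/ and /srv/munki_repo, and the log format name are assumptions. The two server blocks are alternatives for the same hostname; deploy one, not both.

```nginx
# Added example, not from the thread or the Munki project.
# Hypothetical paths: /srv/munki_repo, /etc/nginx/munki/*.pem,
# /etc/nginx/munki/htpasswd, /etc/nginx/munki/device-ca.crl.

# Lives in the http {} context: records which client certificate subject
# fetched what, so repo access can be attributed to a device.
log_format munki '$remote_addr $ssl_client_s_dn "$request" $status';

# Option A: one shared secret sent as an Authorization header.
# Munki supplies it from the AdditionalHttpHeaders preference, which the
# installed profile exposes in plain text on every managed Mac. Anyone who
# reads the profile can reuse the secret from an unmanaged machine.
server {
    listen 443 ssl;
    server_name munki.example.com;              # hypothetical hostname

    ssl_certificate     /etc/nginx/munki/server.pem;
    ssl_certificate_key /etc/nginx/munki/server.key;

    location /munki_repo/ {
        alias /srv/munki_repo/;
        autoindex off;                          # no directory listings
        auth_basic           "Munki";
        auth_basic_user_file /etc/nginx/munki/htpasswd;   # a single shared user
    }
}

# Option B: TLS client certificates. Each device presents its own identity
# issued by the MDM or an internal CA; the profile carries no reusable
# secret, and a cert that leaks can be revoked individually via the CRL.
server {
    listen 443 ssl;
    server_name munki.example.com;

    ssl_certificate     /etc/nginx/munki/server.pem;
    ssl_certificate_key /etc/nginx/munki/server.key;

    # Only chains that terminate at the device-issuing CA are accepted.
    ssl_client_certificate /etc/nginx/munki/device-ca.pem;
    ssl_verify_client      on;                  # reject handshakes without a cert
    ssl_crl                /etc/nginx/munki/device-ca.crl;

    location /munki_repo/ {
        alias /srv/munki_repo/;
        autoindex off;
        access_log /var/log/nginx/munki_access.log munki;
    }
}
```

On the client side, Option B is selected with Munki's UseClientCertificate preference plus ClientCertificatePath and ClientKeyPath pointing at the device's certificate and key, which the MDM can deliver per device instead of a shared header value. Option A still answers Nick's question correctly for a repo that holds nothing sensitive; what changes with Option B is that a leaked profile no longer hands an unmanaged device repo access, and the access log shows which device fetched each item.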