
Make software (launch daemons, binaries, etc.) & scripts tamperproof #25911

Open
ddribeiro opened this issue Jan 30, 2025 · 1 comment
Labels
~csa Issue was created by or deemed important by the Customer Solutions Architect. customer-fairbank prospect-nishiyama

Comments

@ddribeiro
Member

ddribeiro commented Jan 30, 2025

customer-fairbank: Gong snippet: https://us-65885.app.gong.io/call?id=8993394306701431307&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A2087%2C%22to%22%3A2169%7D%5D
prospect-nishiyama: Gong snippet: TODO

  • @noahtalerman: fairbank requested this because they want to use Apple's new DDM protocol to deploy software (ex. Munki & CrowdStrike) such that the user, who has local admin access, can't manipulate the file or its process. Before DDM, if the end user does these things they can stop/break the software. This means their workstation becomes non-compliant with organizational policies.
  • @allenhouchins: prospect-nishiyama wants to use the DDM protocol to deploy scripts to enforce OS settings based on their Mac Security & Compliance Project.
    • @noahtalerman: This prospect wants to run scripts offline so they need to live on the device.
    • @noahtalerman: Eventually Fleet could allow the IT admin to upload the launch agent/binary/script and use the DDM protocol under the hood. Fleet could also let the end user upload the asset profile and host the launch agent/binary/script themselves.

@ddribeiro ddribeiro added :product Product Design department (shows up on 🦢 Drafting board) customer-fairbank ~csa Issue was created by or deemed important by the Customer Solutions Architect. labels Jan 30, 2025
@zayhanlon zayhanlon added the ~feature fest Will be reviewed at next Feature Fest label Jan 30, 2025
@noahtalerman noahtalerman removed the ~feature fest Will be reviewed at next Feature Fest label Jan 31, 2025
@noahtalerman
Member

Problem

I was doing some exploring around using the Services Background Tasks declaration for customer-fairbank and discovered that Fleet does not support DDM declarations that require asset references. This means Services Background Task declarations are not supported in Fleet.

This prevents Fleet users from using the new "Background task management declarative configuration for Apple devices" introduced in macOS 15. According to Apple:

In macOS 15 or later, executables, scripts, and launchd configuration files can be installed using MDM and are stored in a secure and tamper-resistant location (similar to service configuration files introduced last year), providing an easy way for organizations to deploy and control managed services.

customer-fairbank was interested in using this feature to deploy Munki in a tamperproof location on their hosts, so their end user with admin permissions would not be able to remove or modify the binary.

What have you tried?

I was researching using this declaration with Fleet when I came across this line in the code, which shows that declarations that require asset references are not supported. I have not attempted to build and upload a declaration that requires an asset reference yet.

Potential solutions

Fleet should allow declarations that require asset references, so admins can use Fleet to deploy Services Background Tasks declarations to their hosts.

What is the expected workflow as a result of your proposal?

Fleet admin identifies binary (Munki) they want to deploy in a tamper-resistant location on their hosts > the admin creates an Asset Data declaration that contains the binary and uploads it to Fleet > the admin creates a Services Background Tasks declaration that uses the asset created in the previous step and uploads it to Fleet > Fleet deploys both declarations to hosts > the desired binary is installed in tamper-resistant location on the host.
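The workflow above chains two declarations: a `com.apple.asset.data` declaration that points at the hosted binary, and a Services Background Tasks declaration that refers to it by identifier. The following Python example (added here; it is not Fleet code and not from the issue) builds that pair from constructed sample data and runs the check a server would need before accepting such a declaration set: every asset reference must resolve to an asset declaration in the same set, and assets must be sent before the configurations that reference them. The declaration type `com.apple.configuration.services.background-tasks`, the payload keys `ExecutableAssetReference`, `LaunchdConfigurationAssetReference` and `ContextAssetReference`, and the `Reference` dictionary keys of the asset declaration follow my reading of Apple's DDM schema and should be checked against Apple's current documentation; treat them as assumptions. The example URL and identifiers are constructed.

```python
"""Build and validate a DDM asset + background-tasks declaration pair.

Added example, not Fleet's code. Type names and payload keys are taken from
my reading of Apple's DDM schema and are assumptions to verify against the
current Apple documentation.
"""
import hashlib

ASSET_TYPE = "com.apple.asset.data"
BACKGROUND_TASKS_TYPE = "com.apple.configuration.services.background-tasks"

# Payload keys of the background-tasks declaration that name an asset
# declaration (assumption, see module docstring).
ASSET_REFERENCE_KEYS = (
    "ExecutableAssetReference",
    "LaunchdConfigurationAssetReference",
    "ContextAssetReference",
)


def asset_declaration(identifier, url, data):
    """com.apple.asset.data declaration describing a file the device fetches.

    The hash and size let the device verify what it downloaded matches what
    the admin uploaded; both are computed here from the constructed bytes.
    """
    return {
        "Type": ASSET_TYPE,
        "Identifier": identifier,
        "Payload": {
            "Reference": {
                "DataURL": url,
                "ContentType": "application/octet-stream",
                "Size": len(data),
                "Hash-SHA-256": hashlib.sha256(data).hexdigest(),
            }
        },
    }


def background_tasks_declaration(identifier, executable_asset,
                                 launchd_asset=None,
                                 description="Managed background task"):
    """Services Background Tasks declaration referencing asset identifiers."""
    payload = {
        "TaskDescription": description,
        "ExecutableAssetReference": executable_asset,
    }
    if launchd_asset is not None:
        payload["LaunchdConfigurationAssetReference"] = launchd_asset
    return {"Type": BACKGROUND_TASKS_TYPE, "Identifier": identifier,
            "Payload": payload}


def referenced_assets(declaration):
    """Asset identifiers a declaration depends on (empty for non-task types)."""
    if declaration["Type"] != BACKGROUND_TASKS_TYPE:
        return []
    payload = declaration["Payload"]
    return [payload[k] for k in ASSET_REFERENCE_KEYS if k in payload]


def find_unresolved_asset_references(declarations):
    """Return (declaration id, key, asset id) for every reference that points
    at no com.apple.asset.data declaration in the set. An empty list means
    the set is self-contained and safe to deploy as a unit."""
    assets = {d["Identifier"] for d in declarations if d["Type"] == ASSET_TYPE}
    unresolved = []
    for d in declarations:
        if d["Type"] != BACKGROUND_TASKS_TYPE:
            continue
        for key in ASSET_REFERENCE_KEYS:
            ref = d["Payload"].get(key)
            if ref is not None and ref not in assets:
                unresolved.append((d["Identifier"], key, ref))
    return unresolved


def upload_order(declarations):
    """Assets first, then everything else, so a configuration never arrives
    before the asset it references."""
    assets = [d for d in declarations if d["Type"] == ASSET_TYPE]
    others = [d for d in declarations if d["Type"] != ASSET_TYPE]
    return assets + others


# Constructed stand-in for the binary to deploy; a real deployment would
# point at the Munki package or launchd plist hosted where devices can reach it.
SAMPLE_BINARY = b"#!/bin/sh\necho managed\n"


def build_sample_set(asset_url="https://example.invalid/assets/managed.sh"):
    """Two-declaration set from the issue's workflow; the launchd asset is
    deliberately left out of the set so the validator has something to flag."""
    asset = asset_declaration("com.example.asset.managed-sh", asset_url,
                              SAMPLE_BINARY)
    task = background_tasks_declaration(
        "com.example.config.managed-task",
        executable_asset="com.example.asset.managed-sh",
        launchd_asset="com.example.asset.managed-plist",
    )
    return [task, asset]


if __name__ == "__main__":
    decls = build_sample_set()
    for item in find_unresolved_asset_references(decls):
        print("unresolved asset reference:", item)
    print("upload order:", [d["Identifier"] for d in upload_order(decls)])
```

Run the module directly and it reports the one dangling `LaunchdConfigurationAssetReference` in the sample set and the asset-first upload order; feed it a set where every reference resolves and `find_unresolved_asset_references` returns an empty list.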

@noahtalerman noahtalerman added ~feature fest Will be reviewed at next Feature Fest and removed :product Product Design department (shows up on 🦢 Drafting board) labels Jan 31, 2025
@noahtalerman noahtalerman changed the title Allow DDM declarations that require asset references Make software (launch daemons, binaries, etc.) & scripts tamperproof Jan 31, 2025
@noahtalerman noahtalerman removed the ~feature fest Will be reviewed at next Feature Fest label Feb 10, 2025