- Domain which you can configure DNS on
- Dedicated host with docker running on it (or one that doesn't use ports 443/80/8080)
- Valid APNS cert (See: https://github.com/micromdm/micromdm/blob/main/docs/user-guide/quickstart.md#configure-an-apns-certificate)
For this setup, it assumes it is running on a dedicated docker host with no other apps running on ports 443, 80 or 8080.
- Set up a DNS entries on your domain for the following name which point to the public IP address of your docker host:
- nanomdm.YOURDOMAIN.com
- ddm.YOURDOMAIN.com
- traefik.YOURDOMAIN.com
- scep.YOURDOMAIN.com
- files.YOURDOMAIN.com
or even better, if you can, use a wildcard:
- *.YOURDOMAIN.com
Confirm that these resolve to the IP address of your docker host before proceeding.
- SSH into your docker host
- Clone this repo on your docker host
git clone https://github.com/macadmins/ddm_infra.git
cd ddm_infra
- Create the traefik network
docker network create traefik
- Copy
set_envs.example
toset_envs
and set yourBASE_DOMAIN
cp set_envs.example set_envs
# Edit export BASE_DOMAIN="mydomain.com" in set_envs.sh
- Copy
set_secrets.example
toset_secrets
and follow the directions in the comment within the file
cp set_secrets.example set_secrets
# Generate your API keys and save them in set_secrets.sh
Also, make sure to edit traefik/traefik.toml
and replace all YOURDOMAIN entries with your actual. This will not work unless your domain is set correctly in traefik.toml
.
For this stack to work correctly, we must spin up the services in a specific order the first time we kick them off.
- Traefik
./compose.sh traefik up -d
# It is a good idea to check the logs and make sure nothing is erroring out before proceeding.
docker logs -f traefik
- Static Files Server
./compose.sh staticfiles up -d
# Make sure there are no critical/obvious errors
docker logs -f staticfiles
-
SCEP server Before running the scep server, we need to generate a new CA for it.
-
Download the scepserver binary: https://github.com/micromdm/scep/releases
-
Setup the CA:
# init the ca
scepserver ca -init
# copy the resulting files into the docker storage for our container
mkdir /srv/docker/storage/scep/depot/
cp depot/* /srv/docker/storage/scep/depot/
Stand up the scep server.
./compose.sh scep up -d
# Make sure it is running and happy
docker logs -f scep
Once the scep server is up, there will be a file in the following path which needs to be moved into the nanomdm's storage:
mkdir /srv/docker/storage/nanomdm/certs/
cp /srv/docker/storage/scep/depot/ca.pem /srv/docker/storage/nanomdm/certs/
- nanoMDM spinup
./compose.sh nanomdm up -d
# Make sure there are no critical/obvious errors
docker logs -f nanomdm
docker logs -f kmfddm
- Edit enroll.mobileconfig
- Set your actual domain instead of
YOURDOMAIN.COM
for both the SCEP and nanomdm URLs. Note: the nanomdm url MUST have the/mdm
after the domain - Set the Topic key to the actual topic of the APNS cert that was created as part of the prerequities:
- Set your actual domain instead of
<key>Topic</key>
<string>$YOUR_TOPIC_HERE</string>
After editing enroll.mobileconfig
to match your domain, run:
./bounce.sh nanomdm
And then try enrolling a test node and confirm the enrollment by looking at the log files for nanomdm.
Thanks to Digital Ocean for providing us with credits to build out this infrastucture!