Enterprise Install for a TLS Inspection proxy

I’m working on a product that includes TLS inspection capability. TLS inspection using a local MitM requires installing a trusted root certificate which is then used to create masquerade certificates to intercept and forward TLS traffic through the proxy.

For manual installation the end user is required to authenticate as an administrator to modify the trust settings on our internal CA’s root certificate. My question concerns the options for enterprise deployment using an MDM. We want the generated root certificate to be unique to each endpoint so that if a private key is compromised it can’t be used to intercept traffic anywhere else. We can install a “certificate trust” configuration profile from the MDM but this requires a base64 encoded string of the root certificate.

In effect the MDM needs to obtain the certificate from the endpoint and then send it back in the form of a configuration profile. I’m not aware that MDMs like Jamf can be configured to do this directly so we’re looking for any other mechanism to have macOS trust a locally generated certificate via MDM based on some non endpoint-unique criteria?

One option might be to use an external CA with a trusted certificate to sign an intermediate endpoint certificate but this creates a significant risk if the external trusted certificate were ever compromised. Is this a common industry practice?

So my question remains: is there a better way to trust our per-endpoint root certificate via MDM without needing to install a unique per-endpoint configuration profile?

Thanks for the question. I'm a little confused on what the main goal is. I think clarification on your goals will help developers jump into this thread and provide you their ideas.

I presume you are targeting macOS? macOS has inherent security. Is the objective of silently trusting a locally generated root certificate without user interaction explicitly prohibited by the security model by design?

In my opinion, an MDM Configuration Profile is the sole method to silently establish root certificate trust on macOS. Since MDM profiles need the base64-encoded certificate at the time of profile creation, you cannot natively use an MDM to trust the certificate generated by this specific endpoint.

You are correct that if the Root CA is compromised, the attacker can intercept traffic at any point.

My question to you is what is the intended outcome of your solution? There are numerous alternative approaches to achieve your desired outcome without configuring devices with security vulnerabilities.

There is no concealed macOS or MDM mechanism that dynamically trusts locally generated root certificates based on non-unique criteria.

I’m sure if you proposed an idea, many developers can provide you ideas on how to get that working in a macOS app.

Albert Pascual
  Worldwide Developer Relations.
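Both posts above turn on the same mechanical point: a "certificate trust" profile carries the root certificate as base64 data inside a `com.apple.security.root` payload, so whoever builds the profile must already hold the endpoint's public certificate. The script below is an added example written for this thread, not code from either poster or from Apple. It assumes only the standard payload keys of that profile type; the organisation/name identifiers are our own convention, and the sample certificate bytes are constructed (they are not a real DER certificate). It also refuses any PEM input containing a private key, since a trust profile must only ever ship the public certificate.

```python
"""Build a macOS "certificate trust" configuration profile (.mobileconfig)
from a root certificate, and read one back to check what an MDM would push.

Added example, not code from either poster. Assumes the standard payload
keys of the com.apple.security.root profile type; identifiers and the sample
certificate bytes are constructed for illustration.
"""
import base64
import plistlib
import re
import uuid

# Constructed stand-in for a DER-encoded root certificate. A real profile
# would carry the endpoint's actual public certificate; this is only bytes.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Extract the DER bytes of the single CERTIFICATE block in `pem`.

    Refuses input that carries a private key: the trust profile must only
    ever ship the public certificate, never the per-endpoint signing key.
    """
    blocks = _PEM_BLOCK.findall(pem)
    if any("PRIVATE KEY" in label for label, _ in blocks):
        raise ValueError("refusing to embed a private key in a trust profile")
    certs = [body for label, body in blocks if label == "CERTIFICATE"]
    if len(certs) != 1:
        raise ValueError(f"expected exactly one CERTIFICATE block, got {len(certs)}")
    return base64.b64decode("".join(certs[0].split()))


def build_root_trust_profile(der: bytes, org: str, name: str) -> bytes:
    """Return the XML plist of a profile that installs `der` as a trusted root.

    `org` and `name` are free-form; the identifiers derived from them are
    our own convention (hypothetical), not an Apple requirement.
    """
    cert_payload = {
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.cert.{name}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{name} root certificate",
        "PayloadCertificateFileName": f"{name}.cer",
        "PayloadContent": der,  # plistlib emits bytes as a base64 <data> element
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.profile.{name}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{name} certificate trust",
        "PayloadScope": "System",
        "PayloadContent": [cert_payload],
    }
    return plistlib.dumps(profile)


def extract_certificates(profile_xml: bytes) -> list:
    """Return the DER certificates carried by a profile's root-trust payloads."""
    profile = plistlib.loads(profile_xml)
    return [
        p["PayloadContent"]
        for p in profile.get("PayloadContent", [])
        if p.get("PayloadType") == "com.apple.security.root"
    ]


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    xml = build_root_trust_profile(der, "com.example", "endpoint-ca")
    print(xml.decode())
    assert extract_certificates(xml) == [der]
```

Because the profile is just a plist wrapping the public certificate, this is exactly the artefact that would have to travel from each endpoint back to the MDM in the per-endpoint design; the private key never needs to leave the machine, which is the property the original post wants to preserve.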

Thanks for the quick response. The bigger picture is we provide a lightweight forwarder that runs on every endpoint to collect information on user activity (anonymized to protect user privacy), which it then sends to a cloud-based analytics service.

The problem is how to simplify deploying the macOS forwarder to thousands of endpoints in an MDM managed enterprise. Expecting every endpoint user to authenticate as an administrator is not a great user experience.

Having our analytics server get the needed configuration profile from each endpoint and somehow forward it to the MDM to download is a difficult problem so I'm looking for any creative suggestions.

@Peter_Si

This reply is, to me, a private issue:

The bigger picture is we provide a lightweight forwarder that runs on every endpoint to collect information on user activity

User activity on the Mac? This goes against the privacy policies, I think. https://www.apple.com/legal/privacy/en-ww/

Albert Pascual
  Worldwide Developer Relations.

This is of course for enterprise or government customers who need some ability to audit how their systems are being used while at the same time protecting user privacy by anonymizing user data unless there is evidence of anomalous high risk activity.

I understand there may not be an easy solution for Macs.

Wish you luck @Peter_Si

Albert Pascual
  Worldwide Developer Relations.
