
docs(fleet): document Windows enrollment via WS1 NDES bridge#517

Open
tashian wants to merge 2 commits into main from carl/fleet-windows-ndes-bridge

Conversation

@tashian
Contributor

@tashian tashian commented May 21, 2026

Summary

  • Fleet's native Smallstep CA type doesn't yet support Windows (fleetdm/fleet#28488). The previous Windows SyncML profile in this doc used `$FLEET_VAR_SMALLSTEP_SCEP_*_SMALLSTEP_AGENT` variables that are not wired up for Windows, so it wouldn't actually enroll.
  • Replaces the broken Windows section with a dedicated "Windows: bridge via the Workspace ONE connector" flow: spin up a Smallstep WS1 connector (placeholder OAuth credentials are accepted by the form — verified on the Voyager test tenant), add the resulting NDES endpoints to Fleet as a Dynamic SCEP - Okta CA or Microsoft NDES CA, and deploy the SyncML SCEP + Root CA profiles using `$FLEET_VAR_NDES_SCEP_PROXY_URL` / `$FLEET_VAR_NDES_SCEP_CHALLENGE`.
  • Documents the SHA-1 / SHA-256 fingerprint selector in the Smallstep connector UI and uses the SHA-1 value for Windows `CAThumbprint`.
  • Flags the Fleet 1-hour dynamic-challenge TTL expectation as a confirm-with-Smallstep-support item before testing.

This is meant as proper server-side setup instructions for a Smallstep teammate to test against a Windows endpoint before the workflow gets handed to a customer.

Test plan

  • Following Steps W1–W5 in the rewritten doc on the Voyager test tenant + smallstep-nfr.cloud.fleetdm.com, get a Windows host to receive a Smallstep-issued certificate via Fleet
  • Confirm Smallstep support has set the WS1-connector dynamic-challenge TTL to 1 hour (per Integrate with Smallstep via SCEP w/ dynamic challenge fleetdm/fleet#28488 comment)
  • Verify the SHA-1 `CAThumbprint` path installs cleanly (vs. the previous SHA-256 value)
  • Confirm preview renders correctly with `pnpm dev` from the smallstep.com repo

🤖 Generated with Claude Code

Fleet's native Smallstep CA type doesn't yet support Windows
(fleetdm/fleet#28488), so Windows SCEP enrollment has to go through
Fleet's Dynamic SCEP (Okta/NDES) CA type pointed at Smallstep's
NDES-emulating endpoints. Those endpoints are exposed by the Smallstep
Workspace ONE connector, which can be created with placeholder OAuth
credentials when the customer doesn't operate a real WS1 tenant.

Remove the previously documented Windows SyncML profile that used the
SMALLSTEP_* Fleet variables (those aren't wired up for Windows) and
replace it with a dedicated "Windows: bridge via the Workspace ONE
connector" section covering: WS1 connector creation with placeholders,
Fleet NDES CA setup, SyncML SCEP and Root CA profiles using
NDES_SCEP_PROXY_URL and NDES_SCEP_CHALLENGE, GitOps stanza, and a
Windows verification recipe. Also flag the Fleet 1-hour challenge TTL
expectation as a setup item to confirm.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
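An added pre-deployment check, not code from this PR or from the Fleet or Smallstep docs: it parses a constructed SyncML fragment of the shape the description above calls for and verifies that ServerURL and Challenge carry the two Fleet NDES variables and that CAThumbprint is a 40-hex-character SHA-1 value rather than the 64-character SHA-256 one. The CSP node ID "SmallstepNDES" and both fingerprint strings are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Windows ClientCertificateInstall SCEP CSP path; "SmallstepNDES" is a constructed node ID.
SCEP = "./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/SmallstepNDES/Install"
SHA1_FP = "0123456789ABCDEF0123456789ABCDEF01234567"  # constructed 40-hex value, not a real CA
SHA256_FP = "0123456789ABCDEF" * 4                     # constructed 64-hex value (wrong digest)

# Constructed SyncML fragment in the shape Fleet deploys to Windows hosts.
SAMPLE_PROFILE = f"""
<Replace><CmdID>1</CmdID><Item><Target><LocURI>{SCEP}/ServerURL</LocURI></Target>
  <Data>$FLEET_VAR_NDES_SCEP_PROXY_URL</Data></Item></Replace>
<Replace><CmdID>2</CmdID><Item><Target><LocURI>{SCEP}/Challenge</LocURI></Target>
  <Data>$FLEET_VAR_NDES_SCEP_CHALLENGE</Data></Item></Replace>
<Replace><CmdID>3</CmdID><Item><Target><LocURI>{SCEP}/CAThumbprint</LocURI></Target>
  <Data>{SHA1_FP}</Data></Item></Replace>
"""


def scep_leaves(profile_xml: str) -> dict:
    """Map each SCEP CSP leaf name (ServerURL, Challenge, ...) to its <Data> value."""
    root = ET.fromstring("<SyncBody>" + profile_xml + "</SyncBody>")  # give the fragment one root
    leaves = {}
    for item in root.iter("Item"):
        uri = item.findtext("Target/LocURI") or ""
        if "/ClientCertificateInstall/SCEP/" in uri:
            leaves[uri.rsplit("/", 1)[1]] = (item.findtext("Data") or "").strip()
    return leaves


def lint_scep_profile(profile_xml: str) -> list:
    """Return the problems found; an empty list means the profile follows the NDES-bridge recipe."""
    leaves = scep_leaves(profile_xml)
    problems = []
    if leaves.get("ServerURL") != "$FLEET_VAR_NDES_SCEP_PROXY_URL":
        problems.append("ServerURL should be $FLEET_VAR_NDES_SCEP_PROXY_URL so Fleet substitutes the NDES proxy URL")
    if leaves.get("Challenge") != "$FLEET_VAR_NDES_SCEP_CHALLENGE":
        problems.append("Challenge should be $FLEET_VAR_NDES_SCEP_CHALLENGE so each host gets a fresh dynamic challenge")
    # Strip ':' separators a fingerprint selector may display before checking the digest length.
    thumb = re.sub(r"[:\s]", "", leaves.get("CAThumbprint", ""))
    if re.fullmatch(r"[0-9A-Fa-f]{64}", thumb):
        problems.append("CAThumbprint is a SHA-256 fingerprint; Windows expects the SHA-1 value (40 hex characters)")
    elif not re.fullmatch(r"[0-9A-Fa-f]{40}", thumb):
        problems.append("CAThumbprint must be the SHA-1 fingerprint of the issuing CA certificate (40 hex characters)")
    return problems


if __name__ == "__main__":
    print(lint_scep_profile(SAMPLE_PROFILE))
    print(lint_scep_profile(SAMPLE_PROFILE.replace(SHA1_FP, SHA256_FP)))
```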
@tashian tashian requested a review from a team as a code owner May 21, 2026 23:01
@tashian tashian enabled auto-merge May 21, 2026 23:29