Commit

update ops guide
jessepeterson committed Aug 28, 2023
1 parent 4913cb8 commit 5ea70a5
Showing 1 changed file with 14 additions and 0 deletions.
14 changes: 14 additions & 0 deletions docs/operations-guide.md
Expand Up @@ -163,6 +163,12 @@ Print version and exit.

NanoMDM supports a MicroMDM-compatible [webhook callback](https://github.com/micromdm/micromdm/blob/main/docs/user-guide/api-and-webhooks.md) option. This switch turns on the webhook and specifies the URL.

### -auth-proxy-url string

* Reverse proxy URL target for MDM-authenticated HTTP requests

Enables the authentication proxy and reverse proxies HTTP requests from the server's `/authproxy/` endpoint to this URL if the client provides the device's enrollment authentication. See below for more information.

## HTTP endpoints & APIs

### MDM
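Review bot: The `-auth-proxy-url` description ends with "See below for more information." without naming where; point it at the new "Authentication Proxy" section by name or anchor so a reader scanning the switch list can find it. The same paragraph says requests are proxied "if the client provides the device's enrollment authentication" but does not say what a request without it receives, which an operator will want to know before exposing `/authproxy/`. Consider stating the failure behaviour here or in the endpoint section.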
Expand Down Expand Up @@ -313,6 +319,14 @@ The migration endpoint (as talked about above under the `-migration` switch) is

Returns a JSON response with the version of the running NanoMDM server.

### Authentication Proxy

* Endpoint: `/authproxy/`

If the `-auth-proxy-url` flag is provided then URLs that begin with `/authproxy/` will be reverse-proxied to the given target URL. Importantly this endpoint will authenticate the incoming request in the same way as other MDM endpoints (i.e. Check-In or Command Report and Response) — including whether we're using TLS client configuration or not (the `-cert-header` flag). Put together this allow you to have MDM-authenticated content retrieval.

This feature is ostensibly to support Declarative Device Management and in particular the ability for some "Asset" declarations to use "MDM" authentication for their content. For example the `com.apple.asset.data` declaration supports an [Authentication key](https://github.com/apple/device-management/blob/2bb1726786047949b5b1aa923be33b9ba0f83e37/declarative/declarations/assets/data.yaml#L40-L54) for configuring this ability.

# Enrollment Migration (nano2nano)

The `nano2nano` tool extracts migration enrollment data from a given storage backend and sends it to a NanoMDM migration endpoint. In this way you can effectively migrate between database backends. For example if you started with a `file` backend you could migrate to a `mysql` backend and vice versa. Note that MDM servers must have *exactly* the same server URL for migrations to operate.
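Review bot: The "Authentication Proxy" section does not describe how a request under `/authproxy/` maps onto the target URL (whether the `/authproxy/` prefix is kept or stripped), nor whether anything identifying the authenticated enrollment is passed to the backend; both are needed to configure the target correctly. Since authentication happens at this endpoint before proxying, it is also worth noting that the target should only be reachable through NanoMDM. Two wording points in the same paragraphs: "this allow you" should read "this allows you", and "ostensibly" reads as if the stated purpose were in doubt; "primarily" or "intended" may be closer to what is meant.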