diff --git a/docs/operations-guide.md b/docs/operations-guide.md index a82bd0c..0558460 100644 --- a/docs/operations-guide.md +++ b/docs/operations-guide.md @@ -163,6 +163,12 @@ Print version and exit. NanoMDM supports a MicroMDM-compatible [webhook callback](https://github.com/micromdm/micromdm/blob/main/docs/user-guide/api-and-webhooks.md) option. This switch turns on the webhook and specifies the URL. +### -auth-proxy-url string + +* Reverse proxy URL target for MDM-authenticated HTTP requests + +Enables the authentication proxy and reverse proxies HTTP requests from the server's `/authproxy/` endpoint to this URL if the client provides the device's enrollment authentication. See below for more information. + ## HTTP endpoints & APIs ### MDM 
@@ -313,6 +319,14 @@ The migration endpoint (as talked about above under the `-migration` switch) is Returns a JSON response with the version of the running NanoMDM server. +### Authentication Proxy + +* Endpoint: `/authproxy/` + +If the `-auth-proxy-url` flag is provided then URLs that begin with `/authproxy/` will be reverse-proxied to the given target URL. Importantly this endpoint will authenticate the incoming request in the same way as other MDM endpoints (i.e. Check-In or Command Report and Response) — including whether we're using TLS client configuration or not (the `-cert-header` flag). Put together this allow you to have MDM-authenticated content retrieval. + +This feature is ostensibly to support Declarative Device Management and in particular the ability for some "Asset" declarations to use "MDM" authentication for their content. For example the `com.apple.asset.data` declaration supports an [Authentication key](https://github.com/apple/device-management/blob/2bb1726786047949b5b1aa923be33b9ba0f83e37/declarative/declarations/assets/data.yaml#L40-L54) for configuring this ability. + # Enrollment Migration (nano2nano) The `nano2nano` tool extracts migration enrollment data from a given storage backend and sends it to a NanoMDM migration endpoint. In this way you can effectively migrate between database backends. For example if you started with a `file` backend you could migrate to a `mysql` backend and vice versa. Note that MDM servers must have *exactly* the same server URL for migrations to operate.
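Review bot: In the first hunk (the `-auth-proxy-url` flag description), "if the client provides the device's enrollment authentication" is too vague for an operator deciding whether to expose this; say concretely what is checked (the same MDM request authentication as the Check-In and Command endpoints, i.e. the enrollment identity via TLS client certificate or the `-cert-header` header) and replace "See below for more information" with an explicit reference to the "Authentication Proxy" section under "HTTP endpoints & APIs". It would also help to state whether the `/authproxy/` prefix is stripped before the request is forwarded to the target URL, since that determines what paths the backend must serve.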
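Review bot: In the second hunk (the "Authentication Proxy" endpoint section), "Put together this allow you to have MDM-authenticated content retrieval" should read "allows", and the paragraph should document what the proxied backend receives: the hunk says the request is authenticated like other MDM endpoints but not whether the authenticated enrollment identity (or any request header) is forwarded to the target, so a reader cannot tell if the backend can authorize per device or must treat every proxied request as trusted. Consider adding a sentence that the target should only be reachable via NanoMDM (the proxy is the authentication boundary) and noting that `-cert-header` mode depends on a front-end TLS terminator, as already described for the other MDM endpoints.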