Massive Rollout Strategy

Hey All,

I'm wondering if there are any ways to automate or speed up the generation, enrollment, and installation of the Ziti Edge Client for Windows.

Let's say I want to zitify a large quantity of Company Users with Windows Notebooks:

  • ~2000 Employees/Windows Notebooks
  • All Notebooks are addressed to one single User (1:1)
  • All Notebooks are controlled and Software distributed by Microsoft Intune
  • There is a Roll-on and Roll-off process of employees leaving and joining the company (IAM and Hardware)

The Software distribution makes it simple to get the OpenZitiEdge Windows Client on the computers itself.

But I struggle with the creation of the Identities and the enrollment on this OpenZiti Edge Client. At this large amount of users, it would not be manageable to do this by hand.

Has any of you hit such requirements, or is there already a way to accomplish this?

I know that X.509 Certificates are used for the strong identity. So I can automatically create one via Intune and a certificate connector to bring it to the cert-store at Windows level.

But how to move on from there? I took a look at some config files etc. but I do not get a clue how to get the "Identity.json" or "user.jwt" config working.

Thanks in advance!


Auto-enrollment using 3rd party CA is the first thing that comes to mind (see Enrolling | OpenZiti). I don't know if this is fully supported in Ziti Desktop Edge for Windows yet (@TheLumberjack will know off the top of his head), but it looks like a possible good fit for your scenario

1 Like

I've not actually tested it for a while, but 3rd party CA/auto-enrollment should be supported, but there's no easy mechanism to "install" the identity into the proper location, nor is there any mechanism yet to leverage something like the Windows certificate store. This request was entered a long time ago by our good friend gooselggs: Support for Windows certificate store · Issue #550 · openziti/desktop-edge-win · GitHub, which would probably be a good way to satisfy a 3rd party CA like that.

Alternatively, the ziti-edge-tunnel binary ZDEW uses exposes a domain socket that an authenticated user can connect to. This GitHub repo from @NicFragale demonstrates how to use the socket and pass the identity into the running tunneler using that domain socket.

It's not documented since it's still more of a "behind the scenes" sort of thing but it does work.

1 Like

Hey Clint,

Thanks for the explanation and hint to this GitHub repo!

So if I had to summarize this kind of deployment, it would consist of these steps:

  1. Create a userXY.jwt file on the controller side for every user who needs access to OpenZiti. This can be done via a script or API tool which connects the info from Azure AD to the identity creation process (this would fit in the IAM process).
    1.1 If done by an external CA, create them in the 3rd party CA and use the method described in the link from @smilindave26.
    1.2 If done by the internal CA, create them directly in the controller.

  2. Somehow get the userXY.jwt file to the client.
    2.1 A little tricky to automate, but I'll have a check on that.

  3. Run the PS1 script from @NicFragale with admin privileges in the user context via Intune.

  4. If the .jwt is not deleted after enrollment, delete it afterwards. Also clear the PS1 script (done via Intune).

Am I right with these assumptions?
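An added example for step 1 above (the controller-side identity creation driven from an HR or Azure AD export). This is not code from the thread, from @NicFragale's repo, or from the OpenZiti project itself: it is a small Python client for the OpenZiti Edge Management REST API that creates one identity per CSV row with a one-time-token enrollment, reads back the enrollment JWT, and can delete the identity again for the roll-off case. The endpoint paths, the `zt-session` header and the JSON field names are assumptions taken from the public API and should be checked against your controller version; the CSV content and the `FakeController` transport are constructed so the flow can be run offline. The JWTs it returns are one-time enrollment secrets, so the script writes nothing to disk; whatever delivers them to the notebooks (Intune in this scenario) should treat them like a credential.

```python
import csv
import io
import json
import urllib.request


class ZitiManagementClient:
    """Minimal client for the OpenZiti Edge Management API.

    Paths, headers and field names are assumptions from the public API,
    not from the forum thread; verify them against your controller.
    """

    def __init__(self, base_url, transport=None):
        self.base_url = base_url.rstrip("/")
        self.token = None
        # transport(method, url, headers, body) -> (http_status, parsed_json)
        self.transport = transport or self._urllib_transport

    @staticmethod
    def _urllib_transport(method, url, headers, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers=headers)
        # urllib validates the server certificate against the system trust store;
        # a controller with a private CA needs that CA installed on the host.
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")

    def _call(self, method, path, body=None):
        headers = {"Content-Type": "application/json"}
        if self.token:
            headers["zt-session"] = self.token  # assumed session header name
        status, payload = self.transport(method, self.base_url + path, headers, body)
        if status >= 300:
            raise RuntimeError(f"{method} {path} failed with HTTP {status}")
        return payload

    def login(self, username, password):
        payload = self._call("POST", "/edge/management/v1/authenticate?method=password",
                             {"username": username, "password": password})
        self.token = payload["data"]["token"]

    def create_identity(self, name, role_attributes):
        """Create a Device identity with a one-time-token (ott) enrollment; returns its id."""
        body = {"name": name, "type": "Device", "isAdmin": False,
                "roleAttributes": role_attributes, "enrollment": {"ott": True}}
        return self._call("POST", "/edge/management/v1/identities", body)["data"]["id"]

    def fetch_enrollment_jwt(self, identity_id):
        """Read back the one-time enrollment JWT; treat the value as a secret."""
        payload = self._call("GET", f"/edge/management/v1/identities/{identity_id}")
        return payload["data"]["enrollment"]["ott"]["jwt"]

    def delete_identity(self, identity_id):
        """Roll-off: removing the identity revokes the notebook's access."""
        self._call("DELETE", f"/edge/management/v1/identities/{identity_id}")


def onboard_from_csv(client, csv_text):
    """Create one identity per CSV row; returns {identity_name: enrollment_jwt}."""
    results = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["upn"].strip().lower()
        # role attributes let service policies target the whole fleet or one department
        attrs = ["employee-notebook", "dept-" + row["department"].strip().lower()]
        identity_id = client.create_identity(name, attrs)
        results[name] = client.fetch_enrollment_jwt(identity_id)
    return results


class FakeController:
    """Constructed in-memory stand-in for a controller so the flow runs offline."""

    SESSION = "fake-session-token"

    def __init__(self):
        self.identities = {}

    def __call__(self, method, url, headers, body):
        path = url.split("/edge/management/v1", 1)[1]
        if method == "POST" and path.startswith("/authenticate"):
            return 200, {"data": {"token": self.SESSION}}
        if headers.get("zt-session") != self.SESSION:
            return 401, {}  # unauthenticated management calls are rejected
        if method == "POST" and path == "/identities":
            ident_id = f"id-{len(self.identities) + 1}"
            self.identities[ident_id] = dict(body)
            return 201, {"data": {"id": ident_id}}
        ident_id = path.rsplit("/", 1)[1]
        if method == "GET" and ident_id in self.identities:
            jwt = "eyJ.fake-jwt-for-" + self.identities[ident_id]["name"]  # constructed
            return 200, {"data": {"enrollment": {"ott": {"jwt": jwt}}}}
        if method == "DELETE" and ident_id in self.identities:
            del self.identities[ident_id]
            return 200, {}
        return 404, {}


# Constructed HR export; a real run would feed an Azure AD / Intune export here.
SAMPLE_HR_EXPORT = """upn,department
Alice@example.com,Finance
bob@example.com,Engineering
"""

if __name__ == "__main__":
    client = ZitiManagementClient("https://controller.example.com:1280", transport=FakeController())
    client.login("admin", "placeholder-password")
    for name, jwt in onboard_from_csv(client, SAMPLE_HR_EXPORT).items():
        print(name, "->", jwt[:12] + "...")
```

Swap `FakeController()` for no transport argument to talk to a real controller; each returned JWT is what the tunneler on the matching notebook needs for step 3, and `delete_identity` covers the roll-off side of the IAM process.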

Without trying the steps to be certain, yes those all look correct to me. There's some more steps/nuance around the external CA where you'll need to craft the identity file, put a cert/key in an expected location, etc. but overall the process seems about right to me.

1 Like