xcode/iOS: support serial number collection via MDM on iOS

Fixes tailscale/corp#18366. This PR provides serial number collection on iOS, by allowing system administrators to pass a `DeviceSerialNumber` MDM key which can be read by the `posture` package in Go. Signed-off-by: Andrea Gottardo <andrea@gottardo.me>
2 months ago · fb6a33546b
parent da7c3d1753
commit fb6a33546b
4 changed files with 37 additions and 3 deletions
--- a/posture/serialnumber_ios.go
+++ b/posture/serialnumber_ios.go
@ -0,0 +1,31 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build ios
+
+package posture
+
+import (
+	"fmt"
+
+	"tailscale.com/types/logger"
+	"tailscale.com/util/syspolicy"
+)
+
+// GetSerialNumber returns the serial number of the iOS device as reported by an
+// MDM solution. Requires configuration via the DeviceSerialNumber system policy.
+// This is the only way to gather serial numbers on iOS and tvOS.
+func GetSerialNumbers(_ logger.Logf) ([]string, error) {
+	serials := []string{}
+
+	serialNumberFromMDM, err := syspolicy.GetString("DeviceSerialNumber", "")
+	if err != nil {
+		return nil, fmt.Errorf("failed to get serial number from MDM: %s", err)
+	}
+
+	if serialNumberFromMDM != "" {
+		serials = append(serials, serialNumberFromMDM)
+	}
+
+	return serials, nil
+}
--- a/posture/serialnumber_notmacos.go
+++ b/posture/serialnumber_notmacos.go
@ -3,7 +3,7 @@

 // Build on Windows, Linux and *BSD

-//go:build windows || (linux && !android) || freebsd || openbsd || dragonfly || netbsd
+//go:build (windows || (linux && !android) || freebsd || openbsd || dragonfly || netbsd) && !darwin

 package posture

--- a/posture/serialnumber_stub.go
+++ b/posture/serialnumber_stub.go
@ -1,14 +1,13 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause

-// ios: Apple does not allow getting serials on iOS
 // android: not implemented
 // js: not implemented
 // plan9: not implemented
 // solaris: currently unsupported by go-smbios:
 // https://github.com/digitalocean/go-smbios/pull/21

-//go:build ios || android || solaris || plan9 || js || wasm || (darwin && !cgo) || tamago
+//go:build android || solaris || plan9 || js || wasm || tamago

 package posture

--- a/util/syspolicy/policy_keys.go
+++ b/util/syspolicy/policy_keys.go
@ -73,6 +73,10 @@ const (
 	// Key is a string value that specifies an option: "always", "never", "user-decides".
 	// The default is "user-decides" unless otherwise stated.
 	PostureChecking Key = "PostureChecking"
+	// DeviceSerialNumber is the serial number of the device that is running Tailscale.
+	// This is used on iOS to allow IT administrators to manually give us a serial number via MDM.
+	// We are unable to programmatically get the serial number from IOKit due to sandboxing restrictions.
+	DeviceSerialNumber Key = "DeviceSerialNumber"

 	// ManagedByOrganizationName indicates the name of the organization managing the Tailscale
 	// install. It is displayed inside the client UI in a prominent location.