diff --git a/posture/serialnumber_ios.go b/posture/serialnumber_ios.go
new file mode 100644
index 000000000..9b6fd1f70
--- /dev/null
+++ b/posture/serialnumber_ios.go
@@ -0,0 +1,31 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build ios
+
+package posture
+
+import (
+ "fmt"
+
+ "tailscale.com/types/logger"
+ "tailscale.com/util/syspolicy"
+)
+
+// GetSerialNumber returns the serial number of the iOS device as reported by an
+// MDM solution. Requires configuration via the DeviceSerialNumber system policy.
+// This is the only way to gather serial numbers on iOS and tvOS.
+func GetSerialNumbers(_ logger.Logf) ([]string, error) {
+ serials := []string{}
+
+ serialNumberFromMDM, err := syspolicy.GetString("DeviceSerialNumber", "")
+ if err != nil {
+ return nil, fmt.Errorf("failed to get serial number from MDM: %s", err)
+ }
+
+ if serialNumberFromMDM != "" {
+ serials = append(serials, serialNumberFromMDM)
+ }
+
+ return serials, nil
+}
diff --git a/posture/serialnumber_notmacos.go b/posture/serialnumber_notmacos.go
index 69ad904b8..92d9c6ebb 100644
--- a/posture/serialnumber_notmacos.go
+++ b/posture/serialnumber_notmacos.go
@@ -3,7 +3,7 @@
 // Build on Windows, Linux and *BSD
-//go:build windows || (linux && !android) || freebsd || openbsd || dragonfly || netbsd
+//go:build (windows || (linux && !android) || freebsd || openbsd || dragonfly || netbsd) && !darwin
 package posture
diff --git a/posture/serialnumber_stub.go b/posture/serialnumber_stub.go
index 1389177fe..551607a69 100644
--- a/posture/serialnumber_stub.go
+++ b/posture/serialnumber_stub.go
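Review bot: In posture/serialnumber_ios.go, `GetSerialNumbers` looks the policy up by the string literal `"DeviceSerialNumber"` rather than the `DeviceSerialNumber` key this commit adds to util/syspolicy/policy_keys.go, so the two can drift apart without a compile error; `syspolicy.GetString(syspolicy.DeviceSerialNumber, "")` ties them together. The error is formatted with `%s`, which drops it from the `errors.Is`/`errors.As` chain; `fmt.Errorf("failed to get serial number from MDM: %w", err)` keeps it. The doc comment opens with `GetSerialNumber` while the function is named `GetSerialNumbers`, so the comment's first word should match the name.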
@@ -1,14 +1,13 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
-// ios: Apple does not allow getting serials on iOS
 // android: not implemented
 // js: not implemented
 // plan9: not implemented
 // solaris: currently unsupported by go-smbios:
 // https://github.com/digitalocean/go-smbios/pull/21
-//go:build ios || android || solaris || plan9 || js || wasm || (darwin && !cgo) || tamago
+//go:build android || solaris || plan9 || js || wasm || tamago
 package posture
diff --git a/util/syspolicy/policy_keys.go b/util/syspolicy/policy_keys.go
index 166bbe601..6f74585d3 100644
--- a/util/syspolicy/policy_keys.go
+++ b/util/syspolicy/policy_keys.go
@@ -73,6 +73,10 @@ const (
 // Key is a string value that specifies an option: "always", "never", "user-decides".
 // The default is "user-decides" unless otherwise stated.
 PostureChecking Key = "PostureChecking"
+ // DeviceSerialNumber is the serial number of the device that is running Tailscale.
+ // This is used on iOS to allow IT administrators to manually give us a serial number via MDM.
+ // We are unable to programmatically get the serial number from IOKit due to sandboxing restrictions.
+ DeviceSerialNumber Key = "DeviceSerialNumber"
 // ManagedByOrganizationName indicates the name of the organization managing the Tailscale
 // install. It is displayed inside the client UI in a prominent location.
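Review bot: Dropping `(darwin && !cgo)` from the constraint in posture/serialnumber_stub.go can leave a macOS build with cgo disabled without any `GetSerialNumbers` definition, because the new iOS file is `//go:build ios` only and the macOS implementation's constraint is not part of this diff. If that file still requires cgo, keeping `(darwin && !cgo && !ios)` in the stub list restores coverage; `CGO_ENABLED=0 GOOS=darwin go build ./posture/` would confirm either way. Relatedly, the `&& !darwin` added in posture/serialnumber_notmacos.go cannot change the result, since none of the listed GOOS tags is ever set together with `darwin`.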
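Review bot: The comment on `DeviceSerialNumber` in util/syspolicy/policy_keys.go does not say that the value is taken as configured: the iOS `GetSerialNumbers` added in this commit returns whatever non-empty string the policy holds, with no check against the hardware. Posture rules that match on serial number therefore depend on the integrity of the MDM configuration on iOS, which is worth stating where the key is documented, e.g. `// The value is reported as configured and is not verified against the device.` The const block continues outside the hunk.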