From e8ac7598dece59ef319c539326dcfade047ce99d Mon Sep 17 00:00:00 2001 From: Mike Swanson Date: Fri, 29 May 2026 17:11:37 -0700 Subject: [PATCH] spec(gururmm): SPEC-017 mobile device support + Apple cert memory - Update guru-rmm submodule pointer (SPEC-017 mobile device support) - Record Apple Developer + MDM Push certs (acquired 2026-05-29); MDM push cert renews annually on the same Apple ID or all enrolled iOS devices break Co-Authored-By: Claude Opus 4.8 (1M context) --- .claude/memory/MEMORY.md | 3 ++- .claude/memory/project_apple_mdm_certs.md | 23 +++++++++++++++++++++++ projects/msp-tools/guru-rmm | 2 +- 3 files changed, 26 insertions(+), 2 deletions(-) create mode 100644 .claude/memory/project_apple_mdm_certs.md diff --git a/.claude/memory/MEMORY.md b/.claude/memory/MEMORY.md index fdb0592..78995cb 100644 --- a/.claude/memory/MEMORY.md +++ b/.claude/memory/MEMORY.md 
@@ -73,6 +73,7 @@ - [Mac gururmm setup pending](project_mac_gururmm_setup_pending.md) — ACTION REQUIRED: run `bash scripts/install-hooks.sh` in gururmm repo on Mikes-MacBook-Air before any RMM work ## Project +- [Apple MDM + Developer certs (GuruRMM mobile)](project_apple_mdm_certs.md) — ACG holds both Apple Developer+signing and Apple MDM Push certs (acquired 2026-05-29) for SPEC-017 mobile support. MDM push cert RENEWS ANNUALLY on the same Apple ID or all enrolled iOS devices break. Capture Apple ID + expiry. - [Only RMM & GC are versionable products](project_versionable_products.md) — GuruRMM + GuruConnect are the only products with own repos/submodules; everything else stays in the claudetools monorepo. Split only for independent pipeline OR versioned external consumer. - [Quantum GoDaddy M365 tenant](project_quantum_godaddy_m365_tenant.md) — quantumwms.com parked in a GoDaddy-provisioned M365 tenant (id ddf3d2c9-b76c-40d9-a216-9f11a1a26f97, netorg18235235.onmicrosoft.com); blocks Pax8 migration until GoDaddy removed. Managed = no DNS takeover; need GoDaddy/GA access. - [Cascades Migration Plan](project-cascades-migration-plan.md) — Active multi-day migration. Plan file: `C:\Users\Howard\.claude\plans\wise-discovering-panda.md`. Syncro ticket: #110680053. Resume: "resume the Cascades migration plan". 
@@ -88,4 +89,4 @@ - [Cascades CA phased rollout](project_cascades_ca_phased_rollout.md) — Caregiver CA policies scoped to SG-Caregivers-Pilot, expand by dept; PATCH excludeGroups, never delete the all-users-MFA policy. - [Cascades caregiver pilot cleanup](project_cascades_pilot_cleanup.md) — Remove pilot accounts (pilot.test@, howard.enos@) at the end of the caregiver bypass pilot. - [Proposal: centralize config in identity.json](proposal_identity_centralization.md) — Rationale for the identity.json machine-config centralization (claudetools_root, ollama/python); now implemented. -- [ACG MSP tool stack](reference_acg_msp_stack.md) — ScreenConnect/CW Control, Splashtop, Syncro, Datto RMM, Datto EDR/AV, GuruRMM are ACG's OWN tools; do not flag as foreign/threat on managed machines (Defender-off is expected when Datto AV is active). +- [ACG MSP tool stack](reference_acg_msp_stack.md) — ScreenConnect/CW Control, Splashtop, Syncro, Datto RMM, Datto EDR/AV, GuruRMM are ACG's OWN tools; do not flag as foreign/threat on managed machines (Defender-off is expected when Datto AV is active). diff --git a/.claude/memory/project_apple_mdm_certs.md b/.claude/memory/project_apple_mdm_certs.md new file mode 100644 index 0000000..a0931cb --- /dev/null +++ b/.claude/memory/project_apple_mdm_certs.md 
@@ -0,0 +1,23 @@ +--- +name: project_apple_mdm_certs +description: ACG holds Apple Developer + MDM Push certificates (acquired 2026-05-29) for GuruRMM mobile/MDM; MDM push cert renews annually or all enrolled iOS devices break +metadata: + type: project +--- + +As of 2026-05-29, Arizona Computer Guru holds both Apple certificates needed for GuruRMM +mobile device support ([[SPEC-017]], `projects/msp-tools/guru-rmm/docs/specs/SPEC-017-mobile-device-support.md`): + +1. **Apple Developer Program enrollment + Distribution/code-signing cert + APNs (.p8) key** — unblocks + iOS app build, signing, TestFlight/App Store distribution, and silent push (iOS Phase 1). +2. **Apple MDM Push Certificate** (from Apple Push Certificates Portal, identity.apple.com) — unblocks + iOS true remote lock/wipe via an MDM enrollment profile (iOS Phase 2). + +**Why:** These were the iOS blockers in SPEC-017. Both iOS phases are now Apple-cert-unblocked; +remaining iOS work is engineering (MDM-protocol implementation), not credential acquisition. + +**How to apply:** The **MDM Push Certificate expires annually and must be RENEWED on the same Apple ID** +— regenerating a fresh cert, or losing the Apple ID it was issued under, silently invalidates the MDM +enrollment of EVERY iOS device and forces fleet-wide re-enrollment. Record the owning Apple ID and set +a renewal reminder ~30 days before expiry. TODO: capture the exact owning Apple ID + expiry date (not +yet recorded — ask Mike). diff --git a/projects/msp-tools/guru-rmm b/projects/msp-tools/guru-rmm index 9b34393..417856e 160000 --- a/projects/msp-tools/guru-rmm +++ b/projects/msp-tools/guru-rmm @@ -1 +1 @@ -Subproject commit 9b34393d37d9de5a8386adb8195e30fc0db6af3e +Subproject commit 417856e5fde5d7592fd8ed01b977e182bcf00566
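Review bot: In the `.claude/memory/MEMORY.md` hunk at `@@ -73,6 +73,7 @@`, the new index entry ends with the open action "Capture Apple ID + expiry", and the same item is tracked as a TODO at the end of `project_apple_mdm_certs.md`. Keep the action in one place, the memory file, and let the index line only summarize and link. Otherwise the index still reads as action-required after the TODO is resolved.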
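Review bot: In the `.claude/memory/MEMORY.md` hunk at `@@ -88,4 +89,4 @@`, the `[ACG MSP tool stack](reference_acg_msp_stack.md)` line is removed and re-added with identical visible text, so the change is whitespace or end-of-file newline only. It is unrelated to SPEC-017 and to the Apple certs. Either drop it from this commit or mention the normalization in the commit message so the history of that line is not attributed to this change.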
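Review bot: The new `.claude/memory/project_apple_mdm_certs.md` states that the MDM push cert must be renewed on the same Apple ID, yet its closing TODO leaves both the owning Apple ID and the expiry date unrecorded, so the "renewal reminder ~30 days before expiry" cannot be set from this file. Add explicit fields for the expiry date and the owning Apple ID (as labelled placeholders until Mike supplies them) so the gap is visible and machine-checkable, rather than only in a trailing sentence. The file also lists a Distribution/code-signing cert, an APNs (.p8) key and the MDM push cert without saying where the private key material is held. Record a pointer to the storage location, never the material itself, and name who besides the Apple ID owner can perform the renewal.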
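Review bot: In the `projects/msp-tools/guru-rmm` hunk, the pointer moves from 9b34393 to 417856e, and the new memory file links to `docs/specs/SPEC-017-mobile-device-support.md` inside that submodule, but nothing in this diff shows that 417856e contains that file or that the commit is reachable on the submodule's remote. Confirm both before merging, since a pointer to an unpushed commit breaks every fresh clone. Consider splitting the submodule bump from the memory notes so that either can be reverted alone.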