Full support of secret variables in Apple configuration profiles

[getvictor]

For secrets subtask #24548

Fixed secret variables support in Apple configuration profiles.

Checklist for submitter

• Added/updated tests
• If database migrations are included, checked table schema to confirm autoupdate
• For database migrations:
  • Ensured the correct collation is explicitly set for character columns (COLLATE utf8mb4_unicode_ci).
• Manual QA for all new/changed functionality

[codecov]

Codecov Report

Attention: Patch coverage is 77.55102% with 44 lines in your changes missing coverage. Please review.

Project coverage is 63.58%. Comparing base (6979fc1) to head (ca8cbf6).
Report is 2 commits behind head on main.

Files with missing lines	Patch %	Lines
server/mdm/nanomdm/service/nanomdm/service.go	70.58%	7 Missing and 3 partials ⚠️
.../tables/20241220100000_AddSubtypeToNanoCommands.go	57.89%	6 Missing and 2 partials ⚠️
server/service/apple_mdm.go	75.00%	4 Missing and 2 partials ⚠️
server/mdm/apple/commander.go	81.81%	3 Missing and 1 partial ⚠️
server/mdm/nanomdm/storage/file/queue.go	66.66%	3 Missing and 1 partial ⚠️
server/service/mdm.go	92.15%	2 Missing and 2 partials ⚠️
...ver/datastore/mysql/migrations/tables/migration.go	76.92%	2 Missing and 1 partial ⚠️
server/mdm/nanomdm/storage/allmulti/queue.go	0.00%	3 Missing ⚠️
cmd/fleet/serve.go	0.00%	1 Missing ⚠️
server/service/handler.go	66.66%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@           Coverage Diff            @@
##             main   #24925    +/-   ##
========================================
  Coverage   63.57%   63.58%            
========================================
  Files        1605     1606     +1     
  Lines      152110   152219   +109     
  Branches     3914     3914            
========================================
+ Hits        96706    96785    +79     
- Misses      47706    47728    +22     
- Partials     7698     7706     +8     

Flag	Coverage Δ
backend	64.39% <77.55%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[gillespi314]

One small nit and a more general question about encryption of payloads being sent to the device (not a blocker to merge but something we should clarify with product before we release, I think).

[gillespi314]

Have we looked into encrypting the profile content here? Otherwise, I'm assuming we are ok for this iteration that unencrypted secrets might be accessible in transit or at rest on the device, for example, by a user running profiles in the terminal or via osquery macos_profiles table.

[getvictor]

Yes, I brought up a similar issue with product.

Are you suggesting there is a way to prevent the device user from viewing profile contents. For example, from viewing the EnrollSecret in our Fleetd configuration profile?

[gillespi314]

Yes, it is possible to encrypt profiles. Here are the Apple docs.

[gillespi314]

Should this log be removed?

[getvictor]

Yes, will remove in next PR.