№ A · 02 / Device delivery & enrollment
Any laptop, any OS,
your YubiKey.
Fleet laptops ship from an EU OEM straight to the customer, never via our office. Mesh customers bring their own hardware, any OS already installed, and enrol it with the per-role YubiKeys we sent them. Same architecture, two starting points.
№ D1 / Two arrival patterns
OEM-direct,
or YubiKey-enrolled.
Fleet tier laptops are ordered from an EU OEM with a generic KiwiStack image baked in; they ship direct to the customer's address and self-claim into the right tenant on first boot. Mesh tier customers buy their own laptops, with whatever OS is already on them, and enrol via the YubiKey. The end state (managed, certified, on the tunnel) is identical.
Fleet
№ 01
OEM-direct
Laptop ships from an EU OEM straight to the customer. We never touch it.
- 01 Customer orders Fleet with N laptops. We place the order with an EU OEM partner (Tuxedo, Slimbook, Star Labs, Framework). Ship-to is the customer's address.
- 02 OEM bakes a generic kiwistack-base image at manufacture: Ubuntu LTS + cloud-init + a serial-bound bootstrap token tied to the customer slug in our registry.
- 03 Box arrives at the customer. They power on, connect Wi-Fi or plug in ethernet. No installer, no USB stick, no tech-support call.
- 04 First-boot daemon claims the laptop into the customer's tenant via the bootstrap endpoint, configures WG, joins Fleet, requests the smallstep device cert, sets up SSSD against Nubus. Ready in ~5 minutes from network-up.
- 05 User logs in with their existing OpenDesk credential. Disk encryption is keyed; recovery key escrowed in customer's smallstep CA.
Pricing
Hardware billed at OEM cost + provisioning fee. Per-user-month tier on top.
Mesh · also for Fleet expansions
№ 02
BYOL via YubiKey
Customer brings any laptop, any OS already installed. The YubiKey we sent them does the rest.
- 01 Customer has a laptop already running Windows, macOS, or Linux. Whatever was on it stays; no reformat, no reinstall.
- 02 They download the kiwistack-enroll installer for their OS from the customer portal (signed binary, verified at install).
- 03 Insert the YubiKey, enter PIN, touch the key, run the installer with admin rights. It installs the Fleet agent, the WireGuard client, and the smallstep cert helper.
- 04 The YubiKey's PIV slot signs an enrollment attestation. Fleet validates it, smallstep issues a device cert, WG comes up, the laptop appears in Fleet within ~3 minutes.
- 05 The user keeps using their existing OS account; OpenDesk SSO is via the browser against Keycloak (no domain join required on Win / macOS).
Pricing
Per-role YubiKey 5 Series. Mesh includes 2 (founder + sysadmin), Fleet up to 5. €70–95 each at cost for additional or replacement. FIPS variant available as a premium SKU.
PKI / authentication
The YubiKey isn't only a device-enrolment token; it's the customer's physical authorization root for every high-trust operation against their tenant. Hardware (5 Series, FIPS option), per-role distribution, cryptographic two-person rule on Critical ops, and the BYOC alternative all live on /architecture/authorization →.
№ D2 / OS support
Three OSes,
one enrollment.
The YubiKey enrollment, Fleet, WireGuard and smallstep work the same way on every supported OS. The deeper the OS-side integration goes, the more we lean on Linux conventions, but BYOL on macOS or Windows is fully supported, with the same management surface.
| OS | OS login | Fleet | WireGuard | Device cert | Policy |
|---|---|---|---|---|---|
| Ubuntu LTS (Recommended · the baseline we ship) | SSSD against Nubus over WG · Kerberos auto-SSO into web apps | Native agent | NetworkManager / wg-quick | step daemon · /etc/step/ | Fleet profiles + scripts |
| macOS 14+ (Supported · BYOL only) | Local user account · browser-based SSO into web apps via Keycloak | Native MDM (DDM) agent | WireGuard.app via mobileconfig | step + system Keychain | Fleet config profiles (.mobileconfig) |
| Windows 11 (Supported · BYOL only) | Local user account · browser-based SSO into web apps via Keycloak | Native MDM agent | WireGuard for Windows via profile | step + LocalMachine cert store | Fleet policies + PowerShell scripts |
The Linux baseline is the only OS where the OS login itself is bound to Nubus (via SSSD over WireGuard, with Kerberos auto-SSO into web apps). On macOS / Windows the local OS account is independent of Nubus; app SSO happens in the browser against Keycloak. This is the same model Azure AD-joined Macs use.
№ D3 / Enrollment, traced
Plug in,
PIN, touch, done.
The same seven steps on Windows, macOS and Linux. Total time: ~3 minutes on a wired connection, ~5 on hotel Wi-Fi.
01
Insert YubiKey
USB-A or USB-C, into the laptop. The OS recognizes it as a smartcard + FIDO device automatically (no driver install on modern Windows / macOS / Linux).
02
Run kiwistack-enroll
Signed installer (Win), pkg (macOS), or .deb (Linux). Customer downloaded it from their portal. Asks for admin / sudo once.
03
Enter PIN, touch
The enrollment program prompts for the YubiKey PIN; the user enters it and touches the key. The PIV slot unlocks for one signing operation.
04
Sign attestation
The enrollment program asks the YubiKey to sign an attestation: { hardware fingerprint of this laptop, customer slug, timestamp, YubiKey serial }. The signing key lives in the PIV slot; its enrollment cert was issued by the customer's intermediate, so the signature chains to that intermediate.
05
Fleet validates
Customer's Fleet endpoint accepts the attestation if: (a) signature chains to their intermediate, (b) YubiKey serial is in their registry, (c) hardware fingerprint is new (or being re-enrolled with prior consent).
06
smallstep issues cert
Customer's smallstep issues a 24h device cert. Dropped into the OS-appropriate trust store.
07
Tunnel up, agent up
WG tunnel comes up using a key derived from the device cert. Fleet agent registers and starts reporting. Done: laptop is green in Fleet within minutes.
№ D4 / When something goes wrong
Lost keys,
stolen laptops.
Any compromise of a single component is contained, recoverable, and never silent. Below: the three scenarios we plan for. None of them requires touching another customer's slice or rotating shared MSP material.
Scenario 01
YubiKey lost or stolen
Operator revokes the key's enrollment cert at the customer's smallstep, marks the YubiKey serial as burned in the registry. New key issued with a new enrollment cert from the same intermediate. Existing enrolled devices keep working, since their device certs renew on their own and don't depend on the lost key.
Scenario 02
Laptop lost or stolen
Fleet remote-wipe (LUKS slot zeroed on Linux, BitLocker / FileVault flag on Win / macOS → unbootable without recovery). Revoke the device's smallstep cert. Disable the user / device in Nubus. Within 24h the device cert expires and the laptop is fully locked out of the tenant.
Scenario 03
Customer's smallstep intermediate compromised
Offline MSP root revokes the intermediate, signs a new one. New device certs issued via re-enrollment. Old certs become untrusted within hours. Other customers unaffected, since intermediates are independent.
№ D5 / Per-tier delivery
Same architecture,
three different first miles.
| Tier | We ship | YubiKeys | Fleet | OS |
|---|---|---|---|---|
| Core | · | · | Not in scope | · |
| Mesh | Customer brings their own laptops | 2 YubiKey 5 Series included (founder + sysadmin) | Enabled · all OS-side managed | Win · macOS · Linux |
| Fleet | EU OEM partner ships direct to customer | Up to 5 YubiKey 5 Series included · FIPS SKU optional | Enabled · plus baseline + audit | Ubuntu LTS by default · others on request |
Core customers who later want device management upgrade to Mesh. Fleet defaults to Ubuntu LTS on the OEM image; macOS or Windows can be requested but require a different OEM partner and longer lead time. FIPS-validated YubiKey 5 FIPS Series available as a premium SKU for compliance-driven customers.
№ D6 / On the desktop
Mail, Files, Calendar, Chat. One icon each.
Once the laptop is enrolled, the OpenDesk apps show up as individual desktop applications, with the same UX as Outlook or Word in the Start menu, except they wrap the same web stack you'd otherwise reach in a browser tab. SSO inherits from the OS Kerberos session on Linux, from a persisted Keycloak cookie on macOS / Windows. Chat is Element Desktop (real native app); Files also gets Nextcloud Sync alongside for the filesystem layer. Mechanics, SSO trace, and the two native exceptions on /architecture/desktop-apps →.