
[PRE-91] Use downloadable config profile for Jamf/Fleet#526

Open
JoeWagstaff wants to merge 3 commits into
mainfrom
joe/pre-91

Conversation

@JoeWagstaff


Describe your changes:

Jamf: Replace the manual "Configure an agent enrollment profile" steps (hand-built Managed Login Items / Certificate / SCEP / External Applications payloads) with downloading the pre-built profile from the dashboard (Device Management → connection → Settings → Configuration Profile (macOS only)) and uploading it to Jamf; scope it to the agent install policy.
Fleet: Replace the hand-authored `smallstep-agent.mobileconfig` (Step 4 XML template + base64 CA paste) with the downloaded `fleet-<connection-id>.mobileconfig`; update the upload step and the GitOps section to reference it.
Fleet: Tighten Step 3 to require naming the CA `SMALLSTEP_AGENT` (the generated profile hardcodes that suffix); drop the stray `$FLEET_VAR_HOST_END_USER_EMAIL_IDP` variable (not used by the profile).
Add notes clarifying the profiles rely on Fleet/Jamf substituting their dynamic SCEP values at deploy time, and that the macOS-only profile's SCEP payload still serves iOS/iPadOS.
Keep the API-client/connection/webhook setup steps (the download depends on them).

Related links/other PRs/issues:

Thank you!

@JoeWagstaff JoeWagstaff requested a review from a team as a code owner June 15, 2026 15:16
@CLAassistant

CLAassistant commented Jun 15, 2026


CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
1 out of 2 committers have signed the CLA.

✅ tashian
❌ JoeWagstaff
You have signed the CLA already but the status is still pending? Let us recheck it.

## Step 4. Download the configuration profile

Fleet deploys certificates to devices using a configuration profile. Smallstep generates this profile for your Fleet connection, so you can download it from the Smallstep dashboard and upload it to Fleet. There's no need to build the payloads or paste certificate data by hand.


Suggested change
Fleet deploys certificates to devices using a configuration profile. Smallstep generates this profile for your Fleet connection, so you can download it from the Smallstep dashboard and upload it to Fleet. There's no need to build the payloads or paste certificate data by hand.
Fleet deploys certificates to devices using a configuration profile. You can download this from the Smallstep dashboard and upload it to Fleet. No need to build the payloads or paste certificate data by hand.

2. Open your Fleet connection, then choose the **Settings** tab
3. Under **Configuration Profile (macOS only)**, click **Download** to save the profile. The downloaded file is named `fleet-<connection-id>.mobileconfig`.

The downloaded profile bundles everything required to enroll a device: the SCEP payload, the root and intermediate CA trust certificates (pre-filled), the agent's managed settings (including your Smallstep team slug), and the Managed Login Items entry for the agent. Its SCEP URL and challenge are embedded as Fleet's `$FLEET_VAR_*` placeholders; Fleet substitutes them per host at deploy time using the certificate authority you added in Step 3, so that CA must be in place and named `SMALLSTEP_AGENT`.


Suggested change
The downloaded profile bundles everything required to enroll a device: the SCEP payload, the root and intermediate CA trust certificates (pre-filled), the agent's managed settings (including your Smallstep team slug), and the Managed Login Items entry for the agent. Its SCEP URL and challenge are embedded as Fleet's `$FLEET_VAR_*` placeholders; Fleet substitutes them per host at deploy time using the certificate authority you added in Step 3, so that CA must be in place and named `SMALLSTEP_AGENT`.
The downloaded profile bundles everything required to enroll a device: the SCEP payload, your root and intermediate CA certificates, the Smallstep agent settings, and the Login Items entry for the agent. Its SCEP URL and challenge are embedded as Fleet's `$FLEET_VAR_*` placeholders; Fleet substitutes them per host at deploy time using the certificate authority you added in Step 3. That CA must be in place and named `SMALLSTEP_AGENT`.

- Replace the `<team-slug>` value with your Smallstep team slug
<Alert severity="info">
<div>
The dashboard labels this **macOS only** because the agent-specific payloads (managed settings and Managed Login Items) apply only to macOS. The SCEP and CA trust payloads still apply to iOS and iPadOS, so you can scope this same profile to your iOS and iPadOS hosts — the macOS-only payloads are simply ignored there. On iOS and iPadOS, the SCEP certificate issued by this profile is the end of the flow, since those platforms do not run the Smallstep agent.


Because the agent doesn't run on iOS or iPadOS, SCEP certificates don't make sense there for most use cases. I'd remove this entire alert block.

In this step, we’ll tie everything together by deploying a configuration profile that enrolls devices using the Smallstep Agent. Smallstep generates this profile for your Jamf connection, so you can download it from the Smallstep dashboard and upload it directly to Jamf Pro. There’s no need to build the payloads by hand.

The downloaded profile bundles everything required to enroll a device: the SCEP payload (with your provisioner URL pre-filled), the root and intermediate CA certificates, the agent’s managed settings (including your Team Slug), and the Managed Login Items entry for the agent. The SCEP payload relies on the dynamic challenge served by the SCEP enrollment webhook you configured earlier, so that webhook must be in place for enrollment to succeed.


Suggested change
The downloaded profile bundles everything required to enroll a device: the SCEP payload (with your provisioner URL pre-filled), the root and intermediate CA certificates, the agent’s managed settings (including your Team Slug), and the Managed Login Items entry for the agent. The SCEP payload relies on the dynamic challenge served by the SCEP enrollment webhook you configured earlier, so that webhook must be in place for enrollment to succeed.
The downloaded profile bundles everything required to enroll a device: the SCEP payload, your root and intermediate CA certificates, the Smallstep agent settings, and the Login Items entry for the agent. The SCEP payload relies on the dynamic challenge served by the SCEP enrollment webhook you configured earlier, so that webhook must be in place for enrollment to succeed.
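An added pre-upload check for the downloaded profile, covering both the Fleet thread above (SCEP URL and challenge as `$FLEET_VAR_*` placeholders that must name the `SMALLSTEP_AGENT` CA) and the payload inventory that decides which parts of the "macOS only" profile still apply to iOS/iPadOS. This is not code from this PR or from Smallstep, Fleet or Jamf. The embedded profile is a constructed stand-in for a `fleet-<connection-id>.mobileconfig`: its placeholder names are assumed (only the rule that they end in the CA name comes from the text above), its certificate data is dummy bytes, and the Apple payload types are the standard ones for SCEP, root trust and Managed Login Items.

```python
"""Pre-upload sanity check for a Smallstep agent enrollment profile (.mobileconfig).

Parses the profile as an Apple plist, lists its payloads, and for a Fleet profile
confirms the SCEP URL and Challenge are $FLEET_VAR_* placeholders naming the CA.
"""
import plistlib

SCEP_TYPE = "com.apple.security.scep"
ROOT_TYPE = "com.apple.security.root"
# Payloads only the macOS agent consumes (Managed Login Items, managed settings).
MACOS_ONLY_TYPES = {"com.apple.servicemanagement", "com.apple.ManagedClient.preferences"}
FLEET_PREFIX = "$FLEET_VAR_"

# Constructed stand-in for a downloaded fleet-<connection-id>.mobileconfig.
# Placeholder names are assumed; payload types are Apple's; the <data> is dummy bytes.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.smallstep-agent</string>
  <key>PayloadUUID</key><string>11111111-2222-3333-4444-555555555555</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.scep</string>
      <key>PayloadIdentifier</key><string>com.example.smallstep-agent.scep</string>
      <key>PayloadUUID</key><string>aaaaaaaa-0000-0000-0000-000000000001</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadContent</key>
      <dict>
        <key>URL</key><string>$FLEET_VAR_CUSTOM_SCEP_PROXY_URL_SMALLSTEP_AGENT</string>
        <key>Challenge</key><string>$FLEET_VAR_CUSTOM_SCEP_CHALLENGE_SMALLSTEP_AGENT</string>
        <key>Key Type</key><string>RSA</string>
        <key>Keysize</key><integer>2048</integer>
      </dict>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadIdentifier</key><string>com.example.smallstep-agent.root</string>
      <key>PayloadUUID</key><string>aaaaaaaa-0000-0000-0000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadContent</key><data>AAEC</data>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.servicemanagement</string>
      <key>PayloadIdentifier</key><string>com.example.smallstep-agent.loginitems</string>
      <key>PayloadUUID</key><string>aaaaaaaa-0000-0000-0000-000000000003</string>
      <key>PayloadVersion</key><integer>1</integer>
    </dict>
  </array>
</dict>
</plist>
"""


def load_profile(raw: bytes) -> dict:
    """Parse the XML plist; raises plistlib.InvalidFileException on non-plist input."""
    return plistlib.loads(raw)


def payload_types(profile: dict) -> list[str]:
    return [p.get("PayloadType", "") for p in profile.get("PayloadContent", [])]


def ios_applicable_types(profile: dict) -> list[str]:
    """Payloads that still apply when the same profile is scoped to iOS/iPadOS hosts."""
    return [t for t in payload_types(profile) if t not in MACOS_ONLY_TYPES]


def scep_payloads(profile: dict) -> list[dict]:
    return [p for p in profile.get("PayloadContent", []) if p.get("PayloadType") == SCEP_TYPE]


def check_fleet_profile(raw: bytes, ca_name: str = "SMALLSTEP_AGENT") -> list[str]:
    """Return a list of problems; an empty list means the profile is ready to upload."""
    profile = load_profile(raw)
    problems = []
    if ROOT_TYPE not in payload_types(profile):
        problems.append("missing CA trust payload " + ROOT_TYPE)
    scep = scep_payloads(profile)
    if len(scep) != 1:
        problems.append(f"expected exactly one SCEP payload, found {len(scep)}")
        return problems
    content = scep[0].get("PayloadContent", {})
    for key in ("URL", "Challenge"):
        value = str(content.get(key, ""))
        if not value.startswith(FLEET_PREFIX):
            # A literal value here ships the same URL/challenge to every host instead of
            # letting Fleet substitute a per-host one at deploy time.
            problems.append(f"SCEP {key} is not a Fleet placeholder: {value!r}")
        elif not value.endswith("_" + ca_name):
            problems.append(f"SCEP {key} placeholder {value} does not reference CA {ca_name}")
    return problems


def set_scep_field(raw: bytes, key: str, value: str) -> bytes:
    """Copy of the profile with one SCEP field overwritten (used to exercise the check)."""
    profile = load_profile(raw)
    for payload in scep_payloads(profile):
        payload["PayloadContent"][key] = value
    return plistlib.dumps(profile)


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    print("payloads:", payload_types(load_profile(raw)))
    print("iOS/iPadOS-applicable:", ios_applicable_types(load_profile(raw)))
    for line in check_fleet_profile(raw) or ["ok: SCEP fields are per-host Fleet placeholders"]:
        print(line)
```

Run it against the real download (`python check_profile.py fleet-<connection-id>.mobileconfig`) before uploading. The Jamf profile has its provisioner URL pre-filled and takes its challenge from the SCEP enrollment webhook rather than from Fleet placeholders, so for Jamf only the payload inventory functions apply; a literal challenge string in either profile is the thing to be suspicious of, because it would be delivered unchanged to every host.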
