fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Transferring a host between teams produces unexpected macOS settings status #11221

Closed dherder closed 1 year ago

dherder commented 1 year ago

Fleet version: 4.30.1

Operating system: macOS 13.2.1

Web browser: Version 112.0.5615.121 (Official Build) (x86_64)


🧑‍💻  Expected behavior

When transferring a macOS host from a team (team A) with deployed profiles to a team with 0 deployed profiles, the macOS settings view for that host should only display the fleetd configuration and the MDM enrollment profile.

💥  Actual behavior

After transferring the device to a team that does not have any config profiles applied, 2 status rows are present in the macOS settings modal "Removing enforcement (pending)". On the macOS host > Profiles dialog itself, there is only the macOS MDM enrollment profile and the fleetd configuration profile present.

👣 Reproduction steps

  1. Enroll macOS device into MDM, ensuring that the host is assigned to a team that has configuration profiles assigned and Disk encryption turned ON.
  2. In the above scenario, the host was assigned to a team and the config profile statuses are as follows: [image] Not sure if the Error regarding disk encryption Failing was a contributing factor in this bug.
  3. Transfer host from Step 1 to a team that does not have any config profiles and Disk Encryption is OFF.
  4. After the host vitals are fetched, the macOS settings has incorrect status line items: [image]

xpkoala commented 1 year ago

@dherder Do you have any inkling as to which profiles might be stuck in that state? There might be some information in the host_mdm_apple_profiles table that could give us some insight.

I have swapped a host a few times between two teams that have 5 profiles enabled vs 0 profiles enabled, including disk encryption on/off on the appropriate team, and I haven't seen this behavior just yet. I'll add another 15 or so profiles to see if I can reproduce. I'm also not entirely sure how you got the disk encryption profile into its failing state, but that could have introduced some weird behavior when swapping teams.

xpkoala commented 1 year ago

I have tested this one pretty robustly and haven't encountered a broken state as above. I'm going to close this one out, but please reopen it if you see similar behavior.

fleet-release commented 1 year ago

Transferred hosts find Settings gently rearranged Mac's clouds align, clear