fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Unable to apply config after disabling mdm #12997

Closed ksatter closed 1 year ago

ksatter commented 1 year ago

Fleet version: 4.34.1
🧑‍💻  Expected behavior

As a Fleet user, when changing Fleet app configuration, I expect to be able to pull the current configuration with `fleetctl get config`, make any necessary changes, and then apply the file with `fleetctl apply`.

💥  Actual behavior

After enabling and then disabling MDM, if all MDM options are not cleared, applying the config without editing fails with the following error:

Error: applying fleet config: PATCH /api/latest/fleet/config received status 422 Validation Failed: Couldn't update macos_settings because MDM features aren't turned on in Fleet. Use fleetctl generate mdm-apple and then fleet serve with mdm configuration to turn on MDM features.

Removing the MDM key in the configuration results in the same error.

I was able to resolve this by ensuring that all MDM settings in the configuration file were set to a blank or false value.

👣 Reproduction steps

  1. Configure MDM features in Fleet
  2. Remove MDM env variables and restart the Fleet server
  3. Pull current config with fleetctl get config -- MDM section will indicate that MDM is not configured and enabled, but contains residual options
  4. Apply config with fleetctl apply

More info

It looks as though there are validations for the mdm configuration that are running even if MDM is disabled. These checks could be valuable in instances where someone is attempting to apply settings without first enabling MDM, but could be used as warnings rather than causing the apply to fail completely.
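One shape the suggested change could take, as an added illustration that is not Fleet's code: gate only on settings that actually differ from the stored config, and downgrade residual-but-unchanged values to a warning. The struct fields are a constructed subset of the mdm keys shown in this thread, not Fleet's real Go types.

```go
package main

import "fmt"

// MDMConfig is a constructed subset of the mdm config keys seen in this
// thread; field names are illustrative, not Fleet's actual types.
type MDMConfig struct {
	EnabledAndConfigured bool
	EnableDiskEncryption bool
	AppleBMDefaultTeam   string
}

// ValidateMDMPatch fails only when MDM is turned off AND the incoming spec
// changes an MDM-dependent setting relative to the stored config. Residual
// values that are re-applied unchanged (the get config -> apply round trip
// from this issue) produce a warning instead of failing the whole apply.
func ValidateMDMPatch(current, incoming MDMConfig) (warnings []string, err error) {
	if current.EnabledAndConfigured {
		return nil, nil // MDM on: nothing to gate here
	}
	changed := []string{}
	if incoming.EnableDiskEncryption != current.EnableDiskEncryption {
		changed = append(changed, "enable_disk_encryption")
	}
	if incoming.AppleBMDefaultTeam != current.AppleBMDefaultTeam {
		changed = append(changed, "apple_bm_default_team")
	}
	if len(changed) > 0 {
		return nil, fmt.Errorf("couldn't update %v because MDM features aren't turned on in Fleet", changed)
	}
	if incoming.EnableDiskEncryption || incoming.AppleBMDefaultTeam != "" {
		warnings = append(warnings, "mdm: residual settings present but MDM is turned off; they have no effect until MDM is enabled")
	}
	return warnings, nil
}

func main() {
	// Constructed sample: state after disabling MDM, with enable_disk_encryption
	// left true as in the config posted later in this thread.
	stored := MDMConfig{EnabledAndConfigured: false, EnableDiskEncryption: true}
	// Round trip: get config -> apply unchanged. Warns, does not fail.
	w, err := ValidateMDMPatch(stored, stored)
	fmt.Println(w, err)
	// Flipping an MDM-dependent setting while MDM is off still fails.
	edited := stored
	edited.AppleBMDefaultTeam = "Workstations"
	_, err = ValidateMDMPatch(stored, edited)
	fmt.Println(err)
}
```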

sharon-fdm commented 1 year ago

@georgekarrv , should this be assigned to MDM team? Assigning to you but tell me what you think.

lukeheath commented 1 year ago

@georgekarrv Please triage.

ireedy commented 1 year ago

Bug has aged out. Moving back to drafting.

roperzh commented 1 year ago

Noticed that this also happens for teams after a fresh install:

  1. Set up a fresh Fleet instance
  2. Create a team in the UI
  3. Do:
~/fleet $ ./build/fleetctl get teams --yaml > teams.yaml
~/fleet $ ./build/fleetctl apply -f teams.yaml
Error: applying teams: POST /api/latest/fleet/spec/teams received status 422 Validation Failed: Couldn't update macos_setup because MDM features aren't turned on in Fleet. Use fleetctl generate mdm-apple and then fleet serve with mdm configuration to turn on MDM features.

sabrinabuckets commented 1 year ago

@gillespi314 @roperzh Any thoughts on what I'm doing wrong if I follow these steps, verify that when I pull the config all of the MDM values are:

mdm:
  apple_bm_default_team: ""
  apple_bm_enabled_and_configured: false
  apple_bm_terms_expired: false
  enable_disk_encryption: true
  enabled_and_configured: false
  end_user_authentication:
    entity_id: ""
    idp_name: ""
    issuer_uri: ""
    metadata: ""
    metadata_url: ""

and still get the same error when applying?

Error: applying fleet config: PATCH /api/latest/fleet/config received status 422 Validation Failed: Couldn't update macos_setup because MDM features aren't turned on in Fleet. Use fleetctl generate mdm-apple and then fleet serve with mdm configuration to turn on MDM features.

sabrinabuckets commented 1 year ago

Retested this morning with same results.

roperzh commented 1 year ago

@gillespi314 Are you able to help Bri with this? We need to determine if we're missing an edge case. Asking you because you worked on the fix.

fleet-release commented 1 year ago

MDM off, still checked, Fleet's smooth path now circumspect. Cloud city reflects.

Config, a soft breeze, When unblocked flows with such ease, Nature's code finds peace.