Migrate Windows hosts - Githubissues

fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)

https://fleetdm.com

Other

3.16k stars 432 forks source link

Migrate Windows hosts #13667

Open noahtalerman opened 1 year ago

noahtalerman commented 1 year ago

@noahtalerman: An "on" button in Fleet so you have control over when Windows workstations switch.
Edge cases
- What about offline hosts?
- What happens in between toggling?
- What about the folks that have ‘Windows MDM turned on’
- What happens to those fleetd enrolled Windows hosts?
- What does the reporting look like? (status of hosts that have not transitioned yet, and which have. What if some never check in? How will I know which have and which haven't?)

User stories

22075

noahtalerman commented 1 year ago

Hey @zhumo taking this off the drafting board because we won't get to it in the next sprint. I added it to FF because I think we want to bring it back.

noahtalerman commented 1 year ago

Marcos: We can do this programmatically. fleetd will do the unenroll from the old MDM and turn on MDM again to talk to Fleet.

zhumo commented 1 year ago

If that’s the case, does this need to be done at all?

On Thu, Sep 14, 2023 at 12:19 PM Noah Talerman @.***> wrote:

Marcos: We can do this programmatically. fleetd will do the unenroll from the old MDM and turn on MDM again to talk to Fleet.

— Reply to this email directly, view it on GitHub https://github.com/fleetdm/fleet/issues/13667#issuecomment-1720009920, or unsubscribe https://github.com/notifications/unsubscribe-auth/ABI4PYRQABT7CZZ7OFDHO6LX2NKCPANCNFSM6AAAAAA4IBL3LU . You are receiving this because you were mentioned.Message ID: @.***>

noahtalerman commented 1 year ago

Marcos: 2 scenarios: 1) device is not connected to Azure and 2) device is connected to Azure

1) Easier: Programmatically unenroll via Windows API => programmatically enroll via API (already do this)

2) Is it possible to do the migrate w/o logging the user out of the device? @marcosd4h can you please leave a comment w/ the Windows APIs we should use to test this?

Noah: This is what we want to support

marcosd4h commented 1 year ago

The MDM programmatic APIS exposed by Windows SDK are detailed here.

We can use UnregisterDeviceWithManagement with an empty argument to unenroll the device from ongoing MDM server.

Then RegisterDeviceWithManagement, RegisterDeviceWithManagementUsingAADCredentials, and RegisterDeviceWithManagementUsingAADDeviceCredentials could be used to enroll the device to a different MDM server.

noahtalerman commented 2 months ago

Hey @dherder adn @pintomi1989 , we filed a separate user story for this request.

I removed this request from the feature fest board.

cc @rachaelshaw

fleetdm / fleet

Migrate Windows hosts #13667

User stories

22075