fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

mdm.enable_disk_encryption can only be turned on if macOS MDM is configured #14214

Closed roperzh closed 11 months ago

roperzh commented 1 year ago

Fleet version: unreleased feature branch feat-bitlocker


💥  Actual behavior

mdm.enable_disk_encryption can only be turned on if macOS MDM is configured; however, you might want to enable disk encryption if you have Windows-only MDM configured.

🧑‍💻  Steps to reproduce

  1. Enable and configure Windows MDM but not macOS MDM
  2. Try to enable disk encryption via fleetctl apply -f using the YML below

Global disk encryption setting YML

kind: config
spec:
  mdm:
    enable_disk_encryption: true

This will cause fleetctl to return the following error:

Error: applying fleet config: PATCH /api/latest/fleet/config received status 422 Validation Failed: Couldn't update macos_settings because MDM features aren't turned on in Fleet. Use fleetctl generate mdm-apple and then fleet serve with mdm configuration to turn on MDM features.

If both Windows and macOS MDM are disabled and the YML above is applied, the following error appears. Notice that the macOS reference shouldn't be here:

Error: applying fleet config: PATCH /api/latest/fleet/config received status 422 Validation Failed: Couldn't update macos_settings because MDM features aren't turned on in Fleet. Use fleetctl generate mdm-apple and then fleet serve with mdm configuration to turn on MDM features.

marcosd4h commented 1 year ago

I've just tried this, and it fails with the errors below

Test Procedure

Test Files

test_disk_encryption_off.yml

kind: config
spec:
  mdm:
    enable_disk_encryption: false

test_disk_encryption_on.yml

kind: config
spec:
  mdm:
    enable_disk_encryption: true

Test cases with errors

fleetctl apply -f test_disk_encryption_off.yml

{"component":"http","err":"disable no-team filevault and escrow: disabling FileVault: : MDMAppleConfigProfile identifier: com.fleetdm.fleet.mdm.filevault, team_id: 824643003336 was not found in the datastore","level":"error","method":"PATCH","took":"3.740298ms","ts":"2023-10-03T21:11:36.202380222Z","uri":"/api/latest/fleet/config","user":"testadmin@example.com","uuid":"910158fc-5bf8-43cb-802e-18d61e064d71"}

fleetctl apply -f test_disk_encryption_on.yml

{"component":"http","err":"enable no-team filevault and escrow: enabling FileVault: Apple MDM SCEP configuration: no certificate provided","level":"error","method":"PATCH","took":"3.065636ms","ts":"2023-10-03T21:13:56.419927786Z","uri":"/api/latest/fleet/config","user":"testadmin@example.com"}
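As an added illustration (not Fleet's own code), the Go model below shows the precondition the report asks for and the per-platform side effects behind the two log lines above: `enable_disk_encryption` is accepted when MDM is configured for either platform, the "nothing configured" error no longer singles out macOS, the FileVault profile is only created or deleted when Apple MDM is configured (so a Windows-only server never hits the SCEP "no certificate provided" path), and disabling is idempotent (a FileVault profile that was never created is not a "not found" error). The types `ServerMDM` and `ProfileStore`, the `applyDiskEncryption` / `validateDiskEncryption` functions and the action strings are hypothetical; only the profile identifier is taken from the log line quoted above.

```go
package main

import (
	"errors"
	"fmt"
)

// ServerMDM models which MDM platforms were configured when `fleet serve`
// started. Hypothetical type for this example, not one of Fleet's own.
type ServerMDM struct {
	AppleConfigured   bool // APNs/SCEP certificates provided, so macOS MDM works
	WindowsConfigured bool // Windows MDM turned on
}

// ProfileStore stands in for the datastore table of MDM config profiles,
// keyed by profile identifier. Hypothetical type for this example.
type ProfileStore map[string]bool

// Identifier of Fleet's FileVault profile, as it appears in the log line
// quoted in the comment above.
const fileVaultProfileID = "com.fleetdm.fleet.mdm.filevault"

// ErrNoMDM is the platform-neutral error for the "nothing configured" case.
var ErrNoMDM = errors.New("couldn't update mdm.enable_disk_encryption because MDM features aren't turned on in Fleet for any platform")

// validateDiskEncryption is the corrected precondition: the setting may be
// turned on when MDM is configured for either platform. Turning it off never
// requires MDM at all.
func validateDiskEncryption(srv ServerMDM, enable bool) error {
	if !enable {
		return nil
	}
	if srv.AppleConfigured || srv.WindowsConfigured {
		return nil
	}
	return ErrNoMDM
}

// applyDiskEncryption runs only the side effects for platforms whose MDM is
// configured, so a Windows-only server never touches the FileVault profile.
// Disabling is idempotent: a missing FileVault profile is skipped, not an
// error. It returns the list of actions taken so callers can inspect them.
func applyDiskEncryption(srv ServerMDM, enable bool, profiles ProfileStore) ([]string, error) {
	if err := validateDiskEncryption(srv, enable); err != nil {
		return nil, err
	}
	var actions []string
	if srv.AppleConfigured {
		switch {
		case enable && !profiles[fileVaultProfileID]:
			profiles[fileVaultProfileID] = true
			actions = append(actions, "create "+fileVaultProfileID)
		case !enable && profiles[fileVaultProfileID]:
			delete(profiles, fileVaultProfileID)
			actions = append(actions, "delete "+fileVaultProfileID)
		}
	}
	if srv.WindowsConfigured {
		if enable {
			actions = append(actions, "enable bitlocker")
		} else {
			actions = append(actions, "disable bitlocker")
		}
	}
	return actions, nil
}

func main() {
	windowsOnly := ServerMDM{WindowsConfigured: true}
	profiles := ProfileStore{}

	// Step 2 of the report: Windows MDM only, enable_disk_encryption: true.
	actions, err := applyDiskEncryption(windowsOnly, true, profiles)
	fmt.Println(actions, err)

	// Turning it off again with no FileVault profile ever created: no error.
	actions, err = applyDiskEncryption(windowsOnly, false, profiles)
	fmt.Println(actions, err)

	// Neither platform configured: rejected with a platform-neutral message.
	_, err = applyDiskEncryption(ServerMDM{}, true, profiles)
	fmt.Println(err)
}
```

The key design point is that the precondition and the side effects are decided per platform from the server's MDM state rather than from a single macOS-centric check, which is exactly what lets a Windows-only deployment use the setting.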

fleet-release commented 11 months ago

Windows, Mac both shine,
In cloud city, encryption,
Safeguards all design.