fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Profiles are stuck in "Pending" due to missing "ack" #15678

Closed roperzh closed 8 months ago

roperzh commented 9 months ago

Fleet version: 4.41.1

Web browser and operating system:


💥  Actual behavior

Fleet sets a profile as verifying when it gets the ack from the InstallProfile command.

However, we might miss the ack, or the host might fail to send it for a variety of reasons, causing profiles to be stuck in pending forever, even though:

  1. The profile is installed in the device
  2. We know the profile is installed (via osquery)

[!NOTE] The same logic can be applied for failed profiles as well, but we're tracking that as a feature request; this is only about profiles going from pending to verified.

🧑‍💻  Steps to reproduce

  1. Add a macOS configuration profile
  2. Run the following MySQL query: UPDATE host_mdm_configuration_profiles SET status = 'pending'
  3. Verify that the host has the profile but Fleet shows the profile as pending
  4. Refreshing host vitals should move the profile to "verified"

🛠️ To fix

https://github.com/fleetdm/fleet/blob/e3c037cac3bb36948a3fb0714574da1fbf44ddc0/server/datastore/mysql/mdm.go#L485
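An added example (not Fleet's code and not part of the original comment) of the reconciliation this issue asks for: osquery's report of installed profiles is used to promote rows to verified, with and without requiring the InstallProfile ack first. The type and function names, the `requireAck` switch, the profile identifiers, and the assumption that acked rows sit in `verifying` until osquery confirms them are all hypothetical.

```go
package main

import "fmt"

type Status string

const (
	Pending   Status = "pending"
	Verifying Status = "verifying"
	Verified  Status = "verified"
	Failed    Status = "failed"
)

// HostProfile is a hypothetical row: one profile expected on one host.
type HostProfile struct {
	Identifier string
	Status     Status
}

// Reconcile marks profiles verified when osquery reports them installed.
// With requireAck=true only acked (verifying) rows are promoted, which is the
// stuck-in-pending behaviour; with false, pending rows are promoted as well.
// Failed rows are never touched. It returns the identifiers it changed.
func Reconcile(rows []HostProfile, reported []string, requireAck bool) []string {
	installed := make(map[string]bool, len(reported))
	for _, id := range reported {
		installed[id] = true
	}
	var changed []string
	for i := range rows {
		r := &rows[i]
		promotable := r.Status == Verifying || (!requireAck && r.Status == Pending)
		if installed[r.Identifier] && promotable {
			r.Status = Verified
			changed = append(changed, r.Identifier)
		}
	}
	return changed
}

func main() {
	// Constructed sample: the ack for the Wi-Fi profile was lost.
	rows := []HostProfile{
		{"com.example.wifi", Pending},
		{"com.example.vpn", Verifying},
		{"com.example.dock", Pending}, // not reported by osquery
	}
	reported := []string{"com.example.wifi", "com.example.vpn"}
	fmt.Println(Reconcile(rows, reported, false), rows)
}
```

A pending profile that osquery does not report stays pending, so the device's own report, not the missing ack, decides the displayed state.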

sabrinabuckets commented 8 months ago

Following Roberto's instructions above (with the caveat that host_mdm_configuration_profiles needs to be host_mdm_apple_profiles or host_mdm_windows_profiles) I was able to force a newly uploaded profile into Pending status, and then on refetch observe the status change to Verified.

nonpunctual commented 8 months ago

This has been a long-standing problem in Jamf that most admins (including myself) wrote custom extension attributes for, i.e., not relying on MDM to validate if profiles are installed, but doing something like calling system_profiler SPConfigurationProfileDataType & parsing the output to verify profiles are on the computer. So, even if you have reproduced it & watched it flip from pending to verified, I doubt that you will see this 100% of the time.

One major cause of this in customer environments is not having good communication with all of Apple's recommended Enterprise Network URLs / services. https://support.apple.com/en-us/HT210060

2 ways of testing this are 1) https://twocanoes.com/products/mac/push-diagnostics/ 2) Apple's Mac Evaluation Utility, which is available for customers enrolled in AppleSeed for IT. I have a recent version of MEU which I will upload to this ticket in case anyone wants to see what it does.

fleet-release commented 8 months ago

Profiles stuck, pending,
A fix brings clarity, peace,
Fleet sails smoothly now.