Open noahtalerman opened 4 months ago
Pulling notes from the issue description into a comment here:
Check if the fleetd-base.msi package that gets installed for automatic enrollment was built with the --enable-scripts flag. Is there another solution for this? What about customer-ufa who uses the base fleetd but doesn't want scripts.
Enable for manual enrollment. We can't find any additional logic that would enable scripts post facto if you didn't build your installer with scripts enabled.
Hey team! Please add your planning poker estimate with Zenhub @dantecatalfamo @ghernandez345 @gillespi314 @mna
Hey @georgekarrv heads up, I pulled this story back onto the drafting board knowing we have 61 points in remaining capacity for the upcoming sprint.
Let's discuss during today's sprint planning call.
Hi,
I saw that this issue was related to #18461. I'm afraid that enabling scripts only will not do the job, since the script only locks out local accounts. In some cases there are no local accounts but only remote accounts when using AzureAD.
Is it possible to include remote accounts in the testing of the lock script?
Thanks! (fyi @nonpunctual)
@noahtalerman ^ for QA / testing of workflows
Heads up @georgekarrv and @PezHub, testing request from Valentine here.
cc @zayhanlon
While that doesn't pertain to this ticket we can certainly investigate and create a corresponding ticket if that is the case
Hi @georgekarrv, this current issue (https://github.com/fleetdm/fleet/issues/17528) was created after this one, "Windows lock script doesn't work in some scenarios #18461", after the comment made [here](https://github.com/fleetdm/fleet/issues/18461#issuecomment-2120593890). In my understanding, locking remote users that are managed by AzureAD is a "scenario".
I thought this current issue was related to fixing the AzureAD flow 🤔
Thanks!
@noahtalerman Looking for context on this issue. What do you mean by run scripts on hosts without --scripts-enabled? I thought the purpose of the flag was so that hosts could choose to not enable scripts? Should all hosts enrolled in MDM have scripts enabled regardless of the flag? Thanks! 🙂
Hey @valentinpezon-primo! Thanks for follow up.
Let's move this conversation over to the "Windows lock script doesn't work..." issue here: #18461
This could be a side-car issue for https://github.com/fleetdm/fleet/issues/19219. Then we could add --scripts-enabled to the msiexec auto enrollment.
> What do you mean by run scripts on hosts without --scripts-enabled? I thought the purpose of the flag was so that hosts could choose to not enable scripts? Should all hosts enrolled in MDM have scripts enabled regardless of the flag? Thanks!
@dantecatalfamo and I hopped on a call and we updated this story. It now covers turning on scripts for Windows hosts that automatically enroll.
To turn on scripts for hosts that manually enroll, IT admins will install fleetd that was generated w/ the --scripts-enabled=true flag or pass SCRIPTS_ENABLED=true as a parameter in the install script (msiexec).
Since the work to add the SCRIPTS_ENABLED parameter is being done as part of this story, we can remove this requirement from the following story:
FYI @marko-lisica @dantecatalfamo
FYI @nonpunctual ^^
@georgekarrv @dantecatalfamo want to call out that having this fixed for the customer requires coordinating two different releases:
1. fleetd-base.msi, which generally gets updated only with fleetd releases
2. fleetctl + fleet release (which happens at our regular cadence)
edit: and we can't release fleetd-base.msi until we fix https://github.com/fleetdm/fleet/issues/19176, which is blocked by https://github.com/fleetdm/fleet/issues/19182
Since this requires the 2 blocked tickets to be complete for end users to see the effects, we will hold this ticket from the 4.53 milestone and skip it, and QA it in the next release when those other tickets are already complete.
This is not blocked anymore and should be ready to test. No special setup needed.
Hello @noahtalerman! What's the situation on this ticket, please? We're about to launch Autopilot in beta, and this is the last blocking bit. Thank you very much 🙏
Hey @samleb! It looks like we're targeting shipping this in Fleet 4.54.
If it's helpful, you can tell by looking at the milestone in the issue here:
cc @zayhanlon @georgekarrv
@samleb you can check our meeting agenda as well :) i know you had a conflict on Monday's call, but all top priority issues are updated there
QA Notes:
Wiped my Surface Laptop and fresh enrolled via Azure AD and confirmed the run script action was enabled. Successfully executed a PowerShell script.
QA Approved.
Goal
--scripts-enabled flag.