fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Surface DEP (ADE) enrollment profile validation errors #17558

Open roperzh opened 3 months ago

roperzh commented 3 months ago

Goal

User story
As an IT admin,
I want to know at upload time if my ADE (DEP) enrollment profile is valid,
so that I can make sure that my hosts will enroll automatically.

Context

In #15461 we implemented a solution to surface errors when we make API calls to assign a JSON profile to a host.

This issue is about API/validation errors we might get when we upload the JSON profile to Apple's server, before it's even assigned to a host.

The current behavior if the validation fails is:

  1. Profile assignment fails for all the hosts in the team with the invalid profile
  2. New hosts assigned in ABM to that team don't appear in Fleet
  3. The error message can only be spotted in the Fleet server logs.

All possible errors are described here.

Changes

Product

Engineering

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

Manual testing steps

  1. Step 1
  2. Step 2
  3. Step 3

Testing notes

Confirmation

  1. [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
  2. [ ] QA (@____): Added comment to user story confirming successful completion of QA.

noahtalerman commented 3 months ago

@roperzh thanks for tracking this!

Generating easy to understand error messages is core to Fleet.

Do you think we should hit Apple API at ADE (DEP) profile at upload time? So we can reject an invalid profile and surface the error to the admin.

Something else?

roperzh commented 3 months ago

@noahtalerman thanks for quickly looking into this!

> Do you think we should hit Apple API at ADE (DEP) profile at upload time? So we can reject an invalid profile and surface the error to the admin.
>
> Something else?

I was thinking the same, it's the only point in time where we have the chance to surface errors cleanly, so it makes sense to me 👍

Doing the validations ourselves without submitting to Apple is error-prone and I think will end up being even more work.

noahtalerman commented 3 months ago

Hey @roperzh, heads up, we brought this into the upcoming design sprint (4.49).

georgekarrv commented 2 months ago

Hey team! Please add your planning poker estimate with Zenhub @dantecatalfamo @ghernandez345 @gillespi314 @mna @roperzh