OS Settings always enforcing (pending) and decryption key not working

fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)

https://fleetdm.com

Other

3.01k stars 419 forks source link

OS Settings always enforcing (pending) and decryption key not working #18868

Closed aortmann closed 4 months ago

aortmann commented 5 months ago

Fleet version: 4.49.3

Web browser and operating system: Chrome 124.0.6367.119 running on macOS

💥 Actual behavior

I've updated fleet from 4.30.1 to 4.49.3, also updated the apple certificates (because it expired) and now all the devices are in this state, and also the disk encryption key cannot be viewed.

🧑‍💻 Steps to reproduce

Update fleet to 4.49.3
Update apple certificates.
Go to any host and see OS Settings or select "Show disk encryption key" in actions.

🕯️ More info (optional)

I've generated another MacOS Package to check if that fix the issue and reinstalled in the host and the situation is the same.

sharon-fdm commented 5 months ago

Thanks for filing this, Ariel. We will have a look soon.

sharon-fdm commented 4 months ago

@georgekarrv, I assigned Endpoint team by mistake. Can you please have a look?

roperzh commented 4 months ago

Hey @aortmann, thanks for reaching out.

Based on the screenshot, seems like your host is having trouble communicating via MDM with the server. When you say

also updated the apple certificates (because it expired)

Can you share more details about what certificates did you update and how? I'll double check the docs to make sure they clearly state this, but for renewing certs:

Server SCEP certificates expire every 10 years, you don't want to update these. The cert is used to:
- authenticate hosts
- encrypt the FileVault key in the database, so it's likely that this is the cause of your problems
APNs: you must always keep your APNs private key, and for renewals use https://identity.apple.com/pushcert/ and click on the "Renew" button, you don't want to generate a new keypair

Happy to help with more details once we have more details about the situation.

aortmann commented 4 months ago

About the server SCEP, I've reverted that change and now I can see the disk encryption keys again. Now, I've recovered the apple account (ex emplyee) used to generate the APN certificate, I renew it (it was expired) and changed the FLEET_MDM_APPLE_APNS_CERT_BYTES again and it fired the MDM off/on switch so all my employees need to do the enroll again, but everything is working now.

Later I'll work on a PR to show a disclaimer or send an alert about expiration times of the certificate, I think I'll be useful.

Thank you for everything.

fleet-release commented 4 months ago

In a city of glass, Keys unlock, settings take hold, Fleet sails smoother paths.

fleet-release commented 4 months ago

New Fleet version glows, Keys decrypt, systems in flow, Smooth as cloud shadows.

roperzh commented 4 months ago

@aortmann amazing, thank you for the update and your contribution will be very welcomed!!

we're about to start working on https://github.com/fleetdm/fleet/issues/10383 which will make things easier and prevent this issues 🎉