fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

hosts might fail to renew enrollment profiles if they're moved to a team with SSO off #19185

Open spokanemac opened 1 month ago

spokanemac commented 1 month ago

Fleet version: 4.493

Web browser and operating system: macOS 14.2.1-14.4.1


💥  Actual behavior

Hosts that enrolled with an enroll_reference in the URL and are moved to a team with SSO off (or vice-versa) get an error when they run sudo profiles renew --type enrollment

sudo profiles show --type enrollment
sudo profiles renew --type enrollment


🧑‍💻  Steps to reproduce

  1. Set up MDM SSO for a team, Team SSO on
  2. Assign a host to Team SSO on
  3. Turn on MDM features for that host using ADE
  4. Move the host to a team that doesn't have SSO on
  5. Run sudo profiles renew --type enrollment

🕯️ More info

This happens because, for re-enrollments, the server URL in the enrollment profile that's being sent needs to be an exact match with the URL in the installed enrollment profile.
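A small diagnostic, added here as an example and not part of Fleet or this issue, that shows the exact-match failure described above: it pulls ServerURL out of the installed enrollment profile (a constructed sample plist, with a placeholder enroll_reference value) and compares it with the URL the server would send for the host's new team, reporting which query parameter differs. The renewal URL for a team with SSO off is assumed to have no enroll_reference parameter.

```python
import plistlib
from urllib.parse import urlsplit, parse_qs

# Constructed sample enrollment profile (not a real Fleet profile): the
# ServerURL carries an enroll_reference parameter, as for a host enrolled
# into a team with end user authentication (SSO) turned on.
INSTALLED_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.mdm</string>
    <key>ServerURL</key>
    <string>https://fleet.example.com/mdm/apple/mdm?enroll_reference=REF_PLACEHOLDER</string>
    <key>CheckInURL</key><string>https://fleet.example.com/mdm/apple/mdm</string>
  </dict></array>
</dict></plist>"""

# Assumed URL embedded in the renewal profile for a team with SSO off:
# same endpoint, no enroll_reference parameter.
RENEWAL_URL = "https://fleet.example.com/mdm/apple/mdm"


def mdm_server_url(profile: bytes) -> str:
    """Return ServerURL from the com.apple.mdm payload of an enrollment profile."""
    for payload in plistlib.loads(profile).get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.mdm":
            return payload["ServerURL"]
    raise ValueError("no com.apple.mdm payload in profile")


def renewal_matches(installed_url: str, renewal_url: str) -> bool:
    """Renewal needs an exact match, so compare the full strings as-is."""
    return installed_url == renewal_url


def explain_mismatch(installed_url: str, renewal_url: str) -> list:
    """Describe why the URLs differ; empty list when they match exactly."""
    old, new = urlsplit(installed_url), urlsplit(renewal_url)
    reasons = []
    if old._replace(query="") != new._replace(query=""):
        reasons.append("base URL differs")
    old_q, new_q = parse_qs(old.query), parse_qs(new.query)
    for key in sorted(set(old_q) | set(new_q)):
        if old_q.get(key) != new_q.get(key):
            reasons.append(f"query parameter {key!r}: {old_q.get(key)} -> {new_q.get(key)}")
    return reasons


if __name__ == "__main__":
    installed = mdm_server_url(INSTALLED_PROFILE)
    print("match" if renewal_matches(installed, RENEWAL_URL)
          else explain_mismatch(installed, RENEWAL_URL))
```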

spokanemac commented 1 month ago

Additional reference threads:

https://fleetdm.slack.com/archives/C071NNMSP2R/p1716299716503059

https://fleetdm.slack.com/archives/C019WG4GH0A/p1715977775515389?thread_ts=1715974223.249539&cid=C019WG4GH0A

PezHub commented 1 hour ago

QA Notes: worked with @gillespi314 and found additional edge cases that weren’t anticipated that would lead to regressions if we move forward with the proposed changes. The root of the problems we are now seeing seems to be that we don’t have a solid specification for the expected UX when end user auth changes for a device and related questions around when to delete old MDM IdP accounts that are associated with a host UUID