For a specific host, indicate when MDM features broken

marko-lisica commented 4 months ago

Goal

User story
As an IT admin,
I want to know when MDM features are broken for a specific host (for ex. SCEP cert expired, APNs cert removed from Fleet, or not communicating via MDM protocol for some other reason)
so that I can troubleshoot w/ the end user.

Context

Product designer: @marko-lisica

Changes

Product

[ ] UI changes: TODO
[ ] CLI usage changes: TODO
[ ] REST API changes: TODO
[ ] Fleet's agent (fleetd) changes: TODO
[ ] Permissions changes: TODO
[ ] Outdated documentation changes: TODO
[ ] Changes to paid features or tiers: TODO

Engineering

[ ] Database schema migrations: TODO
[ ] Load testing: TODO

ℹ️ Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

Requires load testing: TODO
Risk level: Low / High TODO
Risk description: TODO

Manual testing steps

Step 1
Step 2
Step 3

Testing notes

Confirmation

[ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
[ ] QA (@____): Added comment to user story confirming successful completion of QA.

marko-lisica commented 3 months ago

We wasn't able to estimate this one in the current sprint. Moving it back to feature fest.

marko-lisica commented 3 months ago

From discussion with Roberto:

If MDM is turned off, we don't show many MDM related stuff in the UI, we should consider this when MDM is broken (if we want to hide actions, profiles, etc.)
We have SCEP expiration date in the DB but need to send that to the UI (API)

noahtalerman commented 2 months ago

Zach: Another case is that the device just isn't checking in for some reason.

Noah: Sounds like we'd need some kind of heuristic to decide what "not checking in" means.

Zach: Maybe something like if host is online and it has pending MDM work and it's not checking in.

Zach: First step would be adding timestamps to API so we can debug and users can answer themselves.

Roberto: Check in time is in the DB already. Last push time doesn't exist yet.

dherder commented 2 months ago

Additional to server side logging, it might be nice to have mdmclient logs as well. Maybe we can stuff the mdmclient logs into an osquery table, similar to how we collect fleetd logs? https://micromdm.io/blog/troubleshoot-dep/

noahtalerman commented 2 months ago

Brock: There's some utility that you can ask for MDM health. @nonpunctual can you please share a link to that utility?

Noah: Maybe we can write a script or run a query to get that info.

nonpunctual commented 2 months ago

@noahtalerman @marko-lisica It would better if we didn't re-invent this wheel. :) https://9to5mac.com/2023/11/04/mac-evaluation-utility/

I have access to AppleSeed For IT & I have the most recent MEU version.

UPDATE: Noah: Here's the latest MEU in drive (internal): https://drive.google.com/drive/folders/1sKYJLlZrZ85Xd2TBl_uPcCsTpJOl4IJ9

noahtalerman commented 2 months ago

Hey @zwass and @nonpunctual heads up that this request didn't make the 3 week drafting => estimation timeline so we're deprioritizing it.

Please add it to feature fest if you think we should consider prioritizing. Is it blocking us (dogfooding) or a customer?

fleetdm / fleet