Closed dherder closed 1 day ago
the unlock PIN is only available via API and UI when the device actually checks in and receives the lock device command (moved from Pending to Locked)
Hey @dherder I think one can get the unlock PIN right after they issue the lock command using the Unlock host API endpoint here.
My understanding is that endpoint returns the PIN for macOS hosts even before the host receives the lock command.
@rachaelshaw let me know if I'm wrong about the above.
@noahtalerman the PIN exists as soon as the lock command is sent, but the API may still throw an error. Looks like we didn't specify whether the error message applies to all platforms: https://www.figma.com/design/FCmmIh1y1DTzlRF5JsH3wh/%239949-%26-%239951-Remote-lock-and-remote-wipe-for-macOS%2C-Windows%2C-and-Linux?node-id=471-5125&t=lPOsipN6ncTb4gqu-1
@noahtalerman when I run a query to the unlock
endpoint with a host that has a pending lock, I get an empty response, not an error. If this is the case, based on what you've noted above, this appears to be a bug. Can you confirm please?
Hey @dherder can you please file a bug for it but add it to the drafting board (:product
) instead of the release board?
I think we want to bring this to design review to dig into the expected behavior.
cc @rachaelshaw
@noahtalerman I updated the title and added steps to repro. Are the labels correct?
@dherder looks good! Thanks.
@rachaelshaw passed this one to you. I think let's discuss during our next design review.
hey @noahtalerman is there any feedback on this yet?
it seems that the unlock PIN is only available via API and UI when the device actually checks in and receives the lock device command
Hey @zayhanlon it looks like we designed it to work this way but we got it wrong!
Because the feature was built as intended, I removed the bug
label and added story
. I pulled this story into the current design sprint which means we're targeting shipping the improvement in the next engineering sprint (target date 2024-07-15)
We can accelerate this as-needed if the target ship date will slow down the customer's migration. Let me know.
@noahtalerman i hate to use the 'escalate' button too frequently, but that won't work for migration timelines here. let me know if there's anything i can help with in terms of re-prioritizing customer asks in the current sprint but would be great to push this through faster
@dherder @alexmitchelliii FYI
The team will be building out their ITIL workflows that will involve capturing the lock code when an employee is offboarded. With the way the feature is designed today, they can't do that and will be forced down a manual road of checking when the device comes online to capture the code manually. This is a really bad experience, especially for crucial actions like an employee offboarding where you want things to go smoothly.
Hey @dherder heads up, I updated this issue to the user story format and moved your original issue description below for safekeeping.
customer-rosner wants to record the lock device PIN as soon as a lock device command is issued. The problem is, it seems that the unlock PIN is only available via API and UI when the device actually checks in and receives the lock device command (moved from Pending to Locked). Today, there does not seem to be a way to get that PIN at the time of the Lock device command is issued.
More context: recording the unlock PIN in a ticketing system is the background on why the PIN needs to be captured as soon as the command is executed. If the device is offline, they would still like to record the PIN at that time of issuance.
The only way I could find to get the command results payload is via this deprecated api, we should add this to the public api.
unlock
endpoint (https://fleetdm.com/docs/rest-api/rest-api#unlock-host)When making the GET request, the unlock PIN should be returned
Hey @dherder, instead of returning the PIN via the POST /hosts/:id/unlock
API endpoint (as discussed during today's product office hours), the updated plan it to return the PIN in the response for the POST /hosts/:id/lock
API endpoint.
Check out the API wireframes here: https://github.com/fleetdm/fleet/pull/19671/files
Why? This is the quickest iterative change we can make.
Do you know if this works for the requestors ticket creation workflow? Please feel free to tag them here in GitHub if they're cool with that :)
@noahtalerman yes, this approach works for the customer.
Hey @lukeheath, I think we want to pull it into the current sprint (target date 2024-06-24). I added the P2
label. See @zayhanlon's comment re next sprint being too slow here.
The story is settled but hasn't been estimated. I don't think it should be a huge lift (could be wrong). It's a change to one API endpoint (see issue description).
I think either the MDM or Endpoint Ops team is equipped to take it. Both teams have contributors who are familiar with the lock feature. Up to you and the EMs.
Est (just BE changes): BE 2 (bold est)
@noahtalerman @zayhanlon Since this blocks the existing migration timeline it justifies an escalation to P2. I've moved this to the release board and assigned @sharon-fdm.
@noahtalerman This seems like an MDM task but you re-labeled to EO. I'm assuming EO is assisting MDM on this, so I've added the appropriate label. Let me know if I'm mistaken.
@sharon-fdm Please make sure this merges before freeze next week. We will need to be more stringent about merging features after freeze as part of our effort to get release on the target release dates.
@zayhanlon @noahtalerman The fix is on main. We can put this into the upcoming 4.51.2 patch if needed.
Yes please! @getvictor
On main the Lock action is no longer present in the UI.
[13:38:48 gkarr@redbeast fleet] (main)$ ./build/fleetctl mdm lock --host A6D72F40-8BF3-51C0-9DD2-F7BDD1477EB2
Warning: Version mismatch.
Client Version: fleet-v4.51.0-128-gb01389ad3-dirty
Server Version: 0.0.0-SNAPSHOT-b01389a
The host will lock when it comes online.
Copy and run this command to see lock status:
fleetctl get host A6D72F40-8BF3-51C0-9DD2-F7BDD1477EB2
When you're ready to unlock the host, copy and run this command:
fleetctl mdm unlock --host=A6D72F40-8BF3-51C0-9DD2-F7BDD1477EB2
No unlock pin for fleetctl
[13:58:32 gkarr@redbeast fleet] (main)$ ./build/fleetctl api -X POST /api/v1/fleet/hosts/2/lock
Warning: Version mismatch.
Client Version: fleet-v4.51.0-128-gb01389ad3-dirty
Server Version: 0.0.0-SNAPSHOT-b01389a
{
"unlock_pin": "373403"
}
Raw api on an online host works as expected but there is currently no activity that I viewed the pin
[13:58:45 gkarr@redbeast fleet] (main)$ ./build/fleetctl api -X POST /api/v1/fleet/hosts/2/lock
Warning: Version mismatch.
Client Version: fleet-v4.51.0-128-gb01389ad3-dirty
Server Version: 0.0.0-SNAPSHOT-b01389a
{
"unlock_pin": "128604"
}
Raw api on an offline host works as expected but there is currently no activity that I viewed the pin.
So the main break that needs to be addressed is that this host w/ mdm On cannot use the mdm features from the UI anymore.
And address the missing activity that the user who locked the device viewed the pin
I tested Fleet with the changes as of now (commit e2ab9a2fe8c7f71598835ef90c851f0f13e09ecd)
Tests performed:
A) Locked+unlocked a macOS device via the UI successfully.
B) Locked+unloacked a macOS device using the API with view_pin=true
successfully.
You can see the activity for the first lock via the UI has view_pin: false
and the second activity for the second lock via the API has view_pin: true
.
C) Locked+unlocked a Windows 10 device through the UI successfully. D) Locked+unlocked a Windows 10 device through the API sucessfully.
@noahtalerman TODO: when you get the chance could you add new PR for the API changes and merge it.
✅ Docs merged
Unlock PIN at hand, Swiftly tracks the host through clouds, Fleet ensures safe land.
Goal
Context
Changes
Product
20123
Engineering
QA
Risk assessment
Manual testing steps
Original lock/unlock flow
New lock/unlock flow
Testing notes
Confirmation