fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Improve backend determination of `mdm.connected_to_fleet` to account for cases where Fleet doesn't receive the MDM "Checkout" message for Apple devices #20057

Open gillespi314 opened 2 weeks ago

gillespi314 commented 2 weeks ago

Bringing over some additional info from Slack and examining the API responses from Noah's "My device" page:

Sarah Gillespie: Have you done anything unusual with this device (maybe erased all content and settings) that could explain why MDM is turned off? Fleet still thinks that you’re connected_to_fleet, which means that there is still an active nanoMDM enrollment record for this device in the Dogfood DB. This can happen when Fleet/nano never receives the “Checkout” message from the device that the MDM protocol specifies as the MDM-unenrollment signal.

Noah Talerman: I turned MDM off manually (removed the enrollment profile)

Fleet still thinks that you’re connected_to_fleet

Oh interesting. Sounds like a bug?

Sarah Gillespie: We saw something related to this when QA’ing recent changes. My understanding from Roberto is that this is currently an expected side-effect of how connected_to_fleet was defined (it is connected if there is an entry for the device in nano) and of the limitations of the MDM protocol checkout flow (we only know to delete nano entries when we receive a checkout message). To handle this case, we’ll need some additional product specification on what to do about stale/orphaned entries. But it is tricky to distinguish between different scenarios and to define the edges. I’ll move this convo to the GitHub issue.

Originally posted by @gillespi314 in https://github.com/fleetdm/fleet/issues/19951#issuecomment-2195183767

roperzh commented 2 weeks ago

I have been thinking about this. I think a compromise between https://github.com/fleetdm/fleet/pull/19906 and the current state would be to JOIN with host_mdm in the queries that determine connected_to_fleet and assume it's not connected if MDM is off.
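
The two rules discussed in this thread, written out as MySQL queries. This is an added illustration, not Fleet's actual query or schema: the table names `nano_enrollments` and `host_mdm` come from the thread, but the column names (`hosts.uuid` matching `nano_enrollments.id` for Device-type enrollments, `nano_enrollments.enabled`, `host_mdm.host_id` and `host_mdm.enrolled`) are assumptions made for the example.

```sql
-- Added example; not Fleet's own query. Column names are assumed (see lead-in).

-- Current rule described above: a host is "connected" iff an active nanoMDM
-- enrollment row still exists for it. This stays true after a user removes
-- the enrollment profile if the device never sends the MDM CheckOut message,
-- because nothing else deletes/disables the nano_enrollments row.
SELECT h.id,
       h.uuid,
       EXISTS (
         SELECT 1
           FROM nano_enrollments ne
          WHERE ne.id = h.uuid          -- assumed: enrollment id == host UUID
            AND ne.type = 'Device'      -- assumed: ignore User-channel enrollments
            AND ne.enabled = 1
       ) AS connected_to_fleet
  FROM hosts h;

-- Proposed compromise: additionally require host_mdm (populated from the host's
-- osquery `mdm` table on check-in) to report MDM as on. When the profile is
-- removed, osquery reports enrolled = 0 even though no CheckOut arrived.
SELECT h.id,
       h.uuid,
       (ne.id IS NOT NULL AND COALESCE(hm.enrolled, 0) = 1) AS connected_to_fleet
  FROM hosts h
  LEFT JOIN nano_enrollments ne
         ON ne.id = h.uuid
        AND ne.type = 'Device'
        AND ne.enabled = 1
  LEFT JOIN host_mdm hm
         ON hm.host_id = h.id;          -- assumed column name

-- Diagnostic for the stale/orphaned-entry case the thread is about: active nano
-- enrollments whose host no longer reports MDM as enrolled (or has no host_mdm
-- row at all).
SELECT h.id,
       h.hostname,
       ne.last_seen_at
  FROM hosts h
  JOIN nano_enrollments ne
    ON ne.id = h.uuid
   AND ne.type = 'Device'
   AND ne.enabled = 1
  LEFT JOIN host_mdm hm
    ON hm.host_id = h.id
 WHERE COALESCE(hm.enrolled, 0) = 0;
```

Caveat for anyone adopting the join: `host_mdm` only changes when fleetd is still installed and checking in (the QA scenario below removes the MDM profile while fleetd stays installed). If the user also removes fleetd, `host_mdm` goes stale along with the nano enrollment, so the join narrows the gap rather than closing it; a missing or long-unrefreshed `host_mdm` row is the remaining edge case to define in the product spec.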

PezHub commented 4 days ago

QA Notes:

Ran through several different scenarios (similar to QA steps for #19951), including removing the MDM profile while fleetd was still installed. Looking at various tables in the DB (nano_enrollments, host_mdm), things are looking good, as well as in the UI. I noticed another bug that showed the host was never added to Fleet after manually removing the profiles, but that should be fixed with #20059.