fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Apple Business Manager connection is broken/uneditable after ABM user is deleted #20090

Closed pacamaster closed 3 months ago

pacamaster commented 3 months ago

Fleet version: Fleet 4.52.0

Web browser and operating system: Current Browser and OS


💥  Actual behavior


🧑‍💻  Steps to reproduce

  1. Set up ABM on Fleet UI
  2. Revoke Apple ID that downloaded the token from the business manager
  3. Go back to Fleet UI and try to edit ABM

🕯️ More info (optional)

Related Log error

{"component":"nanodep-syncer","cron":"apple_mdm_dep_profile_assigner","cursor":"MTAwMDowOjE3MTk0MDkzNTUxMREDACTED","err":"Post \"https://mdmenrollment.apple.com/server/devices\": DEP auth error: 403 Forbidden: FORBIDDEN","level":"info","msg":"error syncing","name":"fleet","phase":"fetch","ts":"2024-06-28T16:13:11.002633489Z"}
{
  "message": "Bad request",
  "errors": [
    {
      "name": "base",
      "reason": "Get \"https://mdmenrollment.apple.com/account\": DEP auth error: 403 Forbidden: FORBIDDEN"
    }
  ],
  "uuid": "b52e50af-c339-REDACTED"
}
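
Added example (not part of the issue thread and not Fleet's own code): a small Go filter that scans JSON server log lines shaped like the entry above and flags `nanodep-syncer` errors that Apple rejected with `DEP auth error: 403 Forbidden`, so the broken ABM connection shows up in monitoring. The function names and the sample lines are assumptions constructed for this example.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// logLine holds the fields used from the log entry quoted in the issue.
type logLine struct {
	Component string `json:"component"`
	Cron      string `json:"cron"`
	Err       string `json:"err"`
	TS        string `json:"ts"`
}

// sampleLog is constructed for this example, modeled on the issue's entry.
const sampleLog = `{"component":"nanodep-syncer","cron":"apple_mdm_dep_profile_assigner","err":"Post \"https://mdmenrollment.apple.com/server/devices\": DEP auth error: 403 Forbidden: FORBIDDEN","level":"info","msg":"error syncing","ts":"2024-06-28T16:13:11Z"}
{"component":"http","level":"info","msg":"request","ts":"2024-06-28T16:13:12Z"}
not json at all
{"component":"nanodep-syncer","err":"Post \"https://mdmenrollment.apple.com/server/devices\": context deadline exceeded","level":"info","msg":"error syncing","ts":"2024-06-28T16:14:11Z"}`

// isDEPAuthFailure matches a nanodep-syncer error that Apple rejected with 403.
func isDEPAuthFailure(l logLine) bool {
	return l.Component == "nanodep-syncer" &&
		strings.Contains(l.Err, "DEP auth error: 403 Forbidden")
}

// scanDEPAuthFailures returns matching entries and the count of non-JSON lines skipped.
func scanDEPAuthFailures(log string) (hits []logLine, skipped int) {
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		var l logLine
		if err := json.Unmarshal(sc.Bytes(), &l); err != nil {
			skipped++ // tolerate plain-text lines mixed into the log
			continue
		}
		if isDEPAuthFailure(l) {
			hits = append(hits, l)
		}
	}
	return hits, skipped
}

func main() {
	hits, skipped := scanDEPAuthFailures(sampleLog)
	fmt.Printf("%d DEP auth failure(s), %d unparsable line(s): %+v\n", len(hits), skipped, hits)
}
```

Transient sync errors such as the constructed timeout line are deliberately not flagged; only the 403 auth rejection is.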

noahtalerman commented 3 months ago

George: Wrong token (token/key mismatch). This will happen for MSP users.

George: Delete the ABM user that created the token. This happened to the customer.

Copy: Invalid token. Please renew your token.

George: We're showing the banner when we get a 400.

noahtalerman commented 3 months ago

Hey @gillespi314! I'm working on some wireframes to update the UI/error message.

UPDATE: Here's the Figma: https://www.figma.com/design/HcEkSUyyqAtUuJ0lbKohOF/%F0%9F%AA%B2-%2320090-Apple-Business-Manager-connection-is-broken%2Funeditable-after-ABM-user-is-deleted?node-id=2-130&t=7bQUlB2o52APs0sa-1

noahtalerman commented 3 months ago

Hey @gillespi314 heads up, I moved this bug to the release board and assigned you (I forgot to on Friday).

I moved the bug to the awaiting QA column because it looks like your PR was merged.

cc @georgekarrv @PezHub

JoStableford commented 3 months ago

Related to a Slack conversation

PezHub commented 3 months ago

Went thru a couple different scenarios (as did the rest of the mdm team) to repro the broken state and was able to successfully renew after the fix was in place. Made sure to click the disable automatic enrollment button as well and can confirm it functions as expected.

Banner and copy updates look good too. (note: the laptop pic for "something went wrong" doesn't display in our dev env)

Note: If the customer no longer has a copy of the public-key.cert they will need to go thru the disable workflow. But at least now the UI will present them with options.

fleet-release commented 3 months ago

Broken link no more, Fleet mends the Apple tie, Cloud city restored.