.mobileconfig files deleted during default MDM migration workflow

[bo7k4]

Fleet 4.53.0: Chrome Version 126.0.6478.127 - macOS:

---

💥  Actual behavior

As documented in the MDM migration flow, it mentions to install the fleetd agent, re-assign the device to the fleet ABM server, then proceed to delete the device from the current MDM provider. Our MDM platform, Jumpcloud deletes all existing profiles, including any MDM profiles deployed by the initial install of the fleetd agent. We are attempting to deploy the agent at scale to avoid doing this manually for each device with physical hardware, but this problem might slow us down in terms of migrating to fleet. ### 🧑‍💻  Steps to reproduce

1. Install Fleetd agent
2. Unassign device from current ABM server
3. Assign device to Fleet ABM server
4. Delete system from current MDM platform
5. Mobile configs disappear, including fleetdm configuration files
6. OS settings in fleet remain in pending state (picture attached)

🕯️ More info (optional)

System is deleted first from current MDM, but then removes the ability for us to deploy the fleetd.pkg agent at scale. ### 🛠️ To fix --> introduce a way to manually re-sync/re-deploy the OS settings that are held in pending state.

[georgekarrv]

Thanks for creating this issue! We'll take a look here shortly

[Patagonia121]

@georgekarrv was the team able to look into this one yet? Or since it's been tagged to 4.55, does that mean we're going to not get to this in the upcoming sprint?

[georgekarrv]

The plan is to try and reproduce this Monday after our current release is finished being QA'd and then when we better understand it try to help. When this was discussed in scrum we are not sure 100% what is happening since Fleet doesn't delete these we believe this may be the previous MDM server initiating this behavior.

[lukeheath]

@PezHub @georgekarrv Looks like this slipped off the radar this week.

[PezHub]

sure did, apologies.

If jumpcloud is deleting the Fleet MDM profiles when removed then our current migration workflow will def fail.

@bo7k4 for step 4., when you delete the system from jumpcloud are you initiating that from the jumpcloud dashboard or via some other method?

[PezHub]

after poking around jumpcloud's documentation I noticed it says when deleting devices via the Jumpcloud Portal only the agent is removed and "The user, the user's password, local files and profile data, and device policies will remain on the device after the JumpCloud Agent is uninstalled." It sounds like you are experiencing something different or perhaps deleting the devices via a different method?

I also noticed there's a way to remove the MDM configuration via API and was curious if you'd tried that?

Any additional info would be great, we'd love to help you get your devices migrated!

[bo7k4]

Hello! Sorry for the late reply, I am in fact carrying out the deletion of the device via API because this is the faster method for us to remove in bulk. After installing the fleet agent and issuing the DELETE api call for a specific systemID, unfortunately all policies assigned (policies are mobileconfig files) get removed.

I tried both methods, via API and via the portal, still the result was the same.

I can reach out to their support to confirm why this is happening and also update this case, but having a feature that can push out the policies once more within fleet would be very beneficial, just in case circumstances like these do happen.

[PezHub]

got it, thanks for the additional info! Please let us know what jumpcloud support says and we can go from there. If needed, we can create a separate feature request to try and address your specific use case.

[bo7k4]

Hey! Would it be possible to confirm if there where any changes to the logic on when the agent pulls/installs the mobileconfig files when fleetd is installed, and also prior to turning on MDM within fleet.instance/device/UUID?

It seems it isn't pre-installing the initial mdm mobileconfigs, and in short resolves my issue above.

It would still be a nice to have some sort of push mechanism to re-send any mobileconfigs that remain in pending state though!

[PezHub]

Hi @bo7k4 , I'm glad to hear the issue is resolved! No we have not made any recent changes to the logic regarding mobileconfig installs during fleetd installs. Thanks for following up and feel free to submit any feature requests or issues going forward.

[fleet-release]

Manual sync option blooms, Files saved, migration smooth, Fleet's light in cloud looms.