fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Add ABM Sync Details to Fleet UI #20702

Open ddribeiro opened 1 month ago

ddribeiro commented 1 month ago

Problem

As an IT Admin, I am not able to easily confirm my connection between ABM and Fleet is healthy in the Fleet UI.

This gives me fewer tools to troubleshoot ADE/ABM issues compared to other MDM products.

What have you tried?

In the Fleet UI, I went to Settings > Integrations > Automatic enrollment. This only tells me that I have automatic enrollment enabled on my Fleet server.

When I click the Edit button, I can see information about the ABM token and when it needs to be renewed. As an Admin, this is where I'd expect to find more details about my connection, like if the connection is healthy and when the last sync occurred.

Potential solutions

Somewhere in the Fleet UI, it would be beneficial to display information like:

As an Admin, I would expect to find this information in Settings > Integrations > Automatic enrollment > Edit.

What is the expected workflow as a result of your proposal?

A common scenario is a new macOS device does not catch the "Remote Enrollment" screen during the Setup Assistant. The end user proceeds through the Setup Assistant as normal and the result is an unmanaged device that is not enrolled in an MDM server. This is a situation where an IT admin needs to perform troubleshooting to resolve the "missed" enrollment. As an IT Admin, one of the first places I'd look is in my MDM product to make sure the device is assigned to my MDM product. If I don't see the device there, I'd look to see the last time a sync with ABM was completed (perhaps the device was recently assigned to the Fleet server in ABM and a sync hadn't taken place yet). If there was a button to trigger a manual sync, I could use that to resolve the issue.
JoStableford commented 1 month ago

Related to a Slack conversation

noahtalerman commented 1 month ago

A common scenario is a new macOS device does not catch the "Remote Enrollment" screen during the Setup Assistant.

Hey @ddribeiro do you know if our customers have run into this scenario using Fleet?

I'm trying to understand the urgency of this request. And whether there's a bug w/ the ABM sync.

Heads up that we sync w/ ABM every minute by default. Here's the server config option.

Let's assume Fleet is indeed syncing w/ ABM every minute. Do you think we still need a button to sync?

noahtalerman commented 1 month ago

I'd look to see the last time a sync with ABM was completed

@roperzh just curious, is this something we store in the Fleet DB? Trying to understand level of effort for exposing this in the UI.

roperzh commented 1 month ago

@noahtalerman we don't currently store this in the DB, but it would be simple to do. Estimate 3 for the back-end work

ddribeiro commented 1 month ago

@noahtalerman

Hey @ddribeiro do you know if our customers have run into this scenario using Fleet?

Yes, customer-epoch ran into this situation earlier this week and prompted the creation of this feature request. It turned out to be a quirk in their infrastructure. I don’t believe there is a bug in Fleet at this time.

However, there are many different components to a successful ADE enrollment. Correct assignment in ABM, the MDM server responding with the enrollment information in a timely manner, network conditions, and user behavior are all factors.

Having ABM sync details in Fleet would provide IT admins with a good starting point for troubleshooting the issue. When I’ve run into ADE issues in the past with other products, checking that ABM is syncing properly and the MDM discovered the device assignment (and when) were great first steps.

Let's assume Fleet is indeed syncing w/ ABM every minute. Do you think we still need a button to sync?

I don’t think we need a button if the sync period is every minute. Since this is user configurable, if a customer set their sync time to something longer (20 minutes, etc.), then I think the manual sync button becomes more valuable.

customer-rosner asked about a sync button earlier this week. I think because a) there is the expectation from using other MDM products that sync button exists in the UI and b) they did not know ABM syncs every minute and were not able to see last sync time in the UI.
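The thread above (storing the last sync time, the configurable sync interval, and deciding when a manual sync is worth offering) is the kind of state a server would keep to answer "is my ABM connection healthy?". The following is an added illustration, not Fleet's code: a hypothetical `ABMSyncStatus` record whose health check treats a sync as stale once more than two configured intervals have passed since the last success.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ABMSyncStatus is a hypothetical record of ABM sync health that an MDM
// server could persist and surface in its UI (illustrative, not Fleet's code).
type ABMSyncStatus struct {
	Interval        time.Duration // configured sync period (the thread says Fleet defaults to 1 minute)
	LastAttempt     time.Time
	LastSuccess     time.Time
	LastError       string
	ConsecutiveFail int
	DevicesSynced   int // devices ABM reported as assigned to this server at the last success
}

// RecordAttempt updates the record after one sync run, keeping the last
// successful device count when a later attempt fails.
func (s *ABMSyncStatus) RecordAttempt(at time.Time, devices int, err error) {
	s.LastAttempt = at
	if err != nil {
		s.LastError = err.Error()
		s.ConsecutiveFail++
		return
	}
	s.LastSuccess = at
	s.LastError = ""
	s.ConsecutiveFail = 0
	s.DevicesSynced = devices
}

// Healthy is true when a sync has succeeded within two intervals of now;
// the extra interval absorbs scheduler jitter without hiding a real outage.
func (s *ABMSyncStatus) Healthy(now time.Time) bool {
	return !s.LastSuccess.IsZero() && now.Sub(s.LastSuccess) <= 2*s.Interval
}

// Summary renders the one line an admin would want on the enrollment settings page.
func (s *ABMSyncStatus) Summary(now time.Time) string {
	if s.Healthy(now) {
		return fmt.Sprintf("ABM sync healthy: last success %s ago, %d devices assigned",
			now.Sub(s.LastSuccess).Round(time.Second), s.DevicesSynced)
	}
	if s.LastSuccess.IsZero() {
		return "ABM sync has never succeeded; last error: " + s.LastError
	}
	return fmt.Sprintf("ABM sync stale: last success %s ago, %d consecutive failures; last error: %s",
		now.Sub(s.LastSuccess).Round(time.Second), s.ConsecutiveFail, s.LastError)
}

func main() {
	// Constructed sample timeline: one good sync, then one failed attempt.
	base := time.Date(2024, 8, 16, 11, 0, 0, 0, time.UTC)
	s := &ABMSyncStatus{Interval: time.Minute}
	s.RecordAttempt(base, 12, nil)
	s.RecordAttempt(base.Add(time.Minute), 0, errors.New("ABM returned HTTP 401"))
	fmt.Println(s.Summary(base.Add(4 * time.Minute)))
}
```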

nonpunctual commented 3 weeks ago

@noahtalerman @marko-lisica I think the most important thing to surface is the list of synced devices from ABM.

In Jamf there is a page that shows all devices synced from ABM.

Each device in that list can be scoped to a PreStage Enrollment.

Seeing the list of devices that ABM & the MDM server are aware of & ready to be enrolled is critical feedback that admins using MDMs expect to see.

Both customer-eponym & prospect-redwine have raised this. Thanks.

roperzh commented 3 weeks ago

@ddribeiro @nonpunctual

I think the most important thing to surface is the list of synced devices from ABM.

This already exists in Fleet: hosts in ABM have a "pending" MDM enrollment status, and for Dogfood they can be seen here

This is documented here https://fleetdm.com/docs/using-fleet/mdm-setup#apple-business-manager-abm

@noahtalerman what seems like a regression (or maybe intentional?) is that I can't find a way to filter by pending anymore in the UI. I built the link I sent above by editing the query parameters. Could you confirm? I can file a bug.

marko-lisica commented 3 weeks ago

@roberto @nonpunctual There's a way to filter pending hosts in the UI as well. Go to Dashboard > MDM > Status (see screenshot)

[Screenshot 2024-08-16 at 11 39 40]