Old MDM commands run when touchless migration script is run twice

[zwass]

Fleet version: 4.54.0

Web browser and operating system: macOS

---

💥  Actual behavior

Reproduced with VM: https://www.loom.com/share/3288ed4e9c1b4bb38fd9f18cf25f0e5b

A customer (customer-rosner) ran into this issue. When there are pending MDM commands and a host is deleted (and even un-enrolled), those commands run when the device re-enrolls. This causes unexpected side effects (eg. the customer is asking why there were RemoveProfile commands sent).

🧑‍💻  Steps to reproduce

1. Enroll a macOS device
2. Take the device offline so that it doesn't run MDM commands
3. Enqueue commands (eg. by changing teams so that a new set of profiles is calculated)
4. Unenroll the device and delete it in Fleet
5. Reenroll the device
6. All of the pending commands now run

🕯️ More info (optional)

The customer's expectation is that when the device is deleted in Fleet, any pending MDM commands are cancelled.

[roperzh]

@zwass thanks for the amazing description. When you say re-enroll, is this using ADE/Manual enrollment or via touchless migration?

When the device enrolls we're technically cleaning the queue

https://github.com/fleetdm/fleet/blob/098087b6979b06221b261338c773aa300929f096/server/mdm/nanomdm/service/nanomdm/service.go#L118-L123

[roperzh]

hey @zwass we verified the other day by accident with Sarah and Martin that any commands enqueued prior to re-enrollment are not sent (marked as disabled in the database) and it reminded me of this.

I suspect of the migration script, is it okay if I adjust the issue title/description accordingly?

[jahzielv]

@roperzh do you still think that this could be the migration script, or is this OK to grab and start debugging?

[roperzh]

I'm @jahzielv 99% sure it's related to the migration

[fleet-release]

Old commands at bay, Touchless script grants clear path, Peace in re-enroll's sway.