fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Provide validation for custom automatic enrollment profiles #21397

Closed ddribeiro closed 1 month ago

ddribeiro commented 2 months ago

UPDATE: Closed this issue because it's a duplicate of the following issue:

(noahtalerman 2024-09-04)


Problem

Fleet allows IT admins to upload custom automatic enrollment profiles for ADE enrollments for Apple devices. If an invalid enrollment profile is uploaded, it could prevent devices from being synced from Apple Business Manager to Fleet.

Specifically, when a profile contains "is_mdm_removable": false but does not contain "is_supervised": true, it will cause the apple_mdm_dep_profile_assigner cron to fail with FLAGS_INVALID and newly assigned devices won't appear in Fleet.

What have you tried?

A customer created a custom automatic enrollment profile to customize the setup experience for end users by defining the skip_setup_items array.

However, the custom profile did not include an is_supervised property when is_mdm_removable was set to false. This caused a device assigned to Fleet in ABM to not be imported to their Fleet server.

Potential solutions

If Fleet was able to perform some validation on custom automatic enrollment profiles, it could prevent customers from uploading profiles that result in device assignment to Fleet always failing.

Requiring "is_supervised": true if "is_mdm_removable": false is the only situation I'm aware of where one property relies on the value of another. Apple's documentation for this is here.

What is the expected workflow as a result of your proposal?

If a Fleet admin tries to upload a custom automatic enrollment profile that contains incompatible values, Fleet would not accept the profile and would provide messaging to tell the user why the profile is not being accepted. The admin would be able to take action and correct the issue with the profile without needing to reach out to support.
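The check proposed above, as an added example that is not Fleet's own code: it parses a custom automatic enrollment profile and rejects the one combination the issue describes, `"is_mdm_removable": false` without `"is_supervised": true`. Key names come from the issue; the sample profile is constructed, and treating an absent `is_mdm_removable` as removable (so nothing to check) is an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ErrUnsupervisedNonRemovable is the message an admin would see instead of a
// silent FLAGS_INVALID failure in the apple_mdm_dep_profile_assigner cron.
var ErrUnsupervisedNonRemovable = fmt.Errorf(
	`"is_mdm_removable": false requires "is_supervised": true`)

// ValidateDEPProfile checks the dependency between is_mdm_removable and
// is_supervised before a profile is accepted. Other keys are not inspected.
func ValidateDEPProfile(raw []byte) error {
	var profile map[string]any
	if err := json.Unmarshal(raw, &profile); err != nil {
		return fmt.Errorf("profile is not valid JSON: %w", err)
	}
	removable, present := profile["is_mdm_removable"]
	if !present {
		// Assumption: an absent key means the default (removable), nothing to check.
		return nil
	}
	removableBool, isBool := removable.(bool)
	if !isBool {
		return fmt.Errorf(`"is_mdm_removable" must be a JSON boolean`)
	}
	if removableBool {
		return nil
	}
	// Non-removable: is_supervised must be present and exactly true.
	supervised, _ := profile["is_supervised"].(bool)
	if !supervised {
		return ErrUnsupervisedNonRemovable
	}
	return nil
}

func main() {
	// Constructed sample mirroring the customer's profile from the issue.
	sample := []byte(`{"skip_setup_items": ["Siri", "Diagnostics"], "is_mdm_removable": false}`)
	if err := ValidateDEPProfile(sample); err != nil {
		fmt.Println("rejected:", err)
	}
}
```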

nonpunctual commented 2 months ago

Related: https://github.com/fleetdm/fleet/issues/17558

noahtalerman commented 1 month ago

Hey @ddribeiro and @nonpunctual I closed this issue because I think it's a duplicate of the following issue:

Please feel free to re-open if I'm wrong!

fleet-release commented 1 month ago

Check profiles with care, Devices sync through thin air, Fleet aids, errors spare.