fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

VPP Apps (from previous Token) remain available to install on Host after VPP Token is changed or removed for that Team #21804

Closed PezHub closed 1 week ago

PezHub commented 1 week ago

Fleet version: 4.56

Web browser and operating system: any


💥  Actual behavior

When changing (or removing) a VPP Token for a team, the previous VPP token's apps remain available for install for hosts that are members of that team.

🧑‍💻  Steps to reproduce

  1. Assign a VPP App (enable Self-service) from Org A to Team A.
  2. Move Team A to Org B that has a different VPP Token.
  3. Refetch host. Note Org A's VPP apps are still available for install on the host

Option B - remove a VPP token from a team after VPP apps are added to a host and observe the Apps remain available for install.

🕯️ More info (optional)

Slack convo

🛠️ To fix

The team decided that if the VPP App is in a pending state when the token is changed, it should be left alone and the installation allowed to complete.

georgekarrv commented 1 week ago

Is the bug here that the self-service available apps have not been updated? Are they removed eventually?

PezHub commented 1 week ago

Was moving too quickly when creating the title and description. Edited to be more accurate.

georgekarrv commented 1 week ago

I think the goal here would be that if the token is removed, we remove all apps from that team. If the token is changed, we need to verify, for each app that was added, whether it's still available to that token (since renew would change but we don't want to put the admin through having to add all apps back).

If this is too much effort, I would say just removing all apps when the token is removed might be enough. @noahtalerman thoughts?
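The two options in the comment above (drop every app, or re-check each app against the new token), as an added example that is not part of the thread and not Fleet's code. The `Team` type, `SetToken`, `CanInstall`, and the token and app IDs are hypothetical.

```go
package main

import (
	"fmt"
	"sort"
)

// Team is a hypothetical model for illustration, not Fleet's schema.
type Team struct {
	TokenID string          // "" means no VPP token is assigned
	Apps    map[string]bool // app IDs offered to the team's hosts
	Pending map[string]bool // app IDs with an install already in flight
}

// SetToken changes the team's VPP token, or removes it when newToken is "".
// licensed maps a token ID to the app IDs that token covers. With recheck
// false every app is dropped on any token change (the low-effort option from
// the thread); with recheck true, apps the new token also covers are kept.
// Pending installs are never touched. It returns the removed app IDs, sorted.
func SetToken(t *Team, newToken string, licensed map[string]map[string]bool, recheck bool) []string {
	if newToken == t.TokenID {
		return nil // same token, nothing to revoke
	}
	var removed []string
	for id := range t.Apps {
		if recheck && newToken != "" && licensed[newToken][id] {
			continue // still covered by the new token
		}
		removed = append(removed, id)
		delete(t.Apps, id)
	}
	t.TokenID = newToken
	sort.Strings(removed)
	return removed
}

// CanInstall is the check a self-service request should pass: the team must
// hold a token and the app must still be on the team's list.
func CanInstall(t *Team, appID string) bool {
	return t.TokenID != "" && t.Apps[appID]
}

func main() {
	// Constructed sample data.
	licensed := map[string]map[string]bool{"orgB": {"app-2": true}}
	t := &Team{TokenID: "orgA", Apps: map[string]bool{"app-1": true, "app-2": true}, Pending: map[string]bool{"app-1": true}}
	fmt.Println(SetToken(t, "orgB", licensed, true), CanInstall(t, "app-1"), t.Pending["app-1"])
}
```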

lukeheath commented 1 week ago

@georgekarrv Agreed we should go with the low effort for now, which is removing all apps. That doesn't expose anything it shouldn't, and we can improve in an iteration.

lukeheath commented 1 week ago

And we can document that changing a team's VPP token means you'll need to re-add apps to the hosts.

noahtalerman commented 1 week ago

> Agreed we should go with the low effort for now, which is removing all apps. That doesn't expose anything it shouldn't, and we can improve in an iteration.

Agreed.

> document that changing a team's VPP token means you'll need to re-add apps to the hosts.

Quick win would be adding copy for this in the "Edit teams" modal. In a follow-up after the 4.56 release. Filed a feature request for this here so we don't forget: #21827

cc @georgekarrv @PezHub @lukeheath

PezHub commented 1 week ago

QA Notes: I can confirm running through various scenarios (including those mentioned above) that all of the VPP apps are removed from the Host when the token is changed or deleted.

fleet-release commented 1 week ago

Old tokens linger on,
Yet, fleet adapts and moves forth,
In cloud city's dawn.