Restricting the deployment of a config profile to a group of hosts defined by a label exclusion results in the profile getting deployed when it shouldn't. For example, I want to restrict the installation of a dock config profile (which customizes the app aliases in the dock) so that hosts which do not have specific software installed are excluded. If I were to install this dock config profile on a host that did not have the custom software installed, the app icons would not display properly (they would appear in the dock as question marks, because the apps are not present).
When a device first enrolls into Fleet, it seems that there is some delay in the population of the label. As a result, even if the criteria for the exclusion are met, the label has not yet been applied to the host. Thus, the exclusion does not get applied and the config profile gets deployed to hosts that should not get the profile. This results in end user confusion and a poor user experience.
The above use case is just one example. There could be more impactful outcomes where config profiles that control restrictions, certificate provisioning, etc. could be deployed to hosts that shouldn't receive them.
🧑💻 Steps to reproduce
Create a dynamic label to detect the absence of 3 software titles:
WITH app_check AS (
  SELECT
    -- MAX() over zero matching rows yields NULL, not 0; COALESCE keeps the
    -- comparison below from evaluating to NULL on a host with none of the apps
    COALESCE(MAX(CASE WHEN name = 'Slack.app' THEN 1 ELSE 0 END), 0) AS has_slack,
    COALESCE(MAX(CASE WHEN name = 'Firefox.app' THEN 1 ELSE 0 END), 0) AS has_firefox,
    COALESCE(MAX(CASE WHEN name = 'zoom.us.app' THEN 1 ELSE 0 END), 0) AS has_zoom
  FROM apps
  WHERE name IN ('Slack.app', 'Firefox.app', 'zoom.us.app')
)
SELECT
  CASE
    WHEN has_slack = 0 AND has_firefox = 0 AND has_zoom = 0 THEN 1
    ELSE 0
  END AS missing_all_apps
FROM app_check
-- a host is a member of the dynamic label when the query returns a row
WHERE missing_all_apps = 1;
Ensure that at least one of the apps listed above does not exist on a test host.
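An added, runnable check (not part of this issue or of Fleet's code) that runs the label query against a constructed in-memory SQLite table standing in for osquery's `apps` table. It shows that without COALESCE the aggregate query never matches a host that has none of the three apps, because MAX() over zero rows is NULL, while the COALESCE-guarded version does; the host app lists are constructed sample data.

```python
import sqlite3

# Label query without COALESCE: MAX() over zero matching rows yields NULL, so the
# has_* = 0 comparisons become NULL and a host with none of the apps is never labelled.
QUERY_NO_COALESCE = """
WITH app_check AS (
  SELECT MAX(CASE WHEN name = 'Slack.app' THEN 1 ELSE 0 END) AS has_slack,
         MAX(CASE WHEN name = 'Firefox.app' THEN 1 ELSE 0 END) AS has_firefox,
         MAX(CASE WHEN name = 'zoom.us.app' THEN 1 ELSE 0 END) AS has_zoom
  FROM apps WHERE name IN ('Slack.app', 'Firefox.app', 'zoom.us.app'))
SELECT CASE WHEN has_slack = 0 AND has_firefox = 0 AND has_zoom = 0
            THEN 1 ELSE 0 END AS missing_all_apps
FROM app_check WHERE missing_all_apps = 1;
"""

# Same query with every aggregate wrapped in COALESCE(..., 0).
QUERY_COALESCE = QUERY_NO_COALESCE
for app in ("Slack.app", "Firefox.app", "zoom.us.app"):
    expr = f"MAX(CASE WHEN name = '{app}' THEN 1 ELSE 0 END)"
    QUERY_COALESCE = QUERY_COALESCE.replace(expr, f"COALESCE({expr}, 0)")


def label_matches(query, installed_apps):
    """Return True if a host with these apps would be a member of the label.

    A Fleet dynamic label contains every host for which the query returns at
    least one row. The `apps` table here is a constructed stand-in for
    osquery's table, holding only the `name` column the query uses.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE apps (name TEXT)")
    conn.executemany("INSERT INTO apps (name) VALUES (?)",
                     [(a,) for a in installed_apps])
    rows = conn.execute(query).fetchall()
    conn.close()
    return len(rows) > 0


if __name__ == "__main__":
    bare_host = ["Safari.app", "Mail.app"]          # constructed: none of the 3 apps
    print(label_matches(QUERY_NO_COALESCE, bare_host))  # False: NULL aggregates
    print(label_matches(QUERY_COALESCE, bare_host))     # True
    print(label_matches(QUERY_COALESCE, ["Slack.app"]))  # False: one app present
```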
Fleet version: 4.57.0
Web browser and operating system: n/a
💥 Actual behavior
Actual Result
Config profile gets deployed
Expected Result
The label should be populated before the config profile is pushed, so that the exclusion is honored and the config profile is not installed.