fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Scoping config profile deployment with label exclusions is flaky #22162

Open dherder opened 1 day ago

dherder commented 1 day ago

Fleet version: 4.57.0

Web browser and operating system: n/a


💥  Actual behavior

Restricting the deployment of a config profile to a group of hosts defined by a label exclusion results in the profile getting deployed when it shouldn't. For example, I want to restrict the installation of a dock config profile (customizes the app aliases in the dock) such that I'm excluding hosts that do not have specific software included. If I were to install this dock config profile to a host that did not have the custom software installed, the app icons would not display properly (they would appear in the dock as question marks, because the apps are not present).

When a device first enrolls into Fleet, it seems that there is some delay in the population of the label. As a result, even if the criteria for the exclusion are met, the label has not been registered to the host. Thus, the exclusion does not get applied and the config profile gets deployed to hosts that should not get the profile. This results in end user confusion and a poor user experience.

The above use case is just one example. There could be more impactful outcomes where config profiles that control restrictions, certificate provisioning, etc. could be deployed to hosts that shouldn't receive them.

🧑‍💻  Steps to reproduce

  1. Create a dynamic label to detect the absence of 3 software titles:
    -- osquery SQL for the dynamic label. COALESCE(..., 0) is needed because the
    -- CTE filters the apps table down to the three names: when none of them is
    -- installed the CTE aggregates over zero rows, MAX() returns NULL, and the
    -- comparison "has_x = 0" would be NULL rather than true, so the label would
    -- never match exactly the hosts it is meant to catch.
    WITH app_check AS (
        SELECT
            COALESCE(MAX(CASE WHEN name = 'Slack.app'   THEN 1 ELSE 0 END), 0) AS has_slack,
            COALESCE(MAX(CASE WHEN name = 'Firefox.app' THEN 1 ELSE 0 END), 0) AS has_firefox,
            COALESCE(MAX(CASE WHEN name = 'zoom.us.app' THEN 1 ELSE 0 END), 0) AS has_zoom
        FROM apps
        WHERE name IN ('Slack.app', 'Firefox.app', 'zoom.us.app')
    )
    -- A label query matches a host when it returns at least one row, so the
    -- outer WHERE keeps only the case where all three apps are missing.
    SELECT
        CASE
            WHEN has_slack = 0 AND has_firefox = 0 AND has_zoom = 0 THEN 1
            ELSE 0
        END AS missing_all_apps
    FROM app_check
    WHERE missing_all_apps = 1;
  2. Ensure that at least one of the apps listed above does not exist on a test host.
  3. Upload the linked mobile config profile to the test team of your host.
  4. Refetch host vitals

Actual Result

Config profile gets deployed

Expected Result

Label should populate before config profile push, honoring the exclusion and the config profile should not be installed.
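The race described in this report comes down to how the scoping check treats a host whose label membership has not been computed yet. The following Go program is an added illustration, not Fleet's own code: the `Profile`, `LabelState` and `Decision` types and the two scoping functions are hypothetical, and the membership snapshots are constructed for the example. `naiveScope` models the behaviour reported above, where an exclusion label that is not (yet) recorded for the host is silently treated as "not excluded"; `gatedScope` models the expected result, deferring the push until every exclusion label has actually been evaluated for that host.

```go
package main

import "fmt"

// LabelState is what the server knows about one host's membership in one
// dynamic label. Keeping "not yet evaluated" distinct from "evaluated, not a
// member" is the whole point: a freshly enrolled host has no label results at
// all, and that must not look like "this host is not excluded".
type LabelState int

const (
	LabelUnknown   LabelState = iota // label query has not run on this host yet
	LabelMember                      // query ran and the host matched
	LabelNotMember                   // query ran and the host did not match
)

// Profile is a configuration profile scoped by label exclusions
// (hypothetical type for this example).
type Profile struct {
	Name          string
	ExcludeLabels []string
}

// Decision is the outcome of the scoping check for one host.
type Decision int

const (
	Deploy Decision = iota // push the profile
	Skip                   // host is excluded, never push
	Defer                  // membership not known yet, re-check later
)

func (d Decision) String() string {
	return [...]string{"deploy", "skip", "defer"}[d]
}

// naiveScope reproduces the reported behaviour. A missing map entry reads as
// LabelUnknown (the zero value), and anything other than LabelMember is treated
// as "not excluded", so a just-enrolled host gets the profile.
func naiveScope(p Profile, membership map[string]LabelState) Decision {
	for _, l := range p.ExcludeLabels {
		if membership[l] == LabelMember {
			return Skip
		}
	}
	return Deploy
}

// gatedScope only deploys once every exclusion label has been evaluated for
// the host. An unknown label defers the decision instead of deploying.
func gatedScope(p Profile, membership map[string]LabelState) Decision {
	for _, l := range p.ExcludeLabels {
		switch membership[l] {
		case LabelMember:
			return Skip
		case LabelUnknown:
			return Defer
		}
	}
	return Deploy
}

// settle walks successive membership snapshots for one host (in order of the
// host's refetches) and returns the first non-deferred decision together with
// the index of the snapshot that produced it, or Defer and -1 if it never settles.
func settle(p Profile, snapshots []map[string]LabelState) (Decision, int) {
	for i, m := range snapshots {
		if d := gatedScope(p, m); d != Defer {
			return d, i
		}
	}
	return Defer, -1
}

func main() {
	dock := Profile{Name: "dock", ExcludeLabels: []string{"missing_all_apps"}}

	// Constructed timeline: snapshot 0 is the host right after enrollment, before
	// any label query has run; snapshot 1 is after its first refetch, when the
	// label query ran and matched (the apps are not installed).
	timeline := []map[string]LabelState{
		{},
		{"missing_all_apps": LabelMember},
	}

	fmt.Printf("naive, fresh host:  %s\n", naiveScope(dock, timeline[0]))
	fmt.Printf("gated, fresh host:  %s\n", gatedScope(dock, timeline[0]))
	d, at := settle(dock, timeline)
	fmt.Printf("gated, settled:     %s (snapshot %d)\n", d, at)
}
```

The same gating applies to include-label scoping in reverse: an unevaluated include label should not count as "host is in scope" either. Whichever direction is used, a profile that controls restrictions or certificate provisioning should wait on the label refresh rather than fall through to a default.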

georgekarrv commented 1 day ago

Thanks Dave, we will take a stab at this after getting 57 out