fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Software update not enforcing during ADE enrollment #22361

Open ddribeiro opened 1 month ago

ddribeiro commented 1 month ago

Fleet version: 4.56


💥  Actual behavior

customer-eponym has been testing the new “enforce minimum OS version during ADE enrollment” feature in Fleet v4.56.0. Their test host running macOS 14.6.1 is not forced to update to macOS 14.7 during the setup assistant, despite the settings in Fleet seemingly being configured correctly.

🧑‍💻  Steps to reproduce

  1. Assign an ADE eligible host to your test team in Fleet.
  2. For that team, navigate to Controls > OS updates > macOS. Set Minimum version to 14.7 and Deadline to a date in the past.
  3. Erase a test host with a macOS version between 14.0 and 14.6. The customer tested with 14.6.1 and 14.2.1.
  4. Turn on the device and proceed with the normal ADE enrollment process. The host should be expected to enforce the macOS 14.7 update during the setup assistant, but never does.

🕯️ More info (optional)

The customer reports they did see a DDM software update prompt on their host after configuring the OS updates settings for their team, but were never able to get the enforcement during setup assistant to work.

JoStableford commented 1 month ago

Linked to Unthread ticket:

Inquiry about Minimum OS Version with ADE and Nudge/DDM #2920

PezHub commented 1 month ago

Hi @ddribeiro, looking at the Unthread ticket comments

Hmm not sure how to find that. I think our default is no team, and then we move into teams using a gitops workflow.

every team in the stage instance has no version or deadline set, except for the 'foundation' team I'm testing in and my test machine is a part of.

It sounds like all their unenrolled hosts are set to "no team". They need to set the minimum version on "no team" or we need confirmation they are actually assigning the host to the "foundation" team in the correct place prior to enrollment and after deleting the host from Fleet. Like in my example here for a mbair that is awaiting ADE enrollment and assigned to the "QA" team:

[Screenshot 2024-09-24 at 9 02 43 PM]

Would you mind having them send a screenshot of the same page so we can confirm?

lashomb commented 1 month ago

@PezHub Hey, I'm the one who has this issue. I've done it about a dozen times with the same results. Right now I approach my tests with this process.

  1. Erase All Contents and Settings on my test device to prep for enrollment into our staging MDM server running Fleet 4.57.
  2. Delete existing computer record in Fleet.
  3. Assign computer in Fleet to team 'foundation'.
  4. Activate Mac and proceed with ADE.

lashomb commented 1 month ago

[Screenshot 2024-09-25 at 9 49 45 AM] [Screenshot 2024-09-25 at 9 49 30 AM]

georgekarrv commented 1 month ago

Thanks for the update, I'll go ahead and take a look at this today!

georgekarrv commented 1 week ago

What I found was that with a host on 14.5 and the minimum set to 14.5.1, it no longer triggered. There was a discussion in Slack with Sarah that I will try to find and link. This seems to be based on whether the minimum version is in the public assets on gdmf or not.
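
A triage check for the hypothesis in the comment above, added here as an example and not part of the thread or of Fleet's code: given a parsed GDMF feed, it reports whether a configured minimum version appears among the public macOS assets. The `triage` helper, its verdict strings and the sample feed are assumptions made for illustration; the field names follow Apple's GDMF feed at `https://gdmf.apple.com/v2/pmv`.

```python
import json

# Constructed sample shaped like Apple's GDMF feed (https://gdmf.apple.com/v2/pmv).
# Versions, dates and models are illustrative, not a capture of the real catalog.
SAMPLE_GDMF = json.loads("""
{"PublicAssetSets": {"macOS": [
  {"ProductVersion": "14.7", "PostingDate": "2024-09-16",
   "ExpirationDate": "2024-12-16", "SupportedDevices": ["Mac14,2", "MacBookAir10,1"]},
  {"ProductVersion": "15.0", "PostingDate": "2024-09-16",
   "ExpirationDate": "2024-12-16", "SupportedDevices": ["Mac14,2"]}
]}}
""")


def parse_version(text):
    """Turn '14.7' into (14, 7, 0) so '14.7' and '14.7.0' compare equal."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def triage(gdmf, host_version, minimum_version, model=None):
    """Classify one host/minimum pair (hypothetical helper, verdict names are ours)."""
    wanted = parse_version(minimum_version)
    if parse_version(host_version) >= wanted:
        return "host-already-compliant"
    assets = gdmf.get("PublicAssetSets", {}).get("macOS", [])
    matches = [a for a in assets if parse_version(a["ProductVersion"]) == wanted]
    if not matches:
        # The case reported in the thread: the minimum is not a listed public asset.
        return "minimum-not-in-public-assets"
    if model and not any(model in a.get("SupportedDevices", []) for a in matches):
        return "minimum-not-listed-for-model"
    return "minimum-in-public-assets"


if __name__ == "__main__":
    for host, minimum in [("14.6.1", "14.7"), ("14.5", "14.5.1"), ("14.7", "14.7")]:
        print(host, "->", minimum, ":", triage(SAMPLE_GDMF, host, minimum))
```

To check a real configuration, pass the parsed body of the live GDMF response in place of `SAMPLE_GDMF`.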

georgekarrv commented 1 week ago

https://fleetdm.slack.com/archives/C03C41L5YEL/p1730136898165769?thread_ts=1730135983.240809&channel=C03C41L5YEL&message_ts=1730136898.165769

BillysCoolJob commented 3 days ago

Just wanted to add a ➕ as I am also seeing this issue on 14.7.1, 15, and 15.0.1 when the minimum version is set to 15.1. It just rolls straight through enrollment and does not do the update.