fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

On the Host details page, turn MDM off on BYOD iPhones/iPads #22820

Open allenhouchins opened 1 month ago

allenhouchins commented 1 month ago

ddribeiro commented 1 month ago

I think behind the scenes this button would send a RemoveProfile MDM command to the host with com.fleetdm.fleet.mdm.apple passed as the value for the Identifier key:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>Command</key>
        <dict>
            <key>Identifier</key>
            <string>com.fleetdm.fleet.mdm.apple</string>
            <key>RequestType</key>
            <string>RemoveProfile</string>
        </dict>
        <key>CommandUUID</key>
        <string>E1C4537E-91C0-401D-A138-A67FF393726E</string>
    </dict>
</plist>

I used the Run MDM Command API endpoint to send this to my test host and it removed the MDM enrollment profile and all the other profiles that got delivered from Fleet. The host was no longer MDM enrolled.

I 100% agree there should be a button to simplify this, but I wanted to mention this in case this was blocking for any customers or prospects. It is possible today for an admin to turn off MDM on a host from Fleet without having access to the device.

cc: @allenhouchins @harrisonravazzolo @nonpunctual
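Added example (Python, not code from this thread or from the Fleet project): it builds the RemoveProfile command quoted above with plistlib, base64-encodes it the way a JSON API body would carry it (the exact request shape of Fleet's Run MDM Command endpoint is an assumption here; check the REST API docs for your version), and flags commands that target the enrollment profile itself so an audit trail can record an unenrollment before it is sent.

```python
import base64
import plistlib
import uuid

# Identifier of Fleet's MDM enrollment profile, as quoted in the thread.
FLEET_ENROLLMENT_PROFILE_ID = "com.fleetdm.fleet.mdm.apple"


def build_remove_profile_command(identifier: str, command_uuid: str = "") -> bytes:
    """Return the XML plist for an MDM RemoveProfile command."""
    payload = {
        "Command": {"Identifier": identifier, "RequestType": "RemoveProfile"},
        # Every command needs a unique CommandUUID; generate one unless supplied.
        "CommandUUID": command_uuid or str(uuid.uuid4()).upper(),
    }
    return plistlib.dumps(payload, fmt=plistlib.FMT_XML)


def encode_for_api(plist_xml: bytes) -> str:
    """Base64 the plist for transport in a JSON request body (assumed API shape)."""
    return base64.b64encode(plist_xml).decode("ascii")


def is_unenrollment_command(plist_xml: bytes) -> bool:
    """True when the command removes the enrollment profile, which (as the
    thread reports) also strips every Fleet-delivered profile and unenrolls
    the device; anything else is an ordinary single-profile removal."""
    cmd = plistlib.loads(plist_xml)
    inner = cmd.get("Command", {})
    return (
        inner.get("RequestType") == "RemoveProfile"
        and inner.get("Identifier") == FLEET_ENROLLMENT_PROFILE_ID
    )


if __name__ == "__main__":
    xml = build_remove_profile_command(FLEET_ENROLLMENT_PROFILE_ID)
    print(xml.decode())
    print("unenrolls device:", is_unenrollment_command(xml))
    print("body value:", encode_for_api(xml)[:40], "...")
```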

allenhouchins commented 1 month ago

@ddribeiro Thanks! I also included some MDM clean up in the cleanup_macos.sh script yesterday that takes a similar approach but using the on host profiles binary. https://github.com/fleetdm/fleet/blob/f2fedb0187ddaaa488ee4cf4473d4700210c6eb4/orbit/tools/cleanup/cleanup_macos.sh#L26

noahtalerman commented 1 month ago

Problem

There is not an easy way for an admin to unenroll an iOS/iPadOS device from MDM remotely from Fleet UI. If an employee leaves the company, there is no way for an admin to ensure their management framework has been removed from the device. Deleting the host in Fleet does not remove MDM. Admins also need to remove the MDM profile remotely for troubleshooting or isolating a device from corporate data if they suspect the device has been compromised.

What have you tried?

[screenshot attached: Screenshot 2024-10-10 at 9 21 41 AM]

Potential solutions

There should be a "Remove MDM" (or similar) option under the Actions menu on MDM-enabled devices. This action should also be available as a bulk action across many devices (ex: employee layoffs, voluntary departures, internships ending)

What is the expected workflow as a result of your proposal?

As an admin, I would click an option to Remove MDM and it remotely removes the MDM enrollment profile and any associated configuration profiles and managed apps.

nonpunctual commented 1 month ago

related: https://github.com/fleetdm/fleet/issues/19548

noahtalerman commented 1 month ago

@harrisonravazzolo can you please attach the Gong snippet from pingali? Thanks :)

noahtalerman commented 3 weeks ago

Hey @harrisonravazzolo just giving you another ping! Can you please attach the Gong snippet from pingali?

harrisonravazzolo commented 3 weeks ago

https://us-65885.app.gong.io/call?id=4502089861812328304&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A1488%2C%22to%22%3A1546%7D%5D

After you watch this snippet, let me know your thoughts. I'm tempted to create a separate issue for adding iOS/iPadOS release MDM functionality to the pre-existing endpoint, which would change the scope.

noahtalerman commented 3 weeks ago

Hey @ambrusps we peeled this user story off this request and pulled the story into the current design sprint.

Keep in mind that the story likely won't address the entire request. It will be a small iterative piece.