fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

macOS Automatic enrollment does not complete when using mTLS for orbit endpoints #24024

Open ksatter opened 3 days ago

ksatter commented 3 days ago

Fleet version: v4.59.0

Web browser and operating system: macOS


💥  Actual behavior

When a new or freshly wiped macOS host attempts to enroll in MDM, it gets stuck after installing profiles, while Orbit checks in for software and scripts:

[screenshot attached in the original issue]

After turning off mTLS for the /orbit endpoints and restarting the enrollment process, the host was successfully enrolled.

🧑‍💻  Steps to reproduce

  1. Enable Apple MDM and configure ABM
  2. Configure the ingress point to require mTLS for Orbit endpoints
  3. Assign a device in ABM and attempt to enroll it in Fleet

🕯️ More info (optional)

N/A
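As an added illustration of step 2 above (this is not configuration from the issue, from Fleet's docs, or from the reporter's environment), the following nginx server block terminates TLS in front of Fleet, asks every client for a certificate, but only rejects requests that lack a valid one on the fleetd/orbit API prefix, leaving the Apple MDM protocol endpoints reachable without a client certificate. The hostname, upstream address, file paths, and the URL prefixes `/api/fleet/orbit/` and `/mdm/apple/` are assumptions to check against your own deployment; the point is to show where the mTLS requirement is enforced, since that is the setting the reporter turned off to get enrollment to complete.

```nginx
# Added example (not from the issue or Fleet's docs): TLS termination in front of
# Fleet with client-certificate enforcement scoped to the orbit API prefix.
# Hostname, upstream address, file paths and URL prefixes are assumptions.
server {
    listen 443 ssl;
    server_name fleet.example.com;

    ssl_certificate     /etc/nginx/tls/fleet.crt;
    ssl_certificate_key /etc/nginx/tls/fleet.key;

    # Request a client certificate on every handshake but do not fail the
    # handshake when none is presented; enforcement happens per location.
    ssl_client_certificate /etc/nginx/tls/device-ca.pem;
    ssl_verify_client      optional;
    ssl_verify_depth       2;

    # Apple MDM protocol and enrollment endpoints (assumed prefix): these must
    # stay reachable without a client certificate or ADE cannot start at all.
    location /mdm/apple/ {
        proxy_pass http://fleet-backend:8080;
        proxy_set_header Host $host;
    }

    # fleetd (orbit) endpoints (assumed prefix): require a certificate that
    # chains to device-ca.pem. $ssl_client_verify is SUCCESS, NONE, or
    # FAILED:<reason>; anything but SUCCESS is rejected before proxying.
    # A host that checks in here without a certificate, as orbit does during
    # Setup Assistant in the report above, receives 403 and enrollment stalls.
    location /api/fleet/orbit/ {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        proxy_pass http://fleet-backend:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Client-Cert-Verify $ssl_client_verify;
    }

    # Everything else (UI, REST API, osquery TLS plugin) passes through
    # without a client-certificate requirement.
    location / {
        proxy_pass http://fleet-backend:8080;
        proxy_set_header Host $host;
    }
}
```

To confirm the split behaves as intended, issue a request to a path under the orbit prefix with `curl --cert`/`--key` pointing at a device certificate signed by the CA in `device-ca.pem`, then repeat it without those flags: the first should reach the backend and the second should return 403, while a request under the MDM prefix succeeds either way. Note that this configuration is the condition that reproduces the hang, not a fix for it: if the host does not yet hold a client certificate when orbit first checks in during Setup Assistant, the 403 on the orbit prefix is exactly what stalls enrollment.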

noahtalerman commented 3 days ago

Heads up @lukeheath, I added the P1 label to this bug b/c we think it's a critical bug (workflow blocking).

lukeheath commented 3 days ago

@noahtalerman Agreed, this is workflow blocking and is a P1 critical bug we will patch (or include in the upcoming v4.60.0).

JoStableford commented 2 days ago

Linked to Unthread ticket:

Inquiry about configurability of fleetd config profile payload content #3601

PezHub commented 2 days ago

QA Notes:

Ran through a few workflows to ensure orbit was not getting installed during ADE enrollment if Scripts or Software are not configured as part of the new Setup Experience feature. I can confirm I no longer see the swiftDialog window (indicating Orbit was installed), and I proceeded to enroll the host successfully.

Made sure all other setup experience features still work as expected and completed host enrollment.

Finally I tested setup experience with everything configured to ensure no regression occurred.