fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Dep profile not assigned when mdm server modified #8741

Closed michalnicp closed 1 year ago

michalnicp commented 1 year ago

Fleet version: 9d8a8ca07e09f2d0197650fbe4ae1eac62e099f3
🧑‍💻  Expected behavior

In Apple Business Manager, when a device is assigned to the fleet MDM server, the automatic dep profile should be assigned to it.

💥  Actual behavior

Dep profile is not assigned.

More info

This works correctly when unassigning the device from the previous MDM server, then assigning it to the fleet MDM server. It does not work when "modifying" the MDM server.

GuillaumeRoss commented 1 year ago

Had this issue on a laptop when removing and assigning, so it might not be just when we edit the MDM server.

roperzh commented 1 year ago

Looking at the logs for the specific case Guillaume mentioned above, it seems like it takes a few minutes for the DEP sync endpoint to report that the device has changed. Definitely requires more digging, but this might be a good starting point.

lukeheath commented 1 year ago

We are pretty confident that this is an ABM issue that we cannot control, but @roperzh is going to spend ~30 minutes looking into it to see if we can ease the experience for the user.

fleet-release commented 1 year ago

A city in the sky
A fleet with no worries
Protected, secure, safe

roperzh commented 1 year ago

Confirmed that the underlying issue is due to what's described here

When re-assigning a serial number it appears that instead of generating an "added" event (which MicroMDM will use to auto-assign serial numbers) Apple instead generates a "modified" event — even if that MDM server has never seen the device before. Because these are "modified" events the auto-assigner won't work on those serials. This appears to be some issue with the ABM/ASM/DEP portal.

I think we could find a heuristic to account for this ABM issue, but it will require modifying our nanomdm fork (which behaves the same way as described above in the micromdm wiki).

For now, Noah documented this gotcha and the steps to prevent it in https://github.com/fleetdm/fleet/pull/9820
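A sketch of the kind of heuristic mentioned above, added here as an illustration and not code from Fleet or NanoMDM: treat a "modified" DEP sync event as an assignment trigger when this server has never seen the serial before (the re-assignment case ABM reports as "modified") or the record shows no profile assigned. The struct fields use Apple's DEP sync JSON key names; the in-memory seen-serial store, the `profile_status == "empty"` fallback and the sample sync batches are assumptions constructed for the example.

```go
package main

import "fmt"

// DEPDevice holds the fields of one /devices/sync record relevant here.
type DEPDevice struct {
	SerialNumber  string `json:"serial_number"`
	OpType        string `json:"op_type"`        // "added", "modified", "deleted"
	ProfileStatus string `json:"profile_status"` // "empty", "assigned", "pushed", "removed"
}

// Assigner remembers serials this MDM server has already processed, so a
// "modified" event for an unseen serial can be recognised as a re-assignment.
// In-memory only (assumption); a real server would persist this.
type Assigner struct{ seen map[string]bool }

func NewAssigner() *Assigner { return &Assigner{seen: map[string]bool{}} }

// ShouldAssign reports whether the automatic DEP profile should be pushed
// for this event. "added" always qualifies (existing auto-assign behaviour);
// "modified" qualifies only for a never-seen serial or an empty profile.
func (a *Assigner) ShouldAssign(d DEPDevice) bool {
	switch d.OpType {
	case "deleted":
		delete(a.seen, d.SerialNumber)
		return false
	case "added":
		a.seen[d.SerialNumber] = true
		return true
	case "modified":
		first := !a.seen[d.SerialNumber]
		a.seen[d.SerialNumber] = true
		return first || d.ProfileStatus == "empty"
	default:
		return false
	}
}

// ProcessSync returns the serials from one sync response that need the profile.
func ProcessSync(a *Assigner, devices []DEPDevice) []string {
	var out []string
	for _, d := range devices {
		if a.ShouldAssign(d) {
			out = append(out, d.SerialNumber)
		}
	}
	return out
}

// SampleSyncs: two constructed sync responses (not real ABM data). The second
// batch contains the problematic "modified" event for a serial re-assigned
// from another MDM server, which a plain added-only auto-assigner would skip.
var SampleSyncs = [][]DEPDevice{
	{{SerialNumber: "C02SEEN001", OpType: "added", ProfileStatus: "empty"}},
	{
		{SerialNumber: "C02SEEN001", OpType: "modified", ProfileStatus: "assigned"},
		{SerialNumber: "C02REASSIGN02", OpType: "modified", ProfileStatus: "empty"},
		{SerialNumber: "C02GONE003", OpType: "deleted", ProfileStatus: "removed"},
	},
}

func main() {
	a := NewAssigner()
	for i, batch := range SampleSyncs {
		fmt.Printf("sync %d: assign profile to %v\n", i+1, ProcessSync(a, batch))
	}
}
```
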

fleet-release commented 1 year ago

Matter-of-fact haiku:
Modifying MDM server
Assigns dep profile fast
User ease of use