fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

failed to get up-to-date MDM command results #8815

Closed roperzh closed 1 year ago

roperzh commented 1 year ago

Fleet version: 4a73d4a8871aa7cc96cabe8185184c70080a055c

🧑‍💻  Expected behavior

I'm able to get up-to-date MDM command results using fleetctl.

💥  Actual behavior

  1. I uploaded a package
./build/fleetctl apple-mdm installers upload fleet-osquery.pkg

the package got assigned ID = 1.

  2. I tried to install the application in an enrolled device
./build/fleetctl apple-mdm enqueue-command InstallEnterpriseApplication --installer-id 1 --device-ids=<DEVICE_ID>
  3. I had log stream --info --debug --predicate 'processImagePath contains "mdmclient" OR processImagePath contains "storedownloadd"' running in the device, and I spotted an error with the installation:
2022-11-24 23:05:53.003616-0300 0xe82b     Error       0x0                  1075   0    mdmclient: [com.apple.ManagedClient:ManagedApps] [ERROR] Aborting app install: Package signature cannot be verified <PKInstallErrorDomain:100>
  4. However, when I query the status via fleetctl:
~/fleet $ ./build/fleetctl apple-mdm command-results --command-uuid 4926e911-0912-4ff7-933d-180aa5048dd0
+--------------------------------------+--------------+--------------------------------------------------------------------------------------------------------+
|              DEVICE ID               |    STATUS    |                                                 RESULT                                                 |
+--------------------------------------+--------------+--------------------------------------------------------------------------------------------------------+
| B4ABC725-94D6-58BD-BA0E-845398DC80CC | Acknowledged | <?xml version="1.0" encoding="UTF-8"?>                                                                 |
|                                      |              | <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> |
|                                      |              | <plist version="1.0">                                                                                  |
|                                      |              | <dict>                                                                                                 |
|                                      |              |  <key>CommandUUID</key>                                                                                |
|                                      |              |  <string>4926e911-0912-4ff7-933d-180aa5048dd0</string>                                                 |
|                                      |              |  <key>Queued</key>                                                                                     |
|                                      |              |  <true/>                                                                                               |
|                                      |              |  <key>Status</key>                                                                                     |
|                                      |              |  <string>Acknowledged</string>                                                                         |
|                                      |              |  <key>UDID</key>                                                                                       |
|                                      |              |  <string>B4ABC725-94D6-58BD-BA0E-845398DC80CC</string>                                                 |
|                                      |              | </dict>                                                                                                |
|                                      |              | </plist>                                                                                               |
|                                      |              |                                                                                                        |
+--------------------------------------+--------------+--------------------------------------------------------------------------------------------------------+
roperzh commented 1 year ago

This ended up being a lack of understanding on my part of how this specific command works, concretely, the Apple docs mention:

In macOS, the device returns an Acknowledged response after validating the parameters, but before downloading and installing the app. However, it doesn’t notify the MDM server about errors that occur during the installation process.

@zhumo I'm going to close this as it's the expected MDM behavior, we could potentially in the future try to validate that the app was installed by other means but it seems out of scope for now.
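
Added example, not Fleet's own code: a small Python interpreter for MDM command result plists that applies the rule quoted above. An Acknowledged response to InstallEnterpriseApplication on macOS is reported as "accepted, not completed" because install failures never reach the server, while Acknowledged stays final for other commands and any ErrorChain entries are surfaced when the device reports an error. The `request_type`/`platform` arguments are assumptions about how the caller tracks the command; the first sample is the response shown in the issue and the Error sample is constructed.

```python
import plistlib

# Sample taken from the Acknowledged response quoted in this issue.
ACKNOWLEDGED_RESULT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
 <key>CommandUUID</key><string>4926e911-0912-4ff7-933d-180aa5048dd0</string>
 <key>Queued</key><true/>
 <key>Status</key><string>Acknowledged</string>
 <key>UDID</key><string>B4ABC725-94D6-58BD-BA0E-845398DC80CC</string>
</dict>
</plist>"""

# Constructed sample (not from the issue) of a device rejecting a command with an ErrorChain.
ERROR_RESULT = b"""<plist version="1.0">
<dict>
 <key>CommandUUID</key><string>00000000-0000-0000-0000-000000000000</string>
 <key>Status</key><string>Error</string>
 <key>UDID</key><string>B4ABC725-94D6-58BD-BA0E-845398DC80CC</string>
 <key>ErrorChain</key>
 <array><dict>
  <key>ErrorCode</key><integer>12345</integer>
  <key>ErrorDomain</key><string>MCInstallationErrorDomain</string>
  <key>LocalizedDescription</key><string>constructed sample error</string>
 </dict></array>
</dict>
</plist>"""

# Commands whose Acknowledged response on macOS is sent before the real work happens,
# so Acknowledged must not be read as "installed".
ACK_BEFORE_COMPLETION_MACOS = {"InstallEnterpriseApplication"}

def interpret_result(request_type: str, platform: str, raw_plist: bytes) -> dict:
    """Translate a raw MDM command result into a status an operator can act on."""
    doc = plistlib.loads(raw_plist)
    status = doc.get("Status", "Unknown")
    out = {"command_uuid": doc.get("CommandUUID"), "status": status,
           "completed": False, "errors": []}
    if status == "Acknowledged":
        # Final for most commands; for install commands on macOS it only confirms
        # parameter validation, and install failures are never reported back.
        out["completed"] = not (platform == "macos" and request_type in ACK_BEFORE_COMPLETION_MACOS)
    elif status in ("Error", "CommandFormatError"):
        out["completed"] = True  # terminal: the device will not retry this command
        out["errors"] = [f"{e.get('ErrorDomain')}:{e.get('ErrorCode')} {e.get('LocalizedDescription', '')}".strip()
                         for e in doc.get("ErrorChain", [])]
    # "NotNow" leaves completed=False: the device will pick the command up again later.
    return out
```

For the InstallEnterpriseApplication case, `completed=False` on an Acknowledged result is the cue to verify installation by other means (for example an osquery query of installed packages) rather than trusting the MDM status.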

zhumo commented 1 year ago

Hey Roberto, is this installation of a package via the Apple enterprise app process, or is it commands in general?

If commands in general, it might not be something immediate but it is something we will be talking about design pretty soon. We want to expose to our users the status of the command (enqueued vs. done) and potentially cancel them.

roperzh commented 1 year ago

@zhumo this is only for InstallEnterpriseApplication