New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add enable_release_device_manually setting to team and no-team #17698
Add enable_release_device_manually setting to team and no-team #17698
Conversation
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## feat-prefill-account-name #17698 +/- ##
=============================================================
- Coverage 65.67% 65.62% -0.06%
=============================================================
Files 1193 1193
Lines 108026 108077 +51
Branches 2574 2574
=============================================================
- Hits 70947 70926 -21
- Misses 31709 31768 +59
- Partials 5370 5383 +13
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This implements setting the new enable_release_device_manually
config option and validating that await_device_configured
cannot be provided in a macOS setup assistant. It doesn't implement sending the MDM command to release the device, this will be in a subsequent PR. This PR should unblock finishing wiring up the UI (@ghernandez345 FYI), the rest of the work should be backend only.
@@ -933,6 +943,7 @@ func (svc *Service) getOrCreatePreassignTeam(ctx context.Context, groups []strin | |||
// instead by CopyDefaultMDMAppleBootstrapPackage below | |||
// BootstrapPackage: ac.MDM.MacOSSetup.BootstrapPackage, | |||
EnableEndUserAuthentication: ac.MDM.MacOSSetup.EnableEndUserAuthentication, | |||
// TODO(mna): should we copy the EnableReleaseDeviceManually setting from the global config? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@noahtalerman @roperzh This is the settings used when creating a new team from a Puppet run (the preassignment step), it already copies the MacOS Setup Assistant and End-user authentication settings from the no-team (global) config. Should it also copy the new EnableReleaseDeviceManually
global setting?
Note that ModifyTeam
(called next) only supports the end-user authentication update, not the macos_setup_assistant
, so I don't think this really copies that path information unless I'm missing something. It would need to call "Apply Team Specs" to do so.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For the usage the customer is doing I think it should mirror it as well 👍 . They want to:
- Define the ABM settings in the "default ABM team"
- Make sure that hosts still have those settings, even after the Puppet module reassigns the host to a different team.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Gotcha, thanks! I think this will require switching from ModifyTeam
to ApplyTeamSpecs
so that the whole range of settings can be updated.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
damn, sorry about that! I remember we do special handling for the bootstrap package, maybe for this same reason.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Quite possibly. Yeah this is very error-prone, the fact that ModifyTeam
only handles few if any configs (it was none at first I think, but disk encryption was moved and was added there).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So as mentioned in standup, if you don't mind I'll address that change in a future PR, so we can land this in the feature branch and Gabe can integrate the UI with the API changes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
absolutely! makes sense!
#17401
Checklist for submitter
changes/
ororbit/changes/
.See Changes files for more information.
SELECT *
is avoided, SQL injection is prevented (using placeholders for values in statements)