Send DeviceConfigured MDM command after DEP enrollment
#17737
Conversation
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## feat-prefill-account-name #17737 +/- ##
============================================================
Coverage ? 65.64%
============================================================
Files ? 1194
Lines ? 108292
Branches ? 2574
============================================================
Hits ? 71093
Misses ? 31802
Partials ? 5397
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
| } | ||
| } | ||
|
|
||
| func (s *integrationMDMTestSuite) TestDEPProfileAssignment() { |
There was a problem hiding this comment.
This test was not modified, just moved here from the integration_mdm_test.go as it is DEP-specific.
| @@ -1981,745 +1999,6 @@ func createWindowsHostThenEnrollMDM(ds fleet.Datastore, fleetServerURL string, t | |||
| return host, mdmDevice | |||
| } | |||
|
|
|||
| func (s *integrationMDMTestSuite) TestDEPProfileAssignment() { | |||
There was a problem hiding this comment.
Since this file is already huuuuuge, I created a new integration_mdm_dep_test.go file for the DEP-specific MDM integration tests, and moved this one over there.
server/worker/apple_mdm.go
Outdated
| // On the next try, new commands will be enqueued for the same task (e.g. if | ||
| // it failed at the bootstrap package, install fleetd will be enqeueued | ||
| // again), will Apple MDM process both commands successfully or would the | ||
| // second one fail? Relevant for the device release. |
There was a problem hiding this comment.
@roperzh maybe you know this? My hunch is that those are idempotent so if e.g. fleetd is already installed and the command is sent again, it would succeed again.
There was a problem hiding this comment.
it would! they're not idempotent, but I believe the commands we send won't produce errors either.
- All
InstallProfilecommands won't have any effect (because it'll be considered an 'edit' by the OS and nothing changed) - All
InstallEnterpriseApplicationwill trigger a second install. This might be problematic for the bootstrap package, but I believe Noah's plan is to document that the bootstrap package must be "idempotent" (as much as an application can be)
I don't know if I'm missing other commands.
There was a problem hiding this comment.
I believe the commands we send won't produce errors either.
This might be problematic for the bootstrap package, but I believe Noah's plan is to document that the bootstrap package must be "idempotent" (as much as an application can be)
Awesome, thanks for the clarifications!
There was a problem hiding this comment.
I don't know if I'm missing other commands.
The other potential one is AccountConfiguration, which I assume would be like an edit to the previous settings and would not result in an error.
There was a problem hiding this comment.
agreed, IIRC that's fine as well.
| // the release device task is always added with a delay | ||
| var delay time.Duration | ||
| if task == AppleMDMPostDEPReleaseDeviceTask { | ||
| delay = 30 * time.Second |
There was a problem hiding this comment.
This task is always delayed, so that the device has the time to process the initial enrollment commands and a Reconcile profiles job has a chance to run.
| @@ -191,6 +209,7 @@ func (w *Worker) processJob(ctx context.Context, job *fleet.Job) error { | |||
| args = *job.Args | |||
| } | |||
|
|
|||
| ctx = context.WithValue(ctx, retryNumberCtxKey, job.Retries) | |||
There was a problem hiding this comment.
A bit hacky, but that was a quick and easy way to make that info available to the job processor.
| // | ||
| // but without calling that function, in case the code changes in the future, | ||
| // breaking this migration. Instead we insert directly the job in the | ||
| // database, and the worker will process it shortly after Fleet restarts. |
There was a problem hiding this comment.
@roperzh do you know if that means that existing DEP-enrolled devices will now need to be explicitly released? The Apple docs mention it blocks in Setup Assistant so presumably devices that are already past this assistant will be ok, but worth double-checking in tests? Because re-generating the profiles also re-assigns them to existing hosts here: https://github.com/fleetdm/fleet/blob/main/server/worker/macos_setup_assistant.go#L113-L137
There was a problem hiding this comment.
Yes, I believe we're fine here! those settings only affect the next time the device goes through the setup assistant 👍
…ll-device-release
ghernandez345
temporarily deployed
to
Docker Hub
GitHub Actions
Inactive
|
@roperzh I'll merge as it's only going to the feature branch and Gabe is waiting on this to implement some fixes on top of it, but I did merge a fix and some minor changes after your approval, if you want to take another look (if there's anything to address, I'll do so in a subsequent PR). The Go mysql8 tests are also failing, but looks like that might be something we inherited from merging |
|
It's a test time-out on mysql 8: I'll increase the test timeout limit for now, in a future PR. |
#17401
Checklist for submitter
changes/ororbit/changes/.See Changes files for more information.
SELECT *is avoided, SQL injection is prevented (using placeholders for values in statements)