Roberto Dip
b112505bf1
rename profile status constants to be platform agnostic ( #15013 )
part of https://github.com/fleetdm/fleet/issues/14364 , submitting
separately to reduce noise for the important bits.
2023-11-07 18:03:03 -03:00
Roberto Dip
33db665d63
show full formatted results for windows commands in fleetctl ( #14922 )
for #14912 this adds the full results to the "RESULTS" column of
`fleetctl get mdm-command-results`.
Additionally I included formatting of the XML output to improve
readability.
2023-11-03 12:01:43 -03:00
Roberto Dip
9cf30a9131
Feat windows msmdm ( #14837 )
for #13069
---------
Co-authored-by: Marcos Oviedo <marcos@fleetdm.com>
Co-authored-by: Martin Angers <martin.n.angers@gmail.com>
Co-authored-by: gillespi314 <73313222+gillespi314@users.noreply.github.com>
2023-11-01 11:13:12 -03:00
Roberto Dip
683c1dfe95
allow macOS hosts that turned on MDM via SSO to renew their enrollment ( #14739 )
for #14238
2023-10-27 12:42:30 -03:00
Roberto Dip
001120274c
adjust response status code for mdm/apple/enqueue ( #14666 )
For #14529
2023-10-26 18:20:11 -03:00
gillespi314
c10ee875f2
Fix validations for applying MDM config changes ( #14517 )
2023-10-26 15:48:32 -05:00
gillespi314
9c123ddd2b
Add integration tests for host disk encryption details ( #14636 )
2023-10-19 09:23:42 -05:00
Roberto Dip
436733763a
always assign a DEP profile if the host is assigned in ABM ( #14606 )
for #13703 and #13992 , this updates the logic used by the functions that
gather hosts that need DEP profile updates to use hosts directly from
`host_dep_assignments`, regardless of their MDM status.
2023-10-18 11:29:40 -03:00
Roberto Dip
9172b69669
don't preemptively set disk encryption as on ( #14533 )
for #14422
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
2023-10-13 18:05:03 -03:00
Roberto Dip
540f8b9657
Bring MDM hotfixes to main ( #14494 )
This brings the hotfixes in https://github.com/fleetdm/fleet/pull/14433
for https://github.com/fleetdm/confidential/issues/3922 and
https://github.com/fleetdm/confidential/issues/https://github.com/fleetdm/fleet/issues/3904
---------
Co-authored-by: Martin Angers <martin.n.angers@gmail.com>
2023-10-13 08:49:11 -03:00
Roberto Dip
9ffa11c25d
Feat: saved scripts ( #14409 )
For #9537
2023-10-10 19:00:45 -03:00
Marcos Oviedo
f0d77ab3db
Merging Bitlocker feature branch ( #14350 )
This relates to #12577
---------
Co-authored-by: gillespi314 <73313222+gillespi314@users.noreply.github.com>
Co-authored-by: Roberto Dip <dip.jesusr@gmail.com>
2023-10-06 19:04:33 -03:00
Roberto Dip
60ab8c1ac8
ensure enrollment commands are sent to devices assigned in ABM to Fleet ( #14100 )
for #13702
2023-09-22 21:54:45 -03:00
gillespi314
38bf87b0a0
Preserve pending status for DEP-assigned hosts that are deleted in Fleet ( #14073 )
2023-09-22 16:50:43 -05:00
gillespi314
5935c0bb48
Add retries to MDM profile verification ( #13811 )
2023-09-12 09:59:47 -05:00
Gabriel Hernandez
f810fc31e2
use OrbitNodeKey for windows mdm enrollment authentication instead of HostUUID ( #13503 )
related to #12847
This changes the authentication method for windows mdm enrollment. We
were using `HostByIndentifier` method but have changed to
`LoadHostByOrbitNodeKey`.
- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files )
for more information.
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2023-08-29 14:50:13 +01:00
Roberto Dip
183e2e56cf
automatically set DEP profile for teams created by Puppet ( #13496 )
for #13363
2023-08-28 11:36:00 -03:00
Roberto Dip
4be557bb57
allow padded strings in mdm/apple/enqueue endpoint ( #13502 )
for #11384
2023-08-24 15:17:05 -03:00
Martin Angers
edf4a4d02f
Add script execution simulation to osquery-perf in preparation for load testing (part 3 of ticket) ( #13456 )
2023-08-23 18:31:47 -04:00
Roberto Dip
d5c7e7eb51
store email used for authentication during MDM SSO ( #13480 )
related to #13431 , this stores the email during SSO auth. Still left to
figure out how to link this email to a specific host.
2023-08-23 18:23:26 -03:00
Martin Angers
de32faefdb
Add /scripts/run and scripts/run/sync API endpoints to run scripts (part 1) ( #13417 )
2023-08-21 14:47:19 -04:00
gillespi314
e08bb000c9
Update nanomdm dependency ( #12721 )
Updates include:
- Fix issues where `GetBootstrapToken` returned `500` instead of no data
and no error per Apple MDM
[documentation](https://developer.apple.com/documentation/devicemanagement/get_bootstrap_token )
- Incorporate additional updates from the upstream nanomdm repo
2023-08-21 11:07:57 -03:00
Roberto Dip
d845720c2d
fix: ensure we assign ABM profiles for modified hosts ( #13275 )
for #12958 and #13110
2023-08-10 19:51:17 -03:00
Martin Angers
554e024f7b
Fix gitops access when using --dry-run with fleetctl apply ( #13178 )
2023-08-07 13:51:11 -04:00
Roberto Dip
8fda48db8b
use only the UUID part of external_host_identifier for Puppet runs ( #13176 )
related to #12483 , we have found out that in distributed scenarios, the
URL of the Puppet server used for the request is appended to the
identifier, and it can be different between `/preassign` and `/match`
calls.
to account for this, we're only grabbing the first 36 characters of the
identifier.
2023-08-07 12:41:13 -03:00
gillespi314
9ae3aa8036
Update MDM profile verification ( #13138 )
2023-08-07 09:46:03 -05:00
Roberto Dip
442e03b276
Improve the error handling for MDM SSO during DEP enrollment ( #12966 )
For #12692
2023-07-26 14:20:36 -03:00
Marcos Oviedo
501ef480b0
Windows mdm TOS endpoint ( #12900 )
This relates to https://github.com/fleetdm/fleet/issues/12604 and
https://github.com/fleetdm/fleet/issues/12600
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files )
for more information.
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
2023-07-21 14:36:26 -03:00
Roberto Dip
ee461bac2e
optimizations to profile delivery ( #12808 )
for #12481
2023-07-20 18:11:45 -03:00
Marcos Oviedo
2c02ab3be5
Adding temporary MS-MDM implementation ( #12852 )
This is the prototype implementation for MS-MDM. Most of the code here
will change in the upcoming sprints once
https://github.com/fleetdm/fleet/issues/12839 ,
https://github.com/fleetdm/fleet/issues/12840 ,
https://github.com/fleetdm/fleet/issues/12841 get implemented.
- [ ] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files )
for more information.
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
2023-07-20 11:54:04 -03:00
Marcos Oviedo
f429c6db49
12613 Azure AD JWT Auth token support ( #12817 )
This PR adds support to parse Azure JWT tokens, and it also adds the STS
endpoint ([Section
3.2](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mde2/27ed8c2c-0140-41ce-b2fa-c3d1a793ab4a )
on the MS-MDE2 spec)
This relates to #12614 and #12613
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files )
for more information.
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
2023-07-19 13:30:24 -03:00
Roberto Dip
e8070e0bd8
properly report changed profiles in the Puppet module ( #12719 )
For #12480
2023-07-14 12:53:03 -03:00
Gabriel Hernandez
9aa7c0c714
add dark and light background logo colors and show them on mdm migrat… ( #12681 )
2023-07-13 19:35:25 +01:00
Roberto Dip
eb75e303ec
change how team assignment works for the Puppet module ( #12566 )
For #12532 , all details of how this works/why is done are in the issue
description.
2023-07-13 15:00:45 -03:00
Roberto Dip
2b4798c4ab
add activity items when a Windows host turns MDM on ( #12635 )
For #12427 , and its sub-tasks #12288 and #12612
![image](https://github.com/fleetdm/fleet/assets/4419992/b4c019dd-fbd3-4c1d-a2ad-a0bb4ebac817 )
2023-07-06 15:33:40 -03:00
Marcos Oviedo
96449dd47b
Adding support for RequestSecurityToken messages - Windows MDM enroll endpoint ( #12555 )
This relates to #12263
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files )
for more information.
- [X] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [X] Added/updated tests
---------
Co-authored-by: Roberto Dip <me@roperzh.com>
2023-07-05 10:06:37 -03:00
Roberto Dip
5ddd940cb8
ensure profiles and commands are delivered when MDM is turned on ( #12580 )
Related to #12482 and #12453 , this cleans up Fleet tables that track
profile and bootstrap package status on re-enrollment.
2023-06-30 12:30:49 -03:00
Roberto Dip
4b139245cb
only show Nudge to hosts with MDM features turned on ( #12588 )
For #12582
2023-06-30 12:29:27 -03:00
Martin Angers
f641c3ec57
Add activities when Windows MDM is turned on/off ( #12533 )
2023-06-28 12:53:46 -04:00
Martin Angers
1db2f7646a
Implement Windows MDM programmatic unenrollment (notification + orbit trigger) ( #12505 )
2023-06-28 09:13:37 -04:00
Martin Angers
e323a3d881
Consider an empty EULA pdf file the same as an invalid one, returning 400 Bad Request ( #12542 )
2023-06-28 08:19:42 -04:00
Marcos Oviedo
821f6b064f
Adding support for GetPolicies message ( #12477 )
This relates to #12262
- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files )
for more information.
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
2023-06-27 12:59:33 -03:00
Martin Angers
8b95155ae2
Add mdm_enabled field to response of PATCH /config ( #12498 )
2023-06-26 09:16:42 -04:00
Marcos Oviedo
22bb16bf2e
Pushing initial support for MS-MDE2 Discovery message ( #12387 )
This PR requires the Windows MDM configuration changes - This will be
updated next week
- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files )
for more information.
- [x] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [x] Documented any permissions changes
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
2023-06-22 17:31:17 -03:00
gillespi314
8cc7d38300
Mark "verifying" or "verified" MDM profiles as "failed" if osquery cannot confirm they are installed ( #12414 )
2023-06-21 13:00:49 -05:00
Martin Angers
1c249b60da
Add support to configure and enable Windows MDM, notify eligible hosts ( #12340 )
2023-06-20 14:06:45 -04:00
Martin Angers
96aec85a0a
Add mechanism to force read from primary DB, use it for puppet matching ( #12396 )
2023-06-19 13:55:15 -04:00
Martin Angers
09d2ccd009
Add Windows MDM feature flag environment variable ( #12306 )
2023-06-14 08:44:42 -04:00
Martin Angers
68fa60c54d
Add a transferred_hosts activity when hosts are transferred to a new team ( #12287 )
2023-06-14 08:15:05 -04:00
Roberto Dip
1ad80fa251
bugfixes + adjustments for the puppet module ( #12221 )
A few minor things going on:
1. Adjusted the Puppet module to send the profiles base64 encoded
2. Enabled FileVault by default on teams created using the `/match`
endpoint.
3. Remove profiles when a team is removed. We can't do a foreign key
because the global team.id is NULL. I also included a migration to
cleanup orphaned profiles.
2023-06-08 18:05:44 -03:00