Commit Graph

61 Commits

Author SHA1 Message Date
Martin Angers
d0f276cd75
Log when ABM terms have changed without requiring debug logging (#14712) 2023-10-24 09:51:34 -04:00
Marcos Oviedo
f0d77ab3db
Merging Bitlocker feature branch (#14350)
This relates to #12577

---------

Co-authored-by: gillespi314 <73313222+gillespi314@users.noreply.github.com>
Co-authored-by: Roberto Dip <dip.jesusr@gmail.com>
2023-10-06 19:04:33 -03:00
Marcos Oviedo
d0ab1c744e
Adding error logging for SOAP faults. Relaxing enrollment request checks (#13876)
This relates to #13875 

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [X] Manual QA for all new/changed functionality
2023-09-14 14:29:12 -03:00
Roberto Dip
ea6b59f179
upgrade Go version to 1.21.1 (#13877)
For #13715, this:

- Upgrades the Go version to `1.21.1`, infrastructure changes are
addressed separately at https://github.com/fleetdm/fleet/pull/13878
- Upgrades the linter version, as the current version doesn't work well
after the Go upgrade
- Fixes new linting errors (we now get errors for memory aliasing in
loops! 🎉 )

After this is merged people will need to:

1. Update their Go version. I use `gvm` and I did it like:

```
$ gvm install go1.21.1
$ gvm use go1.21.1 --default
```

2. Update the local version of `golangci-lint`:

```
$ go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.54.2
```

3. (optional) depending on your setup, you might need to re-install some
packages, for example:

```
# goimports to automatically import libraries
$  go install golang.org/x/tools/cmd/goimports@latest

# gopls for the language server
$ go install golang.org/x/tools/gopls@latest

# etc...
```
2023-09-13 15:59:35 -03:00
gillespi314
5935c0bb48
Add retries to MDM profile verification (#13811) 2023-09-12 09:59:47 -05:00
Roberto Dip
b50e1939db
Allow to configure fleetd for script execution (#13564)
Related to #13310 and #13304 this adds two ways to enable script
execution in `fleetd` (the orbit component)

- By building a package with `--enable-scripts`
- By providing a setting via a configuration profile (macOS only)

Due to how the profile assignment works, this change automatically
updates the `com.fleetdm.fleetd.config` for hosts that already have the
profile installed.

> [!NOTE]
> Documentation is in
[#13577](https://github.com/fleetdm/fleet/pull/13577) to decouple
reviews.
2023-08-30 10:18:34 -03:00
Roberto Dip
902e064d04
fix issues with migration flow (#13297)
For #13094
2023-08-14 09:56:59 -03:00
Roberto Dip
d845720c2d
fix: ensure we assign ABM profiles for modified hosts (#13275)
for #12958 and #13110
2023-08-10 19:51:17 -03:00
Roberto Dip
8fda48db8b
use only the UUID part of external_host_identifier for Puppet runs (#13176)
related to #12483, we have found out that in distributed scenarios, the
URL of the Puppet server used for the request is appended to the
identifier, and it can be different between `/preassign` and `/match`
calls.

to account for this, we're only grabbing the first 36 characters of the
identifier.
2023-08-07 12:41:13 -03:00
gillespi314
9ae3aa8036
Update MDM profile verification (#13138) 2023-08-07 09:46:03 -05:00
Roberto Dip
442e03b276
Improve the error handling for MDM SSO during DEP enrollment (#12966)
For #12692
2023-07-26 14:20:36 -03:00
Marcos Oviedo
501ef480b0
Windows mdm TOS endpoint (#12900)
This relates to https://github.com/fleetdm/fleet/issues/12604 and
https://github.com/fleetdm/fleet/issues/12600

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
2023-07-21 14:36:26 -03:00
Roberto Dip
ee461bac2e
optimizations to profile delivery (#12808)
for #12481
2023-07-20 18:11:45 -03:00
Marcos Oviedo
2c02ab3be5
Adding temporary MS-MDM implementation (#12852)
This is the prototype implementation for MS-MDM. Most of the code here
will change in the upcoming sprints once
https://github.com/fleetdm/fleet/issues/12839,
https://github.com/fleetdm/fleet/issues/12840,
https://github.com/fleetdm/fleet/issues/12841 get implemented.

- [ ] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
2023-07-20 11:54:04 -03:00
Marcos Oviedo
f429c6db49
12613 Azure AD JWT Auth token support (#12817)
This PR adds support to parse Azure JWT tokens, and it also adds the STS
endpoint ([Section
3.2](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mde2/27ed8c2c-0140-41ce-b2fa-c3d1a793ab4a)
on the MS-MDE2 spec)

This relates to #12614 and #12613 

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
2023-07-19 13:30:24 -03:00
Roberto Dip
eb75e303ec
change how team assignment works for the Puppet module (#12566)
For #12532, all details of how this works/why is done are in the issue
description.
2023-07-13 15:00:45 -03:00
Roberto Dip
666ae8d787
ensure ds.TeamByName returns a 4xx response if no team is found (#12620)
this helps consumer of the datastore method handle the not found
scenario better and ensures we always return a 4xx code by default if we
can't find a matching team.

seems like calls to this method were special-cased everywhere except in
the apply user roles endpoint, where we returned a `500` status code if
we couldn't find a team.
2023-07-13 11:55:05 -03:00
Marcos Oviedo
a49e980394
Windows MDM identity certs missing check (#12702)
This is related #12701 

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
- [X] Manual QA for all new/changed functionality
2023-07-10 17:36:17 -03:00
Marcos Oviedo
96449dd47b
Adding support for RequestSecurityToken messages - Windows MDM enroll endpoint (#12555)
This relates to #12263 

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [X] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [X] Added/updated tests

---------

Co-authored-by: Roberto Dip <me@roperzh.com>
2023-07-05 10:06:37 -03:00
gillespi314
410cbc3972
Add certificate management for Microsoft MDM (WSTEP) (#12543)
Issue #12261

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [ ] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [ ] Documented any permissions changes
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [ ] Added/updated tests
- [ ] Manual QA for all new/changed functionality
  - For Orbit and Fleet Desktop changes:
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2023-06-29 19:31:53 -03:00
Marcos Oviedo
821f6b064f
Adding support for GetPolicies message (#12477)
This relates to #12262 

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
2023-06-27 12:59:33 -03:00
Marcos Oviedo
22bb16bf2e
Pushing initial support for MS-MDE2 Discovery message (#12387)
This PR requires the Windows MDM configuration changes - This will be
updated next week

- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [x] Documented any permissions changes
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
  - For Orbit and Fleet Desktop changes:
2023-06-22 17:31:17 -03:00
Martin Angers
1c249b60da
Add support to configure and enable Windows MDM, notify elegible hosts (#12340) 2023-06-20 14:06:45 -04:00
Roberto Dip
3127c9fffd
handle "modified" and "deleted" operation types in DEP sync (#12150)
for #10605, this modifies the cron used to ping the list/sync devices
API from ABM to account for the "deleted" and "modified" operation
types.

We know that:

1. Sometimes, Apple sends a "modified" operation type when a device's
MDM server is reassigned in ABM, up until now, we were ignoring these
devices.
2. Devices that are no longer assigned to Fleet in ABM can't be
migrated.
2023-06-06 15:04:59 -03:00
Martin Angers
9f064acd2e
Match pre-assigned profiles to a team (or create one) and assign host to team (#12127) 2023-06-05 15:08:21 -04:00
Martin Angers
4322a28f5a
Implement preassign endpoint as first step to match profiles and hosts to teams (#12046) 2023-05-31 09:24:22 -04:00
Roberto Dip
8e532a5e76
pre-populate username/fullname during account creation (#11557)
Related to #10744, this pre-populates and disables the username/fullname
fields.

https://user-images.githubusercontent.com/4419992/236854781-ac67ee28-c19c-4130-a5e6-2872220501b5.mov


# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
2023-05-18 12:50:00 -03:00
Martin Angers
e3a4e5fa0c
Add support for profile UUIDs per team/no-team for the default profile (#11717) 2023-05-17 09:06:14 -04:00
Martin Angers
7b1b392627
Implement worker jobs that update/re-assign setup assistants on changes (#11630) 2023-05-15 14:06:09 -04:00
Lucas Manuel Rodriguez
bb3b21b574
Add TestMDMClient to simulate MDM clients in osquery-perf (#11672)
#11528

osquery-perf simulated hosts enroll and are identified as manually
enrolled. (Enrolling as DEP requires more work, e.g. a new mocked Apple
DEP endpoint).

Given that these are simulated MDM clients, they cannot be woken up with
push notifications. Instead, these check for new commands to execute
every 10 seconds (which is not realistic, but could serve as a good
loadtesting exercise).

I will now start setting up the loadtest environment with MDM enabled
and configured to test this.

- ~[ ] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.~
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- ~[ ] Documented any permissions changes~
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- [X] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
  - ~For Orbit and Fleet Desktop changes:~
- ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.~
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-05-12 13:50:20 -03:00
gillespi314
a9584dc32f
Allow end user authentication during automatic MDM enrollment to be enabled on a per-team basis (#11566) 2023-05-10 15:22:08 -05:00
Martin Angers
70f18dda4a
Apply custom setup assistants (if present) when ingesting new devices (#11563) 2023-05-09 13:00:18 -04:00
Martin Angers
b3993ebda4
Allow "not_before" timestamp for worker jobs, schedule more quickly (#11512) 2023-05-03 16:25:36 -04:00
Roberto Dip
a23d208b1d
gate DEP enrollment behind SSO when configured (#11309)
#10739

Co-authored-by: Gabriel Hernandez <ghernandez345@gmail.com>
Co-authored-by: gillespi314 <73313222+gillespi314@users.noreply.github.com>
2023-04-27 09:43:20 -03:00
Roberto Dip
5c487890ca
add an endpoint to get an aggregate summary of bootstrap packages (#11156)
Co-authored-by: gillespi314 <73313222+gillespi314@users.noreply.github.com>
Co-authored-by: Martin Angers <martin.n.angers@gmail.com>
2023-04-22 10:23:38 -05:00
Roberto Dip
77e5c004f4
implement bootstrap packages during DEP enrollment (#11052)
#10213
2023-04-07 17:31:02 -03:00
Roberto Dip
cf874f2901
update fleetd manifest url (#11032)
#10971 this updates the manifest url
2023-04-06 13:50:40 -03:00
Roberto Dip
40c5bb1c25
install fleetd on DEP enrolled hosts during enrollment (#10971)
https://github.com/fleetdm/fleet/issues/9459
2023-04-05 20:52:26 -03:00
Martin Angers
741a7aa5d0
Finalize MDM commands part 3: add the fleetctl get mdm-command-results command (#10964) 2023-04-05 10:50:36 -04:00
Roberto Dip
ab583d66e6
Add a tool to generate manifests for Apple MDM (#10959)
Related to #9459 this will allow us to host a `fleetd` metadata
alongside the installer that can be used by Apple's MDM
`InstallEnterpriseApplication`
2023-04-05 10:35:38 -03:00
Roberto Dip
337d61c823
automatically install a fleetd configuration profile to relevant teams (#10910)
Related to #9459, this adds logic to the cron to add a
`com.fleetdm.fleetd.config` configuration profile to the
`apple_mdm_configuration_profiles` table.

As noted in the comments, this makes some assumptions:

- This profile will be applied to all hosts in the team (or "no team",)
but it will only be used by hosts that have a fleetd installation
without
  an enroll secret and fleet URL (mainly DEP enrolled hosts).
- Once the profile is applied to a team (or "no team",) it's not removed
if
  AppConfig.MDM.AppleBMDefaultTeam changes, this is to preserve existing
agents using the configuration (mainly ServerURL as EnrollSecret is used
  only during enrollment)
2023-04-04 17:09:20 -03:00
Roberto Dip
729c1e4042
automatically create DEP JSON profiles if none is set. (#10871)
#9569
2023-03-30 14:25:30 -03:00
Roberto Dip
f04ff27180
Prevent user action in profiles managed by Fleet (#10559)
related to https://github.com/fleetdm/fleet/issues/10547,
https://github.com/fleetdm/fleet/issues/10549,
https://github.com/fleetdm/fleet/issues/10550 and
https://github.com/fleetdm/fleet/issues/10552 this prevents user
interaction with fleet-managed profiles, including:

- batch actions
- individual POST/UPDATE/DELETE actions
- listing

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Added/updated tests
2023-03-17 18:52:30 -03:00
Roberto Dip
a1ca172c95
allow to set up a DEP flow gated by Okta auth (#10338)
#10271
2023-03-13 10:33:32 -03:00
Roberto Dip
164bb4bf5c
add logic to configure FileVault + escrow (#10160)
Related to #9495, this adds the underlying methods to send a
configuration profile that enables FileVault and FileVault Escrow, so we
can fetch and decrypt the encryption key later on.

These methods still need to be called somewhere, and they might need to
be moved outside of `Service`, but at least this gives us a start.
2023-03-01 10:43:15 -03:00
Roberto Dip
af6d4059b9
Read enroll-secret and fleet-url from config profile on macOS (#10134)
This allows orbit to read enroll-secret and fleet-url from a
configuration profile if both values are not set when the package is
built.

Part of https://github.com/fleetdm/fleet/issues/9459
2023-02-28 15:54:06 -03:00
Roberto Dip
8284274c3b
incomplete implementation of device wipe and lock (#9947) 2023-02-22 17:11:44 -03:00
Roberto Dip
0f5a35061e
don't filter DEP hosts by OS before ingesting and improve logs (#9815)
Related to https://github.com/fleetdm/fleet/issues/9653 I couldn't find
any documentation to back this up, but I have a strong suspicion that
the `os` field in the device sync response might come empty in some
scenarios (particularly, when a laptop is brand new, which is hard to
reproduce 😅)

My thoughts are:

1. For the recently purchased MacBooks,
`IngestMDMAppleDevicesFromDEPSync` didn't create an entry in the
database, BUT `nanodep.Assigner.ProcessDeviceResponse` correctly
assigned a DEP profile (the devices were able to enroll). Both methods
filter by `op_type` but only ours filters by `os`.
2. I think this is safe-ish to do, as you will normally assign a MDM
server per device type in ABM

![image](https://user-images.githubusercontent.com/4419992/218732609-0936e3a9-cadf-4485-9aa4-af2c9398cff9.png)
3. I have added extra logs to try to prove this hypothesis next time a
brand new device comes in, let's keep an eye on and re-evaluate this
approach.
2023-02-14 10:23:19 -03:00
Roberto Dip
046401d190
Ingest file vault recovery keys in macOS (#9712)
Related + details at https://github.com/fleetdm/fleet/issues/8708
2023-02-08 11:49:42 -03:00
Roberto Dip
ffed7f8ebe
return 422 status code if fleetdm.com returns any 4xx status for CSR (#9610)
Related to https://github.com/fleetdm/fleet/issues/9588, we now handle 4xx responses from the fleetdm.com server and forward those to the client.

At the time of this commit, the only 4xx response that wasn't already handled by the server is because of an invalid email domain, so we assume that, but we should look into establishing a pattern of error messages with the website instead.
2023-02-01 12:50:22 -03:00