Install fleetd when MDM is turned on
Goal
| User story |
|---|
| As an IT admin who enrolls hosts to Fleet by delivering the MDM enrollment profile (ex. customer-preston), I want Fleet to install the fleetd agent whenever the MDM enrollment profile is applied, so that I can re-enroll a macOS host to Fleet after it's been wiped. |
Context
- Product designer: @noahtalerman
Noah: The plan later is to also install the bootstrap package anytime MDM is turned on. I think we can address that in a later pass. Keep the scope smaller for this story.
Changes
Product
- [ ] Whenever MDM is turned on, install fleetd. Don’t clear host vitals (everything you see on the Host details page)
- [ ] Outdated documentation changes: No doc changes needed. We've learned that this is the expected behavior.
- [ ] Changes to paid features or tiers: Changes apply to Fleet Free and Fleet Premium
Engineering
- [ ] Database schema migrations: TODO
- [ ] Load testing: TODO
ℹ️ Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".
QA
Risk assessment
- Requires load testing: TODO
- Risk level: Low / High TODO
- Risk description: TODO
Manual testing steps
- Step 1
- Step 2
- Step 3
Testing notes
Confirmation
- [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
- [ ] QA (@____): Added comment to user story confirming successful completion of QA.
Thanks for tracking this @ksatter.
Updated the issue description to use Fleet's "enrolled v. MDM turned on" language. Check out the "why" in handbook here: https://fleetdm.com/handbook/company/why-this-way#why-does-fleet-use-mdm-on-off-instead-of-mdm-enrolled-unenrolled
Google doc on host behavior when turning on/off MDM (internal): https://docs.google.com/document/d/1khTZiUJAMP2YT22Eu3VTtAM2-uL_eq_67JeAXVefZhI/edit
Hey @ksatter, I updated this issue to the user story format. I moved your original issue description below for safekeeping.
Problem
A macOS host enrolled to Fleet w/ MDM features on is wiped.
When it's set back up, MDM is turned on but the fleetd agent isn't redelivered.
This means the IT admin can't manage the device (run queries, MDM commands, etc.) without reinstalling fleetd themselves or with the help of the end user.
Potential solutions
When MDM is turned on, install fleetd, bootstrap package (if DEP), and profiles. Don’t clear host vitals (everything you see on the Host details page)
FYI @roperzh, upcoming improvement related to host re-enrollment.
Goal is to bring this one through the next estimation.
Let me know if you have any feedback/thoughts on the changes.
~@noahtalerman have we confirmed that this is not the case now? I believe that with the "mdm lifecycle revamp" this might already be working as described here.~
EDIT: no, I was wrong. But, I don't see any problems 👍, thanks for the heads-up!
Hey team! Please add your planning poker estimate with Zenhub @dantecatalfamo @gillespi314 @jahzielv @mna @roperzh
Can confirm that this happens since fleet-v4.50.0, I tested using customer-preston's workflow for manual enrollments (download profile from API, modify it with a custom email, install it). I believe this issue was created before that release went out so we might be good here! cc: @ksatter in case there's another flow I might be missing.
QA Steps:
- I removed all profiles and uninstalled fleetd from my MBAir
- I left the host in the Fleet UI to verify vitals remained unchanged after re-enroll (they did)
- I manually enrolled, then confirmed fleetd re-installed after a few minutes (see video). QA approved!
https://www.loom.com/share/d0e1074e2f0645539124368475d0cba6?sid=06fd38db-5551-46a3-9b35-8748f245c1be
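The QA steps above check two things by hand on the re-enrolled Mac: that MDM is turned on, and that fleetd came back on its own a few minutes later. The script below is an added example of automating that check, written for this page; it is not Fleet's code and does not ship with fleetd. It assumes the default fleetd install locations (`/Library/LaunchDaemons/com.fleetdm.orbit.plist` and `/opt/orbit`) and the line format printed by macOS `profiles status -type enrollment` (`MDM enrollment: Yes (User Approved)`); both are assumptions, and the status text used in the comments below is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added verification helper for the "MDM turned on -> fleetd reinstalled" flow.
# Not Fleet's code. Paths and the `profiles` output format are assumptions.
set -eu

# Assumed default locations of the fleetd launch daemon and the orbit root.
FLEETD_PLIST="${FLEETD_PLIST:-/Library/LaunchDaemons/com.fleetdm.orbit.plist}"
ORBIT_ROOT="${ORBIT_ROOT:-/opt/orbit}"

# Parse the text printed by `profiles status -type enrollment`, e.g. (constructed):
#   Enrolled via DEP: No
#   MDM enrollment: Yes (User Approved)
# Returns 0 when the "MDM enrollment:" line reports Yes, 1 otherwise.
# Pure text parsing, so it can be exercised with sample output on any OS.
mdm_enrolled_from_status() {
    printf '%s\n' "$1" | grep -qi '^MDM enrollment: *Yes'
}

# Returns 0 when both the launch daemon plist (file) and the orbit root
# (directory) exist, i.e. fleetd was delivered after the profile was applied.
fleetd_installed_at() {
    plist="$1"; root="$2"
    [ -f "$plist" ] && [ -d "$root" ]
}

# Poll until fleetd shows up or the deadline passes.
# Args: plist root timeout_seconds interval_seconds. Returns 1 on timeout.
wait_for_fleetd() {
    plist="$1"; root="$2"; timeout="$3"; interval="$4"
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if fleetd_installed_at "$plist" "$root"; then
            return 0
        fi
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
    return 1
}

# Entry point for a real macOS host: `sh check_reenroll.sh run`.
main() {
    status="$(profiles status -type enrollment 2>/dev/null || true)"
    if mdm_enrolled_from_status "$status"; then
        echo "MDM is on"
    else
        echo "MDM is off or enrollment status unavailable"
        exit 2
    fi
    # fleetd arrives asynchronously after the profile is applied; allow 10 minutes.
    if wait_for_fleetd "$FLEETD_PLIST" "$ORBIT_ROOT" 600 15; then
        echo "fleetd present at $ORBIT_ROOT"
    else
        echo "fleetd not reinstalled within 10 minutes"
        exit 1
    fi
}

case "${1:-}" in
    run) main ;;
esac
```

Run it with `run` as the first argument on the wiped-and-re-enrolled host right after the enrollment profile is installed; an exit code of 2 means MDM never turned on (so fleetd delivery was never triggered), while 1 means MDM is on but fleetd did not arrive in the window, which is the failure this story fixes.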
Hey @zayhanlon this story has shipped.
MDM turns on, fleetd installs, data persists, Peace for admins blooms.