Config less Windows END_USER_EMAIL support
Fleet version: Fleet 4.50.0 (dogfood rc-snapshot)
Web browser and operating system: current browser, Windows 11 VM 23H2
💥 Actual behavior
This might not be a supported workflow or possibly holding the tool incorrectly. Is also experimental. Following https://fleetdm.com/guides/config-less-fleetd-agent-deployment and https://github.com/fleetdm/fleet/blob/825e78582119242b713a9ce2a4fa5b162982fd4b/cmd/fleetctl/package.go#L236C28-L236C51 thinking could supply FLEETCTL_END_USER_EMAIL and install.
msiexec /i fleetd-base.msi FLEET_URL="https://dogfood.fleetdm.com/" FLEET_SECRET="oursupersecretenroll" FLEETCTL_END_USER_EMAIL="[email protected]"
Also tried with ORBIT_END_USER_EMAIL="[email protected]" found in orbit https://github.com/fleetdm/fleet/blob/2e8da551d04aaf0305087f4c1871f9def1ce94fa/orbit/cmd/orbit/orbit.go#L190
Fleetd installs fine and even Windows MDM enrollment is good, but does not look like the end user email is passed on.
> curl -LSs -H 'Authorization: Bearer token' -H 'Content-Type:application/json' 'https://dogfood.fleetdm.com/api/v1/fleet/hosts/1001/device_mapping'
{
"host_id": 1001,
"device_mapping": null
}
Again, not sure if this flow was supported or designed only for during package build. Is possible this is more of a feature request.
🧑💻 Steps to reproduce
- Fresh Windows VM started up, making sure removed host from dogfood
- Install the fleetd-base.msi with msiexec passing envvar
- Enrolls in Fleet fine but does not seem to pass FLEETCTL_END_USER_EMAIL or ORBIT_END_USER_EMAIL
🕯️ More info (optional)
This would help with workflows on Windows by supplying the fleetd package and then installing with a command that could pass, instead of having to build individual fleetd packages for each "email mapping".
Was able to get this working by setting in the SYSTEM Environment Variables (tested with ORBIT_END_USER_EMAIL and ORBIT_ENABLE_SCRIPTS) for Windows. Also needed to uninstall fleet-osquery, delete from Fleet, and enroll. Did not set when restarting orbit.
> curl -LSs -H 'Authorization: Bearer token' -H 'Content-Type:application/json' 'https://dogfood.fleetdm.com/api/v1/fleet/hosts/1005/device_mapping'
{
"host_id": 1005,
"device_mapping": [
{
"email": "[email protected]",
"source": "custom"
}
]
}
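The workaround described above, written out as a PowerShell script. This is an added example, not code from the original post or from the Fleet project; the server URL, e-mail address, host ID parameter, and the FLEET_ENROLL_SECRET / FLEET_API_TOKEN variable names are placeholders, and it assumes the behaviour the reporter observed (the machine-scope variable is read on a fresh install and enrollment).

```powershell
#Requires -RunAsAdministrator
# Added example: sets ORBIT_END_USER_EMAIL machine-wide, installs fleetd-base.msi,
# then checks the host's device_mapping. All default values below are placeholders.
param(
    [string]$MsiPath   = '.\fleetd-base.msi',
    [string]$FleetUrl  = 'https://fleet.example.com/',  # placeholder server URL
    [string]$UserEmail = 'user@example.com',            # constructed sample value
    [string]$HostId    = ''                             # Fleet host ID, known only after enrollment
)

# Secrets come from the environment instead of being typed into the script.
# FLEET_ENROLL_SECRET and FLEET_API_TOKEN are hypothetical variable names.
$enrollSecret = $env:FLEET_ENROLL_SECRET
$apiToken     = $env:FLEET_API_TOKEN
if (-not $enrollSecret) { throw 'Set FLEET_ENROLL_SECRET before running.' }

# 1. Set the variable at machine (SYSTEM) scope before installing. The reporter
#    found it was picked up only on a fresh install and enrollment, not on an
#    orbit restart, so remove any existing fleetd install and host record first.
[Environment]::SetEnvironmentVariable('ORBIT_END_USER_EMAIL', $UserEmail, 'Machine')

# 2. Install with the two properties the thread says fleetd-base.msi supports.
$msiArgs = @(
    '/i', "`"$MsiPath`"",
    "FLEET_URL=`"$FleetUrl`"",
    "FLEET_SECRET=`"$enrollSecret`""
)
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "msiexec failed with exit code $($proc.ExitCode)" }

# 3. Once the host has enrolled and its ID is known, confirm the mapping using
#    the same endpoint as the curl calls above.
if ($HostId -and $apiToken) {
    $uri  = '{0}/api/v1/fleet/hosts/{1}/device_mapping' -f $FleetUrl.TrimEnd('/'), $HostId
    $resp = Invoke-RestMethod -Uri $uri -Headers @{ Authorization = "Bearer $apiToken" }
    $hit  = @($resp.device_mapping) |
            Where-Object { $_.email -eq $UserEmail -and $_.source -eq 'custom' }
    if ($hit) {
        Write-Output "device_mapping contains $UserEmail (source: custom)"
    } else {
        Write-Warning 'device_mapping is null or does not contain the expected e-mail.'
    }
}
```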
Hey @lucasmrod, when installing fleetd using the "config-less" method (msiexec) can we pass any of the flags that we can specify when running fleetctl package?
For example, Grant is trying to pass --end-user-email.
@pacamaster I would try just END_USER_EMAIL and see what happens 🤷
@sharon-fdm @noahtalerman Is this a new bug in v4.50.0 that should be release blocking?
@noahtalerman attempted END_USER_EMAIL flag does not function the same/as expected.
END_USER_EMAIL is not supported for fleetd-base.msi, seems only FLEET_URL and FLEET_SECRET are supported:
https://github.com/fleetdm/fleet/blob/54cca7b28a5c4f66f9994a42857346c688bbcb85/orbit/pkg/packaging/windows_templates.go#L57-L58
@noahtalerman, @lucasmrod, should we close it if it's not supported?
Maybe send it to feature-fest?
@lucasmrod and @sharon-fdm yep! Let's transform this one into a feature request and send it to feature fest.
@pacamaster I changed the labels to match the feature_fest format. Please feel free to edit the story to match what you want to achieve.
@noahtalerman moved to product board
Duplicate of #19219
Windows users yearn, Fleet's email mapping fix, Harmony returns.