fleet
fleet copied to clipboard
fleetdm
Old MDM commands run when device is re-enrolled
Fleet version: 4.54.0
Web browser and operating system: macOS
💥 Actual behavior
Reproduced with VM: https://www.loom.com/share/3288ed4e9c1b4bb38fd9f18cf25f0e5b
A customer (customer-rosner) ran into this issue. When there are pending MDM commands and a host is deleted (and even un-enrolled), those commands run when the device re-enrolls. This causes unexpected side effects (eg. the customer is asking why there were RemoveProfile commands sent).
🧑💻 Steps to reproduce
- Enroll a macOS device
- Take the device offline so that it doesn't run MDM commands
- Enqueue commands (eg. by changing teams so that a new set of profiles is calculated)
- Unenroll the device and delete it in Fleet
- Reenroll the device
- All of the pending commands now run
🕯️ More info (optional)
The customer's expectation is that when the device is deleted in Fleet, any pending MDM commands are cancelled.
@zwass thanks for the amazing description. When you say re-enroll, is this using ADE/Manual enrollment or via touchless migration?
When the device enrolls we're technically cleaning the queue
https://github.com/fleetdm/fleet/blob/098087b6979b06221b261338c773aa300929f096/server/mdm/nanomdm/service/nanomdm/service.go#L118-L123
hey @zwass we verified the other day by accident with Sarah and Martin that any commands enqueued prior to re-enrollment are not sent (marked as disabled in the database) and it reminded me of this.
I suspect of the migration script, is it okay if I adjust the issue title/description accordingly?
@roperzh do you still think that this could be the migration script, or is this OK to grab and start debugging?
Old commands at bay, Touchless script grants clear path, Peace in re-enroll's sway.
