
On the Host details page, turn MDM off on BYOD iPhones/iPads

Open allenhouchins opened this issue 1 year ago • 6 comments

  • customer-pingali: Gong snippet TODO
  • @noahtalerman: User requested this because when an employee leaves the organization we want to remove their BYOD iPhone from Fleet.
    • @noahtalerman: In the interim the user can send a custom MDM command using Fleet's run MDM command API endpoint.
    • @noahtalerman: Eventually TODO
  • @noahtalerman: User requested this because they expect that an employee is going rogue or they are going to be terminated soon. We want to turn off MDM on their BYOD iPhone b/c our organization requires MDM to grant access to company resources/data (ex. Slack/Gmail). Users enforce this requirement in their IdP.
  • @noahtalerman: For company-owned iPhones and iPads, we can't think of a use case in which lost mode/wipe would be used instead of turning off MDM.

allenhouchins avatar Oct 10 '24 14:10 allenhouchins

I think behind the scenes this button would send a RemoveProfile MDM command to the host with com.fleetdm.fleet.mdm.apple passed as the value for the Identifier key:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
	<dict>
		<key>Command</key>
		<dict>
			<key>Identifier</key>
			<string>com.fleetdm.fleet.mdm.apple</string>
			<key>RequestType</key>
			<string>RemoveProfile</string>
		</dict>
		<key>CommandUUID</key>
		<string>E1C4537E-91C0-401D-A138-A67FF393726E</string>
	</dict>
</plist>

I used the Run MDM Command API endpoint to send this to my test host and it removed the MDM enrollment profile and all the other profiles that got delivered from Fleet. The host was no longer MDM enrolled.

I 100% agree there should be a button to simplify this, but I wanted to mention this in case this was blocking for any customers or prospects. It is possible today for an admin to turn off MDM on a host from Fleet without having access to the device.

cc: @allenhouchins @harrisonravazzolo @nonpunctual

ddribeiro avatar Oct 15 '24 18:10 ddribeiro
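The RemoveProfile command in the comment above can be generated and submitted programmatically instead of hand-written. The following is an added example, not Fleet's own code or ddribeiro's script: it builds the same plist with the standard library, base64-encodes it the way Fleet's run-MDM-command endpoint expects, and returns the request body so the command UUID can be recorded and later checked in the MDM command results. The endpoint path `/api/v1/fleet/commands/run`, the JSON body shape (`command`, `host_uuids`) and the `FLEET_URL` / `FLEET_TOKEN` environment variables are assumptions taken from Fleet's REST API documentation; verify them against the docs for your Fleet version before use. Unenrolling a host tears down every profile Fleet delivered, so the helper refuses identifiers other than the one the thread names unless explicitly allowed.

```python
"""Build (and optionally send) a RemoveProfile MDM command via Fleet's API.

Added example; not part of Fleet. Assumptions (label: ASSUMED):
  - POST {FLEET_URL}/api/v1/fleet/commands/run with JSON
    {"command": "<base64 XML plist>", "host_uuids": ["..."]}
  - FLEET_URL and FLEET_TOKEN come from the environment.
"""
import base64
import json
import os
import plistlib
import urllib.request
import uuid
from typing import Dict, Iterable, List, Optional

# Identifier of Fleet's MDM enrollment profile, as quoted in the thread.
FLEET_ENROLLMENT_PROFILE_ID = "com.fleetdm.fleet.mdm.apple"


def build_remove_profile_command(identifier: str = FLEET_ENROLLMENT_PROFILE_ID,
                                 command_uuid: Optional[str] = None,
                                 allow_other_profiles: bool = False) -> bytes:
    """Return the XML plist bytes for a RemoveProfile MDM command.

    Removing the enrollment profile unenrolls the device, so by default only
    that identifier is accepted; pass allow_other_profiles=True to remove a
    single ordinary configuration profile instead.
    """
    if identifier != FLEET_ENROLLMENT_PROFILE_ID and not allow_other_profiles:
        raise ValueError(f"refusing to remove non-enrollment profile {identifier!r}")
    payload = {
        "Command": {
            "RequestType": "RemoveProfile",
            "Identifier": identifier,
        },
        # Apple MDM command UUIDs are conventionally upper-case.
        "CommandUUID": (command_uuid or str(uuid.uuid4())).upper(),
    }
    # plistlib sorts keys, so the output matches the hand-written plist order.
    return plistlib.dumps(payload, fmt=plistlib.FMT_XML)


def parse_command(plist_bytes: bytes) -> Dict:
    """Round-trip a command plist back into a dict (used for self-checks)."""
    return plistlib.loads(plist_bytes)


def build_request_body(host_uuids: Iterable[str], plist_bytes: bytes) -> Dict:
    """Shape the Fleet run-command request (ASSUMED body format)."""
    hosts: List[str] = [h for h in host_uuids if h]
    if not hosts:
        raise ValueError("at least one host UUID is required")
    return {
        "command": base64.b64encode(plist_bytes).decode("ascii"),
        "host_uuids": hosts,
    }


def decode_request_command(body: Dict) -> Dict:
    """Decode the base64 plist inside a request body (for auditing/logging)."""
    return parse_command(base64.b64decode(body["command"]))


def send_to_fleet(body: Dict, fleet_url: Optional[str] = None,
                  token: Optional[str] = None) -> Dict:
    """POST the command to Fleet. Network call; not exercised offline."""
    fleet_url = (fleet_url or os.environ["FLEET_URL"]).rstrip("/")
    token = token or os.environ["FLEET_TOKEN"]
    req = urllib.request.Request(
        f"{fleet_url}/api/v1/fleet/commands/run",  # ASSUMED endpoint
        data=json.dumps(body).encode("utf-8"),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample host UUID; replace with a real one from Fleet.
    plist = build_remove_profile_command()
    body = build_request_body(["00000000-0000-0000-0000-000000000000"], plist)
    cmd = decode_request_command(body)
    print("CommandUUID to track in MDM command results:", cmd["CommandUUID"])
    if os.environ.get("FLEET_URL") and os.environ.get("FLEET_TOKEN"):
        print(send_to_fleet(body))
```

Keep the printed `CommandUUID`: after the device acknowledges, it is the key for looking up the command result in Fleet, which is the evidence that the enrollment profile was actually removed rather than merely queued.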

@ddribeiro Thanks! I also included some MDM cleanup in the cleanup_macos.sh script yesterday that takes a similar approach but using the on-host profiles binary. https://github.com/fleetdm/fleet/blob/f2fedb0187ddaaa488ee4cf4473d4700210c6eb4/orbit/tools/cleanup/cleanup_macos.sh#L26

allenhouchins avatar Oct 15 '24 18:10 allenhouchins

Problem

There is not an easy way for an admin to unenroll an iOS/iPadOS device from MDM remotely from Fleet UI. If an employee leaves the company, there is no way for an admin to ensure their management framework has been removed from the device. Deleting the host in Fleet does not remove MDM. Admins also need to remove the MDM profile remotely for troubleshooting or isolating a device from corporate data if they suspect the device has been compromised.

What have you tried?

[Screenshot 2024-10-10 at 9:21:41 AM]

Potential solutions

There should be a "Remove MDM" (or similar) option under the Actions menu on MDM-enabled devices. This action should also be available as a bulk action across many devices (ex: employee layoffs, voluntary departures, internships ending).

What is the expected workflow as a result of your proposal?

As an admin, I would click an option to Remove MDM and it remotely removes the MDM enrollment profile and any associated configuration profiles and managed apps.

noahtalerman avatar Oct 15 '24 20:10 noahtalerman

related: https://github.com/fleetdm/fleet/issues/19548

nonpunctual avatar Oct 16 '24 14:10 nonpunctual

@harrisonravazzolo can you please attach the Gong snippet from pingali? Thanks :)

noahtalerman avatar Oct 17 '24 19:10 noahtalerman

Hey @harrisonravazzolo just giving you another ping! Can you please attach the Gong snippet from pingali?

noahtalerman avatar Oct 21 '24 13:10 noahtalerman

https://us-65885.app.gong.io/call?id=4502089861812328304&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A1488%2C%22to%22%3A1546%7D%5D

After you watch this snippet, let me know your thoughts. I'm tempted to create a separate issue for adding iOS/iPadOS release MDM functionality to the pre-existing endpoint, which would change the scope.

harrisonravazzolo avatar Oct 23 '24 19:10 harrisonravazzolo

Hey @ambrusps we peeled this user story off this request and pulled the story into the current design sprint.

Keep in mind that the story likely won't address the entire request. It will be a small iterative piece.

noahtalerman avatar Oct 25 '24 14:10 noahtalerman

Hey @Patagonia121, we shipped part of this request (user story) in 4.69. In the request the customer mentioned "turn off MDM for Windows hosts" so I think we still need to address that portion.

Please let me know if customer-pingali has feedback on this improvement.

marko-lisica avatar Jun 25 '25 13:06 marko-lisica

FYI @Patagonia121 moved this customer request over to #g-unicorns.

noahtalerman avatar Jul 16 '25 13:07 noahtalerman

FYI @Patagonia121 moved this customer request to :help-customers: https://github.com/fleetdm/fleet/issues/30613#issuecomment-3134236137

noahtalerman avatar Jul 29 '25 22:07 noahtalerman

Sorry @noahtalerman no feedback on this yet from customer-pingali. I think it's okay to keep pressing ahead.

Patagonia121 avatar Sep 17 '25 03:09 Patagonia121

@Patagonia121 we got feedback from pingali: https://us-65885.app.gong.io/call?id=1897295774891642215&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A1165%2C%22to%22%3A1552%7D%5D

They told us that it's not clear what "Turn off MDM" v. "Unenroll" v. "Delete" means for different platforms.

I think we leave this request open and bring it back to feature fest. I think we want to follow up and document what "Turn off MDM" v. "Unenroll" v. "Delete" mean in a guide somewhere. Maybe we can add some copy to the product too.

FYI @marko-lisica

noahtalerman avatar Sep 17 '25 14:09 noahtalerman

@noahtalerman Wanted to confirm this story/issue is only for copy/guide updates, and has nothing to do with actually turning MDM off on BYOD iOS/iPadOS devices? If so, then a user story for it is done in this sprint and will be shipped in 4.75 https://github.com/fleetdm/fleet/issues/31584

MagnusHJensen avatar Sep 26 '25 09:09 MagnusHJensen

@MagnusHJensen thanks for raising!

Wanted to confirm this story/issue is only for copy/guide updates, and has nothing to do with actually turning MDM off on BYOD iOS/iPadOS devices? If so, then a user story for it is done in this sprint and will be shipped in 4.75 https://github.com/fleetdm/fleet/issues/31584

That's right. Copy and/or guide updates to address pingali feedback is what's left for this request.

Tracking those updates in a separate sub-issue here:

  • #22820

We already shipped this story (biggest piece of this request): https://github.com/fleetdm/fleet/issues/23239

noahtalerman avatar Sep 26 '25 17:09 noahtalerman