Research: Get `UnlockToken` to send clear passcode MDM command

Open marko-lisica opened this issue 7 months ago • 2 comments

Goal

User story
As a Fleet contributor,
I want to know if Fleet can get the UnlockToken for hosts that already have MDM turned on in Fleet
so that I can know if hosts will have to re-turn on MDM to send the clear passcode MDM command (we think this command requires UnlockToken).

Key result

Customer request

Original requests

  • #27646

Context

  • Product Designer: @noahtalerman

Changes

Product

  • [ ] Create a public Google doc with findings for these questions:
    • Is the UnlockToken required to run the clear passcode MDM command? If yes, what does the UnlockToken look like?
    • If the UnlockToken is required to run the clear passcode MDM command, how can we get the UnlockToken? Can the IT admin get it today in Fleet? Maybe by running a different MDM command?
      • If the IT admin can't get it today in Fleet, what changes could we make to Fleet to get the token?
        • After we make these changes, will the end user have to turn off and re-turn on MDM to send Fleet the UnlockToken? Is there a way to get it without IT admin or end user action?
  • [ ] UI changes: No changes
  • [ ] CLI (fleetctl) usage changes: No changes
  • [ ] YAML changes: No changes
  • [ ] REST API changes: No changes
  • [ ] Fleet's agent (fleetd) changes: No changes
  • [ ] GitOps mode changes: No changes
  • [ ] Activity changes: No changes
  • [ ] Permissions changes: No changes
  • [ ] Changes to paid features or tiers: No changes
  • [ ] My device and fleetdm.com/better changes: No changes
  • [ ] First draft of test plan added
  • [ ] Other reference documentation changes: No changes
  • [ ] Once shipped, requester has been notified
  • [ ] Once shipped, dogfooding issue has been filed

Engineering

No changes for this research story.

QA

Risk assessment

  • Requires load testing: N/A
  • Risk level: Low / High: N/A

Test plan

No QA for this research story.

marko-lisica avatar Apr 11 '25 14:04 marko-lisica

FYI @georgekarrv I moved this research story to "Ready to spec." Think we can move it to "Ready to estimate"?

Since it's a research story, I wiped out the "Engineering" and "QA" sections.

noahtalerman avatar May 12 '25 13:05 noahtalerman

FYI @georgekarrv I moved this story over the "Ready to estimate." Can you please help us estimate it today? Thanks!

noahtalerman avatar May 14 '25 13:05 noahtalerman

@MagnusHJensen test

georgekarrv avatar Jul 11 '25 13:07 georgekarrv

gkarr@gkarr-m5-pro:~/projects/fleet$ cat gk/ipad_unlock.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Command</key>
    <dict>
        <key>RequestType</key>
        <string>ClearPasscode</string>
        <key>UnlockToken</key>
        <data>
        REFUQQAABPRWRVJTAAAABAAAAAVUWVBFAAAABAAAAAJVVUlEAAAAEH4VniN+6EkYl30M
        6v69XkxITUNLAAAAKFrjueTm9qvd7X3qTEk9XHEckOqpIlCO53xfmZ7DiNf+TwHRlF+a
        lxJXUkFQAAAABAAAAAFTQUxUAAAAFHfCyN5PuQFkjs6qdhzJUKHVZ/jBSVRFUgAAAAQA
        AAVsVVVJRAAAABAylj....ejhWRHVQ0xBUwAAAAQAAAABV1JBUAAAAAQAAAAD
        S1RZUAAAAAQAAAAAV1BLWQAAAChdND6aRwE+iUWAbMGrsZ3LZnSW0/qxQ50Jog95FgFg
        buTAP3GTVl1HVVVJRAAAABA62QlxMk1Kq5lfqXjbMqXAQ0xBUwAAAAQAAAACV1JBUAAA
        AAQAAAADS1RZUAA....ACivgEQlT+4edZf6Ep+WsQ4WPYJIRggAbGCY
        hr6i7q6dZv0i2IBX7wUqUEJLWQAAACDIRprFQXaLsIMwtfMQKtGhgrYlw8b+YJVZ7y54
        T3RYHVVVSUQAAAAQlI8fmOlyTHa1fW3Chgbjr0NMQVMAAAAEAAAAA1dSQVAAAAAEAAAA
        A0tUWVAAAAAEAAAAAFdQS1kAAAAo3phuaN1zCz0AMXVIM4pNHjJwJpaoKHg3KOzNabzS
        1rIDspAMPPRZU1VVSUQAAAAQFw2dlEijSGiPEOU+MWkRp0NMQVMAAAAEAAAABVdSQVAA
        AAAEAAAAA0tUWVAAAAAEAAAAAFdQS1kAAAAoTAYEhbCQ6ocF8N3wKmv5x3M+vLqKzu7e
        /ITOsoBm7LiXmhmXy1TDO....AAAAQ8Tiqeil7QPCDTGqzeDz6cENMQVMAAAAEAAAA
        BldSQVAAAAAEAAAAA0tUWVAAAAAEAAAAAFdQS1kAAAAomtzjzhhBYi45Fx2Ssx3FryNa
        3x2zR1CCAA0Thx+AupsHAU5uo3777lVVSUQAAAAQZ+uqS7lPTSadBw9Bnx9yp0NMQVMA
        AAAEAAAAB1dSQVAAAAAEA....WVAAAAAEAAAAAFdQS1kAAAAozlzEezJHQmudn+3k
        8n0Yqe5SwinStmmzEy3sjoIK4grBLidI9Szte1VVSUQAAAAQCh6fa2SeQwW1jUE0YIdr
        lUNMQVMAAAAEAAAACFdSQVAAAAAEAAAAA0tUWVAAAAAEAAAAAFdQS1kAAAAof2lxDOsD
        kVoR3n5aZwnApAG45y232OnbaEiDn2Avc+kDsVanMnuRjFVVSUQAAAAQlsTWehybTK+a
        LTWJUyn7H0NMQVMAAAAEAAAACVdSQVAAAAAEAAAAA0tUWVAAAAAEAAAAAFdQS1kAAAAo
        +SmWnRIBPYGVmA....XWfU+AeFYT2ZUjkka/6s3M5KQbclVVSUQAAAAQKRGB
        H6VmS2S8WRam8+PrS0NMQVMAAAAEAAAACldSQVAAAAAEAAAAA0tUWVAAAAAEAAAAAFdQ
        S1kAAAAoTUFEptLRDcBytd5sSE3ZAryKoeae7u1M1Vcx46s37/EpatWEifBg6VVVSUQA
        AAAQeeeFCrC4Tw+4qskYftgCZUNMQVMAAAAEAAAAC1dSQVAAAAAEAAAAA0tUWVAAAAAE
        AAAAAFdQS1kAAAAoaVEfzf3M3NYjDJAdlQ3Ikk5sayargrFiENK3z/gi6aWwBGHygPlG
        wFNJR04AAAAU9pZXW8Wj1KClXQEWLvZRtpTcT6g=
        </data>
    </dict>
    <key>CommandUUID</key>
    <string>0001_ClearPasscode</string>
</dict>
</plist>

This worked just fine

The token is given on enrollment and lives in the nano_devices table;

mysql> show columns from nano_devices;
+---------------------+--------------+------+-----+-------------------+-----------------------------------------------+
| Field               | Type         | Null | Key | Default           | Extra                                         |
+---------------------+--------------+------+-----+-------------------+-----------------------------------------------+
| id                  | varchar(255) | NO   | PRI | NULL              |                                               |
| identity_cert       | text         | YES  |     | NULL              |                                               |
| serial_number       | varchar(127) | YES  | MUL | NULL              |                                               |
>>| unlock_token        | mediumblob   | YES  |     | NULL              |                                               |
| unlock_token_at     | timestamp    | YES  |     | NULL              |                                               |
| authenticate        | text         | NO   |     | NULL              |                                               |
| authenticate_at     | timestamp    | NO   |     | CURRENT_TIMESTAMP | DEFAULT_GENERATED                             |
| token_update        | text         | YES  |     | NULL              |                                               |
| token_update_at     | timestamp    | YES  |     | NULL              |                                               |
| bootstrap_token_b64 | text         | YES  |     | NULL              |                                               |
| bootstrap_token_at  | timestamp    | YES  |     | NULL              |                                               |
| created_at          | timestamp    | YES  |     | CURRENT_TIMESTAMP | DEFAULT_GENERATED                             |
| updated_at          | timestamp    | YES  |     | CURRENT_TIMESTAMP | DEFAULT_GENERATED on update CURRENT_TIMESTAMP |
| platform            | varchar(255) | NO   |     |                   |                                               |
| enroll_team_id      | int unsigned | YES  | MUL | NULL              |                                               |
+---------------------+--------------+------+-----+-------------------+-----------------------------------------------+

georgekarrv avatar Jul 23 '25 04:07 georgekarrv
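The flow georgekarrv's comment describes, as an added example that is not Fleet's or nanomdm's code: the device hands the MDM server an UnlockToken in its TokenUpdate check-in at enrollment, the server stores it per device (Fleet keeps it in `nano_devices.unlock_token`), and the stored bytes are later placed in the `Command.UnlockToken` key of a `ClearPasscode` command, exactly as in the plist above. The TokenUpdate message below is constructed and its UnlockToken value is a placeholder, not a real token; Python's standard `plistlib` is used so the example runs offline, and the function names are this example's own.

```python
import plistlib
import uuid
from typing import Optional

# Constructed sample of the TokenUpdate check-in message a device sends at
# enrollment. Every value here is made up; the UnlockToken is a placeholder.
SAMPLE_TOKEN_UPDATE = plistlib.dumps({
    "MessageType": "TokenUpdate",
    "Topic": "com.apple.mgmt.External.constructed-topic",
    "UDID": "00000000-CONSTRUCTED-UDID",
    "Token": b"constructed-apns-device-token",
    "PushMagic": "CONSTRUCTED-PUSH-MAGIC",
    "UnlockToken": b"CONSTRUCTED-UNLOCK-TOKEN-BYTES",
})


def extract_unlock_token(check_in_plist: bytes) -> Optional[bytes]:
    """Return the UnlockToken from a TokenUpdate check-in, or None if absent.

    This is the per-device value the MDM server persists (Fleet: the
    unlock_token column of nano_devices). Treat it as a secret: it is all the
    server needs to clear the device passcode. A device that never sent one
    has nothing stored, so ClearPasscode can't be built for it.
    """
    msg = plistlib.loads(check_in_plist)
    if msg.get("MessageType") != "TokenUpdate":
        raise ValueError(f"expected TokenUpdate, got {msg.get('MessageType')!r}")
    token = msg.get("UnlockToken")
    return bytes(token) if token is not None else None


def build_clear_passcode_command(unlock_token: Optional[bytes],
                                 command_uuid: Optional[str] = None) -> bytes:
    """Serialize a ClearPasscode command carrying the stored UnlockToken.

    Mirrors the shape of the command plist in the comment above:
    Command.RequestType, Command.UnlockToken (<data>) and CommandUUID.
    Refuses to build a command when no token is stored, rather than sending
    one the device would reject.
    """
    if not unlock_token:
        raise ValueError("ClearPasscode needs the device's UnlockToken; none stored")
    command = {
        "CommandUUID": command_uuid or str(uuid.uuid4()),
        "Command": {
            "RequestType": "ClearPasscode",
            "UnlockToken": unlock_token,  # bytes are emitted as a <data> element
        },
    }
    return plistlib.dumps(command, fmt=plistlib.FMT_XML)


def parse_command(command_plist: bytes) -> dict:
    """Parse a command plist back into a dict (what the device will see)."""
    return plistlib.loads(command_plist)


if __name__ == "__main__":
    # Enrollment side: pull the token out of the check-in and "store" it.
    stored_token = extract_unlock_token(SAMPLE_TOKEN_UPDATE)
    # Command side: read it back and build the command to queue for the device.
    print(build_clear_passcode_command(stored_token, "0001_ClearPasscode").decode())
```

Running the block prints an XML plist with the same structure as the `ipad_unlock.xml` above, with the placeholder token base64-encoded inside `<data>`. The practical point for the question in this issue is the `None` branch: if `unlock_token` is NULL for a host, there is nothing to put in the command, and the only way the server gets a value is another TokenUpdate from the device.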

@marko-lisica ^

georgekarrv avatar Jul 23 '25 04:07 georgekarrv

UnlockToken quest, Clarity for passcodes, brings Ease to Fleet's nest.

fleet-release avatar Jul 23 '25 04:07 fleet-release

The token is given on enrollment and lives in the nano_devices table;

@georgekarrv can we get the token via Fleet's API? Or, do we have to go diving into the Fleet database (DB)?

cc @ddribeiro @spalmesano0

noahtalerman avatar Sep 08 '25 21:09 noahtalerman

None that I'm aware of

georgekarrv avatar Sep 09 '25 18:09 georgekarrv