macOS Automatic enrollment does not complete when using mTLS for orbit endpoints #24024

Closed
ksatter opened this issue Nov 21, 2024 · 5 comments
Labels
- bug: Something isn't working as documented
- customer-starchik
- #g-mdm: MDM product group
- :incoming: New issue in triage process.
- P1: Prioritize as critical
- :release: Ready to write code. Scheduled in a release. See "Making changes" in handbook.
- ~released bug: This bug was found in a stable release.

@ksatter
Member

ksatter commented Nov 21, 2024

Fleet version: v4.59.0

Web browser and operating system: macOS


💥  Actual behavior

When a new or freshly wiped macOS host attempts to enroll in MDM, it gets stuck after installing profiles, while Orbit checks in for software and scripts:

image

After turning off mTLS for the /orbit endpoints and restarting the enrollment process, the host was successfully enrolled.

🧑‍💻  Steps to reproduce

  1. Enable Apple MDM and configure ABM
  2. Configure the ingress point to require mTLS for Orbit endpoints
  3. Assign a device in ABM and attempt to enroll to Fleet

🕯️ More info (optional)

N/A

@ksatter ksatter added bug Something isn't working as documented :release Ready to write code. Scheduled in a release. See "Making changes" in handbook. ~released bug This bug was found in a stable release. #g-mdm MDM product group :incoming New issue in triage process. labels Nov 21, 2024
@noahtalerman noahtalerman added the P1 Prioritize as critical label Nov 21, 2024
@noahtalerman
Member

Heads up @lukeheath, I added the P1 label to this bug b/c we think it's a critical bug (workflow blocking).

@lukeheath
Member

@noahtalerman Agreed, this is workflow blocking and is a P1 critical bug we will patch (or include in the upcoming v4.60.0).

@jahzielv jahzielv assigned jahzielv and unassigned georgekarrv Nov 21, 2024
@JoStableford
Contributor

jahzielv added a commit that referenced this issue Nov 22, 2024
… or script configured (#24073)

> Related issue: #24024 

# Checklist for submitter

Demo video: https://www.youtube.com/watch?v=F7p2PyJce7E

If some of the following don't apply, delete the relevant line.

<!-- Note that API documentation changes are now addressed by the
product design team. -->

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
@jahzielv jahzielv added this to the 4.60.0 milestone Nov 22, 2024
@PezHub
Contributor

PezHub commented Nov 22, 2024

QA Notes:

Ran through a few workflows to ensure Orbit was not getting installed during ADE enrollment if Scripts or Software are not configured as part of the new Setup Experience feature, and can confirm I no longer see the SWIFT Dialogue window (indicating Orbit was installed) and proceeded to successfully enroll the host.

Made sure all other setup experience features still work as expected and completed host enrollment.

Finally, I tested setup experience with everything configured to ensure no regression occurred.

@fleet-release
Contributor

Orbit's dance with Mac,
mTLS tune now complete,
Enrollment flows smooth.
