gravitational · codingllama · Jun 16, 2023 · Jun 14, 2023 · Jun 14, 2023 · Jun 14, 2023
diff --git a/api/gen/proto/go/teleport/devicetrust/v1/device_profile.pb.go b/api/gen/proto/go/teleport/devicetrust/v1/device_profile.pb.go
diff --git a/api/gen/proto/go/teleport/devicetrust/v1/devicetrust_service.pb.go b/api/gen/proto/go/teleport/devicetrust/v1/devicetrust_service.pb.go
diff --git a/api/proto/teleport/devicetrust/v1/device_profile.proto b/api/proto/teleport/devicetrust/v1/device_profile.proto
@@ -46,4 +46,7 @@ message DeviceProfile {
   // Jamf binary version, without the leading 'v'.
   // Example: "9.27" or "10.44.1-t1677509507".
   string jamf_binary_version = 6;
+
+  // External device identifier, for example the Jamf or Intune ID.
+  string external_id = 7;
 }
diff --git a/api/proto/teleport/devicetrust/v1/devicetrust_service.proto b/api/proto/teleport/devicetrust/v1/devicetrust_service.proto
@@ -525,8 +525,10 @@ message AuthenticateDeviceChallengeResponse {
 // (end loop)
 // -> SyncInventoryEnd
 // (loop until server closes the stream, zero or more times)
-// <- SyncInventoryResult (deleted/missing devices)
-// (end)
+// <- SyncInventoryMissingDevices
+// -> SyncInventoryDevices (removals only)
+// <- SyncInventoryResult
+// (end loop)
 message SyncInventoryRequest {
   oneof payload {
     SyncInventoryStart start = 1;
@@ -541,6 +543,7 @@ message SyncInventoryResponse {
   oneof payload {
     SyncInventoryAck ack = 1;
     SyncInventoryResult result = 2;
+    SyncInventoryMissingDevices missing_devices = 3;
   }
 }
 
@@ -551,15 +554,25 @@ message SyncInventoryStart {
   // by this RPC.
   DeviceSource source = 1;
 
+  // TODO(codingllama): Delete deprecated fields once they are unused.
+
   // Mode of syncing.
-  // Required.
-  SyncInventoryMode mode = 2;
+  // Deprecated: Use `track_missing_devices` instead.
+  SyncInventoryMode mode = 2 [deprecated = true];
 
   // Action for devices missing from the external inventory, but present in
   // Teleport.
   // Only executed if mode is FULL and external_sync_successful is set to true
   // in the SyncInventoryEnd message.
-  SyncInventoryDeviceAction on_missing_action = 3;
+  // Deprecated: Use `track_missing_devices` instead.
+  SyncInventoryDeviceAction on_missing_action = 3 [deprecated = true];
+
+  // If true, the server keeps track of the devices upserted during the sync.
+  // After receiving the [SyncInventoryEnd] message, the server informs the
+  // client of all devices that are present in storage but not observed in the
+  // upserts.
+  // See [SyncInventoryRequest] and [SyncInventoryMissingDevices] for details.
+  bool track_missing_devices = 4;
 }
 
 // Mode of sync for SyncInventory.
@@ -595,7 +608,8 @@ message SyncInventoryEnd {
   // True if the external sync was fully successful (for example, all reads from
   // an MDM API were successful).
   // If false the sync's on_missing_action is skipped.
-  bool external_sync_successful = 1;
+  // Deprecated: Use [SyncInventoryStart.track_missing_devices] instead.
+  bool external_sync_successful = 1 [deprecated = true];
 }
 
 // SyncInventoryDevices transports devices to add/update/remove.
@@ -616,3 +630,18 @@ message SyncInventoryResult {
   // Devices modified, in the same order as the input when applicable.
   repeated DeviceOrStatus devices = 1;
 }
+
+// SyncInventoryMissingDevices informs the sync client of all stored devices
+// that were not observed in upserts during the sync.
+//
+// Requires `track_missing_devices` to be set in the [SyncInventoryStart]
+// message.
+//
+// The client must follow up with a [SyncInventoryDevices] message, including
+// any devices to be deleted.
+message SyncInventoryMissingDevices {
+  // Devices missing from the client-side sync.
+  // Guaranteed to have the following fields: id, os_type, asset_tag and
+  // profile.external_id.
+  repeated Device devices = 1;
+}
diff --git a/api/proto/teleport/legacy/types/device.proto b/api/proto/teleport/legacy/types/device.proto
@@ -145,4 +145,5 @@ message DeviceProfile {
   string os_build = 4 [(gogoproto.jsontag) = "os_build,omitempty"];
   repeated string os_usernames = 5 [(gogoproto.jsontag) = "os_usernames,omitempty"];
   string jamf_binary_version = 6 [(gogoproto.jsontag) = "jamf_binary_version,omitempty"];
+  string external_id = 7 [(gogoproto.jsontag) = "external_id,omitempty"];
 }
diff --git a/api/proto/teleport/legacy/types/types.proto b/api/proto/teleport/legacy/types/types.proto
@@ -5766,8 +5766,8 @@ message JamfSpecV1 {
     (gogoproto.jsontag) = "sync_delay,omitempty",
     (gogoproto.casttype) = "Duration"
   ];
-  // Jamf API endpoint.
-  // Example: "https://yourtenant.jamfcloud.com".
+  // Jamf Pro API endpoint.
+  // Example: "https://yourtenant.jamfcloud.com/api".
   // Required.
   string api_endpoint = 4 [(gogoproto.jsontag) = "api_endpoint,omitempty"];
   // Jamf API username.

diff --git a/api/types/device.go b/api/types/device.go
@@ -173,6 +173,7 @@ func DeviceFromResource(res *DeviceV1) (*devicepb.Device, error) {
 			OsBuild:           p.OsBuild,
 			OsUsernames:       p.OsUsernames,
 			JamfBinaryVersion: p.JamfBinaryVersion,
+			ExternalId:        p.ExternalId,
 		}
 	}
 
@@ -258,6 +259,7 @@ func DeviceToResource(dev *devicepb.Device) *DeviceV1 {
 			OsBuild:           p.OsBuild,
 			OsUsernames:       p.OsUsernames,
 			JamfBinaryVersion: p.JamfBinaryVersion,
+			ExternalId:        p.ExternalId,
 		}
 	}