Incorrect profile status on re-enrolled ADE host #17243
Comments
sabrinabuckets
added
bug
|
@sabrinabuckets So, here's my 2 ¢ on this: Lots of orgs that started w Jamf years ago did not have other systems for device data. This meant Jamf data as a "source of truth" for the org was important (think schools, small / med bz) Now, lots of orgs have lots of tools: ServiceNow for SAM & HAM, a million other integrations, so, the MDM's capability as an "archive" (MDM servers are kind of bad actually at tracking device history over time, but, good at showing the state right now) isn't as important. I think Fleet should be modern & wipe out the record when a device re-enrolls. It is almost always the behavior that I wanted as an admin: nuke & pave. But, because jamf was built with the idea of preserving the device record on re-enroll, lots of other MDMs follow. We could have an option for the admin to set so records are NOT wiped from previous enrollment records if that's what they want, but, imo, enrollments should always be new by default. Thanks. Thoughts? |
|
@georgekarrv is this something we should loop Noah/Marko in ? asking to not start working on it otherwise |
georgekarrv
added
:product
|
Noah: Expected behavior is for wiped/erased host to have a fresh host record when it re-enrolls to Fleet. |
noahtalerman
added
:release
|
TODO schedule a meeting to discuss all of the workflows and expected results. |
1 similar comment
|
TODO schedule a meeting to discuss all of the workflows and expected results. |
The mantra for MDM lifecycle events is: > - Noah: When MDM is turned on, install fleetd, bootstrap package (if DEP), > and profiles. Don't clear host vitals (everything you see on the Host > details page) > - Noah: On re-enrollment, don't clear host vitals. > - Noah: On lock and wipe, don't clear host vitals. > - Noah: On delete, clear host vitals. This addresses issues: - #17243 - #17481 - #17292 - #18030 - #18031
The mantra for MDM lifecycle events is: > - Noah: When MDM is turned on, install fleetd, bootstrap package (if DEP), > and profiles. Don't clear host vitals (everything you see on the Host > details page) > - Noah: On re-enrollment, don't clear host vitals. > - Noah: On lock and wipe, don't clear host vitals. > - Noah: On delete, clear host vitals. This addresses issues: - #17243 - #17481 - #17292 - #18030 - #18031
|
In cloud city's heart, |
Fleet version: (head to the "My account" page in the Fleet UI or run
fleetctl --version)fleetctl - version fleetd-chrome-v1.2.0-beta-83-g48f1ea994
branch: main
revision: 48f1ea9
build date: 2024-02-28
build user: bri
go version: go1.22.0
Operating system: (e.g. macOS 11.2.3)
macOS (observed on 13 & 14)
Web browser: (e.g. Chrome 88.0.4324)
NA
📝 Description
Erasing and re-enrolling a host without deleting the host record from Fleet results in the DB entry not being reset, causing all profiles to report as
Verified(or whatver status they were previously in.Deleting the host record resolves this, whether done before or after enrollment.
👣 Reproduction steps
Verified🧑💻 Expected behavior
Host will enroll with disk encryption reporting Off, profiles will go through Pending > Verifying > Verified flow
💥 Actual behavior
All profiles display
Verifiedstatus, Disk encryption state sometimes displays On despite encryption flow not yet completing.User is still required to complete encryption flow on restart/logout, however no banner is present.
More info
This does not impact manually re-enrolled hosts. When the MDM profile is manually removed from the host the profile statuses clear.
Note - in some of my tests, disk encryption state did correctly show as Off, but this was inconsistent.
The text was updated successfully, but these errors were encountered: