
Clear labels, other non-osquery vitals, and cancel pending commands, scripts, software when host re-enrolls #28933

Description

@allenhouchins
  • customer-fairbank: Slack thread.
    • We don't delete any records from Fleet unless we have to like a troubleshooting step here.

  • customer-fourier: Slack thread.
    • When a device gets wiped and redeployed, it re-enrolls via DEP, but because Fleet recognizes the serial number it drops it back into Abandoned instead of picking up the default enrollment team. So the new employee gets a Mac that's sitting in the wrong team from day one.

  • @spalmesano0: We generally recommend that users remove devices from Fleet before re-enrolling. However, most MDMs do not require this, so our users don't expect it and report issues regarding it.
    • Two recent examples:
      • customer-fairbank commented that they generally never remove devices from Fleet.
      • customer-fourier has a workflow where old devices are moved to a fleet called "Abandoned" after they report a missing status for 90 days. These devices tend to be wiped and re-enrolled, but never removed from Fleet before re-enrollment. Because of this, after re-enrollment, the devices stay in the "Abandoned" fleet, instead of being added back to the default "Workstations" fleet that ABM Macs are assigned to.
    • This request is to have Fleet automatically handle detecting this flow and treat the device as a fresh slate, making the process of re-enrolling devices easier by reducing the manual step of removing the record before re-enrollment.
  • @allenhouchins: We want to still show the old activity (IT admin actions) so that a legal investigation can happen during/after the device is repurposed.
    • @noahtalerman: In this case, it sounds like the best approach would be to create a new host in Fleet. Leave the old record alone.
  • @noahtalerman: We do now reset IdP host vitals to the new user's IdP info on re-enrollment (manual and automatic) if end user authentication is turned on. We don't cancel pending commands.
  • @allenhouchins: We want to update the MDM host vitals and IdP foreign vitals on re-enrollment.
    • If a device was enrolled with ADE and has the IdP username info populated, then the enrollment profile is manually removed, and that device gets reassigned to another employee and re-enrolled without going through ADE, we want the data in Fleet to be accurate and trustworthy so that we know that employee is going to receive the apps, configurations, certs, etc. meant for them.
    • Ideally this wouldn't be a problem but admins are not always going to know or be aware of when a device is re-enrolled. So we need to consider either clearing that field on every re-enrollment, or better yet, put authentication in front of user-initiated (manual) enrollment and capture/update the IdP username then.
      • @marko-lisica: We now support IdP authentication for manual enrollment on the /enroll page.
  • @getvictor: What if the device is unenrolled and never re-enrolled again. Do we want to keep IdP data or clear it? I believe we currently keep it.
    • @noahtalerman: I think we stick with the existing behavior. We can follow up later if we want to change it.
  • customer-starchick: We would love to have all previous device data cleared on re-enrollment.
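The following is an added illustration of the behaviour this issue asks for, not code from the Fleet project: a hypothetical in-memory host store where a re-enrollment matched by serial number cancels pending commands, scripts and software installs, clears labels and non-osquery (MDM and IdP) vitals, moves the host to the default enrollment team, and keeps the activity history so past IT admin actions remain available for investigation. All type and field names are assumptions for the example.

```go
package main

import "fmt"

// Hypothetical in-memory model of a Fleet host record (not Fleet's real types).
type Command struct {
	ID, Status string // Status: "pending", "cancelled" or "acked"
}
type Host struct {
	Serial      string
	TeamID      int
	Labels      []string          // manual labels; cleared on re-enroll
	IdPUsername string            // IdP ("foreign") vital; cleared on re-enroll
	MDMVitals   map[string]string // other non-osquery vitals; cleared on re-enroll
	Activities  []string          // IT admin actions; kept for later investigation
	Pending     []*Command        // pending MDM commands, scripts, software installs
}

// Reenroll matches a host by serial and treats it as a fresh slate: cancel pending
// work, clear labels and non-osquery vitals, move it to the default enrollment team,
// but keep the activity history. An unknown serial becomes a new host.
func Reenroll(hosts map[string]*Host, serial string, defaultTeam int) (*Host, int) {
	h, ok := hosts[serial]
	if !ok {
		h = &Host{Serial: serial, TeamID: defaultTeam, MDMVitals: map[string]string{}}
		hosts[serial] = h
		return h, 0
	}
	cancelled := 0
	for _, c := range h.Pending {
		if c.Status == "pending" {
			c.Status = "cancelled"
			cancelled++
		}
	}
	h.Pending, h.Labels, h.IdPUsername = nil, nil, ""
	h.MDMVitals = map[string]string{}
	h.TeamID = defaultTeam
	h.Activities = append(h.Activities, fmt.Sprintf("re-enrolled; %d pending item(s) cancelled", cancelled))
	return h, cancelled
}

func main() {
	// Constructed sample: a wiped Mac still parked in an "Abandoned" team (ID 7).
	hosts := map[string]*Host{"C02SAMPLE": {Serial: "C02SAMPLE", TeamID: 7, Labels: []string{"old-owner"},
		IdPUsername: "former@example.com", Activities: []string{"locked by admin"},
		Pending: []*Command{{ID: "cmd-1", Status: "pending"}, {ID: "cmd-2", Status: "acked"}}}}
	h, n := Reenroll(hosts, "C02SAMPLE", 1)
	fmt.Printf("team=%d labels=%v idp=%q cancelled=%d activities=%v\n", h.TeamID, h.Labels, h.IdPUsername, n, h.Activities)
}
```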
