43890 MLAPR frontend

frontend/interfaces/activity.ts

@@ -170,6 +170,8 @@ export enum ActivityType {
   DisabledManagedLocalAccount = "disabled_managed_local_account",
   ViewedManagedLocalAccount = "read_managed_local_account",
   CreatedManagedLocalAccount = "created_managed_local_account",
+  RotatedManagedLocalAccountPassword = "rotated_managed_local_account_password",
+  FailedToRotateManagedLocalAccountPassword = "failed_to_rotate_managed_local_account_password",
   FailedEnrollmentProfileRenewal = "failed_enrollment_profile_renewal",
   CreatedLabel = "created_label",
   EditedLabel = "edited_label",
@@ -204,6 +206,8 @@ export type IHostPastActivityType =
   | ActivityType.ClearedPasscode
   | ActivityType.ViewedManagedLocalAccount
   | ActivityType.CreatedManagedLocalAccount
+  | ActivityType.RotatedManagedLocalAccountPassword
+  | ActivityType.FailedToRotateManagedLocalAccountPassword
   | ActivityType.FailedEnrollmentProfileRenewal;
 
 /** This is a subset of ActivityType that are shown only for the host upcoming activities */
@@ -503,6 +507,10 @@ export const ACTIVITY_TYPE_TO_FILTER_LABEL: Record<ActivityType, string> = {
     "Turned off managed local account",
   [ActivityType.ViewedManagedLocalAccount]: "Viewed managed account",
   [ActivityType.CreatedManagedLocalAccount]: "Created managed account",
+  [ActivityType.RotatedManagedLocalAccountPassword]:
+    "Triggered managed local account password rotation",
+  [ActivityType.FailedToRotateManagedLocalAccountPassword]:
+    "Failed to rotate managed local account password",
   [ActivityType.FailedEnrollmentProfileRenewal]:
     "Enrollment profile renewal failed",
   [ActivityType.CreatedLabel]: "Created label",

frontend/interfaces/host.ts

@@ -132,6 +132,8 @@ export interface IOSSettings {
   managed_local_account?: {
     status: string | null;
     password_available: boolean;
+    auto_rotate_at?: string;
+    pending_rotation?: boolean;
   };
   certificates: IHostAndroidCert[];
 }
@@ -268,6 +270,8 @@ export interface IHostManagedAccountPasswordResponse {
     username: string;
     password: string;
     updated_at: string;
+    auto_rotate_at?: string;
+    pending_rotation?: boolean;
   };
 }
 

frontend/pages/DashboardPage/cards/ActivityFeed/GlobalActivityItem/GlobalActivityItem.tests.tsx

@@ -684,6 +684,58 @@ describe("Activity Feed", () => {
     expect(screen.getByText("Alex's Macbook Air")).toBeInTheDocument();
   });
 
+  it("renders a 'rotated_managed_local_account_password' type activity", () => {
+    const activity = createMockActivity({
+      type: ActivityType.RotatedManagedLocalAccountPassword,
+      details: { host_display_name: "Marsh's Macbook Air" },
+    });
+    render(<GlobalActivityItem activity={activity} isPremiumTier />);
+
+    expect(
+      screen.getByText(
+        "triggered rotation of the managed local account password for",
+        { exact: false }
+      )
+    ).toBeInTheDocument();
+    expect(screen.getByText("Marsh's Macbook Air")).toBeInTheDocument();
+  });
+
+  it("renders a Fleet-initiated 'rotated_managed_local_account_password' type activity", () => {
+    const activity = createMockActivity({
+      type: ActivityType.RotatedManagedLocalAccountPassword,
+      fleet_initiated: true,
+      details: { host_display_name: "Marsh's Macbook Air" },
+    });
+    render(<GlobalActivityItem activity={activity} isPremiumTier />);
+
+    expect(screen.getByText("Fleet")).toBeInTheDocument();
+    expect(
+      screen.getByText(
+        "triggered rotation of the managed local account password for",
+        { exact: false }
+      )
+    ).toBeInTheDocument();
+    expect(screen.getByText("Marsh's Macbook Air")).toBeInTheDocument();
+  });
+
+  it("renders a 'failed_to_rotate_managed_local_account_password' type activity", () => {
+    const activity = createMockActivity({
+      type: ActivityType.FailedToRotateManagedLocalAccountPassword,
+      fleet_initiated: true,
+      details: { host_display_name: "Marsh's Macbook Air" },
+    });
+    render(<GlobalActivityItem activity={activity} isPremiumTier />);
+
+    expect(screen.getByText("Fleet")).toBeInTheDocument();
+    expect(
+      screen.getByText(
+        "failed to rotate the managed local account password for",
+        { exact: false }
+      )
+    ).toBeInTheDocument();
+    expect(screen.getByText("Marsh's Macbook Air")).toBeInTheDocument();
+  });
+
   it("renders an 'enabled_recovery_lock_passwords' type activity for a team", () => {
     const activity = createMockActivity({
       type: ActivityType.EnabledRecoveryLockPasswords,

frontend/pages/DashboardPage/cards/ActivityFeed/GlobalActivityItem/GlobalActivityItem.tsx

@@ -583,6 +583,24 @@ const TAGGED_TEMPLATES = {
       </>
     );
   },
+  rotatedManagedLocalAccountPassword: (activity: IActivity) => {
+    return (
+      <>
+        {" "}
+        triggered rotation of the managed local account password for{" "}
+        <b>{activity.details?.host_display_name}</b>.
+      </>
+    );
+  },
+  failedToRotateManagedLocalAccountPassword: (activity: IActivity) => {
+    return (
+      <>
+        {" "}
+        failed to rotate the managed local account password for{" "}
+        <b>{activity.details?.host_display_name}</b>.
+      </>
+    );
+  },
   createdAppleOSProfile: (activity: IActivity, isPremiumTier: boolean) => {
     const profileName = activity.details?.profile_name;
     return (
@@ -2119,6 +2137,14 @@ const getDetail = (activity: IActivity, isPremiumTier: boolean) => {
     case ActivityType.CreatedManagedLocalAccount: {
       return TAGGED_TEMPLATES.createdManagedLocalAccount(activity);
     }
+    case ActivityType.RotatedManagedLocalAccountPassword: {
+      return TAGGED_TEMPLATES.rotatedManagedLocalAccountPassword(activity);
+    }
+    case ActivityType.FailedToRotateManagedLocalAccountPassword: {
+      return TAGGED_TEMPLATES.failedToRotateManagedLocalAccountPassword(
+        activity
+      );
+    }
     case ActivityType.CreatedAppleOSProfile: {
       return TAGGED_TEMPLATES.createdAppleOSProfile(activity, isPremiumTier);
     }

frontend/pages/hosts/details/HostDetailsPage/HostActionsDropdown/HostActionsDropdown.tests.tsx

@@ -2051,6 +2051,40 @@ describe("Host Actions Dropdown", () => {
       });
     });
 
+    it("enables the action when status is pending but password is available (e.g. viewed-and-waiting)", async () => {
+      const render = createCustomRenderer({
+        context: {
+          app: {
+            isGlobalAdmin: true,
+            isPremiumTier: true,
+            currentUser: createMockUser(),
+          },
+        },
+      });
+
+      const { user } = render(
+        <HostActionsDropdown
+          hostTeamId={null}
+          onSelect={noop}
+          hostStatus="online"
+          hostMdmEnrollmentStatus="On (automatic)"
+          hostMdmDeviceStatus="unlocked"
+          hostScriptsEnabled
+          isConnectedToFleetMdm
+          hostPlatform="darwin"
+          isManagedLocalAccountEnabled
+          managedAccountStatus="pending"
+          managedAccountPasswordAvailable
+        />
+      );
+
+      await user.click(screen.getByText("Actions"));
+
+      const option = screen.getByText("Show managed account");
+      expect(option).toBeInTheDocument();
+      expect(option).not.toHaveAttribute("aria-disabled", "true");
+    });
+
     it("renders the action for company-owned ADE enrollment status", async () => {
       const render = createCustomRenderer({
         context: {

frontend/pages/hosts/details/HostDetailsPage/HostActionsDropdown/HostActionsDropdown.tsx

@@ -28,6 +28,7 @@ interface IHostActionsDropdownProps {
   recoveryLockPasswordAvailable?: boolean;
   isManagedLocalAccountEnabled?: boolean;
   managedAccountStatus?: string | null;
+  managedAccountPasswordAvailable?: boolean;
 }
 
 const HostActionsDropdown = ({
@@ -46,6 +47,7 @@ const HostActionsDropdown = ({
   recoveryLockPasswordAvailable = false,
   isManagedLocalAccountEnabled = false,
   managedAccountStatus,
+  managedAccountPasswordAvailable = false,
 }: IHostActionsDropdownProps) => {
   const {
     isPremiumTier = false,
@@ -102,6 +104,7 @@ const HostActionsDropdown = ({
     recoveryLockPasswordAvailable,
     isManagedLocalAccountEnabled,
     managedAccountStatus,
+    managedAccountPasswordAvailable,
   });
 
   // No options to render. Exit early

frontend/pages/hosts/details/HostDetailsPage/HostActionsDropdown/helpers.tsx

@@ -115,6 +115,7 @@ interface IHostActionConfigOptions {
   recoveryLockPasswordAvailable: boolean;
   isManagedLocalAccountEnabled: boolean;
   managedAccountStatus: string | null | undefined;
+  managedAccountPasswordAvailable: boolean;
 }
 
 const canTransferTeam = (config: IHostActionConfigOptions) => {
@@ -523,6 +524,7 @@ const modifyOptions = (
     diskEncryptionProfileStatus,
     recoveryLockPasswordAvailable,
     managedAccountStatus,
+    managedAccountPasswordAvailable,
   }: IHostActionConfigOptions
 ) => {
   const disableOptions = (optionsToDisable: IDropdownOption[]) => {
@@ -632,13 +634,18 @@ const modifyOptions = (
     }
   }
 
-  if (managedAccountStatus !== "verified") {
+  // Gate on password_available rather than status === "verified" — a row whose
+  // status is "pending" because of a recent view (or a deferred rotation
+  // waiting on UUID capture) still has a viewable password. Mirrors the
+  // backend gate in GetHostManagedAccountPassword.
+  if (!managedAccountPasswordAvailable) {
     const managedAccountOption = options.find(
       (option) => option.value === "managedAccount"
     );
     if (managedAccountOption) {
       managedAccountOption.disabled = true;
       if (managedAccountStatus === "pending") {
+        // No password yet — the AccountConfiguration command hasn't been acked.
         managedAccountOption.tooltipContent = (
           <>
             The managed account is still being

frontend/pages/hosts/details/HostDetailsPage/HostDetailsPage.tsx

@@ -1053,6 +1053,10 @@ const HostDetailsPage = ({
         managedAccountStatus={
           host.mdm.os_settings?.managed_local_account?.status
         }
+        managedAccountPasswordAvailable={
+          host.mdm.os_settings?.managed_local_account?.password_available ??
+          false
+        }
       />
     );
   };
@@ -1657,10 +1661,25 @@ const HostDetailsPage = ({
           {showManagedAccountModal && host && (
             <ManagedAccountModal
               hostId={host.id}
+              canRotatePassword={
+                isGlobalAdmin ||
+                isGlobalMaintainer ||
+                isHostTeamAdmin ||
+                isHostTeamMaintainer
+              }
               onCancel={() => {
                 setShowManagedAccountModal(false);
                 // Opening the modal triggers a "viewed managed account"
-                // activity server-side, so refetch to show it in the feed.
+                // activity server-side and may set auto_rotate_at; refetch
+                // host details + activities so they reflect the new state.
+                refetchHostDetails();
+                refetchPastActivities();
+              }}
+              onRotate={() => {
+                // The rotation activity and cleared auto_rotate_at land on
+                // host details / activities — refresh both so the banner and
+                // feed are in sync with the newly-rotated state.
+                refetchHostDetails();
                 refetchPastActivities();
               }}
             />