CSUD: Add validation for OS Update profiles and OS updates being configured

[MagnusHJensen]

Related issue: Resolves #45282

Checklist for submitter

If some of the following don't apply, delete the relevant line.

• Changes file added for user-visible changes in changes/, orbit/changes/ or ee/fleetd-chrome/changes.
  See Changes files for more information.

• Input data is properly validated, SELECT * is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters.

• Timeouts are implemented and retries are limited to avoid infinite loops

• If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes

Testing

• Added/updated automated tests
• QA'd all new/changed functionality manually

Summary by CodeRabbit

• New Features

  • Deploy custom OS update configuration profiles for Apple (macOS/iOS/iPadOS) and Windows; tracks and enforces one custom OS‑update profile per scope.

• Improvements

  • Prevent changing OS update settings when a custom profile exists; returns guidance to remove the custom profile first.
  • Batch upload now detects OS‑update payloads and enforces license requirements.
  • UI error handling surfaces API-specific messages.
  • FileVault control separated from OS updates and gated behind a configurable flag/license.

[codecov]

Codecov Report

❌ Patch coverage is 75.00000% with 62 lines in your changes missing coverage. Please review.
✅ Project coverage is 66.87%. Comparing base (4b04063) to head (9ee22a3).
⚠️ Report is 46 commits behind head on main.

Files with missing lines	Patch %	Lines
ee/server/service/teams.go	50.00%	8 Missing and 6 partials ⚠️
server/datastore/mysql/mdm.go	66.66%	5 Missing and 5 partials ⚠️
server/service/apple_mdm.go	84.44%	3 Missing and 4 partials ⚠️
server/datastore/mysql/apple_mdm.go	75.00%	3 Missing and 3 partials ⚠️
server/datastore/mysql/microsoft_mdm.go	66.66%	3 Missing and 3 partials ⚠️
server/service/windows_mdm_profiles.go	80.64%	3 Missing and 3 partials ⚠️
...OSUpdates/components/AppleOSTargetForm/helpers.tsx	0.00%	4 Missing ⚠️
cmd/fleet/serve.go	0.00%	3 Missing ⚠️
server/service/appconfig.go	81.25%	2 Missing and 1 partial ⚠️
server/service/mdm.go	92.85%	1 Missing and 1 partial ⚠️
... and 1 more

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #46545      +/-   ##
==========================================
+ Coverage   66.82%   66.87%   +0.05%     
==========================================
  Files        2808     2814       +6     
  Lines      223582   224120     +538     
  Branches    11347    11519     +172     
==========================================
+ Hits       149413   149886     +473     
- Misses      60615    60619       +4     
- Partials    13554    13615      +61     

Flag	Coverage Δ
backend	68.60% <76.22%> (+0.05%)	⬆️
frontend	56.54% <0.00%> (+0.06%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[MagnusHJensen]

@coderabbitai review once

[coderabbitai]

@MagnusHJensen Sure, I'll review the PR now!

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

This PR enables deployment of custom Apple OS update declarations and Windows OS-update configuration profiles, adds datastore tracking (mdm_configuration_profile_update_settings) to enforce one-per-team uniqueness, updates validation signatures to narrow FileVault controls and tighten Windows LocURI checks, adds service-level handlers that require Fleet Premium and prevent conflicting settings or uploads, extends BatchSetMDMProfiles to scan and atomically record OS-update profiles, updates GitOps/app-config/team flows to gate edits when custom profiles exist, and includes comprehensive unit/integration test and mock updates plus frontend error-message handling.

Possibly related PRs

• fleetdm/fleet#46433: The main PR’s new OS-updates tracking logic (e.g., HasAppleUpdateConfigProfileConfigured/HasWindowsUpdateConfigProfileConfigured and inserting into mdm_configuration_profile_update_settings) directly depends on the migration/table introduced in PR #46433.
• fleetdm/fleet#46029: Both PRs modify Windows MDM profile validation in server/fleet/windows_mdm.go (notably MDMWindowsConfigProfile.ValidateUserProvided and LocURI-related checks).
• fleetdm/fleet#45139: Both PRs modify BatchSetMDMProfiles in server/service/mdm.go and change batch validation/ordering behavior.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 23.33% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly describes the main change: adding validation logic for OS Update profiles and configurations.
Description check	✅ Passed	The description includes a related issue reference, security/data validation checklist items marked as complete, and testing confirmation, though some non-critical template sections were omitted.
Linked Issues check	✅ Passed	The PR implements the core objectives from #45282: validation for profile/settings conflicts [#45282], tracking table updates [#45282], team-scoped checks [#45282], and multi-platform mixing support [#45282].
Out of Scope Changes check	✅ Passed	All changes align with linked issue objectives: OS update tracking, validation logic, configuration profile changes, API/GitOps enforcement, and necessary test updates are all within scope.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch 45282-add-logic-for-os-update-profiles

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[MagnusHJensen]

@claude review once

[claude]

Two correctness issues are flagged inline (one license-status mapping bug, one missing Premium gate on the batch endpoint); this PR also touches MDM license gating across both Apple and Windows paths, so a human should review before merge.

Extended reasoning...

Overview

This PR (#46545) is a substantial change (~33 files, +170 net lines) that introduces deployment of custom OS-update profiles for both Apple (DDM declarations) and Windows (SyncML), replacing the prior blanket validation that rejected these profile types. It adds a new mdm_configuration_profile_update_settings tracking table, atomic insert/delete within the existing profile transactions, a new softwareUpdateProfileError error type, conflict detection between custom profiles and API-configured OS-update settings on Team/AppConfig edits, and a new deprecated/replacement config flag pair (enable_custom_os_updates_and_filevault → enable_custom_filevault).

Security risks

Two real issues were surfaced by automated review and posted as inline comments:

1. softwareUpdateProfileError wrapper drops 402/client-error semantics (server/mdm/mdm.go:392-402). When wrapping fleet.ErrMissingLicense, StatusCode() returns 500 and IsClientError() returns false instead of delegating to the wrapped *licenseError (402, client). Free-tier uploads of OS-update profiles surface as 5xx in logging/alerting and break premium-upsell UI that keys on 402.
2. Batch endpoint bypasses the Premium license check (server/service/mdm.go:2238-2266). The single-profile entrypoints gate on lic.IsPremium() via handleDeclarationSoftwareUpdate / handleWindowsProfileSoftwareUpdate, but BatchSetMDMProfiles only enforces Premium when team_id is set. A free-tier global admin can POST to /api/v1/fleet/mdm/profiles/batch with team_id omitted and persist a software-update declaration / Windows OS-update profile, bypassing the paywall.

Both findings are reproducible from the diff alone and are not covered by the new tests (TestBatchSetMDMProfilesOSUpdates only exercises TierPremium; the apple/windows handler tests assert ErrorIs(ErrMissingLicense) but never the resulting HTTP status code).

Level of scrutiny

This is production-critical, security-sensitive MDM code: it modifies license-tier gating, removes prior blanket validations (MDMAppleRawDeclaration.ValidateUserProvided no longer rejects com.apple.configuration.softwareupdate.enforcement.specific; fleetProvidedLocURIValidationMap no longer contains FleetOSUpdateTargetLocURI), and introduces a new tracking table with cross-cutting transaction semantics. The blast radius spans datastore schema, multiple endpoint families, batch and single-profile paths, both Apple and Windows MDM, and license enforcement. CODEOWNERS likely cover MDM in this repo.

Other factors

Copilot and CodeRabbit have raised additional points (rollback messaging mismatches, fixture clarity, transactional symmetry between profile insert and update-settings tracking, etc.) and some have been addressed in subsequent commits — but the two findings above remain open and warrant a human reviewer who can confirm the intended free-tier behavior, decide on the 402-vs-500 contract for software-update license errors, and validate the batch path Premium gate before merge.

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}

[coderabbitai]

Actionable comments posted: 6

🧹 Nitpick comments (1)

cmd/fleetctl/fleetctl/gitops_test.go (1)

6067-6093: ⚡ Quick win

Restore the conflict-check mocks with t.Cleanup.

These subtests mutate shared datastore mock fields and only reset them at the end. If a failure happens before the reset, later sibling subtests inherit the true stub and fail for the wrong reason.

♻️ Suggested pattern

 t.Run("os updates with existing OS updates config profile", func(t *testing.T) {
-	ds.HasWindowsUpdateConfigProfileConfiguredFunc = func(ctx context.Context, teamID uint) (bool, error) {
+	prev := ds.HasWindowsUpdateConfigProfileConfiguredFunc
+	ds.HasWindowsUpdateConfigProfileConfiguredFunc = func(ctx context.Context, teamID uint) (bool, error) {
 		return true, nil
 	}
+	t.Cleanup(func() {
+		ds.HasWindowsUpdateConfigProfileConfiguredFunc = prev
+	})
 	teamFile, err := os.CreateTemp(t.TempDir(), "*.yml")
 	require.NoError(t, err)
 	// ...
 	_ = runAppCheckErr(t, []string{"gitops", "-f", teamFile.Name()}, "A custom OS updates profile already exists")
-	ds.HasWindowsUpdateConfigProfileConfiguredFunc = func(ctx context.Context, teamID uint) (bool, error) {
-		return false, nil
-	}
 })

Apply the same pattern to the Apple declaration conflict subtests.

Also applies to: 6725-6741, 6787-6803, 6849-6865

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@cmd/fleetctl/fleetctl/gitops_test.go` around lines 6067 - 6093, The test
mutates the shared mock field ds.HasWindowsUpdateConfigProfileConfiguredFunc
without guaranteeing restoration on test failure; wrap the stub assignment in a
t.Cleanup that restores the previous function so sibling subtests don't inherit
the stubbed behavior (e.g., capture old :=
ds.HasWindowsUpdateConfigProfileConfiguredFunc, set
ds.HasWindowsUpdateConfigProfileConfiguredFunc = func(...) { return true, nil },
and call t.Cleanup(func(){ ds.HasWindowsUpdateConfigProfileConfiguredFunc = old
})). Apply the same t.Cleanup restore pattern to the other conflict-check mocks
(the Apple declaration conflict stubs and the other occurrences referenced) so
each subtest leaves ds unmodified on exit.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@server/datastore/mysql/apple_mdm.go`:
- Around line 8614-8631: The current read-then-insert in
trackAppleUpdateConfigProfileDB (checkStmt + insertStmt) is race-prone; enforce
team-scoped uniqueness atomically: either add a team_id column to
mdm_configuration_profile_update_settings with a UNIQUE(team_id) index and
change the INSERT to include team_id (use INSERT ... ON DUPLICATE KEY UPDATE or
handle duplicate-key error to return
AppleDeclarationOSUpdateAlreadyExistsErrorMessage), or, if schema changes are
unacceptable, perform the check and insert inside a transaction with an explicit
lock (e.g., SELECT ... FOR UPDATE on mdm_apple_declarations or a team-scoped
lock row) so the read and the write are serialized; update the logic around
checkStmt/insertStmt in trackAppleUpdateConfigProfileDB to use one of these
atomic approaches.
- Line 5602: SetOrUpdateMDMAppleDeclaration currently always calls
insertOrUpsertMDMAppleDeclaration with isSoftwareUpdate=false, which skips
tracking OS-update declarations; change SetOrUpdateMDMAppleDeclaration to detect
whether the incoming declaration represents a software/OS update (e.g., inspect
the declaration.Type or payload fields that indicate an OS/software-update
profile) and pass isSoftwareUpdate=true when it is such a declaration to
insertOrUpsertMDMAppleDeclaration so entries are written to
mdm_configuration_profile_update_settings; ensure the detection logic is
implemented inside SetOrUpdateMDMAppleDeclaration and that the call site to
insertOrUpsertMDMAppleDeclaration uses that boolean instead of the hardcoded
false.

In `@server/datastore/mysql/mdm.go`:
- Around line 640-669: The current upserts only write
windows_profile_uuid/apple_declaration_uuid and don't atomically enforce the
one-per-team uniqueness; change the INSERTs to include team_id and use
VALUES(...) in the ON DUPLICATE KEY UPDATE so the DB unique key on team_id
enforces one-per-team atomically. Specifically, in the winProfiles loop update
the const stmt to INSERT INTO mdm_configuration_profile_update_settings
(team_id, windows_profile_uuid) VALUES (?, ?) ON DUPLICATE KEY UPDATE
windows_profile_uuid = VALUES(windows_profile_uuid) and pass (teamID,
profileUUID) to tx.ExecContext; do the analogous change in the macDeclarations
loop (insert team_id and apple_declaration_uuid, ON DUPLICATE KEY UPDATE
apple_declaration_uuid = VALUES(apple_declaration_uuid)) so the DB-level
uniqueness on team_id is reused instead of relying on service prevalidation.

In `@server/datastore/mysql/microsoft_mdm_test.go`:
- Around line 2201-2234: Add a team-scoped variant of the existing test: after
exercising the global/team 0 path, repeat the same sequence but with a non-zero
TeamID (e.g., TeamID: 42) when calling NewMDMWindowsConfigProfile and
HasWindowsUpdateConfigProfileConfigured; assert the first profile succeeds, the
second duplicate for the same TeamID is rejected with the same
WindowsProfileOSUpdateAlreadyExistsErrorMessage, and that the rejected profile
was not persisted by querying mdm_windows_configuration_profiles with team_id =
42 via ExecAdhocSQL/sqlx.GetContext; also verify a non-OS-update profile for
that same team can still be created. Ensure you reference
NewMDMWindowsConfigProfile and HasWindowsUpdateConfigProfileConfigured in the
new case and set TeamID on the fleet.MDMWindowsConfigProfile instances.

In `@server/datastore/mysql/microsoft_mdm.go`:
- Around line 3691-3708: The COUNT+INSERT sequence in checkStmt/insertStmt is
racy; serialize the check and insert by acquiring a team-scoped lock or adding a
true uniqueness constraint: either (preferred) add a team-keyed unique
constraint (e.g., store team_id on mdm_configuration_profile_update_settings and
create UNIQUE(team_id)) so the DB enforces one update profile per team, or (if
schema change is not possible) perform the check and insert inside the same
transaction while locking the team's mdm_windows_configuration_profiles rows
(SELECT ... FOR UPDATE on mwcp rows filtered by team_id) before re-checking
existence and then calling tx.ExecContext(insertStmt, profileUUID) to ensure
atomicity and avoid concurrent inserts; update the code paths around checkStmt,
insertStmt and the tx usage accordingly.

In `@server/service/windows_mdm_profiles.go`:
- Around line 151-157: The current handleWindowsProfileSoftwareUpdate function
uses bytes.Contains against syncml.FleetOSUpdateTargetLocURI which can
false-positive on payloads that only include the path text; instead parse the
SyncML payload into CmdItem structures and check for exact matches on each
CmdItem.Target value (not substring matching). Locate and call the same
parsing/helper used by BatchSetMDMProfiles to produce CmdItems (reuse that
helper so both paths stay consistent), then treat the profile as an OS-update
only when a CmdItem.Target equals syncml.FleetOSUpdateTargetLocURI. Ensure you
update handleWindowsProfileSoftwareUpdate to use the helper and remove the
bytes.Contains check.

---

Nitpick comments:
In `@cmd/fleetctl/fleetctl/gitops_test.go`:
- Around line 6067-6093: The test mutates the shared mock field
ds.HasWindowsUpdateConfigProfileConfiguredFunc without guaranteeing restoration
on test failure; wrap the stub assignment in a t.Cleanup that restores the
previous function so sibling subtests don't inherit the stubbed behavior (e.g.,
capture old := ds.HasWindowsUpdateConfigProfileConfiguredFunc, set
ds.HasWindowsUpdateConfigProfileConfiguredFunc = func(...) { return true, nil },
and call t.Cleanup(func(){ ds.HasWindowsUpdateConfigProfileConfiguredFunc = old
})). Apply the same t.Cleanup restore pattern to the other conflict-check mocks
(the Apple declaration conflict stubs and the other occurrences referenced) so
each subtest leaves ds unmodified on exit.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 0181eb19-cf83-4739-a485-24a28a477f33

📥 Commits

Reviewing files that changed from the base of the PR and between 899427d and 1fbd44e.

📒 Files selected for processing (21)

• cmd/fleetctl/fleetctl/apply_deprecated_test.go
• cmd/fleetctl/fleetctl/apply_test.go
• cmd/fleetctl/fleetctl/gitops_test.go
• frontend/pages/ManageControlsPage/OSUpdates/components/WindowsTargetForm/WindowsTargetForm.tsx
• frontend/pages/ManageControlsPage/OSUpdates/components/WindowsTargetForm/helpers.tsx
• server/datastore/mysql/apple_mdm.go
• server/datastore/mysql/apple_mdm_test.go
• server/datastore/mysql/mdm.go
• server/datastore/mysql/mdm_test.go
• server/datastore/mysql/microsoft_mdm.go
• server/datastore/mysql/microsoft_mdm_test.go
• server/fleet/datastore.go
• server/fleet/mdm.go
• server/mock/datastore_mock.go
• server/service/appconfig.go
• server/service/apple_mdm.go
• server/service/apple_mdm_test.go
• server/service/mdm.go
• server/service/mdm_test.go
• server/service/windows_mdm_profiles.go
• server/service/windows_mdm_profiles_test.go

💤 Files with no reviewable changes (1)

• server/mock/datastore_mock.go

✅ Files skipped from review due to trivial changes (1)

• frontend/pages/ManageControlsPage/OSUpdates/components/WindowsTargetForm/helpers.tsx

🚧 Files skipped from review as they are similar to previous changes (3)

• cmd/fleetctl/fleetctl/apply_deprecated_test.go
• server/service/appconfig.go
• server/service/mdm_test.go

[coderabbitai]

♻️ Duplicate comments (2)

server/datastore/mysql/microsoft_mdm.go (1)

3687-3696: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

This is a duplicate of a previous review concern.

The teamID parameter is unused, and the function still does not enforce team-level uniqueness as flagged in the earlier review. Two concurrent profile uploads for the same team can both insert different windows_profile_uuid values into mdm_configuration_profile_update_settings, violating the one-OS-update-profile-per-team invariant. The ON DUPLICATE KEY UPDATE only prevents duplicate insertions of the same profile UUID, not multiple different profiles for the same team.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@server/datastore/mysql/microsoft_mdm.go` around lines 3687 - 3696, The
function trackWindowsUpdateConfigProfileDB currently ignores the teamID
parameter and allows multiple distinct windows_profile_uuid rows for different
uploads; modify the INSERT to include the team identifier and enforce uniqueness
on team (e.g., insert into mdm_configuration_profile_update_settings (team_id,
windows_profile_uuid) ... with a UNIQUE key on team_id) so that concurrent
uploads for the same team update the single team row instead of creating
multiple profiles; update the tx.ExecContext call in
trackWindowsUpdateConfigProfileDB to pass teamID and profileUUID and use ON
DUPLICATE KEY UPDATE windows_profile_uuid = VALUES(windows_profile_uuid) (or an
equivalent UPSERT) to atomically replace the team's profile, ensuring team-level
uniqueness and using the previously-unused teamID parameter.

server/service/mdm.go (1)

2192-2200: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Drive OS-update detection from the parsed/expanded payload, not raw substring scans.

Line 2194/2199 restores the original bytes before the scan at Lines 2221-2237, so this logic no longer operates on the already-validated payloads. That creates two escape hatches: a real OS-update profile can be missed if the marker only appears after embedded-secret expansion, and a later false-positive substring match can overwrite rawAppleDecl/rawWindowsProfile, causing handle*SoftwareUpdate to validate the wrong payload and skip the real conflict/license check. Keep the OS-update flag/payload from the expanded parse path until after handleDeclarationSoftwareUpdate / handleWindowsProfileSoftwareUpdate runs, then swap back to the original bytes before persistence.

Also applies to: 2219-2255

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@server/service/mdm.go` around lines 2192 - 2200, The code currently
overwrites appleDecls/windowsProfiles payload bytes back to their original raw
form before running the OS-update detection, which causes missed detections or
false positives; instead, when building appleDeclsSlice and windowsProfilesSlice
set each p.RawJSON / p.SyncML to the expanded/parsed payload from
profiles[i].Contents and carry forward any "is OS-update" flag or payload
pointer into the slice so that handleDeclarationSoftwareUpdate and
handleWindowsProfileSoftwareUpdate operate on the expanded payload, and only
after those handlers finish swap p.RawJSON / p.SyncML back to the original raw
bytes for persistence; update the construction of
appleDeclsSlice/windowsProfilesSlice and the call sites of
handleDeclarationSoftwareUpdate/handleWindowsProfileSoftwareUpdate to preserve
the expanded payload through validation and then restore original bytes before
saving.

🧹 Nitpick comments (2)

server/datastore/mysql/apple_mdm_test.go (1)

6630-6640: ⚡ Quick win

Assert the tracking row stays unique per team.

This only proves su2 was inserted into mdm_apple_declarations. If the second declaration also writes a duplicate row into mdm_configuration_profile_update_settings, this test still passes even though that per-team tracking invariant is the point of this change. Please add an assertion that the tracking table still has exactly one row for the no-team scope after the second insert.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@server/datastore/mysql/apple_mdm_test.go` around lines 6630 - 6640, Add an
assertion that the per-team tracking row in
mdm_configuration_profile_update_settings remains unique after the second
declaration: after calling ds.NewMDMAppleDeclaration(...) and verifying
mdm_apple_declarations, run another ExecAdhocSQL/sqlx.GetContext to SELECT
COUNT(*) FROM mdm_configuration_profile_update_settings WHERE team_id = 0 AND
identifier = "com.fleet.su2" into a new variable (e.g., trackingCount) and
require.Equal(t, 1, trackingCount); this ensures the tracking table has exactly
one row for the no-team scope.

server/service/mdm_test.go (1)

2743-2750: ⚡ Quick win

Assert counts in the “allows more than one” cases.

These cases currently flip gotAppleOSUpdate / gotWindowsOSUpdate to true when any matching payload reaches ds.BatchSetMDMProfilesFunc, so they would still pass if the batch path silently collapsed two OS-update profiles down to one. Count the matching declarations/profiles in macDeclarations / winProfiles and assert 2 for the multi-profile cases so the test actually locks in the “allow multiple” behavior.

Also applies to: 2839-2874

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@server/service/mdm_test.go` around lines 2743 - 2750, Update the two "Allows
more than one" test cases to assert counts rather than just flipping a boolean:
inside the ds.BatchSetMDMProfilesFunc handler (where gotAppleOSUpdate /
gotWindowsOSUpdate are currently set) count matching items in macDeclarations
for Apple OS update declarations and in winProfiles for Windows OS update
profiles and assert the count equals 2 for the multi-profile cases ("Allows more
than one Apple OS update declaration" and "Allows more than one Windows OS
update profile"); keep existing boolean checks if desired but replace the
single-true check with an explicit comparison to 2 so the test fails if the
batch collapsed profiles.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@server/datastore/mysql/microsoft_mdm.go`:
- Around line 3687-3696: The function trackWindowsUpdateConfigProfileDB
currently ignores the teamID parameter and allows multiple distinct
windows_profile_uuid rows for different uploads; modify the INSERT to include
the team identifier and enforce uniqueness on team (e.g., insert into
mdm_configuration_profile_update_settings (team_id, windows_profile_uuid) ...
with a UNIQUE key on team_id) so that concurrent uploads for the same team
update the single team row instead of creating multiple profiles; update the
tx.ExecContext call in trackWindowsUpdateConfigProfileDB to pass teamID and
profileUUID and use ON DUPLICATE KEY UPDATE windows_profile_uuid =
VALUES(windows_profile_uuid) (or an equivalent UPSERT) to atomically replace the
team's profile, ensuring team-level uniqueness and using the previously-unused
teamID parameter.

In `@server/service/mdm.go`:
- Around line 2192-2200: The code currently overwrites
appleDecls/windowsProfiles payload bytes back to their original raw form before
running the OS-update detection, which causes missed detections or false
positives; instead, when building appleDeclsSlice and windowsProfilesSlice set
each p.RawJSON / p.SyncML to the expanded/parsed payload from
profiles[i].Contents and carry forward any "is OS-update" flag or payload
pointer into the slice so that handleDeclarationSoftwareUpdate and
handleWindowsProfileSoftwareUpdate operate on the expanded payload, and only
after those handlers finish swap p.RawJSON / p.SyncML back to the original raw
bytes for persistence; update the construction of
appleDeclsSlice/windowsProfilesSlice and the call sites of
handleDeclarationSoftwareUpdate/handleWindowsProfileSoftwareUpdate to preserve
the expanded payload through validation and then restore original bytes before
saving.

---

Nitpick comments:
In `@server/datastore/mysql/apple_mdm_test.go`:
- Around line 6630-6640: Add an assertion that the per-team tracking row in
mdm_configuration_profile_update_settings remains unique after the second
declaration: after calling ds.NewMDMAppleDeclaration(...) and verifying
mdm_apple_declarations, run another ExecAdhocSQL/sqlx.GetContext to SELECT
COUNT(*) FROM mdm_configuration_profile_update_settings WHERE team_id = 0 AND
identifier = "com.fleet.su2" into a new variable (e.g., trackingCount) and
require.Equal(t, 1, trackingCount); this ensures the tracking table has exactly
one row for the no-team scope.

In `@server/service/mdm_test.go`:
- Around line 2743-2750: Update the two "Allows more than one" test cases to
assert counts rather than just flipping a boolean: inside the
ds.BatchSetMDMProfilesFunc handler (where gotAppleOSUpdate / gotWindowsOSUpdate
are currently set) count matching items in macDeclarations for Apple OS update
declarations and in winProfiles for Windows OS update profiles and assert the
count equals 2 for the multi-profile cases ("Allows more than one Apple OS
update declaration" and "Allows more than one Windows OS update profile"); keep
existing boolean checks if desired but replace the single-true check with an
explicit comparison to 2 so the test fails if the batch collapsed profiles.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 470fa578-548b-46c7-a1fc-6a3c5033baeb

📥 Commits

Reviewing files that changed from the base of the PR and between ea4ea3b and 9ee22a3.

📒 Files selected for processing (10)

• server/datastore/mysql/apple_mdm.go
• server/datastore/mysql/apple_mdm_test.go
• server/datastore/mysql/microsoft_mdm.go
• server/datastore/mysql/microsoft_mdm_test.go
• server/fleet/mdm.go
• server/service/appconfig.go
• server/service/apple_mdm_test.go
• server/service/mdm.go
• server/service/mdm_test.go
• server/service/windows_mdm_profiles_test.go

💤 Files with no reviewable changes (3)

• server/fleet/mdm.go
• server/service/windows_mdm_profiles_test.go
• server/service/apple_mdm_test.go

🚧 Files skipped from review as they are similar to previous changes (1)

• server/service/appconfig.go