2024-04-15 13:17:08 +00:00
|
|
|
import {
|
|
|
|
|
FLEET_FILEVAULT_PROFILE_DISPLAY_NAME,
|
|
|
|
|
ProfileOperationType,
|
|
|
|
|
} from "interfaces/mdm";
|
2023-11-29 14:32:42 +00:00
|
|
|
|
|
|
|
|
import { IconNames } from "components/icons";
|
|
|
|
|
import {
|
|
|
|
|
TooltipInnerContentFunc,
|
|
|
|
|
TooltipInnerContentOption,
|
|
|
|
|
} from "./components/Tooltip/TooltipContent";
|
|
|
|
|
|
|
|
|
|
import { OsSettingsTableStatusValue } from "../OSSettingsTableConfig";
|
|
|
|
|
import TooltipInnerContentActionRequired from "./components/Tooltip/ActionRequired";
|
|
|
|
|
|
2024-04-15 13:17:08 +00:00
|
|
|
export const isDiskEncryptionProfile = (profileName: string) => {
|
|
|
|
|
return profileName === FLEET_FILEVAULT_PROFILE_DISPLAY_NAME;
|
|
|
|
|
};
|
|
|
|
|
|
2023-11-29 14:32:42 +00:00
|
|
|
export type ProfileDisplayOption = {
|
|
|
|
|
statusText: string;
|
|
|
|
|
iconName: IconNames;
|
|
|
|
|
tooltip: TooltipInnerContentOption | null;
|
|
|
|
|
} | null;
|
|
|
|
|
|
|
|
|
|
type OperationTypeOption = Record<
|
|
|
|
|
OsSettingsTableStatusValue,
|
|
|
|
|
ProfileDisplayOption
|
|
|
|
|
>;
|
|
|
|
|
|
|
|
|
|
type ProfileDisplayConfig = Record<ProfileOperationType, OperationTypeOption>;
|
|
|
|
|
|
2024-07-31 13:21:53 +00:00
|
|
|
// Profiles for iOS and iPadOS skip the verifying step
|
|
|
|
|
const APPLE_PROFILE_VERIFIED_DISPLAY_CONFIG: ProfileDisplayOption = {
|
2024-03-25 19:15:33 +00:00
|
|
|
statusText: "Verified",
|
|
|
|
|
iconName: "success",
|
|
|
|
|
tooltip: (innerProps) =>
|
|
|
|
|
innerProps.isDiskEncryptionProfile
|
|
|
|
|
? "The host turned disk encryption on and sent the key to Fleet. " +
|
2024-07-31 13:21:53 +00:00
|
|
|
"Fleet verified."
|
|
|
|
|
: "The host applied the setting. Fleet verified.",
|
2024-03-25 19:15:33 +00:00
|
|
|
} as const;
|
|
|
|
|
|
|
|
|
|
const MAC_PROFILE_VERIFYING_DISPLAY_CONFIG: ProfileDisplayOption = {
|
|
|
|
|
statusText: "Verifying",
|
|
|
|
|
iconName: "success-outline",
|
|
|
|
|
tooltip: (innerProps) =>
|
|
|
|
|
innerProps.isDiskEncryptionProfile
|
|
|
|
|
? "The host acknowledged the MDM command to turn on disk encryption. " +
|
|
|
|
|
"Fleet is verifying with osquery and retrieving the disk encryption key. " +
|
|
|
|
|
"This may take up to one hour."
|
|
|
|
|
: "The host acknowledged the MDM command to apply the setting. Fleet is " +
|
|
|
|
|
"verifying with osquery.",
|
|
|
|
|
} as const;
|
|
|
|
|
|
2023-11-29 14:32:42 +00:00
|
|
|
export const PROFILE_DISPLAY_CONFIG: ProfileDisplayConfig = {
|
|
|
|
|
install: {
|
2024-07-31 13:21:53 +00:00
|
|
|
verified: APPLE_PROFILE_VERIFIED_DISPLAY_CONFIG,
|
|
|
|
|
success: APPLE_PROFILE_VERIFIED_DISPLAY_CONFIG,
|
2024-03-25 19:15:33 +00:00
|
|
|
verifying: MAC_PROFILE_VERIFYING_DISPLAY_CONFIG,
|
|
|
|
|
acknowledged: MAC_PROFILE_VERIFYING_DISPLAY_CONFIG,
|
2023-11-29 14:32:42 +00:00
|
|
|
pending: {
|
|
|
|
|
statusText: "Enforcing (pending)",
|
|
|
|
|
iconName: "pending-outline",
|
|
|
|
|
tooltip: (innerProps) =>
|
|
|
|
|
innerProps.isDiskEncryptionProfile
|
|
|
|
|
? "The hosts will receive the MDM command to turn on disk encryption " +
|
|
|
|
|
"when the hosts come online."
|
2024-01-19 19:47:51 +00:00
|
|
|
: "The host will receive the MDM command to apply the setting when the " +
|
2023-11-29 14:32:42 +00:00
|
|
|
"host comes online.",
|
|
|
|
|
},
|
|
|
|
|
action_required: {
|
|
|
|
|
statusText: "Action required (pending)",
|
|
|
|
|
iconName: "pending-outline",
|
|
|
|
|
tooltip: TooltipInnerContentActionRequired as TooltipInnerContentFunc,
|
|
|
|
|
},
|
|
|
|
|
failed: {
|
|
|
|
|
statusText: "Failed",
|
|
|
|
|
iconName: "error",
|
|
|
|
|
tooltip: null,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
remove: {
|
|
|
|
|
pending: {
|
|
|
|
|
statusText: "Removing enforcement (pending)",
|
|
|
|
|
iconName: "pending-outline",
|
|
|
|
|
tooltip: (innerProps) =>
|
|
|
|
|
innerProps.isDiskEncryptionProfile
|
|
|
|
|
? "The host will receive the MDM command to remove the disk encryption profile when the " +
|
|
|
|
|
"host comes online."
|
|
|
|
|
: "The host will receive the MDM command to remove the setting when the host " +
|
|
|
|
|
"comes online.",
|
|
|
|
|
},
|
|
|
|
|
action_required: null, // should not be reached
|
|
|
|
|
verified: null, // should not be reached
|
|
|
|
|
verifying: null, // should not be reached
|
2024-03-25 19:15:33 +00:00
|
|
|
success: null, // should not be reached
|
|
|
|
|
acknowledged: null, // should not be reached
|
2023-11-29 14:32:42 +00:00
|
|
|
failed: {
|
|
|
|
|
statusText: "Failed",
|
|
|
|
|
iconName: "error",
|
|
|
|
|
tooltip: null,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
type WindowsDiskEncryptionDisplayConfig = Omit<
|
|
|
|
|
OperationTypeOption,
|
2024-03-25 19:15:33 +00:00
|
|
|
// windows disk encryption does not have these states
|
Implement BitLocker "action required" status (#31451)
for #31182
# Details
This PR implements the "Action Required" state for Windows host disk
encryption. This includes updates to reporting for:
* disk encryption summary (`GET /fleet/disk_encryption`)
* config profiles summary (`GET /configuration_profiles/summary`)
* config profile status ( `GET
/configuration_profiles/{profile_uuid}/status`)
For disk encryption summary, the statuses are now determined according
to [the rules in the
Figma](https://www.figma.com/design/XbhlPuEJxQtOgTZW9EOJZp/-28133-Enforce-BitLocker-PIN?node-id=5484-928&t=JB13g8zQ2QDVEmPB-0).
TL;DR if the criteria for "verified" or "verifying" are set, but a
required PIN is not set, we report a host as "action required".
For profiles, I followed what seems to be the existing pattern and set
the profile status to "pending" if the disk encryption status is "action
required". This is what we do for hosts with the "enforcing" or
"removing enforcement" statuses.
A lot of the changes in these files are due to the creation of the
`fleet.DiskEncryptionConfig` struct to hold info about disk encryption
config, and passing variables of that type to various functions instead
of passing a `bool` to indicate whether encryption is enabled. Other
than that, the functional changes are constrained to a few files.
> Note: to get the "require bitlocker pin" UI, compile the front end
with:
```
SHOW_BITLOCKER_PIN_OPTION=true NODE_ENV=development yarn run webpack --progress --watch
```
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
Changelog will be added when feature is complete.
- [X] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [X] Added/updated automated tests
- [X] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [ ] QA'd all new/changed functionality manually
Could use some help testing this end-to-end. I was able to test the
banners showing up correctly, but testing the Disk Encryption table
requires some Windows-MDM-fu (I just get all zeroes).
## Database migrations
- [X] Checked table schema to confirm autoupdate
- [X] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [X] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [X] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
2025-08-05 16:23:27 +00:00
|
|
|
"success" | "acknowledged"
|
2023-11-29 14:32:42 +00:00
|
|
|
>;
|
|
|
|
|
|
|
|
|
|
export const WINDOWS_DISK_ENCRYPTION_DISPLAY_CONFIG: WindowsDiskEncryptionDisplayConfig = {
|
|
|
|
|
verified: {
|
|
|
|
|
statusText: "Verified",
|
|
|
|
|
iconName: "success",
|
|
|
|
|
tooltip: () =>
|
2024-07-31 13:21:53 +00:00
|
|
|
"The host turned disk encryption on and sent the key to Fleet. Fleet verified.",
|
2023-11-29 14:32:42 +00:00
|
|
|
},
|
|
|
|
|
verifying: {
|
|
|
|
|
statusText: "Verifying",
|
|
|
|
|
iconName: "success-outline",
|
|
|
|
|
tooltip: () =>
|
|
|
|
|
"The host acknowledged the MDM command to turn on disk encryption. Fleet is verifying with " +
|
|
|
|
|
"osquery and retrieving the disk encryption key. This may take up to one hour.",
|
|
|
|
|
},
|
|
|
|
|
pending: {
|
|
|
|
|
statusText: "Enforcing (pending)",
|
|
|
|
|
iconName: "pending-outline",
|
|
|
|
|
tooltip: () =>
|
|
|
|
|
"The host will receive the MDM command to turn on disk encryption when the host comes online.",
|
|
|
|
|
},
|
Implement BitLocker "action required" status (#31451)
for #31182
# Details
This PR implements the "Action Required" state for Windows host disk
encryption. This includes updates to reporting for:
* disk encryption summary (`GET /fleet/disk_encryption`)
* config profiles summary (`GET /configuration_profiles/summary`)
* config profile status ( `GET
/configuration_profiles/{profile_uuid}/status`)
For disk encryption summary, the statuses are now determined according
to [the rules in the
Figma](https://www.figma.com/design/XbhlPuEJxQtOgTZW9EOJZp/-28133-Enforce-BitLocker-PIN?node-id=5484-928&t=JB13g8zQ2QDVEmPB-0).
TL;DR if the criteria for "verified" or "verifying" are set, but a
required PIN is not set, we report a host as "action required".
For profiles, I followed what seems to be the existing pattern and set
the profile status to "pending" if the disk encryption status is "action
required". This is what we do for hosts with the "enforcing" or
"removing enforcement" statuses.
A lot of the changes in these files are due to the creation of the
`fleet.DiskEncryptionConfig` struct to hold info about disk encryption
config, and passing variables of that type to various functions instead
of passing a `bool` to indicate whether encryption is enabled. Other
than that, the functional changes are constrained to a few files.
> Note: to get the "require bitlocker pin" UI, compile the front end
with:
```
SHOW_BITLOCKER_PIN_OPTION=true NODE_ENV=development yarn run webpack --progress --watch
```
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
Changelog will be added when feature is complete.
- [X] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [X] Added/updated automated tests
- [X] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [ ] QA'd all new/changed functionality manually
Could use some help testing this end-to-end. I was able to test the
banners showing up correctly, but testing the Disk Encryption table
requires some Windows-MDM-fu (I just get all zeroes).
## Database migrations
- [X] Checked table schema to confirm autoupdate
- [X] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [X] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [X] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
2025-08-05 16:23:27 +00:00
|
|
|
action_required: {
|
|
|
|
|
statusText: "Action required (pending)",
|
|
|
|
|
iconName: "pending-outline",
|
|
|
|
|
tooltip: () =>
|
|
|
|
|
"Disk encryption is on, but the user has not set a BitLocker PIN yet.",
|
|
|
|
|
},
|
2023-11-29 14:32:42 +00:00
|
|
|
failed: {
|
|
|
|
|
statusText: "Failed",
|
|
|
|
|
iconName: "error",
|
|
|
|
|
tooltip: null,
|
|
|
|
|
},
|
|
|
|
|
};
|
Linux disk encryption: frontend changes, backend missing private key errors, remove disk encryption endpoints dependence on MDM being enabled (#23714)
## Addresses #22702, #23713, #23756, #23746, #23747, and #23876
_-Note that much of this code as is will render as expected only once
integrated with the backend or if manipulated manually for testing
purposes_
**Frontend**:
- Update banners on my device page, tests
- Build new logic for calling endpoint to trigger linux key escrow on
clicking `Create key`
- Add `CreateLinuxKeyModal` to inform user of next steps after clicking
`Create key`
- Update banners on host details page, tests
- Update the Controls > OS settings section with new logic related to
linux disk encryption
- Expect and include counts of Linux hosts in aggregate disk encryption
stats UI
- Add "Linux" column to the disk encryption table
- Show disk encryption related UI for supported Linux platforms
- TODO: confirm platform string matching functionality in manual e2e
testing
- Expand capabilities of `SectionHeader` component, apply to new UI
- Flash "missing private key" error, with clickable link, when trying to
update disk encryption enabled while no server private key is present.
- TODO: QA this once other endpoints on Controls > Disk encryption are
enabled even when MDM not turned on
- Update Disk encryption key modal copy
-Other TODO:
- Confirm when integrated with API:
- Aggregate disk encryption counts
- Disk encryption table Linux column
- Show disk encryption key action on host details page when expected
- Opens Disk encryption key modal, displays key as expected
**Backend**:
- For "No team" and teams, error when trying to update disk encryption
enabled while no server private key is present.
- Remove requirement of mdm being enabled for use of various endpoints
related to Linux disk encryption
- Update tests
_________
**Host details and my device page banners**
**Create key modal**
<img width="1799" alt="create-key-modal"
src="https://github.com/user-attachments/assets/81a55ccb-b6b9-4eb6-b2ff-a463c60724c0">
**Enabling disk encryption**
**Disk encryption: Fleet free**
<img width="1912" alt="free"
src="https://github.com/user-attachments/assets/9f9cace3-8955-47c2-87d9-24ff9387ac1a">
**Custom settings: turn on MDM**
<img width="1912" alt="turn on mdm"
src="https://github.com/user-attachments/assets/4d3ad47b-4035-4d93-86f0-dc2691b38bb4">
**Device status indicators**
**Encryption key action and modal**
- [x] Changes file added for user-visible changes in `changes/`
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
- [ ] Full e2e testing to do when integrated with backend
---------
Co-authored-by: Jacob Shandling <jacob@fleetdm.com>
Co-authored-by: Ian Littman <iansltx@gmail.com>
2024-11-20 19:58:47 +00:00
|
|
|
|
|
|
|
|
type LinuxDiskEncryptionDisplayConfig = Omit<
|
|
|
|
|
OperationTypeOption,
|
|
|
|
|
"success" | "pending" | "acknowledged" | "verifying"
|
|
|
|
|
>;
|
|
|
|
|
|
|
|
|
|
export const LINUX_DISK_ENCRYPTION_DISPLAY_CONFIG: LinuxDiskEncryptionDisplayConfig = {
|
|
|
|
|
verified: {
|
|
|
|
|
statusText: "Verified",
|
|
|
|
|
iconName: "success",
|
|
|
|
|
tooltip: () =>
|
|
|
|
|
"The host turned disk encryption on and sent the key to Fleet. Fleet verified.",
|
|
|
|
|
},
|
|
|
|
|
failed: {
|
|
|
|
|
statusText: "Failed",
|
|
|
|
|
iconName: "error",
|
|
|
|
|
tooltip: null,
|
|
|
|
|
},
|
|
|
|
|
action_required: {
|
|
|
|
|
statusText: "Action required (pending)",
|
|
|
|
|
iconName: "pending-outline",
|
|
|
|
|
tooltip: TooltipInnerContentActionRequired as TooltipInnerContentFunc,
|
|
|
|
|
},
|
|
|
|
|
};
|