import { IConfigServerSettings } from "./config";
/**
 * Apple MDM certificate details as returned by the Fleet API.
 * NOTE(review): the field names (common_name, serial_number, issuer) read as
 * X.509 certificate attributes — presumably the Apple MDM push certificate;
 * confirm against the API docs.
 */
export interface IMdmApple {
  common_name: string;
  serial_number: string;
  issuer: string;
  /** Date string; the exact format (e.g. ISO 8601) is not fixed here — TODO confirm. */
  renew_date: string;
}
/**
 * Apple "BM" (presumably Apple Business Manager) connection details as
 * returned by the Fleet API — confirm against the API docs.
 */
export interface IMdmAppleBm {
  /** Absent when no default team is configured. It is a string, so presumably a team name rather than an id — confirm. */
  default_team?: string;
  apple_id: string;
  org_name: string;
  mdm_server_url: string;
  /** Date string; format is not fixed here — TODO confirm. */
  renew_date: string;
}
/** A team reference as embedded in the ABM/VPP token objects below. */
export type ITokenTeam = {
  team_id: number;
  name: string;
};
/**
 * An Apple Business Manager (ABM) token as returned by the Fleet API.
 * Each token carries one default team per Apple platform it can enroll.
 */
export interface IMdmAbmToken {
  id: number;
  apple_id: string;
  org_name: string;
  mdm_server_url: string;
  /** Date string; format is not fixed here — TODO confirm. */
  renew_date: string;
  /** True when the ABM terms and conditions need to be re-accepted — presumably blocks enrollment; confirm. */
  terms_expired: boolean;
  macos_team: ITokenTeam;
  ios_team: ITokenTeam;
  ipados_team: ITokenTeam;
}
/**
 * An Apple Volume Purchase Program (VPP) token as returned by the Fleet API.
 */
export interface IMdmVppToken {
  id: number;
  org_name: string;
  /** VPP location name — presumably; confirm against the API docs. */
  location: string;
  /** Date string; format is not fixed here — TODO confirm. */
  renew_date: string;
  teams: ITokenTeam[] | null; // null means token isn't configured to a team; empty array means all teams
}
/**
 * Builds the Apple MDM server URL from the configured Fleet server URL.
 *
 * @param settings - server settings; only `server_url` is read.
 * @returns `server_url` with the fixed `/mdm/apple/mdm` path appended.
 *   No normalization is performed: a trailing slash on `server_url` is kept,
 *   so callers are expected to supply it without one.
 */
export const getMdmServerUrl = ({ server_url }: IConfigServerSettings) => {
  const appleMdmPath = "/mdm/apple/mdm";
  return `${server_url}${appleMdmPath}`;
};
/**
 * These are the values the API will send back to the UI for mdm enrollment status.
 * "On (automatic)" is kept for backwards compatibility; the UI displays it under a
 * newer name (see MDM_ENROLLMENT_STATUS_UI_MAP).
 */
export type MdmEnrollmentStatus =
  | "On (manual)"
  | "On (automatic)"
  | "On (personal)"
  | "Off"
  | "Pending";
/**
 * This is the filter value used for query string parameters.
 * Each value corresponds to one MdmEnrollmentStatus ("unenrolled" maps to "Off").
 */
export type MdmEnrollmentFilterValue =
  | "manual"
  | "automatic"
  | "personal"
  | "unenrolled"
  | "pending";
/** UI-facing data for one MdmEnrollmentStatus value. */
interface IMdmEnrollmentStatusUIData {
  /** Text shown to the user; may differ from the API status string. */
  displayName: string;
  /** Value written to the query string when filtering by this status. */
  filterValue: MdmEnrollmentFilterValue;
}
/**
 * Maps each MdmEnrollmentStatus returned by the API to the data the UI needs
 * for it: the display name and the query-string filter value.
 *
 * Keyed by the exact API string, so a new MdmEnrollmentStatus member will
 * fail to compile until an entry is added here.
 */
export const MDM_ENROLLMENT_STATUS_UI_MAP: Record<
  MdmEnrollmentStatus,
  IMdmEnrollmentStatusUIData
> = {
  "On (manual)": { displayName: "On (manual)", filterValue: "manual" },
  // "On (company-owned)" is the newer name for "On (automatic)"; the API keeps
  // returning "On (automatic)" for backwards compatibility, so the key stays.
  "On (automatic)": {
    displayName: "On (company-owned)",
    filterValue: "automatic",
  },
  "On (personal)": { displayName: "On (personal)", filterValue: "personal" },
  Off: { displayName: "Off", filterValue: "unenrolled" },
  Pending: { displayName: "Pending", filterValue: "pending" },
};
/** Data backing one MDM enrollment status card in the UI. */
export interface IMdmStatusCardData {
  status: MdmEnrollmentStatus;
  /** Number of hosts in this enrollment status. */
  hosts: number;
  /** Platform label the card is scoped to, when one is selected. */
  selectedPlatformLabelId?: number;
}
/**
 * Aggregate host counts per MDM enrollment state.
 * Note: unlike IMdmStatus below, this shape has no enrolled_personal_hosts_count.
 */
export interface IMdmAggregateStatus {
  enrolled_manual_hosts_count: number;
  enrolled_automated_hosts_count: number;
  unenrolled_hosts_count: number;
  /** Optional: older API responses may omit the pending count. */
  pending_hosts_count?: number;
}
/** An MDM solution (server) detected on hosts, with the number of hosts using it. */
export interface IMdmSolution {
  id: number;
  /** null when the solution could not be named; see IMdmSummaryMdmSolution for the always-string variant. */
  name: string | null;
  server_url: string;
  hosts_count: number;
}
/** This is the mdm solution that comes back from the host/summary/mdm
request. We will always get a string for the solution name in this case,
so `name` narrows the `string | null` of IMdmSolution to `string`. */
export interface IMdmSummaryMdmSolution extends IMdmSolution {
  name: string;
}
/**
 * Enrollment-state breakdown returned inside IMdmSummaryResponse.
 * The per-state counts plus hosts_count (the overall total) are reported
 * separately; whether they always sum up is not established here.
 */
interface IMdmStatus {
  enrolled_manual_hosts_count: number;
  enrolled_automated_hosts_count: number;
  enrolled_personal_hosts_count: number;
  unenrolled_hosts_count: number;
  /** Optional: may be absent from the response. */
  pending_hosts_count?: number;
  hosts_count: number;
}
/** Response body of the host/summary/mdm request. */
export interface IMdmSummaryResponse {
  /** Timestamp string of when the counts were last computed; format not fixed here. */
  counts_updated_at: string;
  mobile_device_management_enrollment_status: IMdmStatus;
  /** null when no MDM solution has been detected on any host. */
  mobile_device_management_solution: IMdmSummaryMdmSolution[] | null;
}
/** Platforms a configuration profile can target. "darwin" is macOS. */
export type ProfilePlatform =
  | "darwin"
  | "windows"
  | "ios"
  | "ipados"
  | "linux"
  | "android";
/**
 * A label a profile is scoped to. A label is "broken" when it no longer
 * resolves (e.g. was deleted); in that case only the name survives.
 */
export interface IProfileLabel {
  name: string;
  id?: number; // id is only present when the label is not broken
  broken?: boolean;
}
/**
 * A configuration profile as managed in Fleet (team-scoped).
 * At most one of the three `labels_*` scoping modes is expected to be set —
 * presumably enforced server-side; confirm.
 */
export interface IMdmProfile {
  profile_uuid: string;
  team_id: number;
  name: string;
  platform: ProfilePlatform;
  identifier: string | null; // null for windows profiles
  created_at: string;
  updated_at: string;
  checksum: string | null; // null for windows profiles
  /** Profile applies only to hosts carrying every one of these labels. */
  labels_include_all?: IProfileLabel[];
  /** Profile applies to hosts carrying at least one of these labels. */
  labels_include_any?: IProfileLabel[];
  /** Profile is withheld from hosts carrying any of these labels. */
  labels_exclude_any?: IProfileLabel[];
}
/** Delivery status of a classic (non-declarative) profile on a host. */
export type MdmProfileStatus = "verified" | "verifying" | "pending" | "failed";
/**
 * Status of a declarative device management (DDM) profile on a host.
 * Overlaps with MdmProfileStatus on "pending" and "failed".
 */
export type MdmDDMProfileStatus =
  | "success"
  | "pending"
  | "failed"
  | "acknowledged";
/** Whether the pending/last operation for a profile on a host installs or removes it. */
export type ProfileOperationType = "remove" | "install";
/** Whether a profile is applied at the device level or to a user channel. */
export type ProfileScope = "device" | "user";
/**
 * A profile as reported for a single host. The `status` union folds in
 * LinuxDiskEncryptionStatus because Linux disk encryption is surfaced
 * through the same per-host profile list.
 */
export interface IHostMdmProfile {
  profile_uuid: string;
  name: string;
  /** null when no operation is in flight for this profile. */
  operation_type: ProfileOperationType | null;
  platform: ProfilePlatform;
  status: MdmProfileStatus | MdmDDMProfileStatus | LinuxDiskEncryptionStatus;
  /** Human-readable detail, e.g. an error message for a failed status. */
  detail: string;
  /** null when scope is not applicable or not reported. */
  scope: ProfileScope | null;
  /** Local account the profile is managed for (user scope) — presumably; null otherwise. */
  managed_local_account: string | null;
}
// TODO - move disk encryption related types to dedicated file
/**
 * Every disk encryption status the Fleet API can report for a host, across
 * platforms. Platform-specific subsets are carved out below with `Extract`
 * (WindowsDiskEncryptionStatus, LinuxDiskEncryptionStatus).
 */
export type DiskEncryptionStatus =
  | "verified"
  | "verifying"
  | "action_required"
  | "enforcing"
  | "failed"
  | "removing_enforcement";
/** Currently windows disk encryption status will only be one of these five
values. In the future we may add more. "removing_enforcement" is the only
DiskEncryptionStatus member excluded. Keep isWindowsDiskEncryptionStatus in
sync with this list. */
export type WindowsDiskEncryptionStatus = Extract<
  DiskEncryptionStatus,
  "verified" | "verifying" | "enforcing" | "failed" | "action_required"
>;
/**
 * Type guard narrowing a DiskEncryptionStatus to the subset reported for
 * Windows hosts.
 *
 * @param status - any disk encryption status value.
 * @returns true for "verified", "verifying", "enforcing", "failed" and
 *   "action_required"; false for anything else (e.g. "removing_enforcement").
 */
export const isWindowsDiskEncryptionStatus = (
  status: DiskEncryptionStatus
): status is WindowsDiskEncryptionStatus => {
  // Must mirror the members of WindowsDiskEncryptionStatus.
  const windowsStatuses: readonly DiskEncryptionStatus[] = [
    "verified",
    "verifying",
    "enforcing",
    "failed",
    "action_required",
  ];
  return windowsStatuses.includes(status);
};
/**
 * Subset of DiskEncryptionStatus reported for Linux hosts. Keep
 * isLinuxDiskEncryptionStatus in sync with this list.
 */
export type LinuxDiskEncryptionStatus = Extract<
  DiskEncryptionStatus,
  "verified" | "failed" | "action_required"
>;
/**
 * Type guard narrowing a DiskEncryptionStatus to the subset reported for
 * Linux hosts.
 *
 * @param status - any disk encryption status value.
 * @returns true for "verified", "failed" and "action_required"; false otherwise.
 */
export const isLinuxDiskEncryptionStatus = (
  status: DiskEncryptionStatus
): status is LinuxDiskEncryptionStatus => {
  // Must mirror the members of LinuxDiskEncryptionStatus.
  switch (status) {
    case "verified":
    case "failed":
    case "action_required":
      return true;
    default:
      return false;
  }
};
/** Display name the UI uses for Fleet's FileVault (macOS disk encryption) profile. */
export const FLEET_FILEVAULT_PROFILE_DISPLAY_NAME = "Disk encryption";
/**
 * Response of the MDM SSO initiation request.
 * The interface name is misspelled ("Reponse") but is part of the exported
 * API; renaming it would break importers.
 */
export interface IMdmSSOReponse {
  /** URL the UI sends the user to for SSO. Comes from the API; presumably an identity-provider URL — confirm. */
  url: string;
}
/** Metadata of the bootstrap package uploaded for a team. */
export interface IBootstrapPackageMetadata {
  name: string;
  team_id: number;
  /** SHA-256 digest of the package. Encoding (hex vs. base64) is not fixed here — TODO confirm before comparing. */
  sha256: string;
  /** Opaque token returned with the package; presumably grants download access, so avoid logging it — confirm. */
  token: string;
  /** Timestamp string; format not fixed here. */
  created_at: string;
}
/** Host counts per bootstrap package install status (see BootstrapPackageStatus). */
export interface IBootstrapPackageAggregate {
  installed: number;
  pending: number;
  failed: number;
}
/**
 * Install status of the bootstrap package on a host. A string enum, so the
 * values are the exact strings the API uses; the keys match the fields of
 * IBootstrapPackageAggregate.
 */
export enum BootstrapPackageStatus {
  INSTALLED = "installed",
  PENDING = "pending",
  FAILED = "failed",
}
/**
 * IMdmCommandResult is the shape of an mdm command result object
 * returned by the Fleet API.
 */
export interface IMdmCommandResult {
  host_uuid: string;
  command_uuid: string;
  /**
   * Status is the status of the command. It can be one of Acknowledged, Error,
   * or NotNow for Apple, or 200, 400, etc for Windows.
   */
  status: string;
  /** Timestamp string; format not fixed here. */
  updated_at: string;
  request_type: string;
  hostname: string;
  /** Payload is a base64-encoded string containing the MDM command request */
  payload: string;
  /**
   * Result is a base64-encoded string containing the MDM command response.
   * The response presumably originates from the device, so decode it and treat
   * the contents as untrusted before rendering — confirm with the API docs.
   */
  result: string;
}
/**
 * Type guard: is the host currently enrolled in MDM?
 *
 * @param hostMdmEnrollmentStatus - enrollment status from the API, or null
 *   when not reported.
 * @returns true only for the three "On (...)" statuses; null, "Off" and
 *   "Pending" yield false.
 */
export const isEnrolledInMdm = (
  hostMdmEnrollmentStatus: MdmEnrollmentStatus | null
): hostMdmEnrollmentStatus is MdmEnrollmentStatus => {
  // null (and any non-"On" status) falls through to the default branch.
  switch (hostMdmEnrollmentStatus) {
    case "On (automatic)":
    case "On (manual)":
    case "On (personal)":
      return true;
    default:
      return false;
  }
};
/**
 * Determines whether a host's MDM enrollment is a personal-device enrollment.
 *
 * @param enrollmentStatus - enrollment status from the API, or null when not reported.
 * @returns true only for "On (personal)"; every other status, and null, gives false.
 */
export const isPersonalEnrollmentInMdm = (
  enrollmentStatus: MdmEnrollmentStatus | null
): boolean => enrollmentStatus === "On (personal)";