From 34db806d5610381feffb59d5b0de4fb7e6c8a427 Mon Sep 17 00:00:00 2001 From: Marko Lisica <83164494+marko-lisica@users.noreply.github.com> Date: Thu, 4 Dec 2025 00:25:02 +0100 Subject: [PATCH] Explain behavior of unmanaged profiles (#36416) Related to: - #34879 --- articles/custom-os-settings.md | 25 +++++++++++++++---------- website/config/routes.js | 2 +- 2 files changed, 16 insertions(+), 11 deletions(-) diff --git a/articles/custom-os-settings.md b/articles/custom-os-settings.md index bd2b33cdfe..16b6191ca9 100644 --- a/articles/custom-os-settings.md +++ b/articles/custom-os-settings.md @@ -10,7 +10,6 @@ For Windows hosts, copy this [Windows configuration profile template](https://fl For Android hosts, copy this [Android configuration profile template](https://fleetdm.com/learn-more-about/example-android-profile) and update the profile using the options available in [Android Management API](https://developers.google.com/android/management/reference/rest/v1/enterprises.policies#resource:-policy). To learn how, watch [this video](https://youtu.be/Jk4Zcb2sR1w). - ## Enforce You can enforce OS settings using the Fleet UI, Fleet API, or [Fleet's best practice GitOps](https://github.com/fleetdm/fleet-gitops). 
@@ -65,14 +64,6 @@ In versions older than 4.71.0, Fleet always delivered configuration profiles to If you want to make sure the profile stays device-scoped, update `PayloadScope` to `System` or remove `PayloadScope` entirely. The default scope in Fleet is `System`. -#### Broken profiles - -If one or more labels included in the profile's scope are deleted, the profile will not apply to new hosts that enroll. - -On macOS, iOS, iPadOS, and Windows, a broken profile will not remove the enforcement of the OS settings applied to existing hosts. To enforce the OS setting on new hosts, delete it and upload it again. - -On Android hosts, a broken profile will remove the enforcement of the OS settings for existing hosts. To enforce the OS setting on existing and new hosts, delete it and upload it again. - ## See status In the Fleet UI, head to the **Controls > OS settings** tab. 
@@ -109,7 +100,21 @@ To verify that the OS setting is applied, run the following osquery query: SELECT data FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\Software\Policies\employee\Attributes\Subteam'; ``` -#### Partial failure (Android profiles) +### Broken profiles + +If one or more labels included in the profile's scope are deleted, the profile will not apply to new hosts that enroll. + +On macOS, iOS, iPadOS, and Windows, a broken profile will not remove the enforcement of the OS settings applied to existing hosts. To enforce the OS setting on new hosts, delete it and upload it again. + +On Android hosts, a broken profile will remove the enforcement of the OS settings for existing hosts. To enforce the OS setting on existing and new hosts, delete it and upload it again. + +### Unmanaged profiles (macOS, iOS, and iPadOS) + +Profiles installed manually by the end user aren't managed by Fleet. They're not visible and can't be removed from the host via Fleet. Additionally, if a backup is migrated to a new host using [Apple's Migration Assistant](https://support.apple.com/en-us/102613) and it contains configuration profiles, those profiles aren't managed. + +To manually remove unmanaged profiles, ask the end user to go to **System Settings > General > Device Management**, select the profile, and select the **- (minus)** button at the bottom of the list. + +### Partial failure (Android) On Android, if some settings from the profile fail (e.g. incompatible device), other settings from the profile will still be applied. Failed settings will be surfaced on **Host > OS settings**. Also, some settings from the profile might be overridden by another configuration profile, which means if multiple profiles include the same setting, the profile that is delivered most recently will be applied. diff --git a/website/config/routes.js b/website/config/routes.js index d8ad351e32..918b4d5586 100644 --- a/website/config/routes.js +++ b/website/config/routes.js 
@@ -1019,7 +1019,7 @@ module.exports.routes = { 'GET /learn-more-about/arch-linux-rolling-release': 'https://wiki.archlinux.org/title/Arch_Linux', 'GET /learn-more-about/google-play-store': 'https://play.google.com/store/apps', 'GET /learn-more-about/managed-lost-mode': 'https://support.apple.com/en-gb/guide/security/secc46f3562c/web', - 'GET /learn-more-about/android-profile-errors': '/guides/custom-os-settings#partial-failure-android-profiles', + 'GET /learn-more-about/android-profile-errors': '/guides/custom-os-settings#partial-failure-android', 'GET /learn-more-about/how-to-craft-android-profile': '/guides/custom-os-settings#create-configuration-profile', 'GET /learn-more-about/example-android-profile': 'https://gist.github.com/marko-lisica/45ee31f6850e1f002141c1b5b43ce519', 'GET /learn-more-about/manual-enrollment-profile': '/docs/rest-api/rest-api#get-manual-enrollment-profile',
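Review bot: In the new "Unmanaged profiles (macOS, iOS, and iPadOS)" section of articles/custom-os-settings.md, the removal steps describe only one path (**System Settings > General > Device Management**, then the **- (minus)** button at the bottom of the list), while the heading also covers iOS and iPadOS. Either add the matching steps for iOS and iPadOS or say which platforms these steps apply to. Because the section states that these profiles are "not visible" in Fleet, it would also help to say how an admin is expected to learn that one is installed on a host, or to say plainly that they can't if that is the case.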
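Review bot: In website/config/routes.js, only the `/learn-more-about/android-profile-errors` redirect is updated for the heading rename from "Partial failure (Android profiles)" to "Partial failure (Android)", so any other link that points straight at `#partial-failure-android-profiles` will no longer land on the section. Please search the repo (articles, UI copy, other routes) for the old anchor before merging and update or redirect whatever turns up.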