Fix polling schedule for Windows MDM (#16104)

This commit is contained in:
Martin Angers 2024-01-16 09:05:19 -05:00 committed by GitHub
parent ab4c505f4b
commit 45cc94d9c3
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 93 additions and 88 deletions


@ -0,0 +1 @@
* Fixed the Windows MDM polling interval so that enrolled devices check-in regularly with Fleet to look for pending MDM-related actions.


@ -248,27 +248,6 @@ const (
// The DocProvisioningVersion attributes defines the version of the provisioning document format
DocProvisioningVersion = "1.1"
// The number of times the DM client should retry to connect to the server when the client is initially configured or enrolled to communicate with the server.
DmClientCSPNumberOfFirstRetries = "8"
// The waiting time (in minutes) for the initial set of retries as specified by the number of retries in NumberOfFirstRetries
DmClientCSPIntervalForFirstSetOfRetries = "15"
// The number of times the DM client should retry a second round of connecting to the server when the client is initially configured/enrolled to communicate with the server
DmClientCSPNumberOfSecondRetries = "5"
// The waiting time (in minutes) for the second set of retries as specified by the number of retries in NumberOfSecondRetries
DmClientCSPIntervalForSecondSetOfRetries = "3"
// The number of times the DM client should retry connecting to the server when the client is initially configured/enrolled to communicate with the server
DmClientCSPNumberOfRemainingScheduledRetries = "0"
// The waiting time (in minutes) for the initial set of retries as specified by the number of retries in NumberOfRemainingScheduledRetries
DmClientCSPIntervalForRemainingScheduledRetries = "1560"
// It allows the IT admin to require the device to start a management session on any user login, regardless of if the user has preciously logged in
DmClientCSPPollOnLogin = "true"
// It specifies whether the DM client should send out a request pending alert in case the device response to a DM request is too slow.
DmClientCSPEnableOmaDmKeepAliveMessage = "true"


@ -680,14 +680,37 @@ func NewDMClientProvisioningData() mdm_types.Characteristic {
newCharacteristic(syncml.DocProvisioningAppProviderID,
[]mdm_types.Param{}, []mdm_types.Characteristic{
newCharacteristic("Poll", []mdm_types.Param{
newParm("NumberOfFirstRetries", syncml.DmClientCSPNumberOfFirstRetries, syncml.DmClientIntType),
newParm("IntervalForFirstSetOfRetries", syncml.DmClientCSPIntervalForFirstSetOfRetries, syncml.DmClientIntType),
newParm("NumberOfSecondRetries", syncml.DmClientCSPNumberOfSecondRetries, syncml.DmClientIntType),
newParm("IntervalForSecondSetOfRetries", syncml.DmClientCSPIntervalForSecondSetOfRetries, syncml.DmClientIntType),
newParm("NumberOfRemainingScheduledRetries", syncml.DmClientCSPNumberOfRemainingScheduledRetries, syncml.DmClientIntType),
newParm("IntervalForRemainingScheduledRetries", syncml.DmClientCSPIntervalForRemainingScheduledRetries, syncml.DmClientIntType),
newParm("PollOnLogin", syncml.DmClientCSPPollOnLogin, syncml.DmClientBoolType),
newParm("AllUsersPollOnFirstLogin", syncml.DmClientCSPPollOnLogin, syncml.DmClientBoolType),
// AllUsersPollOnFirstLogin - enabled
// https://learn.microsoft.com/en-us/windows/client-management/mdm/dmclient-csp#deviceproviderprovideridpollalluserspollonfirstlogin
newParm("AllUsersPollOnFirstLogin", "true", syncml.DmClientBoolType),
// PollOnLogin - enabled
// https://learn.microsoft.com/en-us/windows/client-management/mdm/dmclient-csp#deviceproviderprovideridpollpollonlogin
newParm("PollOnLogin", "true", syncml.DmClientBoolType),
// NumberOfFirstRetries - 0 (meaning repeat infinitely, Second and Remaining retries will not be used)
// https://learn.microsoft.com/en-us/windows/client-management/mdm/dmclient-csp#deviceproviderprovideridpollnumberoffirstretries
//
// Note that the docs do mention:
//
// The total time for first set of retries shouldn't be more than
// a few hours. The server shouldn't set NumberOfFirstRetries to
// be 0. RemainingScheduledRetries is used for the long run
// device polling schedule.
//
// but we really want to keep polling regularly at short intervals
// and it seems like the way to do it (and they do support infinite
// retries, so...).
newParm("NumberOfFirstRetries", "0", syncml.DmClientIntType),
// IntervalForFirstSetOfRetries - 1 minute (we can't go lower than that)
// https://learn.microsoft.com/en-us/windows/client-management/mdm/dmclient-csp#deviceproviderprovideridpollintervalforfirstsetofretries
newParm("IntervalForFirstSetOfRetries", "1", syncml.DmClientIntType),
// Second and Remaining retries are disabled (0).
newParm("NumberOfSecondRetries", "0", syncml.DmClientIntType),
newParm("IntervalForSecondSetOfRetries", "0", syncml.DmClientIntType),
newParm("NumberOfRemainingScheduledRetries", "0", syncml.DmClientIntType),
newParm("IntervalForRemainingScheduledRetries", "0", syncml.DmClientIntType),
}, nil),
}),
}),
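Review bot: The polling values on the new side are inline string literals (`"true"`, `"0"`, `"1"`) inside NewDMClientProvisioningData, while the previous code read them from named syncml constants that the earlier hunk appears to delete; a one-minute, never-ending first-retry schedule is a per-device check-in rate an operator will want to locate and tune, so keep at least the interval behind a named constant in the syncml package, e.g. `DmClientCSPIntervalForFirstSetOfRetries = "1"`, and reference it from this Poll characteristic. The comment above NumberOfFirstRetries already records that this deviates from Microsoft's documented guidance; a one-line statement of the consequence would help the next reader, e.g. `// Every enrolled device will contact the server roughly once a minute; size server capacity for the fleet accordingly.` NewDMClientProvisioningData starts before this hunk and continues past it.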


@ -7,7 +7,7 @@ This project uses the protocols:
- [MS-MDE](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-mde/d9e18701-cd4c-4fdb-8a3e-c1ddd33b1307)
- [MS-MDM](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f)
- [MS-WSTEP](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wstep/4766a85d-0d18-4fa1-a51f-e5cb98b752ea)
- [MS-WSTEP](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wstep/4766a85d-0d18-4fa1-a51f-e5cb98b752ea)
- [MS-XCEP](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-xcep/08ec4475-32c2-457d-8c27-5a176660a210)
- [OMA Device Management Protocol](https://www.openmobilealliance.org/release/DM/V1_2_1-20080617-A/OMA-TS-DM_Protocol-V1_2_1-20080617-A.pdf)
@ -22,7 +22,9 @@ This code is MIT licensed and it was forked from [here](https://github.com/oscar
## Usage
On the server side, you just need to run the project using the already provided cert and keys. So go to the project folder and run.
On the server side, you just need to run the project using the already provided cert and keys. The certificate is in `.pfx` file format, so you need to extract the certificate and key first, see https://stackoverflow.com/a/59120388/1094941.
Next go to the project folder and run.
```bash
go run .
@ -31,11 +33,11 @@ go run .
On the Windows client side, you need to import a custom CA certificate to the certificate store, and populate the `hosts` file before running the Windows Enrollment. The certificate to import is on the certs directory and it is called `dev_cert_mdmwindows_com.pfx`. You need to copy this certificate to the client machine and run the powershell command below. This is required because the project uses a local dev https endpoint.
1) Import certificate to Trusted CAs repository (be sure to update the path to the pfx certificate)
powershell -ep bypass "$mypwd = ConvertTo-SecureString -String 'testpassword' -Force -AsPlainText ; Import-PfxCertificate -FilePath c:\path\to\dev_cert_mdmwindows_com.pfx -CertStoreLocation Cert:\LocalMachine\Root -Password $mypwd"
2) Add mdmwindows.com to the list of static DNS
echo <server_ip> mdmwindows.com >> %SystemRoot%\System32\drivers\etc\hosts
echo <server_ip> autodiscovery.mdmwindows.com >> %SystemRoot%\System32\drivers\etc\hosts
echo <server_ip> enterpriseenrollment.mdmwindows.com >> %SystemRoot%\System32\drivers\etc\hosts
@ -55,19 +57,19 @@ Below is the raw https exchange of the MS-MDE and MS-MDM protocols when run usin
Cache-Control: no-cache
Pragma: no-cache
User-Agent: ENROLLClient
----------- Empty Input Body -----------
=========================================================================
============================= Output Response =============================
----------- Response Header -----------
HTTP/1.1 200 OK
Connection: close
----------- Empty Response Body -----------
=========================================================================
@ -78,10 +80,10 @@ Below is the raw https exchange of the MS-MDE and MS-MDM protocols when run usin
Content-Length: 1042
Content-Type: application/soap+xml; charset=utf-8
User-Agent: ENROLLClient
----------- Input Body -----------
<s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<a:Action s:mustUnderstand="1">http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/Discover</a:Action>
@ -108,20 +110,20 @@ Below is the raw https exchange of the MS-MDE and MS-MDM protocols when run usin
</s:Body>
</s:Envelope>
=========================================================================
============================= Output Response =============================
----------- Response Header -----------
HTTP/1.1 200 OK
Content-Length: 1107
Content-Type: application/soap+xml; charset=utf-8
----------- Response Body -----------
<s:Envelope
xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing">
@ -239,7 +241,7 @@ Content-Type: application/soap+xml; charset=utf-8
### MDM Certificate Enrollment Extensions Flow (MS-WSTEP)
### MDM Certificate Enrollment Extensions Flow (MS-WSTEP)
============================= Input Request =============================
@ -249,10 +251,10 @@ Content-Type: application/soap+xml; charset=utf-8
Content-Length: 4295
Content-Type: application/soap+xml; charset=utf-8
User-Agent: ENROLLClient
----------- Input Body -----------
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:ac="http://schemas.xmlsoap.org/ws/2006/12/authorization">
<s:Header>
<a:Action s:mustUnderstand="1">http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RST/wstep</a:Action>
@ -333,20 +335,20 @@ Content-Type: application/soap+xml; charset=utf-8
</s:Body>
</s:Envelope>
=========================================================================
============================= Output Response =============================
----------- Response Header -----------
HTTP/1.1 200 OK
Content-Length: 8598
Content-Type: application/soap+xml; charset=utf-8
----------- Response Body -----------
<s:Envelope
xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing"
@ -399,10 +401,10 @@ Content-Type: application/soap+xml; charset=utf-8
Content-Type: application/vnd.syncml.dm+xml
Ms-Cv: a/tCeBgffEqA5408.0.0.0
User-Agent: MSFT OMA DM Client/1.2.0.1
----------- Input Body -----------
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncHdr>
<VerDTD>1.2</VerDTD>
@ -468,19 +470,19 @@ Content-Type: application/soap+xml; charset=utf-8
</SyncBody>
</SyncML>
=========================================================================
============================= Output Response =============================
----------- Response Header -----------
HTTP/1.1 200 OK
Content-Length: 1736
Content-Type: application/vnd.syncml.dm+xml
----------- Response Body -----------
<?xml version="1.0" encoding="UTF-8"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncHdr>
@ -554,11 +556,11 @@ Content-Type: application/soap+xml; charset=utf-8
</SyncBody>
</SyncML>
=========================================================================
192.168.8.10 - - [30/Dec/2022:16:59:44 -0300] "POST /ManagementServer/MDM.svc?mode=Maintenance&Platform=WoA HTTP/2.0" 200 1400
============================= Input Request =============================
----------- Input Header -----------
POST /ManagementServer/MDM.svc?mode=Maintenance&Platform=WoA HTTP/2.0
@ -570,10 +572,10 @@ Content-Type: application/soap+xml; charset=utf-8
Content-Type: application/vnd.syncml.dm+xml
Ms-Cv: a/tCeBgffEqA5408.0.0.0
User-Agent: MSFT OMA DM Client/1.2.0.1
----------- Input Body -----------
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncHdr>
<VerDTD>1.2</VerDTD>
@ -613,19 +615,19 @@ Content-Type: application/soap+xml; charset=utf-8
</SyncBody>
</SyncML>
=========================================================================
============================= Output Response =============================
----------- Response Header -----------
HTTP/1.1 200 OK
Content-Type: application/vnd.syncml.dm+xml
Content-Length: 0
----------- Response Body -----------
=========================================================================