only show Nudge to hosts with MDM features turned on (#12588)

For #12582
2026-05-24 09:28:54 +00:00 · 2023-06-30 12:29:27 -03:00 · 2023-06-30 12:29:27 -03:00 · 4b139245cb
commit 4b139245cb
parent 83746aa130
8 changed files with 346 additions and 90 deletions
--- a/changes/12582-nudge-mdm
+++ b/changes/12582-nudge-mdm
@ -0,0 +1 @@
+* Fixed an issue that displayed Nudge to macOS hosts if MDM was configured but MDM features weren't turned on for the host
--- a/server/fleet/app.go
+++ b/server/fleet/app.go
@ -176,6 +176,14 @@ type MacOSUpdates struct {
 	Deadline optjson.String `json:"deadline"`
 }

+// EnabledForHost returns a boolean indicating if updates are enabled for the host
+func (m MacOSUpdates) EnabledForHost(h *Host) bool {
+	return m.Deadline.Value != "" &&
+		m.MinimumVersion.Value != "" &&
+		h.IsOsqueryEnrolled() &&
+		h.MDMInfo.IsFleetEnrolled()
+}
+
 func (m MacOSUpdates) Validate() error {
 	// if no settings are provided it's okay to skip further validation
 	if m.MinimumVersion.Value == "" && m.Deadline.Value == "" {
--- a/server/fleet/app_test.go
+++ b/server/fleet/app_test.go
@ -4,6 +4,7 @@ import (
 	"testing"

 	"github.com/fleetdm/fleet/v4/pkg/optjson"
+	"github.com/fleetdm/fleet/v4/server/ptr"
 	"github.com/stretchr/testify/require"
 )

@ -115,6 +116,38 @@ func TestMacOSUpdatesValidate(t *testing.T) {
 	})
 }

+func TestMacOSUpdatesEnabledForHost(t *testing.T) {
+	hostWithRequirements := &Host{
+		OsqueryHostID: ptr.String("notempty"),
+		MDMInfo: &HostMDM{
+			IsServer: false,
+			Enrolled: true,
+			Name:     WellKnownMDMFleet,
+		},
+	}
+	cases := []struct {
+		version  string
+		deadline string
+		host     *Host
+		out      bool
+	}{
+		{"", "", &Host{}, false},
+		{"", "", hostWithRequirements, false},
+		{"12.3", "", hostWithRequirements, false},
+		{"", "12-03-2022", hostWithRequirements, false},
+		{"12.3", "12-03-2022", &Host{}, false},
+		{"12.3", "12-03-2022", hostWithRequirements, true},
+	}
+
+	for _, tc := range cases {
+		m := MacOSUpdates{
+			MinimumVersion: optjson.SetString(tc.version),
+			Deadline:       optjson.SetString(tc.deadline),
+		}
+		require.Equal(t, tc.out, m.EnabledForHost(tc.host))
+	}
+}
+
 func TestSSOSettingsIsEmpty(t *testing.T) {
 	require.True(t, (SSOProviderSettings{}).IsEmpty())
 	require.False(t, (SSOProviderSettings{EntityID: "fleet"}).IsEmpty())
--- a/server/service/integration_core_test.go
+++ b/server/service/integration_core_test.go
@ -6611,6 +6611,7 @@ func createOrbitEnrolledHost(t *testing.T, os, suffix string, ds fleet.Datastore
 		NodeKey:         ptr.String(name),
 		UUID:            uuid.New().String(),
 		Hostname:        fmt.Sprintf("%s.local", name),
+		HardwareSerial:  uuid.New().String(),
 		Platform:        os,
 	})
 	require.NoError(t, err)
--- a/server/service/integration_enterprise_test.go
+++ b/server/service/integration_enterprise_test.go
@ -2779,91 +2779,6 @@ func (s *integrationEnterpriseTestSuite) TestResetAutomation() {
 	require.Len(s.T(), pfs, 1)
 }

-func (s *integrationEnterpriseTestSuite) TestOrbitConfigNudgeSettings() {
-	t := s.T()
-
-	// ensure the config is empty before starting
-	s.applyConfig([]byte(`
-  mdm:
-    macos_updates:
-      deadline: ""
-      minimum_version: ""
- `))
-
-	var resp orbitGetConfigResponse
-	// missing orbit key
-	s.DoJSON("POST", "/api/fleet/orbit/config", nil, http.StatusUnauthorized, &resp)
-
-	// nudge config is empty if macos_updates is not set, and Windows MDM notifications are unset
-	h := createOrbitEnrolledHost(t, "darwin", "h", s.ds)
-	resp = orbitGetConfigResponse{}
-	s.DoJSON("POST", "/api/fleet/orbit/config", json.RawMessage(fmt.Sprintf(`{"orbit_node_key": %q}`, *h.OrbitNodeKey)), http.StatusOK, &resp)
-	require.Empty(t, resp.NudgeConfig)
-	require.False(t, resp.Notifications.NeedsProgrammaticWindowsMDMEnrollment)
-	require.Empty(t, resp.Notifications.WindowsMDMDiscoveryEndpoint)
-	require.False(t, resp.Notifications.NeedsProgrammaticWindowsMDMUnenrollment)
-
-	// set macos_updates
-	s.applyConfig([]byte(`
-  mdm:
-    macos_updates:
-      deadline: 2022-01-04
-      minimum_version: 12.1.3
- `))
-
-	resp = orbitGetConfigResponse{}
-	s.DoJSON("POST", "/api/fleet/orbit/config", json.RawMessage(fmt.Sprintf(`{"orbit_node_key": %q}`, *h.OrbitNodeKey)), http.StatusOK, &resp)
-	wantCfg, err := fleet.NewNudgeConfig(fleet.MacOSUpdates{Deadline: optjson.SetString("2022-01-04"), MinimumVersion: optjson.SetString("12.1.3")})
-	require.NoError(t, err)
-	require.Equal(t, wantCfg, resp.NudgeConfig)
-	require.Equal(t, wantCfg.OSVersionRequirements[0].RequiredInstallationDate.String(), "2022-01-04 04:00:00 +0000 UTC")
-
-	// create a team with an empty macos_updates config
-	team, err := s.ds.NewTeam(context.Background(), &fleet.Team{
-		ID:          4827,
-		Name:        "team1_" + t.Name(),
-		Description: "desc team1_" + t.Name(),
-	})
-	require.NoError(t, err)
-
-	// add the host to the team
-	err = s.ds.AddHostsToTeam(context.Background(), &team.ID, []uint{h.ID})
-	require.NoError(t, err)
-
-	// NudgeConfig should be empty
-	resp = orbitGetConfigResponse{}
-	s.DoJSON("POST", "/api/fleet/orbit/config", json.RawMessage(fmt.Sprintf(`{"orbit_node_key": %q}`, *h.OrbitNodeKey)), http.StatusOK, &resp)
-	require.Empty(t, resp.NudgeConfig)
-	require.Equal(t, wantCfg.OSVersionRequirements[0].RequiredInstallationDate.String(), "2022-01-04 04:00:00 +0000 UTC")
-
-	// modify the team config, add macos_updates config
-	var tmResp teamResponse
-	s.DoJSON("PATCH", fmt.Sprintf("/api/latest/fleet/teams/%d", team.ID), fleet.TeamPayload{
-		MDM: &fleet.TeamPayloadMDM{
-			MacOSUpdates: &fleet.MacOSUpdates{
-				Deadline:       optjson.SetString("1992-01-01"),
-				MinimumVersion: optjson.SetString("13.1.1"),
-			},
-		},
-	}, http.StatusOK, &tmResp)
-
-	resp = orbitGetConfigResponse{}
-	s.DoJSON("POST", "/api/fleet/orbit/config", json.RawMessage(fmt.Sprintf(`{"orbit_node_key": %q}`, *h.OrbitNodeKey)), http.StatusOK, &resp)
-	wantCfg, err = fleet.NewNudgeConfig(fleet.MacOSUpdates{Deadline: optjson.SetString("1992-01-01"), MinimumVersion: optjson.SetString("13.1.1")})
-	require.NoError(t, err)
-	require.Equal(t, wantCfg, resp.NudgeConfig)
-	require.Equal(t, wantCfg.OSVersionRequirements[0].RequiredInstallationDate.String(), "1992-01-01 04:00:00 +0000 UTC")
-
-	// create a new host, still receives the global config
-	h2 := createOrbitEnrolledHost(t, "darwin", "h2", s.ds)
-	resp = orbitGetConfigResponse{}
-	s.DoJSON("POST", "/api/fleet/orbit/config", json.RawMessage(fmt.Sprintf(`{"orbit_node_key": %q}`, *h2.OrbitNodeKey)), http.StatusOK, &resp)
-	wantCfg, err = fleet.NewNudgeConfig(fleet.MacOSUpdates{Deadline: optjson.SetString("2022-01-04"), MinimumVersion: optjson.SetString("12.1.3")})
-	require.NoError(t, err)
-	require.Equal(t, wantCfg, resp.NudgeConfig)
-	require.Equal(t, wantCfg.OSVersionRequirements[0].RequiredInstallationDate.String(), "2022-01-04 04:00:00 +0000 UTC")
-}
-
 // allEqual compares all fields of a struct.
 // If a field is a pointer on one side but not on the other, then it follows that pointer. This is useful for optional
 // arguments.
--- a/server/service/integration_mdm_test.go
+++ b/server/service/integration_mdm_test.go
@ -26,6 +26,7 @@ import (

 	"github.com/fleetdm/fleet/v4/pkg/file"
 	"github.com/fleetdm/fleet/v4/pkg/mdm/mdmtest"
+	"github.com/fleetdm/fleet/v4/pkg/optjson"
 	"github.com/fleetdm/fleet/v4/server/config"
 	"github.com/fleetdm/fleet/v4/server/datastore/mysql"
 	"github.com/fleetdm/fleet/v4/server/datastore/redis/redistest"
@ -5348,6 +5349,116 @@ func (s *integrationMDMTestSuite) TestGetPoliciesRequestWithNotElegibleHost() {
 	require.True(t, s.isXMLTagContentPresent("s:text", resSoapMsg))
 }

+func (s *integrationMDMTestSuite) TestOrbitConfigNudgeSettings() {
+	t := s.T()
+
+	// ensure the config is empty before starting
+	s.applyConfig([]byte(`
+  mdm:
+    macos_updates:
+      deadline: ""
+      minimum_version: ""
+ `))
+
+	var resp orbitGetConfigResponse
+	// missing orbit key
+	s.DoJSON("POST", "/api/fleet/orbit/config", nil, http.StatusUnauthorized, &resp)
+
+	// nudge config is empty if macos_updates is not set, and Windows MDM notifications are unset
+	h := createOrbitEnrolledHost(t, "darwin", "h", s.ds)
+	resp = orbitGetConfigResponse{}
+	s.DoJSON("POST", "/api/fleet/orbit/config", json.RawMessage(fmt.Sprintf(`{"orbit_node_key": %q}`, *h.OrbitNodeKey)), http.StatusOK, &resp)
+	require.Empty(t, resp.NudgeConfig)
+	require.False(t, resp.Notifications.NeedsProgrammaticWindowsMDMEnrollment)
+	require.Empty(t, resp.Notifications.WindowsMDMDiscoveryEndpoint)
+	require.False(t, resp.Notifications.NeedsProgrammaticWindowsMDMUnenrollment)
+
+	// set macos_updates
+	s.applyConfig([]byte(`
+  mdm:
+    macos_updates:
+      deadline: 2022-01-04
+      minimum_version: 12.1.3
+ `))
+
+	// still empty if MDM is turned off for the host
+	resp = orbitGetConfigResponse{}
+	s.DoJSON("POST", "/api/fleet/orbit/config", json.RawMessage(fmt.Sprintf(`{"orbit_node_key": %q}`, *h.OrbitNodeKey)), http.StatusOK, &resp)
+	require.Empty(t, resp.NudgeConfig)
+
+	// turn on MDM features
+	mdmDevice := mdmtest.NewTestMDMClientDirect(mdmtest.EnrollInfo{
+		SCEPChallenge: s.fleetCfg.MDM.AppleSCEPChallenge,
+		SCEPURL:       s.server.URL + apple_mdm.SCEPPath,
+		MDMURL:        s.server.URL + apple_mdm.MDMPath,
+	})
+	mdmDevice.SerialNumber = h.HardwareSerial
+	mdmDevice.UUID = h.UUID
+	err := mdmDevice.Enroll()
+	require.NoError(t, err)
+
+	resp = orbitGetConfigResponse{}
+	s.DoJSON("POST", "/api/fleet/orbit/config", json.RawMessage(fmt.Sprintf(`{"orbit_node_key": %q}`, *h.OrbitNodeKey)), http.StatusOK, &resp)
+	wantCfg, err := fleet.NewNudgeConfig(fleet.MacOSUpdates{Deadline: optjson.SetString("2022-01-04"), MinimumVersion: optjson.SetString("12.1.3")})
+	require.NoError(t, err)
+	require.Equal(t, wantCfg, resp.NudgeConfig)
+	require.Equal(t, wantCfg.OSVersionRequirements[0].RequiredInstallationDate.String(), "2022-01-04 04:00:00 +0000 UTC")
+
+	// create a team with an empty macos_updates config
+	team, err := s.ds.NewTeam(context.Background(), &fleet.Team{
+		ID:          4827,
+		Name:        "team1_" + t.Name(),
+		Description: "desc team1_" + t.Name(),
+	})
+	require.NoError(t, err)
+
+	// add the host to the team
+	err = s.ds.AddHostsToTeam(context.Background(), &team.ID, []uint{h.ID})
+	require.NoError(t, err)
+
+	// NudgeConfig should be empty
+	resp = orbitGetConfigResponse{}
+	s.DoJSON("POST", "/api/fleet/orbit/config", json.RawMessage(fmt.Sprintf(`{"orbit_node_key": %q}`, *h.OrbitNodeKey)), http.StatusOK, &resp)
+	require.Empty(t, resp.NudgeConfig)
+	require.Equal(t, wantCfg.OSVersionRequirements[0].RequiredInstallationDate.String(), "2022-01-04 04:00:00 +0000 UTC")
+
+	// modify the team config, add macos_updates config
+	var tmResp teamResponse
+	s.DoJSON("PATCH", fmt.Sprintf("/api/latest/fleet/teams/%d", team.ID), fleet.TeamPayload{
+		MDM: &fleet.TeamPayloadMDM{
+			MacOSUpdates: &fleet.MacOSUpdates{
+				Deadline:       optjson.SetString("1992-01-01"),
+				MinimumVersion: optjson.SetString("13.1.1"),
+			},
+		},
+	}, http.StatusOK, &tmResp)
+
+	resp = orbitGetConfigResponse{}
+	s.DoJSON("POST", "/api/fleet/orbit/config", json.RawMessage(fmt.Sprintf(`{"orbit_node_key": %q}`, *h.OrbitNodeKey)), http.StatusOK, &resp)
+	wantCfg, err = fleet.NewNudgeConfig(fleet.MacOSUpdates{Deadline: optjson.SetString("1992-01-01"), MinimumVersion: optjson.SetString("13.1.1")})
+	require.NoError(t, err)
+	require.Equal(t, wantCfg, resp.NudgeConfig)
+	require.Equal(t, wantCfg.OSVersionRequirements[0].RequiredInstallationDate.String(), "1992-01-01 04:00:00 +0000 UTC")
+
+	// create a new host, still receives the global config
+	h2 := createOrbitEnrolledHost(t, "darwin", "h2", s.ds)
+	mdmDevice = mdmtest.NewTestMDMClientDirect(mdmtest.EnrollInfo{
+		SCEPChallenge: s.fleetCfg.MDM.AppleSCEPChallenge,
+		SCEPURL:       s.server.URL + apple_mdm.SCEPPath,
+		MDMURL:        s.server.URL + apple_mdm.MDMPath,
+	})
+	mdmDevice.SerialNumber = h2.HardwareSerial
+	mdmDevice.UUID = h2.UUID
+	err = mdmDevice.Enroll()
+	require.NoError(t, err)
+	resp = orbitGetConfigResponse{}
+	s.DoJSON("POST", "/api/fleet/orbit/config", json.RawMessage(fmt.Sprintf(`{"orbit_node_key": %q}`, *h2.OrbitNodeKey)), http.StatusOK, &resp)
+	wantCfg, err = fleet.NewNudgeConfig(fleet.MacOSUpdates{Deadline: optjson.SetString("2022-01-04"), MinimumVersion: optjson.SetString("12.1.3")})
+	require.NoError(t, err)
+	require.Equal(t, wantCfg, resp.NudgeConfig)
+	require.Equal(t, wantCfg.OSVersionRequirements[0].RequiredInstallationDate.String(), "2022-01-04 04:00:00 +0000 UTC")
+}
+
 // ///////////////////////////////////////////////////////////////////////////
 // Common helpers

--- a/server/service/orbit.go
+++ b/server/service/orbit.go
@ -248,9 +248,9 @@ func (svc *Service) GetOrbitConfig(ctx context.Context) (fleet.OrbitConfig, erro
 		}

 		var nudgeConfig *fleet.NudgeConfig
-		if mdmConfig != nil &&
-			mdmConfig.MacOSUpdates.Deadline.Value != "" &&
-			mdmConfig.MacOSUpdates.MinimumVersion.Value != "" {
+		if appConfig.MDM.EnabledAndConfigured &&
+			mdmConfig != nil &&
+			mdmConfig.MacOSUpdates.EnabledForHost(host) {
 			nudgeConfig, err = fleet.NewNudgeConfig(mdmConfig.MacOSUpdates)
 			if err != nil {
 				return fleet.OrbitConfig{Notifications: notifs}, err
@ -274,8 +274,8 @@ func (svc *Service) GetOrbitConfig(ctx context.Context) (fleet.OrbitConfig, erro
 	}

 	var nudgeConfig *fleet.NudgeConfig
-	if appConfig.MDM.MacOSUpdates.Deadline.Value != "" &&
-		appConfig.MDM.MacOSUpdates.MinimumVersion.Value != "" {
+	if appConfig.MDM.EnabledAndConfigured &&
+		appConfig.MDM.MacOSUpdates.EnabledForHost(host) {
 		nudgeConfig, err = fleet.NewNudgeConfig(appConfig.MDM.MacOSUpdates)
 		if err != nil {
 			return fleet.OrbitConfig{Notifications: notifs}, err
--- a/server/service/orbit_test.go
+++ b/server/service/orbit_test.go
@ -0,0 +1,187 @@
+package service
+
+import (
+	"context"
+	"encoding/json"
+	"testing"
+
+	"github.com/fleetdm/fleet/v4/pkg/optjson"
+	"github.com/fleetdm/fleet/v4/server/fleet"
+	"github.com/fleetdm/fleet/v4/server/mock"
+	"github.com/fleetdm/fleet/v4/server/ptr"
+	"github.com/fleetdm/fleet/v4/server/test"
+	"github.com/stretchr/testify/require"
+)
+
+func TestGetOrbitConfigNudge(t *testing.T) {
+	t.Run("missing values in AppConfig", func(t *testing.T) {
+		ds := new(mock.Store)
+		license := &fleet.LicenseInfo{Tier: fleet.TierPremium}
+		svc, ctx := newTestService(t, ds, nil, nil, &TestServerOpts{License: license, SkipCreateTestUsers: true})
+		appCfg := &fleet.AppConfig{MDM: fleet.MDM{EnabledAndConfigured: true}}
+		ds.AppConfigFunc = func(ctx context.Context) (*fleet.AppConfig, error) {
+			return appCfg, nil
+		}
+		ctx = test.HostContext(ctx, &fleet.Host{
+			OsqueryHostID: ptr.String("test"),
+			MDMInfo: &fleet.HostMDM{
+				IsServer:         false,
+				InstalledFromDep: true,
+				Enrolled:         true,
+				Name:             fleet.WellKnownMDMFleet,
+			}})
+
+		cfg, err := svc.GetOrbitConfig(ctx)
+		require.NoError(t, err)
+		require.Empty(t, cfg.NudgeConfig)
+		require.True(t, ds.AppConfigFuncInvoked)
+		ds.AppConfigFuncInvoked = false
+
+		appCfg.MDM.MacOSUpdates.Deadline = optjson.SetString("2022-04-01")
+		cfg, err = svc.GetOrbitConfig(ctx)
+		require.NoError(t, err)
+		require.Empty(t, cfg.NudgeConfig)
+		require.True(t, ds.AppConfigFuncInvoked)
+		ds.AppConfigFuncInvoked = false
+
+		appCfg.MDM.MacOSUpdates.MinimumVersion = optjson.SetString("2022-04-01")
+		cfg, err = svc.GetOrbitConfig(ctx)
+		require.NoError(t, err)
+		require.NotEmpty(t, cfg.NudgeConfig)
+		require.True(t, ds.AppConfigFuncInvoked)
+		ds.AppConfigFuncInvoked = false
+	})
+
+	t.Run("missing values in TeamConfig", func(t *testing.T) {
+		ds := new(mock.Store)
+		license := &fleet.LicenseInfo{Tier: fleet.TierPremium}
+		svc, ctx := newTestService(t, ds, nil, nil, &TestServerOpts{License: license, SkipCreateTestUsers: true})
+		appCfg := &fleet.AppConfig{MDM: fleet.MDM{EnabledAndConfigured: true}}
+		appCfg.MDM.MacOSUpdates.MinimumVersion = optjson.SetString("2022-04-01")
+		appCfg.MDM.MacOSUpdates.Deadline = optjson.SetString("2022-04-01")
+		ds.AppConfigFunc = func(ctx context.Context) (*fleet.AppConfig, error) {
+			return appCfg, nil
+		}
+
+		team := fleet.Team{ID: 1}
+		teamMDM := fleet.TeamMDM{}
+		ds.TeamMDMConfigFunc = func(ctx context.Context, teamID uint) (*fleet.TeamMDM, error) {
+			require.Equal(t, team.ID, teamID)
+			return &teamMDM, nil
+		}
+		ds.TeamAgentOptionsFunc = func(ctx context.Context, id uint) (*json.RawMessage, error) {
+			return ptr.RawMessage(json.RawMessage(`{}`)), nil
+		}
+
+		ctx = test.HostContext(ctx, &fleet.Host{
+			OsqueryHostID: ptr.String("test"),
+			TeamID:        ptr.Uint(team.ID),
+			MDMInfo: &fleet.HostMDM{
+				IsServer:         false,
+				InstalledFromDep: true,
+				Enrolled:         true,
+				Name:             fleet.WellKnownMDMFleet,
+			}})
+
+		cfg, err := svc.GetOrbitConfig(ctx)
+		require.NoError(t, err)
+		require.Empty(t, cfg.NudgeConfig)
+		require.True(t, ds.AppConfigFuncInvoked)
+		require.True(t, ds.TeamMDMConfigFuncInvoked)
+		ds.AppConfigFuncInvoked = false
+		ds.TeamMDMConfigFuncInvoked = false
+
+		teamMDM.MacOSUpdates.Deadline = optjson.SetString("2022-04-01")
+		cfg, err = svc.GetOrbitConfig(ctx)
+		require.NoError(t, err)
+		require.Empty(t, cfg.NudgeConfig)
+		require.True(t, ds.AppConfigFuncInvoked)
+		require.True(t, ds.TeamMDMConfigFuncInvoked)
+		ds.AppConfigFuncInvoked = false
+		ds.TeamMDMConfigFuncInvoked = false
+
+		teamMDM.MacOSUpdates.MinimumVersion = optjson.SetString("2022-04-01")
+		cfg, err = svc.GetOrbitConfig(ctx)
+		require.NoError(t, err)
+		require.NotEmpty(t, cfg.NudgeConfig)
+		require.True(t, ds.AppConfigFuncInvoked)
+		require.True(t, ds.TeamMDMConfigFuncInvoked)
+		ds.AppConfigFuncInvoked = false
+		ds.TeamMDMConfigFuncInvoked = false
+	})
+
+	t.Run("non-elegible MDM status", func(t *testing.T) {
+		ds := new(mock.Store)
+		license := &fleet.LicenseInfo{Tier: fleet.TierPremium}
+		svc, ctx := newTestService(t, ds, nil, nil, &TestServerOpts{License: license, SkipCreateTestUsers: true})
+		appCfg := &fleet.AppConfig{MDM: fleet.MDM{EnabledAndConfigured: true}}
+		appCfg.MDM.MacOSUpdates.Deadline = optjson.SetString("2022-04-01")
+		appCfg.MDM.MacOSUpdates.MinimumVersion = optjson.SetString("2022-04-01")
+		ds.AppConfigFunc = func(ctx context.Context) (*fleet.AppConfig, error) {
+			return appCfg, nil
+		}
+
+		team := fleet.Team{ID: 1}
+		teamMDM := fleet.TeamMDM{}
+		teamMDM.MacOSUpdates.Deadline = optjson.SetString("2022-04-01")
+		teamMDM.MacOSUpdates.MinimumVersion = optjson.SetString("12.1")
+		ds.TeamMDMConfigFunc = func(ctx context.Context, teamID uint) (*fleet.TeamMDM, error) {
+			require.Equal(t, team.ID, teamID)
+			return &teamMDM, nil
+		}
+		ds.TeamAgentOptionsFunc = func(ctx context.Context, id uint) (*json.RawMessage, error) {
+			return ptr.RawMessage(json.RawMessage(`{}`)), nil
+		}
+
+		checkEmptyNudgeConfig := func(h *fleet.Host) {
+			ctx := test.HostContext(ctx, h)
+			cfg, err := svc.GetOrbitConfig(ctx)
+			require.NoError(t, err)
+			require.Empty(t, cfg.NudgeConfig)
+			require.True(t, ds.AppConfigFuncInvoked)
+			ds.AppConfigFuncInvoked = false
+		}
+
+		checkHostVariations := func(h *fleet.Host) {
+			// host uses another MDM
+			h.MDMInfo.Name = fleet.WellKnownMDMIntune
+			checkEmptyNudgeConfig(h)
+
+			// host has MDM turned off
+			h.MDMInfo.Name = fleet.WellKnownMDMFleet
+			h.MDMInfo.Enrolled = false
+			checkEmptyNudgeConfig(h)
+
+			// host has MDM turned on but is not enrolled
+			h.MDMInfo.Enrolled = true
+			h.OsqueryHostID = nil
+			checkEmptyNudgeConfig(h)
+
+			// mdminfo is nil
+			h.MDMInfo = nil
+			checkEmptyNudgeConfig(h)
+		}
+
+		// global host
+		checkHostVariations(&fleet.Host{
+			OsqueryHostID: ptr.String("test"),
+			MDMInfo: &fleet.HostMDM{
+				IsServer:         false,
+				InstalledFromDep: true,
+				Enrolled:         true,
+				Name:             fleet.WellKnownMDMFleet,
+			}})
+
+		// team host
+		checkHostVariations(&fleet.Host{
+			OsqueryHostID: ptr.String("test"),
+			TeamID:        ptr.Uint(team.ID),
+			MDMInfo: &fleet.HostMDM{
+				IsServer:         false,
+				InstalledFromDep: true,
+				Enrolled:         true,
+				Name:             fleet.WellKnownMDMFleet,
+			}})
+
+	})
+}
				`@ -0,0 +1 @@`
				`* Fixed an issue that displayed Nudge to macOS hosts if MDM was configured but MDM features weren't turned on for the host`