diff --git a/ee/tools/puppet/fleetdm/README.md b/ee/tools/puppet/fleetdm/README.md
index f7d9cf9f1f..d2ef8a657f 100644
--- a/ee/tools/puppet/fleetdm/README.md
+++ b/ee/tools/puppet/fleetdm/README.md
@@ -54,7 +54,7 @@ define profiles using the custom resource type `fleetdm::profile`:
```pp
node default {
fleetdm::profile { 'com.apple.universalaccess':
- template => 'xml template',
+ template => template('fleetdm/profile-template.mobileconfig.erb'),
group => 'workstations',
}
}
@@ -66,7 +66,12 @@ If your DEP profile had `await_device_configured` set to `true`, you can use the
```
$host_uuid = $facts['system_profiler']['hardware_uuid']
-fleetdm::release_device($host_uuid)
+$response = fleetdm::release_device($host_uuid)
+$err = $response['error']
+
+if $err != '' {
+ notify { "error releasing device: ${err}": }
+}
```
## Limitations
diff --git a/ee/tools/puppet/fleetdm/examples/multiple-teams.pp b/ee/tools/puppet/fleetdm/examples/multiple-teams.pp
index 405869766e..bfeb583ded 100644
--- a/ee/tools/puppet/fleetdm/examples/multiple-teams.pp
+++ b/ee/tools/puppet/fleetdm/examples/multiple-teams.pp
@@ -1,10 +1,11 @@
node default {
- fleetdm::profile { 'com.apple.universalaccess':
- template => 'xml template',
- group => 'workstations',
+ fleetdm::profile { 'cis.macOSBenchmark.section2.BluetoothSharing':
+ template => template('fleetdm/automatic_updates.mobileconfig.erb'),
+ group => 'base',
}
- fleetdm::profile { 'com.apple.homescreenlayout':
- template => 'xml template',
+ fleetdm::profile { 'com.apple.SoftwareUpdate':
+ template => template('fleetdm/disable_bluetooth_file_sharing.mobileconfig.erb'),
+ group => 'workstations',
}
}
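Review bot: The two resource titles and their templates look swapped: the title `cis.macOSBenchmark.section2.BluetoothSharing` is given `fleetdm/automatic_updates.mobileconfig.erb`, while `com.apple.SoftwareUpdate` is given `fleetdm/disable_bluetooth_file_sharing.mobileconfig.erb`, and the added templates carry the opposite identifiers (the Bluetooth template's PayloadIdentifier is `cis.macOSBenchmark.section2.BluetoothSharing`, the updates template's PayloadType is `com.apple.SoftwareUpdate`). Since profile.pp forwards the title as `profile_identifier` and that value only reaches the log lines in preassign_profile, the mismatch would not fail the run but would make every success or error message name the wrong profile. Swapping the two template() calls fixes it: `template => template('fleetdm/disable_bluetooth_file_sharing.mobileconfig.erb'),` under the CIS title and `template => template('fleetdm/automatic_updates.mobileconfig.erb'),` under `com.apple.SoftwareUpdate`.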
diff --git a/ee/tools/puppet/fleetdm/lib/puppet/functions/fleetdm/preassign_profile.rb b/ee/tools/puppet/fleetdm/lib/puppet/functions/fleetdm/preassign_profile.rb
index 878aa38d0b..fd1e9ca303 100644
--- a/ee/tools/puppet/fleetdm/lib/puppet/functions/fleetdm/preassign_profile.rb
+++ b/ee/tools/puppet/fleetdm/lib/puppet/functions/fleetdm/preassign_profile.rb
@@ -4,15 +4,24 @@ require 'puppet/util/fleet_client'
Puppet::Functions.create_function(:"fleetdm::preassign_profile") do
dispatch :preassign_profile do
- param 'String', :uuid
+ param 'String', :profile_identifier
+ param 'String', :host_uuid
param 'String', :template
optional_param 'String', :group
end
- def preassign_profile(uuid, template, group = 'default')
+ def preassign_profile(profile_identifier, host_uuid, template, group = 'default')
host = call_function('lookup', 'fleetdm::host')
token = call_function('lookup', 'fleetdm::token')
client = Puppet::Util::FleetClient.new(host, token)
- client.preassign_profile(uuid, template, group)
+ response = client.preassign_profile(host_uuid, template, group)
+
+ if response['error'].empty?
+ Puppet.info("successfully pre-assigned profile #{profile_identifier}")
+ else
+ Puppet.err("error pre-assigning profile #{profile_identifier}: #{response['error']} \n\n #{template}")
+ end
+
+ response
end
end
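Review bot: The Puppet.err call on the error branch appends the whole rendered `template` to the error log; a mobileconfig routinely embeds certificates, Wi-Fi or account credentials, so every failed pre-assignment would copy that content into the agent log and, since log lines are part of the agent report, into wherever reports are stored. The identifier and Fleet's error are enough to diagnose the failure: `Puppet.err("error pre-assigning profile #{profile_identifier}: #{response['error']}")`, with the template body at most behind `Puppet.debug(template)`. Separately, `response['error'].empty?` assumes a String, but fleet_client.rb's post stores the rescued exception object itself in `out['error']` when the request raises, so a connection failure would surface here as a NoMethodError rather than as the logged error; the same check appears in release_device.rb and reports/fleetdm.rb. Guarding with `response['error'].to_s.empty?` keeps this function safe regardless of what the client stores.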
diff --git a/ee/tools/puppet/fleetdm/lib/puppet/functions/fleetdm/release_device.rb b/ee/tools/puppet/fleetdm/lib/puppet/functions/fleetdm/release_device.rb
index f125be67c7..7cc7da580f 100644
--- a/ee/tools/puppet/fleetdm/lib/puppet/functions/fleetdm/release_device.rb
+++ b/ee/tools/puppet/fleetdm/lib/puppet/functions/fleetdm/release_device.rb
@@ -32,6 +32,14 @@ Puppet::Functions.create_function(:"fleetdm::release_device") do
host = call_function('lookup', 'fleetdm::host')
token = call_function('lookup', 'fleetdm::token')
client = Puppet::Util::FleetClient.new(host, token)
- client.send_mdm_command(uuid, command_xml)
+ response = client.send_mdm_command(uuid, command_xml)
+
+ if response['error'].empty?
+ Puppet.info('successfully released device')
+ else
+ Puppet.err("error releasing device: #{response['error']}")
+ end
+
+ response
end
end
diff --git a/ee/tools/puppet/fleetdm/lib/puppet/reports/fleetdm.rb b/ee/tools/puppet/fleetdm/lib/puppet/reports/fleetdm.rb
index e46b1d4826..140a743bc4 100644
--- a/ee/tools/puppet/fleetdm/lib/puppet/reports/fleetdm.rb
+++ b/ee/tools/puppet/fleetdm/lib/puppet/reports/fleetdm.rb
@@ -8,7 +8,8 @@ Puppet::Reports.register_report(:fleetdm) do
def process
return if noop
- node = Puppet::Node.new(Puppet[:node_name_value])
+ node_name = Puppet[:node_name_value]
+ node = Puppet::Node.new(node_name)
compiler = Puppet::Parser::Compiler.new(node)
scope = Puppet::Parser::Scope.new(compiler)
lookup_invocation = Puppet::Pops::Lookup::Invocation.new(scope, {}, {}, nil)
@@ -18,7 +19,10 @@ Puppet::Reports.register_report(:fleetdm) do
client = Puppet::Util::FleetClient.new(host, token)
response = client.match_profiles
- return unless response[:status] >= 400 && response[:status] < 600
- Puppet.err _('Unable to match profiles to Fleet [%{code}] %{message}') % { code: response[:status], message: response[:body] }
+ if response['error'].empty?
+ Puppet.info("successfully matched #{node_name} with a team containing configuration profiles")
+ else
+ Puppet.err("error matching node #{node_name} with a team containing configuration profiles: #{response['error']}")
+ end
end
end
diff --git a/ee/tools/puppet/fleetdm/lib/puppet/util/fleet_client.rb b/ee/tools/puppet/fleetdm/lib/puppet/util/fleet_client.rb
index ff9699019a..1ca293e5a0 100644
--- a/ee/tools/puppet/fleetdm/lib/puppet/util/fleet_client.rb
+++ b/ee/tools/puppet/fleetdm/lib/puppet/util/fleet_client.rb
@@ -59,7 +59,7 @@ module Puppet::Util
#
# I couldn't find a built-in Ruby function to do raw encoding, so we're
# removing the padding manually instead.
- 'command' => Base64.strict_encode64(command_xml).gsub(/[\n=]/, ""),
+ 'command' => Base64.strict_encode64(command_xml).gsub(%r{[\n=]}, ''),
'device_ids' => [uuid],
})
end
@@ -71,6 +71,7 @@ module Puppet::Util
# @param headers [Hash] (optional) Additional headers to include in the request.
# @return [Hash] The response status code, headers, and body.
def post(path, body = nil, headers = {})
+ out = { 'error' => '' }
uri = URI.parse("#{@host}#{path}")
http = Net::HTTP.new(uri.host, uri.port)
@@ -82,23 +83,45 @@ module Puppet::Util
headers.each { |key, value| request[key] = value }
request.body = body.to_json if body
- response = http.request(request)
- parse_response(response)
+ begin
+ response = http.request(request)
+ out = parse_response(response)
+ rescue => e
+ out['error'] = e
+ end
+
+ out
end
private
def parse_response(response)
- {
- status: response.code.to_i,
- headers: response.to_hash,
- body: response.body ? JSON.parse(response.body) : nil,
+ out = {
+ 'status' => response.code.to_i,
+ 'error' => ''
}
+
+ if (400...600).cover?(response.code.to_i)
+ message = 'server returned a non-ok status code without an error'
+
+ if response.body
+ body = JSON.parse(response.body)
+ message = body['message']
+
+ unless body['errors'].nil?
+ error_messages = body['errors'].map { |e| "#{e['name']} #{e['reason']}" }
+ message = [message, *error_messages].join(': ')
+ end
+ end
+
+ out['error'] = message
+ end
+
+ out
rescue JSON::ParserError => e
{
- status: response.code.to_i,
- headers: response.to_hash,
- error: "Failed to parse response body: #{e.message}"
+ 'status' => response.code.to_i,
+ 'error' => "Failed to parse response body: #{e.message}"
}
end
end
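Review bot: `out['error'] = e` in post stores the exception object rather than its message, so on that path `'error'` is no longer a String; the callers added in this change test it with `.empty?`, and the value also has to cross into Puppet manifests as `$response['error']`, where a Ruby exception is not a Puppet data value. Use `out['error'] = e.message` instead. In parse_response, `message = body['message']` discards the default whenever a 400–599 body lacks a `message` key, leaving `'error'` nil and again breaking the callers' `.empty?` check; `message = body['message'] || message` keeps the fallback. The `body['errors'].map` line also assumes each entry is a Hash with `name` and `reason`, presumably Fleet's error format, which is worth confirming. The post method's signature lies outside this hunk.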
diff --git a/ee/tools/puppet/fleetdm/manifests/profile.pp b/ee/tools/puppet/fleetdm/manifests/profile.pp
index 5644bc83eb..bc51c86b8d 100644
--- a/ee/tools/puppet/fleetdm/manifests/profile.pp
+++ b/ee/tools/puppet/fleetdm/manifests/profile.pp
@@ -36,6 +36,15 @@ define fleetdm::profile (
}
$host_uuid = $facts['system_profiler']['hardware_uuid']
- fleetdm::preassign_profile($host_uuid, $template, $group)
+ $response = fleetdm::preassign_profile($name, $host_uuid, $template, $group)
+ $err = $response['error']
+
+ if $err != '' {
+ notify { "error pre-assigning profile ${$name}: ${$err}":
+ loglevel => 'err',
+ }
+ } else {
+ notify { "successfully pre-assigned profile ${$name}": }
+ }
}
}
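Review bot: The success branch declares a `notify` resource, and notify resources are recorded as a changed resource on every agent run, so each fleetdm::profile instance will make every run report a change and emit the "successfully pre-assigned" line even when nothing changed. If the message is only needed where the catalog is compiled (which is also where fleetdm::preassign_profile runs), the `notice()` function is the quieter choice: `notice("successfully pre-assigned profile ${name}")`. The error branch's `notify` with `loglevel => 'err'` logs but does not fail the catalog; if a failed pre-assignment should stop the run, `fail("error pre-assigning profile ${name}: ${err}")` is the alternative. The `${$name}` form works but `${name}` is the conventional spelling. The enclosing `define fleetdm::profile` starts outside the hunk.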
diff --git a/ee/tools/puppet/fleetdm/metadata.json b/ee/tools/puppet/fleetdm/metadata.json
index 7380550e0f..981040646b 100644
--- a/ee/tools/puppet/fleetdm/metadata.json
+++ b/ee/tools/puppet/fleetdm/metadata.json
@@ -1,6 +1,6 @@
{
"name": "root-fleetdm",
- "version": "0.1.0",
+ "version": "0.1.1",
"author": "Fleet Device Management Inc",
"summary": "",
"license": "proprietary",
diff --git a/ee/tools/puppet/fleetdm/templates/automatic_updates.mobileconfig.erb b/ee/tools/puppet/fleetdm/templates/automatic_updates.mobileconfig.erb
new file mode 100644
index 0000000000..1cbeb11241
--- /dev/null
+++ b/ee/tools/puppet/fleetdm/templates/automatic_updates.mobileconfig.erb
@@ -0,0 +1,57 @@
+
+
+
+
+ PayloadContent
+
+
+ AllowPreReleaseInstallation
+
+ AutomaticCheckEnabled
+
+ AutomaticDownload
+
+ AutomaticallyInstallAppUpdates
+
+ AutomaticallyInstallMacOSUpdates
+
+ ConfigDataInstall
+
+ CriticalUpdateInstall
+
+ PayloadDescription
+ Configures Software Update settings
+ PayloadDisplayName
+ Software Update
+ PayloadIdentifier
+ com.github.erikberglund.ProfileCreator.BEBA0740-4DDB-4AC4-85DC-BA48B96C0DC8.com.apple.SoftwareUpdate.A8B97032-7645-4068-B457-01DE5C6B33F7
+ PayloadOrganization
+
+ PayloadType
+ com.apple.SoftwareUpdate
+ PayloadUUID
+ A8B97032-7645-4068-B457-01DE5C6B33F7
+ PayloadVersion
+ 1
+
+
+ PayloadDescription
+ Enables automatic updates
+ PayloadDisplayName
+ Turn on automatic updates
+ PayloadIdentifier
+ com.github.erikberglund.ProfileCreator.BEBA0740-4DDB-4AC4-85DC-BA48B96C0DC8
+ PayloadOrganization
+ FleetDM
+ PayloadRemovalDisallowed
+
+ PayloadScope
+ System
+ PayloadType
+ Configuration
+ PayloadUUID
+ BEBA0740-4DDB-4AC4-85DC-BA48B96C0DC8
+ PayloadVersion
+ 1
+
+
diff --git a/ee/tools/puppet/fleetdm/templates/disable_bluetooth_file_sharing.mobileconfig.erb b/ee/tools/puppet/fleetdm/templates/disable_bluetooth_file_sharing.mobileconfig.erb
new file mode 100644
index 0000000000..08cde7dbf5
--- /dev/null
+++ b/ee/tools/puppet/fleetdm/templates/disable_bluetooth_file_sharing.mobileconfig.erb
@@ -0,0 +1,60 @@
+
+
+
+
+
+ PayloadDescription
+ This profile configuration is designed to apply the CIS Benchmark for macOS 10.14 (v2.0.0), 10.15 (v2.0.0), 11.0 (v2.0.0), and 12.0 (v1.0.0)
+ PayloadDisplayName
+ Disable Bluetooth sharing
+ PayloadEnabled
+
+ PayloadIdentifier
+ cis.macOSBenchmark.section2.BluetoothSharing
+ PayloadScope
+ System
+ PayloadType
+ Configuration
+ PayloadUUID
+ 5CEBD712-28EB-432B-84C7-AA28A5A383D8
+ PayloadVersion
+ 1
+ PayloadRemovalDisallowed
+
+ PayloadContent
+
+
+ PayloadContent
+
+ com.apple.Bluetooth
+
+ Forced
+
+
+ mcx_preference_settings
+
+ PrefKeyServicesEnabled
+
+
+
+
+
+
+ PayloadDescription
+ Disables Bluetooth Sharing
+ PayloadDisplayName
+ Custom
+ PayloadEnabled
+
+ PayloadIdentifier
+ 0240DD1C-70DC-4766-9018-04322BFEEAD1
+ PayloadType
+ com.apple.ManagedClient.preferences
+ PayloadUUID
+ 0240DD1C-70DC-4766-9018-04322BFEEAD1
+ PayloadVersion
+ 1
+
+
+
+