Report MDM profile status pending when user action required for disk encryption settings (#10606)

2026-05-22 00:18:27 +00:00 · 2023-03-20 15:22:57 -05:00 · 2023-03-20 15:22:57 -05:00 · b2e35d12cf
commit b2e35d12cf
parent ce47289c0a
3 changed files with 50 additions and 7 deletions
--- a/server/fleet/hosts.go
+++ b/server/fleet/hosts.go
@ -378,6 +378,22 @@ func (d *MDMHostData) DetermineDiskEncryptionStatus(profiles []HostMDMAppleProfi
 	d.MacOSSettings = &settings
 }

+func (d *MDMHostData) ProfileStatusFromDiskEncryptionState(currStatus *MDMAppleDeliveryStatus) *MDMAppleDeliveryStatus {
+	if d.MacOSSettings == nil || d.MacOSSettings.DiskEncryption == nil {
+		return currStatus
+	}
+	switch *d.MacOSSettings.DiskEncryption {
+	case DiskEncryptionActionRequired, DiskEncryptionEnforcing, DiskEncryptionRemovingEnforcement:
+		return &MDMAppleDeliveryPending
+	case DiskEncryptionFailed:
+		return &MDMAppleDeliveryFailed
+	case DiskEncryptionApplied:
+		return &MDMAppleDeliveryApplied
+	default:
+		return currStatus
+	}
+}
+
 // Only exposed for Datastore tests, to be able to assert the rawDecryptable
 // unexported field.
 func (d *MDMHostData) TestGetRawDecryptable() *int {
--- a/server/service/hosts.go
+++ b/server/service/hosts.go
@ -804,15 +804,21 @@ func (svc *Service) getHostDetails(ctx context.Context, host *fleet.Host, opts f
 		return nil, ctxerr.Wrap(ctx, err, "get app config for host mdm profiles")
 	}
 	if ac.MDM.EnabledAndConfigured {
-		p, err := svc.ds.GetHostMDMProfiles(ctx, host.UUID)
+		profs, err := svc.ds.GetHostMDMProfiles(ctx, host.UUID)
 		if err != nil {
 			return nil, ctxerr.Wrap(ctx, err, "get host mdm profiles")
 		}
-		profiles = p

 		// determine disk encryption and action required here based on profiles and
 		// raw decryptable key status.
-		host.MDM.DetermineDiskEncryptionStatus(profiles, mobileconfig.FleetFileVaultPayloadIdentifier)
+		host.MDM.DetermineDiskEncryptionStatus(profs, mobileconfig.FleetFileVaultPayloadIdentifier)
+
+		for _, p := range profs {
+			if p.Identifier == mobileconfig.FleetFileVaultPayloadIdentifier {
+				p.Status = host.MDM.ProfileStatusFromDiskEncryptionState(p.Status)
+			}
+			profiles = append(profiles, p)
+		}
 	}
 	host.MDM.Profiles = &profiles

--- a/server/service/hosts_test.go
+++ b/server/service/hosts_test.go
@ -109,10 +109,11 @@ func TestHostDetailsMDMDiskEncryption(t *testing.T) {
 		name       string
 		rawDecrypt *int
 		fvProf     *fleet.HostMDMAppleProfile
-		wantStatus fleet.DiskEncryptionState
+		wantState  fleet.DiskEncryptionState
 		wantAction fleet.ActionRequiredState
+		wantStatus *fleet.MDMAppleDeliveryStatus
 	}{
-		{"no profile", ptr.Int(-1), nil, "", ""},
+		{"no profile", ptr.Int(-1), nil, "", "", nil},

 		{
 			"installed profile, no key",
@ -125,6 +126,7 @@ func TestHostDetailsMDMDiskEncryption(t *testing.T) {
 			},
 			fleet.DiskEncryptionActionRequired,
 			fleet.ActionRequiredLogOut,
+			&fleet.MDMAppleDeliveryPending,
 		},
 		{
 			"installed profile, unknown decryptable",
@ -137,6 +139,7 @@ func TestHostDetailsMDMDiskEncryption(t *testing.T) {
 			},
 			fleet.DiskEncryptionEnforcing,
 			"",
+			&fleet.MDMAppleDeliveryPending,
 		},
 		{
 			"installed profile, not decryptable",
@ -149,6 +152,7 @@ func TestHostDetailsMDMDiskEncryption(t *testing.T) {
 			},
 			fleet.DiskEncryptionActionRequired,
 			fleet.ActionRequiredRotateKey,
+			&fleet.MDMAppleDeliveryPending,
 		},
 		{
 			"installed profile, decryptable",
@ -161,6 +165,7 @@ func TestHostDetailsMDMDiskEncryption(t *testing.T) {
 			},
 			fleet.DiskEncryptionApplied,
 			"",
+			&fleet.MDMAppleDeliveryApplied,
 		},
 		{
 			"pending install, decryptable",
@ -173,6 +178,7 @@ func TestHostDetailsMDMDiskEncryption(t *testing.T) {
 			},
 			fleet.DiskEncryptionEnforcing,
 			"",
+			&fleet.MDMAppleDeliveryPending,
 		},
 		{
 			"pending install, unknown decryptable",
@ -185,6 +191,7 @@ func TestHostDetailsMDMDiskEncryption(t *testing.T) {
 			},
 			fleet.DiskEncryptionEnforcing,
 			"",
+			&fleet.MDMAppleDeliveryPending,
 		},
 		{
 			"pending install, no key",
@ -197,6 +204,7 @@ func TestHostDetailsMDMDiskEncryption(t *testing.T) {
 			},
 			fleet.DiskEncryptionEnforcing,
 			"",
+			&fleet.MDMAppleDeliveryPending,
 		},
 		{
 			"failed install, no key",
@ -209,6 +217,7 @@ func TestHostDetailsMDMDiskEncryption(t *testing.T) {
 			},
 			fleet.DiskEncryptionFailed,
 			"",
+			&fleet.MDMAppleDeliveryFailed,
 		},
 		{
 			"failed install, not decryptable",
@ -221,6 +230,7 @@ func TestHostDetailsMDMDiskEncryption(t *testing.T) {
 			},
 			fleet.DiskEncryptionFailed,
 			"",
+			&fleet.MDMAppleDeliveryFailed,
 		},
 		{
 			"pending remove, decryptable",
@ -233,6 +243,7 @@ func TestHostDetailsMDMDiskEncryption(t *testing.T) {
 			},
 			fleet.DiskEncryptionRemovingEnforcement,
 			"",
+			&fleet.MDMAppleDeliveryPending,
 		},
 		{
 			"pending remove, no key",
@ -245,6 +256,7 @@ func TestHostDetailsMDMDiskEncryption(t *testing.T) {
 			},
 			fleet.DiskEncryptionRemovingEnforcement,
 			"",
+			&fleet.MDMAppleDeliveryPending,
 		},
 		{
 			"failed remove, unknown decryptable",
@ -257,6 +269,7 @@ func TestHostDetailsMDMDiskEncryption(t *testing.T) {
 			},
 			fleet.DiskEncryptionFailed,
 			"",
+			&fleet.MDMAppleDeliveryFailed,
 		},
 		{
 			"removed profile, not decryptable",
@ -269,6 +282,7 @@ func TestHostDetailsMDMDiskEncryption(t *testing.T) {
 			},
 			"",
 			"",
+			&fleet.MDMAppleDeliveryApplied,
 		},
 	}
 	for _, c := range cases {
@ -295,11 +309,11 @@ func TestHostDetailsMDMDiskEncryption(t *testing.T) {
 			hostDetail, err := svc.getHostDetails(test.UserContext(context.Background(), test.UserAdmin), host, opts)
 			require.NoError(t, err)

-			if c.wantStatus == "" {
+			if c.wantState == "" {
 				require.Nil(t, hostDetail.MDM.MacOSSettings.DiskEncryption)
 			} else {
 				require.NotNil(t, hostDetail.MDM.MacOSSettings.DiskEncryption)
-				require.Equal(t, c.wantStatus, *hostDetail.MDM.MacOSSettings.DiskEncryption)
+				require.Equal(t, c.wantState, *hostDetail.MDM.MacOSSettings.DiskEncryption)
 			}
 			if c.wantAction == "" {
 				require.Nil(t, hostDetail.MDM.MacOSSettings.ActionRequired)
@ -307,6 +321,13 @@ func TestHostDetailsMDMDiskEncryption(t *testing.T) {
 				require.NotNil(t, hostDetail.MDM.MacOSSettings.ActionRequired)
 				require.Equal(t, c.wantAction, *hostDetail.MDM.MacOSSettings.ActionRequired)
 			}
+			if c.wantStatus != nil {
+				require.NotNil(t, hostDetail.MDM.Profiles)
+				profs := *hostDetail.MDM.Profiles
+				require.Equal(t, c.wantStatus, profs[0].Status)
+			} else {
+				require.Nil(t, *hostDetail.MDM.Profiles)
+			}
 		})
 	}
 }