mirror of
https://github.com/fleetdm/fleet
synced 2026-05-24 09:28:54 +00:00
28ca463d13
#19963 - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [X] Added/updated tests - [X] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [X] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [X] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [X] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [X] Manual QA for all new/changed functionality --- # API changes for dashboard UI changes ## Main dashboard page `GET /api/latest/fleet/host_summary?low_disk_space=32` (see `ios`/`ipados` platforms and `iOS`/`iPadOS` labels) ```json { "totals_hosts_count": 9, "online_count": 0, "offline_count": 9, "mia_count": 0, "missing_30_days_count": 0, "new_count": 0, "all_linux_count": 2, "low_disk_space_count": 3, "builtin_labels": [ { "id": 1, "name": "macOS 14+ (Sonoma+)", "description": "macOS hosts with version 14 and above", "label_type": "builtin" }, { "id": 7, "name": "All Hosts", "description": "All hosts which have enrolled in Fleet", "label_type": "builtin" }, { "id": 8, "name": "macOS", "description": "All macOS hosts", "label_type": "builtin" }, { "id": 9, "name": "Ubuntu Linux", "description": "All Ubuntu hosts", "label_type": "builtin" }, { "id": 10, "name": "CentOS Linux", "description": "All CentOS hosts", "label_type": "builtin" }, { "id": 11, "name": "MS Windows", "description": "All Windows hosts", "label_type": "builtin" }, { "id": 12, "name": "Red Hat Linux", "description": "All Red Hat Enterprise Linux hosts", "label_type": "builtin" }, { "id": 13, "name": "All Linux", "description": "All Linux distributions", "label_type": "builtin" }, { "id": 14, "name": "chrome", "description": "All Chrome hosts", "label_type": "builtin" }, { "id": 15, "name": "iOS", "description": "All iOS hosts", "label_type": "builtin" }, { "id": 16, "name": "iPadOS", "description": "All iPadOS hosts", "label_type": "builtin" } ], "platforms": [ { "platform": "darwin", "hosts_count": 3 }, { "platform": "ios", "hosts_count": 1 }, { "platform": "ipados", "hosts_count": 1 }, { "platform": "rhel", "hosts_count": 1 }, { "platform": "ubuntu", "hosts_count": 1 }, { "platform": "windows", "hosts_count": 2 } ] } ``` ## After selecting a platform `GET /api/latest/fleet/host_summary?platform=ios&low_disk_space=100` (similar with `ipados`) ```json { "totals_hosts_count": 1, "online_count": 0, "offline_count": 1, "mia_count": 0, "missing_30_days_count": 0, "new_count": 0, "all_linux_count": 0, "low_disk_space_count": 1, "builtin_labels": [ { "id": 1, "name": "macOS 14+ (Sonoma+)", "description": "macOS hosts with version 14 and above", "label_type": "builtin" }, { "id": 7, "name": "All Hosts", "description": "All hosts which have enrolled in Fleet", "label_type": "builtin" }, { "id": 8, "name": "macOS", "description": "All macOS hosts", "label_type": "builtin" }, { "id": 9, "name": "Ubuntu Linux", "description": "All Ubuntu hosts", "label_type": "builtin" }, { "id": 10, "name": "CentOS Linux", "description": "All CentOS hosts", "label_type": "builtin" }, { "id": 11, "name": "MS Windows", "description": "All Windows hosts", "label_type": "builtin" }, { "id": 12, "name": "Red Hat Linux", "description": "All Red Hat Enterprise Linux hosts", "label_type": "builtin" }, { "id": 13, "name": "All Linux", "description": "All Linux distributions", "label_type": "builtin" }, { "id": 14, "name": "chrome", "description": "All Chrome hosts", "label_type": "builtin" }, { "id": 15, "name": "iOS", "description": "All iOS hosts", "label_type": "builtin" }, { "id": 16, "name": "iPadOS", "description": "All iPadOS hosts", "label_type": "builtin" } ], "platforms": [ { "platform": "ios", "hosts_count": 1 } ] } ``` ### To populate list of MDM solutions of a selected platform `GET /api/latest/fleet/hosts/summary/mdm\?platform=ios` (similar with `ipados`) ```json { "counts_updated_at": "2024-06-27T21:56:45Z", "mobile_device_management_enrollment_status": { "enrolled_manual_hosts_count": 0, "enrolled_automated_hosts_count": 1, "pending_hosts_count": 0, "unenrolled_hosts_count": 0, "hosts_count": 1 }, "mobile_device_management_solution": [ { "id": 1, "name": "Fleet", "server_url": "https://lucas-fleet.ngrok.app/mdm/apple/mdm", "hosts_count": 1 } ] } ``` ### To populate OS versions of a selected platform `GET /api/latest/fleet/os_versions?platform=ipados` (similar with `ios`) ```json { "meta": { "has_next_results": false, "has_previous_results": false }, "count": 1, "counts_updated_at": "2024-06-27T21:36:12Z", "os_versions": [ { "os_version_id": 7, "hosts_count": 1, "name": "iPadOS 17.5.1", "name_only": "iPadOS", "version": "17.5.1", "platform": "ipados", "vulnerabilities": [] } ] } ``` ## Filtering hosts by the two new `iOS`/`iPadOS` labels Works the same as with other labels.
128 lines
5.8 KiB
Go
128 lines
5.8 KiB
Go
package apple_mdm
|
|
|
|
import (
|
|
"context"
|
|
|
|
"github.com/fleetdm/fleet/v4/server/fleet"
|
|
"github.com/fleetdm/fleet/v4/server/mdm"
|
|
)
|
|
|
|
// Profile verification is a set of related processes that run on the Fleet server to ensure that
|
|
// the MDM profiles installed on a host are the ones expected by the Fleet server. Expected profiles
|
|
// comprise the profiles that belong to the host's assigned team (or no
|
|
// team, as applicable).
|
|
//
|
|
// The Fleet server enqueues commands to install profiles on hosts via the MDM
|
|
// protocol. The Fleet server periodically runs a cron that enqueues install profile
|
|
// commands for host profiles that do not have a verification status (i.e. status is null).
|
|
// Install profile commands may be enqueued as a result of a variety of events, such as when a host
|
|
// enrolls in Fleet, when a host's team membership changes, when a new profile is uploaded, when an
|
|
// existing profile is modified, or when a failed profile is retried.
|
|
//
|
|
// Verification status of a host profile can change in the following ways:
|
|
//
|
|
// - When an install profile command is enqueued by the server, the verification status is set to "pending".
|
|
//
|
|
// - When the results of an install profile command are reported via the MDM protocol, the Fleet server
|
|
// parses the results and updates the host's verification status for the applicable profile. If the
|
|
// command was acknowledged, the verification status is set to "verifying". If the command resulted
|
|
// in an error, the server determines if the profile should be retried (in which case, a new install profile
|
|
// command will be enqueued by the server) or marked as "failed" and updates the datastore accordingly.
|
|
//
|
|
// - When host details are reported via osquery, the Fleet server ingests a list of installed
|
|
// profiles and compares the reported profiles with the list of profiles expected to be
|
|
// installed on the host. Expected profiles comprise the profiles that belong to the host's assigned
|
|
// team (or no team, as applicable). If an expected profile is found, the verification status is
|
|
// set to "verified". If an expected profile is missing from the reported results, the server determines
|
|
// if the profile should be retried (in which case, a new install profile command will be enqueued by the server)
|
|
// or marked as "failed" and updates the datastore accordingly.
|
|
|
|
// VerifyHostMDMProfiles performs the verification of the MDM profiles installed on a host and
|
|
// updates the verification status in the datastore. It is intended to be called by Fleet osquery
|
|
// service when the Fleet server ingests host details.
|
|
func VerifyHostMDMProfiles(ctx context.Context, ds fleet.ProfileVerificationStore, host *fleet.Host, installed map[string]*fleet.HostMacOSProfile) error {
|
|
expected, err := ds.GetHostMDMProfilesExpectedForVerification(ctx, host)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
missing := make([]string, 0, len(expected))
|
|
verified := make([]string, 0, len(expected))
|
|
for key, ep := range expected {
|
|
withinGracePeriod := ep.IsWithinGracePeriod(host.DetailUpdatedAt)
|
|
ip, ok := installed[key]
|
|
if !ok {
|
|
// expected profile is missing from host
|
|
if !withinGracePeriod {
|
|
missing = append(missing, key)
|
|
}
|
|
continue
|
|
}
|
|
if ip.InstallDate.Before(ep.EarliestInstallDate) {
|
|
// installed profile is outdated
|
|
if !withinGracePeriod {
|
|
missing = append(missing, key)
|
|
}
|
|
continue
|
|
}
|
|
verified = append(verified, key)
|
|
}
|
|
|
|
toFail := make([]string, 0, len(missing))
|
|
toRetry := make([]string, 0, len(missing))
|
|
if len(missing) > 0 {
|
|
counts, err := ds.GetHostMDMProfilesRetryCounts(ctx, host)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
retriesByProfileIdentifier := make(map[string]uint, len(counts))
|
|
for _, r := range counts {
|
|
retriesByProfileIdentifier[r.ProfileIdentifier] = r.Retries
|
|
}
|
|
for _, key := range missing {
|
|
if retriesByProfileIdentifier[key] < mdm.MaxProfileRetries {
|
|
// if we haven't hit the max retries, we set the host profile status to nil (which
|
|
// causes an install profile command to be enqueued the next time the profile
|
|
// manager cron runs) and increment the retry count
|
|
toRetry = append(toRetry, key)
|
|
} else {
|
|
// otherwise we set the host profile status to failed
|
|
toFail = append(toFail, key)
|
|
}
|
|
}
|
|
}
|
|
|
|
return ds.UpdateHostMDMProfilesVerification(ctx, host, verified, toFail, toRetry)
|
|
}
|
|
|
|
// HandleHostMDMProfileInstallResult ingests the result of an install profile command reported via
|
|
// the MDM protocol and updates the verification status in the datastore. It is intended to be
|
|
// called by the Fleet MDM checkin and command service install profile request handler.
|
|
func HandleHostMDMProfileInstallResult(ctx context.Context, ds fleet.ProfileVerificationStore, hostUUID string, cmdUUID string, status *fleet.MDMDeliveryStatus, detail string) error {
|
|
if status != nil && *status == fleet.MDMDeliveryFailed {
|
|
// Here we set the host.Platform to "darwin" but it applies to iOS/iPadOS too.
|
|
// The logic in GetHostMDMProfileRetryCountByCommandUUID and UpdateHostMDMProfilesVerification
|
|
// is the exact same when platform is "darwin", "ios" or "ipados".
|
|
host := &fleet.Host{UUID: hostUUID, Platform: "darwin"}
|
|
m, err := ds.GetHostMDMProfileRetryCountByCommandUUID(ctx, host, cmdUUID)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if m.Retries < mdm.MaxProfileRetries {
|
|
// if we haven't hit the max retries, we set the host profile status to nil (which
|
|
// causes an install profile command to be enqueued the next time the profile
|
|
// manager cron runs) and increment the retry count
|
|
return ds.UpdateHostMDMProfilesVerification(ctx, host, nil, nil, []string{m.ProfileIdentifier})
|
|
}
|
|
}
|
|
|
|
// otherwise update status and detail as usual
|
|
return ds.UpdateOrDeleteHostMDMAppleProfile(ctx, &fleet.HostMDMAppleProfile{
|
|
CommandUUID: cmdUUID,
|
|
HostUUID: hostUUID,
|
|
Status: status,
|
|
Detail: detail,
|
|
OperationType: fleet.MDMOperationTypeInstall,
|
|
})
|
|
}
|