fleet/pkg/mdm/ota_enroll.go
Magnus Jensen 9a859736c2
IdP Authentication before BYOD (#32017)
fixes: #29222 

This is a feature branch that was completed last week, but did not get
merged in time.

All PRs going in were approved and reviewed.

I will after this is merged, do a cherry pick onto the RC 4.73 branch,
and initiate the FR merge process.

---------

Co-authored-by: Martin Angers <martin.n.angers@gmail.com>
Co-authored-by: Sarah Gillespie <73313222+gillespi314@users.noreply.github.com>
Co-authored-by: Gabriel Hernandez <ghernandez345@gmail.com>
2025-08-18 18:31:53 +02:00


package mdm
import (
"context"
"github.com/fleetdm/fleet/v4/server/contexts/ctxerr"
"github.com/fleetdm/fleet/v4/server/fleet"
)
// RequiresEnrollOTAAuthentication reports whether an OTA enrollment that
// presents enrollSecret must first go through end-user (IdP) authentication.
//
// The datastore is taken as a fleet.AndroidDatastore so this can also be
// called from the android package until
// https://github.com/fleetdm/fleet/issues/31218 is done.
//
// Decision, in order:
//   - a datastore error other than "not found" is returned wrapped;
//   - an invalid/unknown secret requires authentication if any team has
//     IdP enabled for setup experience (the invalid-secret failure itself is
//     enforced later, when the enrollment profile is installed), so an
//     unknown secret is never a way around authentication;
//   - a secret for "no team" defers to the caller-supplied noTeamIdPEnabled;
//   - otherwise the owning team's MacOSSetup.EnableEndUserAuthentication
//     setting decides.
func RequiresEnrollOTAAuthentication(ctx context.Context, ds fleet.AndroidDatastore, enrollSecret string, noTeamIdPEnabled bool) (bool, error) {
	secret, err := ds.VerifyEnrollSecret(ctx, enrollSecret)
	switch {
	case err != nil && !fleet.IsNotFound(err):
		return false, ctxerr.Wrap(ctx, err, "verify enroll secret")

	case secret == nil:
		// Invalid (or not found) secret: rather than failing here, require
		// authentication whenever at least one team has setup experience IdP
		// enabled. Rejecting the bad secret happens only once the enrollment
		// profile is installed.
		teamIDs, err := ds.TeamIDsWithSetupExperienceIdPEnabled(ctx)
		if err != nil {
			return false, ctxerr.Wrap(ctx, err, "get team IDs with setup experience IdP enabled")
		}
		return len(teamIDs) > 0, nil

	case secret.TeamID == nil:
		// The secret enrolls into "no team"; that setting is passed in by the caller.
		return noTeamIdPEnabled, nil
	}

	team, err := ds.Team(ctx, *secret.TeamID)
	if err != nil {
		return false, ctxerr.Wrap(ctx, err, "get team for settings")
	}
	return team.Config.MDM.MacOSSetup.EnableEndUserAuthentication, nil
}