Turning off Windows MDM fails to unenroll existing devices #24209

Open
mna opened this issue Nov 27, 2024 · 0 comments
Labels
~backend Backend-related issue. bug Something isn't working as documented #g-mdm MDM product group :incoming New issue in triage process. ~released bug This bug was found in a stable release.

mna commented Nov 27, 2024

Fleet version:
4.59

Web browser and operating system:
N/A
💥  Actual behavior

Turning off Windows MDM should unenroll devices from Fleet's MDM. As part of my test for Windows migration, I noticed that it failed to do so.

🧑‍💻  Steps to reproduce

  1. Enable Windows MDM
  2. Enroll a Windows device, wait for it to be fully enrolled in MDM
  3. Turn off Windows MDM
  4. Check if the device is unenrolled, look at the Fleet server logs for errors

You should see logs like this:

level=info ts=2024-11-26T20:54:47.753080855Z component=http path=/api/mdm/microsoft/management err="MDM features aren't turned on in Fleet. For more information about setting up MDM, please visit https://fleetdm.com/docs/using-fleet"

🕯️ More info (optional)

This is likely because the Windows MDM management endpoints are wrapped in a middleware that checks if Windows MDM is enabled, but at the point in time when hosts try to unenroll, Windows MDM has been turned off, so the Fleet server rejects the request due to MDM not being enabled:

```go
// These endpoints are used by Microsoft devices during the MDM device enrollment phase
neWindowsMDM := ne.WithCustomMiddleware(mdmConfiguredMiddleware.VerifyWindowsMDM())
// Microsoft MS-MDE2 Endpoints
// This endpoint is unauthenticated and is used by Microsoft devices to discover the MDM server endpoints
neWindowsMDM.POST(microsoft_mdm.MDE2DiscoveryPath, mdmMicrosoftDiscoveryEndpoint, SoapRequestContainer{})
// This endpoint is unauthenticated and is used by Microsoft devices to retrieve the opaque STS auth token
neWindowsMDM.GET(microsoft_mdm.MDE2AuthPath, mdmMicrosoftAuthEndpoint, SoapRequestContainer{})
// This endpoint is authenticated using the BinarySecurityToken header field
neWindowsMDM.POST(microsoft_mdm.MDE2PolicyPath, mdmMicrosoftPolicyEndpoint, SoapRequestContainer{})
// This endpoint is authenticated using the BinarySecurityToken header field
neWindowsMDM.POST(microsoft_mdm.MDE2EnrollPath, mdmMicrosoftEnrollEndpoint, SoapRequestContainer{})
// This endpoint is unauthenticated for now
// It should be authenticated through TLS headers once proper implementation is in place
neWindowsMDM.POST(microsoft_mdm.MDE2ManagementPath, mdmMicrosoftManagementEndpoint, SyncMLReqMsgContainer{})
// This endpoint is unauthenticated and is used by Microsoft devices to retrieve the MDM enrollment Terms of Use
neWindowsMDM.GET(microsoft_mdm.MDE2TOSPath, mdmMicrosoftTOSEndpoint, MDMWebContainer{})
```

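As an added example (not Fleet's code), the Go sketch below gates requests the way the middleware in the report does, beside a variant that still admits an already-enrolled device to the management path after the feature is turned off, so unenrollment traffic is not rejected. The `mdmState` type, the `gate` and `probe` helpers, the `X-Device-ID` header and the device ID are assumptions of this example, not part of Fleet or of MS-MDE2.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

const managementPath = "/api/mdm/microsoft/management" // path from the issue's log line

// mdmState is a constructed stand-in for Fleet's app config (assumption).
type mdmState struct {
	enabled  bool            // Windows MDM turned on?
	enrolled map[string]bool // device IDs that finished enrolling while it was on
}

// gate is the "is Windows MDM enabled" middleware. allowEnrolled=false reproduces
// the issue: every endpoint, even the management one carrying unenrollment traffic,
// is rejected once the feature is off. allowEnrolled=true still lets an enrolled
// device reach the management endpoint. The X-Device-ID header is an assumption.
func gate(st *mdmState, allowEnrolled bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !st.enabled {
			known := st.enrolled[r.Header.Get("X-Device-ID")]
			if !allowEnrolled || r.URL.Path != managementPath || !known {
				http.Error(w, "MDM features aren't turned on in Fleet.", http.StatusBadRequest)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// probe posts to the management endpoint as device id and returns the HTTP status.
func probe(h http.Handler, id string) int {
	req := httptest.NewRequest(http.MethodPost, managementPath, nil)
	req.Header.Set("X-Device-ID", id)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// scenario replays the repro steps: MDM on, device enrolled, MDM off, then probe.
func scenario(allowEnrolled bool) (whileOn, afterOff int) {
	st := &mdmState{enabled: true, enrolled: map[string]bool{"device-1": true}}
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	h := gate(st, allowEnrolled, ok)
	whileOn = probe(h, "device-1")
	st.enabled = false // step 3: turn off Windows MDM
	return whileOn, probe(h, "device-1") // buggy: 200, 400; fixed: 200, 200
}
```

With the gate as written in the report (`allowEnrolled=false`) the enrolled device gets the same 400 rejection the log line shows; the adjusted gate only relaxes the check for the management path and only for devices that enrolled while MDM was on.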