Include Linux disk encryption status in configuration profiles aggregate status response when applicable, fix disk encryption/MDM configuration order-of-operations issues, add integration tests for LUKS #24114

Merged
merged 11 commits into from
Nov 25, 2024
46 changes: 44 additions & 2 deletions server/service/mdm.go
Expand Up @@ -2612,10 +2612,52 @@ func (svc *Service) UploadMDMAppleAPNSCert(ctx context.Context, cert io.ReadSeek
return ctxerr.Wrap(ctx, err, "retrieving app config")
}

wasEnabledAndConfigured := appCfg.MDM.EnabledAndConfigured
appCfg.MDM.EnabledAndConfigured = true
// TODO for each team (or no-team) set up for disk encryption, enable FileVault
err = svc.ds.SaveAppConfig(ctx, appCfg)
if err != nil {
return ctxerr.Wrap(ctx, err, "saving app config")
}

return svc.ds.SaveAppConfig(ctx, appCfg)
// Disk encryption can be enabled prior to Apple MDM being configured, but we need MDM to be set up to escrow
// FileVault keys. We handle the other order of operations elsewhere (on encryption enable, after checking to see
// if Mac MDM is already enabled). We skip this step if we were just re-uploading an APNs cert when MDM was already
// enabled.
if wasEnabledAndConfigured {
return nil
}

// Enable FileVault escrow if no-team already has disk encryption enforced
if appCfg.MDM.EnableDiskEncryption.Value {
if err := svc.EnterpriseOverrides.MDMAppleEnableFileVaultAndEscrow(ctx, nil); err != nil {
return ctxerr.Wrap(ctx, err, "enable no-team FileVault escrow")
}
if err := svc.NewActivity(ctx, authz.UserFromContext(ctx), fleet.ActivityTypeEnabledMacosDiskEncryption{}); err != nil {
return ctxerr.Wrap(ctx, err, "create activity for enabling no-team macOS disk encryption")
}
}
// Enable FileVault escrow for teams that already have disk encryption enforced
// For later: add a data store method to avoid making an extra query per team to check whether encryption is enforced
I think ListTeams is used in a few places to list all teams along with their config? E.g. here:

teams, err := ds.ListTeams(
ctx, fleet.TeamFilter{
User: &fleet.User{
GlobalRole: ptr.String(fleet.RoleAdmin),
},
}, fleet.ListOptions{},
)

Yep. Considered that but it pulls way more data so it wasn't clear that it was better than an N+1 here, so will leave this as is.

teams, err := svc.ds.TeamsSummary(ctx)
if err != nil {
return ctxerr.Wrap(ctx, err, "listing teams")
}
for _, team := range teams {
isEncryptionEnforced, err := svc.ds.GetConfigEnableDiskEncryption(ctx, &team.ID)
if err != nil {
return ctxerr.Wrap(ctx, err, "retrieving encryption enforcement status for team")
}
if isEncryptionEnforced {
if err := svc.EnterpriseOverrides.MDMAppleEnableFileVaultAndEscrow(ctx, &team.ID); err != nil {
return ctxerr.Wrap(ctx, err, "enable FileVault escrow for team")
}
if err := svc.NewActivity(ctx, authz.UserFromContext(ctx), fleet.ActivityTypeEnabledMacosDiskEncryption{TeamID: &team.ID, TeamName: &team.Name}); err != nil {
return ctxerr.Wrap(ctx, err, "create activity for enabling macOS disk encryption for team")
}
}
}

return nil
}

////////////////////////////////////////////////////////////////////////////////
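Review bot: the app config is persisted with `EnabledAndConfigured = true` (the `svc.ds.SaveAppConfig` call near the top of the hunk) before any of the FileVault escrow enablement below it runs, and the `if wasEnabledAndConfigured { return nil }` early return means that if `MDMAppleEnableFileVaultAndEscrow` fails for the no-team case or for one team in the loop, the request errors out but MDM is already recorded as configured, so re-uploading the APNs cert will skip the escrow step and the affected team is left with encryption enforced but no key escrow. Consider either saving the app config only after the escrow loop succeeds, or keeping the early return but making the escrow enablement idempotent and running it regardless of `wasEnabledAndConfigured` so a retry repairs the state. Separately, the per-team error wraps (`"retrieving encryption enforcement status for team"`, `"enable FileVault escrow for team"`) would be easier to act on if they included `team.ID`.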