fleetdm · jahzielv · Aug 16, 2024 · Aug 2, 2024 · Aug 6, 2024 · Aug 8, 2024
diff --git a/.github/workflows/test-packaging.yml b/.github/workflows/test-packaging.yml
@@ -12,16 +12,16 @@ on:
       - prepare-*
   pull_request:
     paths:
-      - 'cmd/fleetctl/**.go'
-      - 'pkg/**.go'
-      - 'server/service/**.go'
-      - 'server/context/**.go'
-      - 'orbit/**.go'
-      - 'ee/fleetctl/**.go'
-      - 'tools/fleetctl-docker/**'
-      - 'tools/wix-docker/**'
-      - 'tools/bomutils-docker/**'
-      - '.github/workflows/test-packaging.yml'
+      - "cmd/fleetctl/**.go"
+      - "pkg/**.go"
+      - "server/service/**.go"
+      - "server/context/**.go"
+      - "orbit/**.go"
+      - "ee/fleetctl/**.go"
+      - "tools/fleetctl-docker/**"
+      - "tools/wix-docker/**"
+      - "tools/bomutils-docker/**"
+      - ".github/workflows/test-packaging.yml"
   workflow_dispatch: # Manual
 
 # This allows a subsequently queued workflow run to interrupt previous runs
@@ -47,87 +47,86 @@ jobs:
         # `macos-latest` uses arm64 by default now, so please be careful when
         # updating this version.
         os: [ubuntu-latest, macos-13]
-        go-version: ['${{ vars.GO_VERSION }}']
+        go-version: ["${{ vars.GO_VERSION }}"]
     runs-on: ${{ matrix.os }}
 
     steps:
-
-    - name: Harden Runner
-      uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
-      with:
-        egress-policy: audit
-
-    - name: Pull fleetdm/wix
-      # Run in background while other steps complete to speed up the workflow
-      run: docker pull fleetdm/wix:latest &
-
-    - name: Run Colima
-      if: startsWith(matrix.os, 'macos')
-      timeout-minutes: 10
-      # notes:
-      # - docker to install the docker CLI and interact with the Colima
-      #   container runtime
-      # - colima is pre-installed in macos-12 runners, but not in macos-13 or
-      #   macos-14 runners
-      run: |
-        brew install docker
-        # The runners come with an old version of [email protected] that fails to upgrade
-        # when python gets pulled in as a dep through the chain
-        # colima -> lima -> qemu -> glibc -> [email protected]
-        # Force upgrade it for now, remove once the problem is fixed
-        brew install --overwrite [email protected]
-        brew install colima
-        colima start --mount $TMPDIR:w
-
-    - name: Install Go
-      uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
-      with:
-        go-version: ${{ matrix.go-version }}
-
-    - name: Checkout Code
-      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
-
-    - name: Install wine and wix
-      if: startsWith(matrix.os, 'macos')
-      run: |
-        ./scripts/macos-install-wine.sh -n
-        wget https://github.com/wixtoolset/wix3/releases/download/wix3112rtm/wix311-binaries.zip -nv -O wix.zip
-        mkdir wix
-        unzip wix.zip -d wix
-        rm -f wix.zip
-        echo wix installed at $(pwd)/wix
-
-      # It seems faster not to cache Go dependencies
-    - name: Install Go Dependencies
-      run: make deps-go
-
-    - name: Build fleetctl
-      run: make fleetctl
-
-    - name: Build DEB
-      run: ./build/fleetctl package --type deb --enroll-secret=foo --fleet-url=https://localhost:8080
-
-    - name: Build DEB with Fleet Desktop
-      run: ./build/fleetctl package --type deb --enroll-secret=foo --fleet-url=https://localhost:8080 --fleet-desktop
-
-    - name: Build RPM
-      run: ./build/fleetctl package --type rpm --enroll-secret=foo --fleet-url=https://localhost:8080
-
-    - name: Build RPM with Fleet Desktop
-      run: ./build/fleetctl package --type rpm --enroll-secret=foo --fleet-url=https://localhost:8080 --fleet-desktop
-
-    - name: Build MSI
-      run: ./build/fleetctl package --type msi --enroll-secret=foo --fleet-url=https://localhost:8080
-
-    - name: Build MSI with Fleet Desktop
-      run: ./build/fleetctl package --type msi --enroll-secret=foo --fleet-url=https://localhost:8080 --fleet-desktop
-
-    - name: Build PKG
-      run: ./build/fleetctl package --type pkg --enroll-secret=foo --fleet-url=https://localhost:8080
-
-    - name: Build PKG with Fleet Desktop
-      run: ./build/fleetctl package --type pkg --enroll-secret=foo --fleet-url=https://localhost:8080 --fleet-desktop
-
-    - name: Build MSI (using local Wix)
-      if: startsWith(matrix.os, 'macos')
-      run: ./build/fleetctl package --type msi --enroll-secret=foo --fleet-url=https://localhost:8080 --fleet-desktop --local-wix-dir ./wix
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
+      - name: Pull fleetdm/wix
+        # Run in background while other steps complete to speed up the workflow
+        run: docker pull fleetdm/wix:latest &
+
+      - name: Run Colima
+        if: startsWith(matrix.os, 'macos')
+        timeout-minutes: 10
+        # notes:
+        # - docker to install the docker CLI and interact with the Colima
+        #   container runtime
+        # - colima is pre-installed in macos-12 runners, but not in macos-13 or
+        #   macos-14 runners
+        run: |
+          brew install docker
+          # The runners come with an old version of [email protected] that fails to upgrade
+          # when python gets pulled in as a dep through the chain
+          # colima -> lima -> qemu -> glibc -> [email protected]
+          # Force upgrade it for now, remove once the problem is fixed
+          brew install --overwrite [email protected]
+          brew install colima
+          colima start --mount $TMPDIR:w
+
+      - name: Install Go
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        with:
+          go-version: ${{ matrix.go-version }}
+
+      - name: Checkout Code
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+
+      - name: Install wine and wix
+        if: startsWith(matrix.os, 'macos')
+        run: |
+          ./scripts/macos-install-wine.sh -n
+          wget https://github.com/wixtoolset/wix3/releases/download/wix3112rtm/wix311-binaries.zip -nv -O wix.zip
+          mkdir wix
+          unzip wix.zip -d wix
+          rm -f wix.zip
+          echo wix installed at $(pwd)/wix
+
+        # It seems faster not to cache Go dependencies
+      - name: Install Go Dependencies
+        run: make deps-go
+
+      - name: Build fleetctl
+        run: make fleetctl
+
+      - name: Build DEB
+        run: ./build/fleetctl package --type deb --enroll-secret=foo --fleet-url=https://localhost:8080
+
+      - name: Build DEB with Fleet Desktop
+        run: ./build/fleetctl package --type deb --enroll-secret=foo --fleet-url=https://localhost:8080 --fleet-desktop
+
+      - name: Build RPM
+        run: ./build/fleetctl package --type rpm --enroll-secret=foo --fleet-url=https://localhost:8080
+
+      - name: Build RPM with Fleet Desktop
+        run: ./build/fleetctl package --type rpm --enroll-secret=foo --fleet-url=https://localhost:8080 --fleet-desktop
+
+      - name: Build MSI
+        run: ./build/fleetctl package --type msi --enroll-secret=foo --fleet-url=https://localhost:8080
+
+      - name: Build MSI with Fleet Desktop
+        run: ./build/fleetctl package --type msi --enroll-secret=foo --fleet-url=https://localhost:8080 --fleet-desktop
+
+      - name: Build PKG
+        run: ./build/fleetctl package --type pkg --enroll-secret=foo --fleet-url=https://localhost:8080
+
+      - name: Build PKG with Fleet Desktop
+        run: ./build/fleetctl package --type pkg --enroll-secret=foo --fleet-url=https://localhost:8080 --fleet-desktop
+
+      - name: Build MSI (using local Wix)
+        if: startsWith(matrix.os, 'macos')
+        run: ./build/fleetctl package --type msi --enroll-secret=foo --fleet-url=https://localhost:8080 --fleet-desktop --local-wix-dir ./wix
diff --git a/changes/20310-update-my-device-copy b/changes/20310-update-my-device-copy
@@ -0,0 +1 @@
+- update copy on for automica enrollment modal on my device page.
diff --git a/changes/20311-migrations b/changes/20311-migrations
@@ -0,0 +1,3 @@
+- Adds ability for MDM migrations if the host is manually enrolled to a 3rd party MDM.
+- Adds an offline screen to the macOS MDM migration flow.
+- Updates the instructions on "My device" for MDM migrations on pre-Sonoma macOS hosts.
@@ -62,7 +62,12 @@ func (svc *Service) TriggerMigrateMDMDevice(ctx context.Context, host *fleet.Hos
 		return ctxerr.Wrap(ctx, err, "fetching host mdm info")
 	}
 
-	if !fleet.IsEligibleForDEPMigration(host, mdmInfo, connected) {
+	manualMigrationEligible, err := fleet.IsEligibleForManualMigration(host, mdmInfo, connected)
+	if err != nil {
+		return ctxerr.Wrap(ctx, err, "checking manual migration eligibility")
+	}
+
+	if !fleet.IsEligibleForDEPMigration(host, mdmInfo, connected) && !manualMigrationEligible {
 		bre.InternalErr = ctxerr.New(ctx, "host not eligible for macOS migration")
 	}
 
@@ -139,9 +144,15 @@ func (svc *Service) GetFleetDesktopSummary(ctx context.Context) (fleet.DesktopSu
 			sum.Notifications.RenewEnrollmentProfile = true
 		}
 
-		if fleet.IsEligibleForDEPMigration(host, mdmInfo, connected) {
+		manualMigrationEligible, err := fleet.IsEligibleForManualMigration(host, mdmInfo, connected)
+		if err != nil {
+			return sum, ctxerr.Wrap(ctx, err, "checking manual migration eligibility")
+		}
+
+		if fleet.IsEligibleForDEPMigration(host, mdmInfo, connected) || manualMigrationEligible {
 			sum.Notifications.NeedsMDMMigration = true
 		}
+
 	}
 
 	// organization information

@@ -23,6 +23,57 @@ const AutoEnrollMdmModal = ({
       .map((s) => parseInt(s, 10));
     isMacOsSonomaOrLater = major >= 14;
   }
+
+  const preSonomaBody = (
+    <>
+      <p className={`${baseClass}__description`}>
+        To turn on MDM, Apple Inc. requires you to follow the steps below.
+      </p>
+      <ol>
+        <li>
+          Open your Mac&apos;s notification center by selecting the date and
+          time in the top right corner of your screen.
+        </li>
+        <li>
+          Select the <b>Device Enrollment</b> notification. This will open{" "}
+          <b>System Settings</b>. Select <b>Allow</b>.
+        </li>
+        <li>
+          Enter your password, and select <b>Enroll</b>.
+        </li>
+        <li>
+          Select <b>Done</b> to close this window and select Refetch on your My
+          device page to tell your organization that MDM is on.
+        </li>
+      </ol>
+    </>
+  );
+
+  const sonomaAndAboveBody = (
+    <>
+      <p className={`${baseClass}__description`}>
+        To turn on MDM, Apple Inc. requires that you install a profile.
+      </p>
+      <ol>
+        <li>
+          From the Apple menu in the top left corner of your screen, select{" "}
+          <b>System Settings</b> or <b>System Preferences</b>.
+        </li>
+        <li>
+          In the sidebar menu, select <b>Enroll in Remote Management</b>, and
+          select <b>Enroll</b>.
+        </li>
+        <li>
+          Enter your password, and select <b>Enroll</b>.
+        </li>
+        <li>
+          Close this window and select <b>Refetch</b> on your My device page to
+          tell your organization that MDM is on.
+        </li>
+      </ol>
+    </>
+  );
+
   return (
     <Modal
       title="Turn on MDM"
@@ -31,35 +82,7 @@ const AutoEnrollMdmModal = ({
       width="xlarge"
     >
       <div>
-        <p className={`${baseClass}__description`}>
-          To turn on MDM, Apple Inc. requires that you install a profile.
-        </p>
-        <ol>
-          <li>
-            From the Apple menu in the top left corner of your screen, select{" "}
-            <b>System Settings</b> or <b>System Preferences</b>.
-          </li>
-          <li>
-            {isMacOsSonomaOrLater ? (
-              <>
-                In the sidebar menu, select <b>Enroll in Remote Management</b>,
-                and select <b>Enroll</b>.
-              </>
-            ) : (
-              <>
-                In the search bar, type “Profiles.” Select <b>Profiles</b>, find
-                and select <b>Enrollment Profile</b>, and select <b>Install</b>.
-              </>
-            )}
-          </li>
-          <li>
-            Enter your password, and select <b>Enroll</b>.
-          </li>
-          <li>
-            Close this window and select <b>Refetch</b> on your My device page
-            to tell your organization that MDM is on.
-          </li>
-        </ol>
+        {isMacOsSonomaOrLater ? sonomaAndAboveBody : preSonomaBody}
         <div className="modal-cta-wrap">
           <Button type="button" onClick={onCancel} variant="brand">
             Done

@@ -0,0 +1 @@
+- Adds ability for MDM migrations if the host is manually enrolled to a 3rd party MDM.