
Add the option to `undo` or `re-enable` previous MDM secrets when MDM is turned OFF

Open PezHub opened this issue 1 year ago • 2 comments

Problem

With the new APNs & ABM certificates workflow, users can now Turn OFF MDM from the UI, which (soft) deletes all of their existing MDM secrets. An admin may do this in error or simply want to revert back to the old config to avoid having to manually reenroll their hosts.

Potential solutions

It would be great to add an undo or re-enable option that would bring the old config back.

This happened recently with our QA Wolf instance where they accidentally turned off MDM which then generated new certs and forced us to reenroll all of their hosts.

Scenario:

  1. Turn on MDM in the UI
  2. Turn on MDM on the hosts
  3. Turn off MDM in the UI
  4. Turn on MDM again in the UI

Note: this warning is in place when admins turn off MDM but mistakes still happen... [Screenshot]

PezHub, Jun 06 '24 01:06

Thanks for tracking this @PezHub!

> This happened recently with our QA Wolf instance where they accidentally turned off MDM which then generated new certs and forced us to reenroll all of their hosts.

I'm glad someone ran into this scenario. Was the warning correct? Did QA Wolf have to upload a new APNs certificate and turn MDM off and back on for all hosts? Did they have to do anything else?

If the warning isn't correct, we should fix that quickly and separately from this feature request.

noahtalerman, Jun 06 '24 13:06

Warning is correct, humans just have a tendency to ignore them even when warned in RED BOLD letters and asked to confirm action ;)

Correct, new certs were needed and MDM had to be turned back on for the hosts.

PezHub, Jun 06 '24 16:06