Windows and Linux Lock Command should output details of script execution, not just 204
customer-pingali: No Gong snippet at this point - this was just passed as a MDM requirements doc for customer-pingali
- @noahtalerman: User requested this because the customer wants to be sure that the host is locked or will be locked when it comes online. Which one is it? The 204 response code from the lock host API is unclear. I can't follow up w/ a call to the get script results API b/c I don't know what the execution_id is.
- @allenhouchins: At large enterprises it's likely the confirmation that the host was locked needs to be automated. For example, there might be another tool in which IT is responsible for tracking whether a lock happened successfully.
- @allenhouchins: Real world example: for compliance reasons, my procedure might require that I prove I sent the lock command at 5p before the employee's last day. To do this I would send the response from the lock command (locked, pending, etc.) to my SIEM. Ideally the response would update automatically in my SIEM so that when we come back during an audit we know which Macs we have to hunt down.
- @noahtalerman: In the interim the user can head to the Host details page to see if the host was locked.
- @noahtalerman: Eventually TODO
Problem
Check if a specified device has received and successfully processed a lock/wipe command - must not rely on logs to determine this
This is easily surface-able for macOS, as you can look at the List MDM commands through the API and see
"status": "Acknowledged",
For Windows and Linux, a script is run that executes the lock, but when you use the API only a 204 is returned. It would be ideal if the output of that script was returned in the API so we can confirm the action was run on the endpoint. Like so:
All local non-administrative users have been logged out and their accounts disabled. Logging in with other Microsoft accounts has been disabled Cached Logins have been disabled, disable the MDM-Enroled account to prevent further logins Shutting down in 15 seconds
What have you tried?
Can grab script output through the UI in the Activity page in Fleet. Cannot use the script status API because we don't have the execution_id
Potential solutions
Adjust the payload returned when a lock command is sent through the API.
What is the expected workflow as a result of your proposal?
When a lock command is sent through the API, the returned payload should include the output of the script that was run, to verify that it has in fact actually run.
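The workflow the request asks for, as an added example that is not Fleet's own code and not from the issue author: send the lock, treat the 204 only as "accepted", then confirm the lock from Fleet's API state rather than from host logs, and emit a record for the SIEM. The REST paths (POST /api/v1/fleet/hosts/{id}/lock, GET /api/v1/fleet/hosts/{id}, GET /api/v1/fleet/commands?host_identifier=...) and the JSON field names (mdm.device_status, mdm.pending_action, results[].request_type, results[].status) are assumptions to check against your Fleet version's docs; the sample responses are constructed. On macOS the "Acknowledged" MDM command status is the proof of processing; on Windows and Linux the host's reported lock state is the only API-visible signal, because the script's execution_id (and so its output) is not returned.

```python
"""Added example (not Fleet's code): confirm a Fleet lock actually took effect.
Assumed endpoints and field names; verify against your Fleet version's docs.
"""
import time
from datetime import datetime, timezone
from typing import Callable, Optional

# Transport hooks injected by the caller so the logic runs offline; in production
# wire them to requests.post / requests.get with the Fleet API token header.
PostFn = Callable[[str], int]   # POST path -> HTTP status code
GetFn = Callable[[str], dict]   # GET path  -> parsed JSON body

LOCK_REQUEST_TYPES = {"DeviceLock", "EnableLostMode"}  # Apple MDM lock commands


def send_lock(post: PostFn, host_id: int) -> str:
    """A 204 only means Fleet accepted the request; it is not evidence that the
    host ran anything, which is the gap this issue describes."""
    code = post(f"/api/v1/fleet/hosts/{host_id}/lock")  # assumed path
    return "accepted" if code in (200, 204) else f"rejected:{code}"


def classify_mdm_commands(commands: list) -> str:
    """macOS: 'Acknowledged' on the lock command is the proof the device processed it."""
    lock_cmds = [c for c in commands if c.get("request_type") in LOCK_REQUEST_TYPES]
    if not lock_cmds:
        return "unknown"
    latest = max(lock_cmds, key=lambda c: c.get("updated_at", ""))  # ISO 8601 sorts as text
    status = latest.get("status", "")
    if status == "Acknowledged":
        return "locked"
    if status == "Error":
        return "failed"
    return "pending"


def classify_host_details(host: dict) -> str:
    """All platforms: the host details 'mdm' block (assumed fields) carries lock state."""
    mdm = host.get("mdm") or {}
    if mdm.get("device_status") == "locked":
        return "locked"
    if mdm.get("pending_action") == "lock":
        return "pending"  # host offline, or lock script not yet run
    return "unknown"


def confirm_lock(get: GetFn, host_id: int, platform: str,
                 attempts: int = 5, delay_s: float = 0.0) -> str:
    """Poll Fleet's API (never host logs) until locked/failed or attempts run out."""
    state = "unknown"
    for _ in range(attempts):
        host = get(f"/api/v1/fleet/hosts/{host_id}").get("host", {})
        state = classify_host_details(host)
        if platform == "darwin" and state != "locked":
            cmds = get(f"/api/v1/fleet/commands?host_identifier={host.get('uuid', '')}")
            cmd_state = classify_mdm_commands(cmds.get("results", []))
            if cmd_state != "unknown":
                state = cmd_state
        if state in ("locked", "failed"):
            return state
        time.sleep(delay_s)
    return state


def audit_record(host_id: int, sent: str, state: str, now: Optional[str] = None) -> dict:
    """SIEM event: what was sent and what was confirmed. 'pending' records are the
    hosts to hunt down at audit time."""
    return {"event": "fleet.host.lock", "host_id": host_id, "send_result": sent,
            "lock_state": state,
            "observed_at": now or datetime.now(timezone.utc).isoformat()}


# Constructed sample responses (not captured from a real Fleet server).
SAMPLE_MAC_HOST = {"host": {"id": 42, "uuid": "A1B2", "platform": "darwin",
                            "mdm": {"device_status": "unlocked", "pending_action": "lock"}}}
SAMPLE_MAC_COMMANDS = {"results": [
    {"request_type": "DeviceLock", "status": "Acknowledged", "updated_at": "2024-05-01T17:00:09Z"},
    {"request_type": "InstalledApplicationList", "status": "Pending", "updated_at": "2024-05-01T17:00:10Z"},
]}
SAMPLE_WIN_HOST = {"host": {"id": 43, "uuid": "C3D4", "platform": "windows",
                            "mdm": {"device_status": "unlocked", "pending_action": "lock"}}}


def fake_get(responses: dict) -> GetFn:
    """Route GET paths to canned bodies by prefix (test double for requests.get)."""
    def get(path: str) -> dict:
        for prefix, body in responses.items():
            if path.startswith(prefix):
                return body
        raise KeyError(path)
    return get


if __name__ == "__main__":
    get = fake_get({"/api/v1/fleet/hosts/42": SAMPLE_MAC_HOST,
                    "/api/v1/fleet/commands": SAMPLE_MAC_COMMANDS,
                    "/api/v1/fleet/hosts/43": SAMPLE_WIN_HOST})
    sent = send_lock(lambda path: 204, 42)
    print(audit_record(42, sent, confirm_lock(get, 42, "darwin")))
    print(audit_record(43, sent, confirm_lock(get, 43, "windows", attempts=2)))
```

The Windows host in the sample stays "pending" after polling, which is the honest answer the API can give until the host comes online and runs the script; forwarding that record to the SIEM, and re-emitting when the state changes, is what makes the audit question ("was it locked, and when?") answerable without screen-scraping the Activity page.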
customer-pingali: No Gong snippet at this point - this was just passed as a MDM requirements doc for customer-pingali
@harrisonravazzolo when you get the chance, can you please bring this one up on a call so we can capture a Gong snippet? Thanks!
Hey @harrisonravazzolo just following up here w/ a ping! During the next call w/ pingali can you please bring this one up so we can capture a Gong snippet?
This one has unfortunately not come up in a call yet. I will try to bring it up in next weeks sync.
User requested this because the customer wants to be sure that the host is locked or will be locked when it comes online. Which one is it? The 204 response code from the lock host API is unclear. I can't follow up w/ a call to the get script results API b/c I don't know what the execution_id is.
Hey @harrisonravazzolo, I don't think we need a Gong snippet for this one. I think we understand the problem (see above). Please let me know if our understanding is wrong.
Hey @harrisonravazzolo heads up, we peeled this user story off of this request.
Keep in mind that the user story likely won't address the entire request. It will be a small piece.
@Patagonia121 we shipped an improvement (user story here) for this request in Fleet 4.64.
We think this improvement satisfies this pingali request. Can you please show pingali and ask if Fleet is missing anything?
Docs for the Lock host API endpoint are here: https://fleetdm.com/docs/rest-api/rest-api#lock-host
Up to you on whether we can close this request: https://fleetdm.com/handbook/customer-success#communicate-feedback-on-prioritized-customer-requests
@Patagonia121 just checking, any feedback from pingali?
Hey @noahtalerman - Closing this one out for Jason since there was no feedback
Locking hosts with ease, API clarity brings peace. Trust in code's release.