ABM token renewal isn't working
Fleet version: Observed in Fleet's dogfood environment
💥 Actual behavior
When renewing an ABM token on the Settings > Integrations > MDM > ABM page, I see an error. See comment here.
🧑💻 Steps to reproduce
See above
More info
@noahtalerman: We think this isn't related to the original bug that discovered that Apple now asks for a .pem (instead of .crt). During testing, we've found that uploading a .crt in Apple Business Manager works.
QA Notes:
It does appear that Apple has updated their copy and some UI elements on this page (I honestly don't remember exactly what it looked like before).
Quick test shows that I can still upload the Fleet-generated .crt despite ABM not listing it as a supported file format. However, I am seeing some unexpected errors when renewing my ABM token in Fleet, which will require additional investigation.
Moved the original bug report here for safekeeping:
💥 Actual behavior
ABM now requires the public key in PEM or DER format, but Fleet generates a CRT file.
🧑💻 Steps to reproduce
- Follow the ABM MDM enrollment flow
- Issue can be found in MDM Server Settings section where a public key must be uploaded.
🕯️ More info (optional)
Customer was able to convert it with
openssl x509 -in mycert.crt -out mycert.pem -outform PEM
cc @lukeheath
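An added example, not part of the original issue or Fleet's code: `.crt` is only a file extension, while PEM and DER are encodings, so this script checks how a certificate file is actually encoded before re-encoding it with the same `openssl x509` command quoted above. The function names, file names and the throwaway self-signed certificate are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Fleet's code). Function and file names are placeholders.

# Print PEM, DER or unknown for certificate file $1, judged by content, not extension.
cert_encoding() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        if openssl x509 -in "$1" -inform PEM -noout 2>/dev/null; then
            echo PEM
        else
            echo unknown
        fi
    elif openssl x509 -in "$1" -inform DER -noout 2>/dev/null; then
        echo DER
    else
        echo unknown
    fi
}

# Re-encode certificate $1 as $2 (PEM or DER) into file $3.
convert_cert() {
    enc=$(cert_encoding "$1")
    if [ "$enc" = unknown ]; then
        echo "not an X.509 certificate: $1" >&2
        return 1
    fi
    openssl x509 -in "$1" -inform "$enc" -out "$3" -outform "$2"
}

# SHA-256 fingerprint of certificate $1; it is the same in either encoding.
cert_fingerprint() {
    openssl x509 -in "$1" -inform "$(cert_encoding "$1")" \
        -noout -fingerprint -sha256 | cut -d= -f2
}

# Constructed sample: a throwaway self-signed certificate saved as $1.
make_sample_crt() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-sample" -keyout "$1.key" -out "$1" 2>/dev/null
}

# Demo: report the encoding of a .crt, re-encode it to DER, report again.
demo_dir=$(mktemp -d)
make_sample_crt "$demo_dir/sample.crt"
echo "sample.crt is $(cert_encoding "$demo_dir/sample.crt")"
convert_cert "$demo_dir/sample.crt" DER "$demo_dir/sample.der"
echo "sample.der is $(cert_encoding "$demo_dir/sample.der")"
rm -rf "$demo_dir"
```

Comparing `cert_fingerprint` before and after conversion confirms that the file handed to ABM is the same certificate in a different encoding.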
@noahtalerman Just seeing this. Reminder that the Release DRI should be tagged on any new P-rated tickets.
QA Notes:
As mentioned, the original issue for uploading a Fleet-generated .crt will be addressed separately since we confirmed ABM will still accept the format despite not specifically calling it out on their site.
Regarding the ABM Renewal bug, the following scenarios were tested and succeeded:
On a working instance of Fleet with MDM and ABM already configured -
- Renewed token by downloading existing one from ABM (without making any changes to the MDM server).
- Deleted existing ABM from my instance, went thru setup from scratch:
  - Downloaded new public key from Fleet, uploaded to ABM, downloaded new token
  - Renewed from Fleet UI by uploading existing token from previous step (from downloads folder)
  - Logged back into ABM, downloaded same key and renewed in Fleet UI
Fresh instance of Fleet without MDM or ABM configured (performed a db-reset) -
- Went thru APN and ABM setup process in Fleet UI and configured both successfully
- Renewed token by downloading existing one from ABM
Additional Testing - Wiped my MacBook Air and verified I could enroll via ADE before & after renewing tokens and certs. Confirmed it received an MDM profile as well… additional MDM tasks will be performed during smoke tests.
Summary - the fix applied now allows for successful ABM Token renewals.
@noahtalerman Context from customer-fourier: https://fleetdm.slack.com/archives/C07RX27HW4U/p1729631157676759
a few other workarounds -
- use Chrome instead of Safari
- drag and drop the .crt file into the browser window instead of using the upload modal
Token renewal fails, Fleet dances with Apple's tune, Smooth as clouds, issues quelled.