Adding in check to disable recovery lock on personal macOS since it doesn't have the required permissions #48598
Warning
- Copilot's review of this pull request may be incomplete because some of the changed files are excluded by your Copilot content exclusion settings. See Excluding content from Copilot for details.
Pull request overview
This PR prevents Fleet from attempting to set or clear macOS Recovery Lock on personally-owned (BYOD) MDM enrollments, where Apple strips DeviceLock/DeviceErase access rights and the command is rejected (per #48594).
Changes:
- Exclude `host_mdm.is_personal_enrollment=1` hosts from eligibility for Recovery Lock set and clear selection queries.
- Add datastore tests to ensure personally-owned enrollments are not selected/claimed for these Recovery Lock operations.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| server/datastore/mysql/apple_mdm.go | Adds hm.is_personal_enrollment = 0 filter to Recovery Lock set/clear host-selection SQL queries and documents rationale. |
| server/datastore/mysql/apple_mdm_test.go | Adds coverage ensuring BYOD/personal-enrollment hosts are not eligible for set, and not claimed for clear. |
| changes/48594-recovery-lock-byod-personal-enrollment | Release-note entry (content excluded by policy; not reviewed). |
Files excluded by content exclusion policy (1)
- changes/48594-recovery-lock-byod-personal-enrollment
Walkthrough
This change excludes personally-owned (BYOD) macOS/iOS/iPadOS hosts from recovery-lock password enforcement. SQL queries in
Sequence Diagram(s)
Not applicable — this change is a query filtering fix without significant new control flow.
Pre-merge checks: ✅ Passed checks (5 passed)
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files
@@ Coverage Diff @@
## main #48598 +/- ##
=======================================
Coverage 68.01% 68.01%
=======================================
Files 3678 3678
Lines 233758 233760 +2
Branches 12453 12453
=======================================
+ Hits 158981 158988 +7
+ Misses 60475 60474 -1
+ Partials 14302 14298 -4
JordanMontgomery left a comment
Approved conditionally - PR template still needs to be used. But code looks good
QA'd locally. Looks good. The failing test is unrelated
#48601 cherry pick into 89
…oesn't have the required permissions (#48598)

**Related issue:** Resolves #48594

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters.
- [x] Timeouts are implemented and retries are limited to avoid infinite loops
- [x] If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes

## Testing

- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one host's records do not affect another)
- [x] QA'd all new/changed functionality manually

For unreleased bug fixes in a release candidate, one of:

- [x] Confirmed that the fix is not expected to adversely impact load test results
- [x] Alerted the release DRI if additional load testing is needed

## Summary by CodeRabbit

* **Bug Fixes**
  * Recovery-lock password checks now skip personally owned (BYOD) Apple devices, avoiding failures on eligible hosts.
  * Recovery-lock clear actions are no longer applied to personally owned enrollments.
* **Tests**
  * Added coverage to verify BYOD devices are excluded from both recovery-lock enforcement and clear workflows.