# fleet
m
Quick question, finally got MDM set up on Fleet, and was wondering if being Hybrid joined with Entra will cause issues? We don't have an Intune subscription yet, and I notice that when you see MDM status it says (automatic) for me but shows my fleet URL.
r
Thanks for reaching out, let me find someone from the MDM team to clarify.
b
Hello. We are working on improving the validation that governs how Windows MDM enrollments are displayed. If what you are seeing seems incorrect, it's most likely because Windows computers can be enrolled in multiple MDM servers simultaneously (unlike Apple computers, which can only be associated with one MDM server). So, all that to say, I doubt this will cause a problem with hybrid-join. But keep us posted, please!
m
I put a simple ScreenLock.xml to test the MDM, and of my 40-ish hosts so far, the first 6 have failed. How can I start troubleshooting and tracking down what the issue might be? Is there an FAQ with 'Common Issues' or 'Troubleshooting steps'?
b
Can you share the device profile you're using?
m
2024-03-14_ScreenLock.xml
Oh, I already see the issue. The LocURI. I assume that would be the cause.
b
Not sure but I can test it as well.
m
@Brock Walters is there documentation that says the requirements for a machine to be MDM enrolled? I see a host is currently online, but MDM status says 'Off' while others do say they are 'On' and point at my Fleet instance. Is there also a command I can run (even if it's on the host) to determine if the XML can apply, and if MDM took?
b
https://fleetdm.com/guides/windows-mdm-setup#microsoft-azure-active-directory-ad Hard to say about the different status results. Would have to look at logs, because there are possible explanations for all of it. There isn't anything I know of for Windows that validates the device profile (it totally may exist). For Mac I might suggest Low Profile for that. I am going to test your profile & see if I can talk to someone in engineering about it if it's not working.
m
I just did a test with a known good one, and it seemed to have finally picked up on some devices. It's probably the failed config that did that. It would be nice if there was something that was more transparent that said 'config is not valid'. I didn't see any clear spots that listed out the errors either. I clicked on the failed host's entry and I saw nothing.
I appreciate all your help, you got me to the point that I realized it was my fault haha.
b
Agree. There are status types for the profiles & I think we can do better at surfacing those
m
I saw that, but it called out specifically Intune licensing, which we don't have or (ideally) want to use. We hope to leverage a combination of Fleet, GPOs and Chef to get machines to do what we want.
b
The codes are the same values regardless.
Would you mind posting the one that worked?
m
2024-03-13_ScreenLock.xml
Coming back to this, it seems that all my hosts have decided they don't want to be MDM enrolled anymore. I only see 3 hosts, when before I had over 50 enrolled and validated. Under the Fleet MDM provider on Windows, I am able to sync, but from the UI, it says no MDM. Is there any other trick I can do? I do have Chef if I need to push out a new MSI, but aside from the MDM, the hosts are doing just fine in Fleet.
To add to the above, I just added a new host to Fleet via the same installer, and it enrolled in MDM perfectly fine. Shows in Web UI and everything. Any insight would be most appreciated.