# fleet
b
I've placed the cert and key on the server and updated the configuration file. I've successfully turned on the MDM. However, my one and only client says that MDM Status is "off" and the "MDM Server URL" is blank on the client. What am I missing? On another note, I was able to successfully turn on the Apple MDM, so I'm not certain what the issue is. Thanks for any guidance.
d
Hey @Brad Johnson, so the host is otherwise communicating with the Fleet server? Updating vitals and all that?
b
Yes, that's correct. The host is listed as online, I can see that it was last "fetched" one hour ago, etc.
d
On the host itself, if you navigate to Settings > Accounts > Access work or school do you see if it says Connected to Fleet MDM?
b
It does not. I'm only connected to Active Directory locally, and I've also got an Azure account listed on that screen, however I/we do not use Azure as an MDM.
I have tried creating the key and crt on Windows using openssl, and I've also created them on Ubuntu, and neither seems to have made a difference. In my Ubuntu fleet.config file, located at /etc/fleet/ I added a section for mdm as follows:
mdm:
  windows_wstep_identity_cert: /etc/fleet/NameOfCert.crt
  windows_wstep_identity_key: /etc/fleet/NameOfKey.key
d
What version of Windows is this host running?
b
I actually have two hosts with the agent installed; one is Windows 10, the other is Windows 11. Neither one of them shows up as MDM-enabled.
d
Hmm... let's take a step back. Have you tried to pass the bytes of the certificate and key directly into your configuration by adding _bytes to the end of the key in your configuration?
b
I've not. I'm not sure how to do that necessarily. I created my config file by hand in Ubuntu. My file is fleet.config and here are the contents:
mysql:
  address: 127.0.0.1:3306
  database: fleet
  username: *******
  password: *******
redis:
  address: 127.0.0.1:6379
server:
  address: 0.0.0.0:4443
  cert: /etc/letsencrypt/live/NameOfMyServer/fullchain.pem
  key: /etc/letsencrypt/live/NameOfMyServer/privkey.pem
  websockets_allow_unsafe_origin: true
  private_key: **************
mdm:
  windows_wstep_identity_cert: /etc/fleet/fleet-mdm-win-wstep.crt
  windows_wstep_identity_key: /etc/fleet/fleet-mdm-win-wstep.key
When I tried with the _bytes added to the end, and pasted my key into the file, my nginx and/or fleet would not start.
d
Ok, and before you made that change you were able to turn on Windows MDM in the UI and not get an error message?
In Settings > Integrations > Mobile device management > Turn on Windows MDM
b
Hi Dale, yes. Prior to that change I was able to turn on MDM and not get an error message.
k
What version of Fleet are you running?
When I tried with the _bytes added to the end, and pasted my key into the file, my nginx and/or fleet would not start.
What errors did you see when Fleet would not start?
b
No errors from the Ubuntu command prompt environment; the web interface (MyServer:9443) shows 502 Bad Gateway, nginx/1.24.0 (Ubuntu). I am running Fleet 4.53.1.
@Dale Ribeiro @Kathy Satterlee Ok, I generated new certificates, I updated the fleet.config file and appear to have successfully passed in the _bytes for both the crt and the key. I generated a new agent, which included fleet desktop, enable-scripts, and included the fleet.pem certificate using the --fleet-certificate argument. I installed the agent on my test machine, and Fleet states that I still have no MDM agent. Any thoughts on what to try next?
Ok, I made some progress. I attempted to install the agent on a non-domain-joined computer. This computer also had my "work account" Office 365 account logged in (I only use Office; we don't have any MDM features available/enabled). I removed this account from the computer and I was then able to install the Fleet agent, and it does show up in my fleetdm server instance with the MDM status "On" and also shows the URL for my MDM server. So it appears that my issue is either related to being domain-joined and/or the work account Office 365 login.