Hi all! Is there a way to leverage osquery to see ...
# fleetb
Billy H
02/24/2025, 4:21 PMHi all! Is there a way to leverage osquery to see when/why a MacOS device had it's MDM profiles removed? I had a device this morning un-enroll itself from the Fleet MDM profile it had configured and I can't find out why. There is no log in Fleet of MDM being disabled that I can tell
r
Rebecca Cowart
02/24/2025, 4:31 PM@Billy H Was the device offline for a long span of time?
b
Billy H
02/24/2025, 4:34 PMMaybe 48 hours from the weekend but otherwise nope! User was online and working just fine last week
Billy H
02/24/2025, 4:35 PMThe only reason we noticed was because his EDR solution showed a bunch of alerts that it didn't have proper permissions when he booted up this morning. (not alerts of intrusion or anything like that)
Billy H
02/24/2025, 4:36 PMAnd users are not admins so I don't think the user removed it themself
r
Rebecca Cowart
02/24/2025, 7:31 PM@Billy H Is there anything in the global Activity Feed that relates to this enrollment removal?
b
Billy H
02/24/2025, 7:34 PMNope! I can see where we added it back in
r
Rebecca Cowart
02/24/2025, 7:34 PM@Billy H Do you have anything set in your Agent Options that would adjust the host_expiry_settings, specifically the
host_expiry_windowb
Billy H
02/24/2025, 7:34 PMLemme check
Billy H
02/24/2025, 7:35 PMI do not!
r
Rebecca Cowart
02/24/2025, 7:47 PM@Billy H What version of Fleet are you running? What version of OS did the device update to?
b
Billy H
02/24/2025, 7:48 PMDevice updated to 15.3 but I'm not 100% sure that happened over the weekend. I'm on version 4.62.2
r
Rebecca Cowart
02/25/2025, 5:26 PM@Billy H Can you share the fleetd logs and see if there are any relevant errors?
b
Billy H
02/25/2025, 6:00 PMUnfortunately, it seems that the fleetd logs for the machine only catch the re-enrollment. Nothing before the re-enrollment
Billy H
02/25/2025, 6:10 PMWait I'm sorry I was reading the log incorrectly
Billy H
03/03/2025, 9:25 PMSorry for the delay, this error showed up a lot over the weekend that the MDM was removed
The application cannot be opened for an unexpected reason, error=*Error* Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0x60000175cbd0 {*Error* Domain=OSLaunchdErrorDomain Code=112 "Could not find specified domain" UserInfo={NSLocalizedFailureReason=Could not find specified domain}}}Billy H
03/03/2025, 9:26 PMOtherwise I don't see anything else in the log that would be related to this
r
Rebecca Cowart
03/06/2025, 4:55 PM@Billy H Have you rebooted Fleet since this error first started?
What OS version are you on?
2 Views