diff --git a/cmd/fleet/serve.go b/cmd/fleet/serve.go index 826b700d989f..d6a43bbb317d 100644 --- a/cmd/fleet/serve.go +++ b/cmd/fleet/serve.go @@ -553,8 +553,8 @@ the way that the Fleet server works. wstepCertManager microsoft_mdm.CertManager ) - // Configuring WSTEP certs if Windows MDM feature flag is enabled - if configpkg.IsMDMFeatureFlagEnabled() && config.MDM.IsMicrosoftWSTEPSet() { + // Configuring WSTEP certs + if config.MDM.IsMicrosoftWSTEPSet() { _, crtPEM, keyPEM, err := config.MDM.MicrosoftWSTEP() if err != nil { initFatal(err, "validate Microsoft WSTEP certificate and key") diff --git a/cmd/fleetctl/apply_test.go b/cmd/fleetctl/apply_test.go index 0b0056c23056..6e8dc0913be8 100644 --- a/cmd/fleetctl/apply_test.go +++ b/cmd/fleetctl/apply_test.go @@ -14,7 +14,6 @@ import ( "path/filepath" "sort" "strconv" - "strings" "sync" "testing" "time" @@ -820,8 +819,6 @@ func mobileconfigForTest(name, identifier string) []byte { } func TestApplyAsGitOps(t *testing.T) { - t.Setenv("FLEET_DEV_MDM_ENABLED", "1") - enqueuer := new(nanomdm_mock.Storage) license := &fleet.LicenseInfo{Tier: fleet.TierPremium, Expiration: time.Now().Add(24 * time.Hour)} @@ -2998,17 +2995,6 @@ spec: `, macSetupFile), wantErr: `macOS MDM isn't turned on.`, }, - { - desc: "app config enable windows mdm without feature flag", - spec: ` -apiVersion: v1 -kind: config -spec: - mdm: - windows_enabled_and_configured: true -`, - wantErr: `422 Validation Failed: cannot enable Windows MDM without the feature flag explicitly enabled`, - }, { desc: "app config enable windows mdm without WSTEP", spec: ` 
@@ -3030,12 +3016,6 @@ spec: license := &fleet.LicenseInfo{Tier: fleet.TierPremium, Expiration: time.Now().Add(24 * time.Hour)} for _, c := range cases { t.Run(c.desc, func(t *testing.T) { - // bit hacky, but since the env var is temporary while Windows MDM is in beta, - // didn't want to add a field to the test cases just for this. - if strings.Contains(c.desc, "WSTEP") { - t.Setenv("FLEET_DEV_MDM_ENABLED", "1") - } - _, ds := runServerWithMockedDS(t, &service.TestServerOpts{License: license}) setupDS(ds) filename := writeTmpYml(t, c.spec) diff --git a/server/config/config.go b/server/config/config.go index 62254ba4f176..58f520cd0719 100644 --- a/server/config/config.go +++ b/server/config/config.go @@ -1741,13 +1741,3 @@ func SetTestMDMConfig(t testing.TB, cfg *FleetConfig, cert, key []byte, appleBMT t.Fatal(err) } } - -// Undocumented feature flag for Windows MDM, used to determine if the Windows -// MDM feature is visible in the UI and can be enabled. More details here: -// https://github.com/fleetdm/fleet/issues/12257 -// -// TODO: remove this flag once the Windows MDM feature is ready for -// release. -func IsMDMFeatureFlagEnabled() bool { - return os.Getenv("FLEET_DEV_MDM_ENABLED") == "1" -} diff --git a/server/fleet/app.go b/server/fleet/app.go index 98580abad39e..4f62e24713b3 100644 --- a/server/fleet/app.go +++ b/server/fleet/app.go 
@@ -172,10 +172,7 @@ type MDM struct { // AtLeastOnePlatformEnabledAndConfigured returns true if at least one supported platform // (macOS or Windows) has MDM enabled and configured. func (m MDM) AtLeastOnePlatformEnabledAndConfigured() bool { - // explicitly check for the feature flag to account for the edge case of: - // 1. FF enabled, windows is turned on - // 2. FF disabled on server restart - return m.EnabledAndConfigured || (config.IsMDMFeatureFlagEnabled() && m.WindowsEnabledAndConfigured) + return m.EnabledAndConfigured || m.WindowsEnabledAndConfigured } // versionStringRegex is used to validate that a version string is in the x.y.z diff --git a/server/fleet/app_test.go b/server/fleet/app_test.go index 79ac1847fa6f..c37a09e14f93 100644 --- a/server/fleet/app_test.go +++ b/server/fleet/app_test.go 
@@ -233,75 +233,36 @@ func TestAtLeastOnePlatformEnabledAndConfigured(t *testing.T) { name string macOSEnabledAndConfigured bool windowsEnabledAndConfigured bool - isMDMFeatureFlagEnabled bool expectedResult bool }{ { - name: "None enabled, feature flag disabled", + name: "None enabled", macOSEnabledAndConfigured: false, windowsEnabledAndConfigured: false, - isMDMFeatureFlagEnabled: false, expectedResult: false, }, { - name: "MacOS enabled, feature flag disabled", + name: "MacOS enabled", macOSEnabledAndConfigured: true, windowsEnabledAndConfigured: false, - isMDMFeatureFlagEnabled: false, expectedResult: true, }, { - name: "Windows enabled, feature flag disabled", - macOSEnabledAndConfigured: false, - windowsEnabledAndConfigured: true, - isMDMFeatureFlagEnabled: false, - expectedResult: false, - }, - { - name: "Both enabled, feature flag disabled", + name: "Both enabled", macOSEnabledAndConfigured: true, windowsEnabledAndConfigured: true, - isMDMFeatureFlagEnabled: false, - expectedResult: true, - }, - { - name: "None enabled, feature flag enabled", - macOSEnabledAndConfigured: false, - windowsEnabledAndConfigured: false, - isMDMFeatureFlagEnabled: true, - expectedResult: false, - }, - { - name: "MacOS enabled, feature flag enabled", - macOSEnabledAndConfigured: true, - windowsEnabledAndConfigured: false, - isMDMFeatureFlagEnabled: true, expectedResult: true, }, { - name: "Windows enabled, feature flag enabled", + name: "Windows enabled", macOSEnabledAndConfigured: false, windowsEnabledAndConfigured: true, - isMDMFeatureFlagEnabled: true, - expectedResult: true, - }, - { - name: "Both enabled, feature flag enabled", - macOSEnabledAndConfigured: true, - windowsEnabledAndConfigured: true, - isMDMFeatureFlagEnabled: true, expectedResult: true, }, } for _, test := range tests { t.Run(test.name, func(t *testing.T) { - if test.isMDMFeatureFlagEnabled { - t.Setenv("FLEET_DEV_MDM_ENABLED", "1") - } else { - t.Setenv("FLEET_DEV_MDM_ENABLED", "0") - } - mdm := MDM{ 
EnabledAndConfigured: test.macOSEnabledAndConfigured, WindowsEnabledAndConfigured: test.windowsEnabledAndConfigured, diff --git a/server/service/appconfig.go b/server/service/appconfig.go index 97dbdb24d17d..2cedcfc60fc1 100644 --- a/server/service/appconfig.go +++ b/server/service/appconfig.go @@ -17,7 +17,6 @@ import ( "github.com/fleetdm/fleet/v4/pkg/rawjson" "github.com/fleetdm/fleet/v4/server" "github.com/fleetdm/fleet/v4/server/authz" - "github.com/fleetdm/fleet/v4/server/config" authz_ctx "github.com/fleetdm/fleet/v4/server/contexts/authz" "github.com/fleetdm/fleet/v4/server/contexts/ctxerr" "github.com/fleetdm/fleet/v4/server/contexts/license" @@ -50,17 +49,6 @@ type appConfigResponseFields struct { // SandboxEnabled is true if fleet serve was ran with server.sandbox_enabled=true SandboxEnabled bool `json:"sandbox_enabled,omitempty"` Err error `json:"error,omitempty"` - - // MDMEnabled is true if fleet serve was started with - // FLEET_DEV_MDM_ENABLED=1. - // - // Undocumented feature flag for Windows MDM, used to determine if the - // Windows MDM feature is visible in the UI and can be enabled. More details - // here: https://github.com/fleetdm/fleet/issues/12257 - // - // TODO: remove this flag once the Windows MDM feature is ready for - // release. - MDMEnabled bool `json:"mdm_enabled,omitempty"` } // UnmarshalJSON implements the json.Unmarshaler interface to make sure we serialize @@ -185,7 +173,6 @@ func getAppConfigEndpoint(ctx context.Context, request interface{}, svc fleet.Se Logging: loggingConfig, Email: emailConfig, SandboxEnabled: svc.SandboxEnabled(), - MDMEnabled: config.IsMDMFeatureFlagEnabled(), }, } return response, nil 
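Review bot: Dropping `MDMEnabled` from `appConfigResponseFields` removes the `mdm_enabled` key from the `/api/latest/fleet/config` response, which is an API-surface change even though the field was marked undocumented; any frontend or fleetctl code that still reads `mdm_enabled` to decide whether Windows MDM is visible will now treat it as absent. Nothing in this diff touches a consumer of that key, so either it was already removed elsewhere or a companion change is needed — worth confirming before merge. The `@@ -185` and `@@ -242` hunks in this file are the producer-side removals of the same field and need no separate comment.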
@@ -242,9 +229,8 @@ func modifyAppConfigEndpoint(ctx context.Context, request interface{}, svc fleet response := appConfigResponse{ AppConfig: *appConfig, appConfigResponseFields: appConfigResponseFields{ - License: license, - Logging: loggingConfig, - MDMEnabled: config.IsMDMFeatureFlagEnabled(), + License: license, + Logging: loggingConfig, }, } @@ -732,12 +718,6 @@ func (svc *Service) validateMDM( } // Windows validation - if !config.IsMDMFeatureFlagEnabled() { - if mdm.WindowsEnabledAndConfigured { - invalid.Append("mdm.windows_enabled_and_configured", "cannot enable Windows MDM without the feature flag explicitly enabled") - return - } - } if !svc.config.MDM.IsMicrosoftWSTEPSet() { if mdm.WindowsEnabledAndConfigured { invalid.Append("mdm.windows_enabled_and_configured", "Couldn't turn on Windows MDM. Please configure Fleet with a certificate and key pair first.") diff --git a/server/service/integration_core_test.go b/server/service/integration_core_test.go index 8e7bbef5184c..b5b4488d657e 100644 --- a/server/service/integration_core_test.go +++ b/server/service/integration_core_test.go @@ -4977,7 +4977,6 @@ func (s *integrationTestSuite) TestAppConfig() { assert.Equal(t, "free", acResp.License.Tier) assert.Equal(t, "FleetTest", acResp.OrgInfo.OrgName) // set in SetupSuite assert.False(t, acResp.MDM.AppleBMTermsExpired) - assert.False(t, acResp.MDMEnabled) // set the apple BM terms expired flag, and the enabled and configured flags, // we'll check again at the end of this test to make sure they weren't @@ -5006,7 +5005,6 @@ func (s *integrationTestSuite) TestAppConfig() { }`), http.StatusOK, &acResp) assert.Equal(t, "test", acResp.OrgInfo.OrgName) assert.True(t, acResp.MDM.AppleBMTermsExpired) - assert.False(t, acResp.MDMEnabled) // the global agent options were not modified by the last call, so the // corresponding activity should not have been created. 
@@ -5198,13 +5196,13 @@ func (s *integrationTestSuite) TestAppConfig() { "mdm": { "apple_bm_default_team": "xyz" } }`), http.StatusUnprocessableEntity, &acResp) - // try to enable Windows MDM, impossible without the feature flag + // try to enable Windows MDM, impossible without the WSTEP certs // (only set in mdm integrations tests) res = s.Do("PATCH", "/api/latest/fleet/config", json.RawMessage(`{ "mdm": { "windows_enabled_and_configured": true } }`), http.StatusUnprocessableEntity) errMsg = extractServerErrorText(res.Body) - assert.Contains(t, errMsg, "cannot enable Windows MDM without the feature flag explicitly enabled") + assert.Contains(t, errMsg, "Please configure Fleet with a certificate and key pair first.") // verify that the Apple BM terms expired flag was never modified acResp = appConfigResponse{} diff --git a/server/service/integration_mdm_test.go b/server/service/integration_mdm_test.go index e83932e40a56..195f6d978680 100644 --- a/server/service/integration_mdm_test.go +++ b/server/service/integration_mdm_test.go @@ -63,8 +63,6 @@ import ( ) func TestIntegrationsMDM(t *testing.T) { - t.Setenv("FLEET_DEV_MDM_ENABLED", "1") - testingSuite := new(integrationMDMTestSuite) testingSuite.s = &testingSuite.Suite suite.Run(t, testingSuite) @@ -2493,16 +2491,9 @@ func (s *integrationMDMTestSuite) TestDiskEncryptionSharedSetting() { s.Do("POST", "/api/latest/fleet/spec/teams", teamSpecs, http.StatusOK) } - // 1. disable both windows and mac mdm - // 2. turn off windows feature flag + // disable both windows and mac mdm // we should get an error setMDMEnabled(false, false) - t.Setenv("FLEET_DEV_MDM_ENABLED", "0") - checkConfigSetErrors() - - // turn on windows feature flag - // we should get an error - t.Setenv("FLEET_DEV_MDM_ENABLED", "1") checkConfigSetErrors() // enable windows mdm, no errors 
@@ -6646,7 +6637,6 @@ func (s *integrationMDMTestSuite) TestAppConfigWindowsMDM() { // the feature flag is enabled for the MDM test suite var acResp appConfigResponse s.DoJSON("GET", "/api/latest/fleet/config", nil, http.StatusOK, &acResp) - assert.True(t, acResp.MDMEnabled) assert.False(t, acResp.MDM.WindowsEnabledAndConfigured) // create a couple teams @@ -6694,7 +6684,6 @@ func (s *integrationMDMTestSuite) TestAppConfigWindowsMDM() { "mdm": { "windows_enabled_and_configured": true } }`), http.StatusOK, &acResp) assert.True(t, acResp.MDM.WindowsEnabledAndConfigured) - assert.True(t, acResp.MDMEnabled) s.lastActivityOfTypeMatches(fleet.ActivityTypeEnabledWindowsMDM{}.ActivityName(), `{}`, 0) // get the orbit config for each host, verify that only the expected ones diff --git a/server/service/orbit.go b/server/service/orbit.go index 017b530a2f2c..b4b1f63244ed 100644 --- a/server/service/orbit.go +++ b/server/service/orbit.go @@ -8,7 +8,6 @@ import ( "time" "github.com/fleetdm/fleet/v4/server" - "github.com/fleetdm/fleet/v4/server/config" "github.com/fleetdm/fleet/v4/server/contexts/ctxerr" hostctx "github.com/fleetdm/fleet/v4/server/contexts/host" "github.com/fleetdm/fleet/v4/server/contexts/license" @@ -218,7 +217,7 @@ func (svc *Service) GetOrbitConfig(ctx context.Context) (fleet.OrbitConfig, erro notifs.NeedsProgrammaticWindowsMDMEnrollment = true } } - if config.IsMDMFeatureFlagEnabled() && !appConfig.MDM.WindowsEnabledAndConfigured { + if !appConfig.MDM.WindowsEnabledAndConfigured { if host.IsEligibleForWindowsMDMUnenrollment() { notifs.NeedsProgrammaticWindowsMDMUnenrollment = true } @@ -271,8 +270,7 @@ func (svc *Service) GetOrbitConfig(ctx context.Context) (fleet.OrbitConfig, erro } } - if config.IsMDMFeatureFlagEnabled() && - mdmConfig.EnableDiskEncryption && + if mdmConfig.EnableDiskEncryption && host.IsEligibleForBitLockerEncryption() { notifs.EnforceBitLockerEncryption = true } 
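Review bot: The context comment `// the feature flag is enabled for the MDM test suite` that opens this hunk is now stale: the commit deletes `FLEET_DEV_MDM_ENABLED` and `IsMDMFeatureFlagEnabled`, so there is no flag to be enabled and the comment will mislead the next reader. Reword it to describe what the suite actually relies on, e.g. `// the MDM test suite runs with WSTEP certs configured, so Windows MDM can be turned on`, or drop it. `TestAppConfigWindowsMDM` begins before this hunk.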
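Review bot: In the `@@ -218` hunk of orbit.go the `!appConfig.MDM.WindowsEnabledAndConfigured` branch now runs for every deployment, so any server with Windows MDM turned off will set `NeedsProgrammaticWindowsMDMUnenrollment` for hosts that `IsEligibleForWindowsMDMUnenrollment()` reports eligible, where previously only flag-enabled servers did. That is presumably the intended GA behaviour, but it is a host-affecting change on upgrade and deserves a release note; the eligibility conditions live outside the hunk, so it is worth double-checking that only hosts enrolled in Fleet's own MDM can match. `GetOrbitConfig` continues on both sides of the hunk.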
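Review bot: After the flag removal the two BitLocker paths in orbit.go are guarded differently: the `@@ -271` hunk sets `EnforceBitLockerEncryption` on `mdmConfig.EnableDiskEncryption && host.IsEligibleForBitLockerEncryption()` alone, while the `@@ -308` hunk additionally requires `appConfig.MDM.WindowsEnabledAndConfigured`. Unless the team-scoped branch is already nested inside a Windows-MDM-enabled check earlier in `GetOrbitConfig` (not visible here), a team with disk encryption enabled could push BitLocker enforcement to a host while Windows MDM is off; if the global guard is the intended one, mirror it here: `if appConfig.MDM.WindowsEnabledAndConfigured && mdmConfig.EnableDiskEncryption &&`. The function starts and ends outside both hunks.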
@@ -308,7 +306,6 @@ func (svc *Service) GetOrbitConfig(ctx context.Context) (fleet.OrbitConfig, erro } if appConfig.MDM.WindowsEnabledAndConfigured && - config.IsMDMFeatureFlagEnabled() && appConfig.MDM.EnableDiskEncryption.Value && host.IsEligibleForBitLockerEncryption() { notifs.EnforceBitLockerEncryption = true diff --git a/terraform/addons/mdm/outputs.tf b/terraform/addons/mdm/outputs.tf index 90dbc56a28de..485b3f3e9fed 100644 --- a/terraform/addons/mdm/outputs.tf +++ b/terraform/addons/mdm/outputs.tf @@ -1,3 +1,4 @@ +// TODO: the feature flag here should also be removed, maybe in a distinct PR (reviewed by infra) output "extra_environment_variables" { value = merge(var.enable_apple_mdm == false ? {} : { FLEET_MDM_APPLE_SERVER_ADDRESS = var.public_domain_name