Solutions
Device management
Remotely manage, and protect laptops and mobile devices.
Orchestration
Automate tasks across devices, from app installs to scripts.
Software management
Inventory, patch, and manage installed software.
Extend Fleet
Integrate your favorite tools with Fleet.
Customers
Stripe + Fleet
Stripe consolidates multiple tools with Fleet.
Foursquare + Fleet
Foursquare quickly migrates to Fleet for device management.
What people are saying
Stories from the Fleet community.
Pricing
More
Sysadmin diaries: restoring fleetd
{{articleSubtitle}}
JD Strong
Docs
REST API
Guides
Get a demo
Suggest an edit
Sysadmin diaries: restoring fleetd
{{articleSubtitle}}
JD Strong
Sysadmin diaries: restoring fleetd
As a sysadmin, unexpected challenges are part of the job. In our last diary installment, we discussed the methods of device enrollment. Today, we tackle a new challenge: a surly employee has deleted the fleetd files from their device. What happens next? Can we restore the fleetd agent using Mobile Device Management (MDM) commands? In this post, we’ll explore various methods to tackle this situation and ensure your fleet of devices remains secure and compliant.
What is fleetd and why it matters
Fleetd is a suite of agents Fleet provides to collect and manage information about your devices. It includes osquery, Orbit, Fleet Desktop, and the fleetd Chrome extension. These tools help you maintain visibility and control over your device fleet.
Scenario: the surly employee deletion
Imagine a disgruntled employee deleting the fleetd files from their device. This disruptive act can hinder your ability to manage the device and potentially compromise security. Fortunately, you can reinstall the fleetd agent and restore order with the right MDM commands. It's important to note that ADE (Automated Device Enrollment) enrollment ensures we can maintain control of the laptop and still send MDM commands to the host, such as remote lock or wipe.
Solutions and commands
There are several approaches to reinstall the fleetd agent using MDM commands:
1. Resending the fleetd configuration profile
One potential solution is to resend the fleetd configuration profile. The new feature for resending profiles makes this easy to accomplish through the MDM interface.
2. Wipe the device
A more extreme method is wiping the device, which performs an Erase All Contents and Settings (EACS). This wipes and resets the laptop by erasing the user-data volume, returning the device to an "out-of-box" experience. This process avoids reinstalling macOS, making it a quick and efficient solution but probably an aggressive action.
3. Sending the install command
By default, the install profile is not sent after the first enrollment. However, you can manually send a command to reinstall fleetd. Here is the XML command for macOS:
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Command</key>
<dict>
<key>ManifestURL</key>
<string>https://download.fleetdm.com/fleetd-base-manifest.plist</string>
<key>RequestType</key>
<string>InstallEnterpriseApplication</string>
</dict>
<key>CommandUUID</key>
<string>adc1bc23-abec-4499-b57f-c8755c7ffe3c</string>
</dict>
</plist>To run this command, use the following fleetctl command:
fleetctl mdm run-command --hosts=HOST_IDENTIFIER --payload=path/to/file.xmlFor Windows, the process involves two steps. First, add the profile using gitops or the UI:
<Add>
<CmdID>addCommandUUID</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/%7BA427C0AA-E2D5-40DF-ACE8-0D726A6BE096%7D/DownloadInstall</LocURI>
</Target>
</Item>
</Add>Then, execute the command using fleetctl:
<Exec>
<CmdID>execCommandUUID</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/%7BA427C0AA-E2D5-40DF-ACE8-0D726A6BE096%7D/DownloadInstall</LocURI>
</Target>
<Data>
<MsiInstallJob id="{A427C0AA-E2D5-40DF-ACE8-0D726A6BE096}">
<Product Version="1.0.0.0">
<Download>
<ContentURLList>
<ContentURL>https://download.fleetdm.com/fleetd-base.msi</ContentURL>
</ContentURLList>
</Download>
<Validation>
<FileHash>9F89C57D1B34800480B38BD96186106EB6418A82B137A0D56694BF6FFA4DDF1A</FileHash>
</Validation>
<Enforcement>
<CommandLine>/quiet FLEET_URL="REPLACE_WITH_FLEET_URL_HERE" FLEET_SECRET="REPLACE_WITH_FLEET_SECRET_HERE"</CommandLine>
<TimeOut>10</TimeOut>
<RetryCount>1</RetryCount>
<RetryInterval>5</RetryInterval>
</Enforcement>
</Product>
</MsiInstallJob>
</Data>
<Meta>
<Type xmlns="syncml:metinf">text/plain</Type>
<Format xmlns="syncml:metinf">xml</Format>
</Meta>
</Item>
</Exec>
Success story and experiment results
Recently, we conducted an experiment to test these methods. After executing the commands, we observed the device coming back online, confirming the effectiveness of these solutions. This successful experiment highlights the practicality of using MDM commands to restore the fleetd agent.
Conclusion
Dealing with the deletion of fleetd files by a surly employee can be a challenge. However, using MDM commands to resend configuration profiles, utilize the EACS, or manually send the install command can efficiently restore functionality and ensure device security. Documenting these processes further strengthens your device management capabilities and prepares you for any future disruptions.
SOC2 Type 2
