Don't expire iOS devices prematurely #25436
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #25436 +/- ##
==========================================
+ Coverage 63.57% 63.59% +0.01%
==========================================
Files 1619 1619
Lines 154836 154992 +156
Branches 3994 3994
==========================================
+ Hits 98436 98562 +126
- Misses 48638 48660 +22
- Partials 7762 7770 +8
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
lucasmrod
reviewed
Jan 16, 2025
Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
lucasmrod
approved these changes
Jan 16, 2025
dantecatalfamo
added a commit
that referenced
this pull request
Jan 17, 2025
#25406 The `last_seen_times` table is only updates when osquery hits one of its authenticated endpoints, meaning it isn't updated when devices without osquery, like iphones, are enrolled. I've left a [comment](#25406 (comment)) on the original issue explaining how this happens. Originally, if there was no `last_seen_time`, the fallback value would be the `created_at` value on the `hosts` table, so ios devices would always get deleted once they were added X number of days ago. In its place, I've added the `detail_updated_at` column on the `hosts` table as the fallback value, and only use `created_at` if that is also empty. `detail_updated_at` is updated every time a full detail refetch completes. In the case of ios/ipados, [this is done using MDM](https://github.com/fleetdm/fleet/blob/cd5c0e8aed10664458f597b5d9600dd20bf3fdac/server/service/apple_mdm.go#L3101). `detail_updated_at` is updated less frequently than `last_seen_times`, only once every hour or so instead of every 30 seconds, but since expiration policies are set on the scale of days instead of hours, this should be fine. The way I've QA'd this is by adding an iOS device to my fleet instance, waited 24 hours, and set the expiration policy to 24 hours.
lukeheath
pushed a commit
that referenced
this pull request
Jan 17, 2025
#25406 The `last_seen_times` table is only updates when osquery hits one of its authenticated endpoints, meaning it isn't updated when devices without osquery, like iphones, are enrolled. I've left a [comment](#25406 (comment)) on the original issue explaining how this happens. Originally, if there was no `last_seen_time`, the fallback value would be the `created_at` value on the `hosts` table, so ios devices would always get deleted once they were added X number of days ago. In its place, I've added the `detail_updated_at` column on the `hosts` table as the fallback value, and only use `created_at` if that is also empty. `detail_updated_at` is updated every time a full detail refetch completes. In the case of ios/ipados, [this is done using MDM](https://github.com/fleetdm/fleet/blob/cd5c0e8aed10664458f597b5d9600dd20bf3fdac/server/service/apple_mdm.go#L3101). `detail_updated_at` is updated less frequently than `last_seen_times`, only once every hour or so instead of every 30 seconds, but since expiration policies are set on the scale of days instead of hours, this should be fine. The way I've QA'd this is by adding an iOS device to my fleet instance, waited 24 hours, and set the expiration policy to 24 hours.
lukeheath
pushed a commit
that referenced
this pull request
Jan 17, 2025
#25406 The `last_seen_times` table is only updates when osquery hits one of its authenticated endpoints, meaning it isn't updated when devices without osquery, like iphones, are enrolled. I've left a [comment](#25406 (comment)) on the original issue explaining how this happens. Originally, if there was no `last_seen_time`, the fallback value would be the `created_at` value on the `hosts` table, so ios devices would always get deleted once they were added X number of days ago. In its place, I've added the `detail_updated_at` column on the `hosts` table as the fallback value, and only use `created_at` if that is also empty. `detail_updated_at` is updated every time a full detail refetch completes. In the case of ios/ipados, [this is done using MDM](https://github.com/fleetdm/fleet/blob/cd5c0e8aed10664458f597b5d9600dd20bf3fdac/server/service/apple_mdm.go#L3101). `detail_updated_at` is updated less frequently than `last_seen_times`, only once every hour or so instead of every 30 seconds, but since expiration policies are set on the scale of days instead of hours, this should be fine. The way I've QA'd this is by adding an iOS device to my fleet instance, waited 24 hours, and set the expiration policy to 24 hours.
lukeheath
pushed a commit
that referenced
this pull request
Jan 17, 2025
#25406 The `last_seen_times` table is only updates when osquery hits one of its authenticated endpoints, meaning it isn't updated when devices without osquery, like iphones, are enrolled. I've left a [comment](#25406 (comment)) on the original issue explaining how this happens. Originally, if there was no `last_seen_time`, the fallback value would be the `created_at` value on the `hosts` table, so ios devices would always get deleted once they were added X number of days ago. In its place, I've added the `detail_updated_at` column on the `hosts` table as the fallback value, and only use `created_at` if that is also empty. `detail_updated_at` is updated every time a full detail refetch completes. In the case of ios/ipados, [this is done using MDM](https://github.com/fleetdm/fleet/blob/cd5c0e8aed10664458f597b5d9600dd20bf3fdac/server/service/apple_mdm.go#L3101). `detail_updated_at` is updated less frequently than `last_seen_times`, only once every hour or so instead of every 30 seconds, but since expiration policies are set on the scale of days instead of hours, this should be fine. The way I've QA'd this is by adding an iOS device to my fleet instance, waited 24 hours, and set the expiration policy to 24 hours.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
#25406
The
last_seen_timestable is only updates when osquery hits one of its authenticated endpoints, meaning it isn't updated when devices without osquery, like iphones, are enrolled. I've left a comment on the original issue explaining how this happens. Originally, if there was nolast_seen_time, the fallback value would be thecreated_atvalue on thehoststable, so ios devices would always get deleted once they were added X number of days ago.In its place, I've added the
detail_updated_atcolumn on thehoststable as the fallback value, and only usecreated_atif that is also empty.detail_updated_atis updated every time a full detail refetch completes. In the case of ios/ipados, this is done using MDM.detail_updated_atis updated less frequently thanlast_seen_times, only once every hour or so instead of every 30 seconds, but since expiration policies are set on the scale of days instead of hours, this should be fine.The way I've QA'd this is by adding an iOS device to my fleet instance, waited 24 hours, and set the expiration policy to 24 hours.
Big thanks to @gillespi314 for helping me navigate the MDM internals!
changes/,orbit/changes/oree/fleetd-chrome/changes.See Changes files for more information.
SELECT *is avoided, SQL injection is prevented (using placeholders for values in statements)