Add real-time device enrollment notifications via AMAPI Pub/Sub. #129
simonkagwi wants to merge 5 commits into main from
Conversation
Co-authored-by: Simon Kagwi <skagwi@caktusgroup.com>
46baa41 to 74eeb85
tobiasmcnulty left a comment
Hi @simonkagwi, thanks for your quick work on this! I got through partially testing and had some questions, which I'll leave below. Happy to sync up on a meet sometime too if that's easier.
```python
logger = structlog.getLogger(__name__)

class Command(BaseCommand):
```
Nice management command! I got as far as running this and confirming it was set up, but I ran out of time and wasn't able to test enrolling a device.
Thinking ahead to multi-enterprise support, I wonder if we could separate the "admin-type" privileges to some CLI commands that a developer user needs to execute in the documentation (potentially from their own machine), and then have the PATCH on the enterprise happen elsewhere (even automatically) in the code. What do you think?
I also wasn't clear if it would be better to have unique topics for each local dev environment and/or deployed environment...as I understand, this creates a single topic, but "off topic" notifications (as per the shared secret) are simply ignored?
Yes, we create a single topic and subscription, then off-topic notifications (not of type "ENROLLMENT" or "STATUS_REPORT", or device name does not start with the configured enterprise name) are ignored. For requests without the correct shared secret we return a 403.
For multi-enterprise support, we can keep the management command and have it do only the first 3 steps which are not enterprise-specific (create a topic and subscription, maybe with settings.ENVIRONMENT appended to their names, and grant Android Device Policy permission to publish to the topic). Then once the self-service enrollment PR is merged, we can automatically patch the enterprise when its enrollment is completed in the enterprise_callback view, and update the view that handles notifications to create an AndroidEnterprise object based on the device name. Something like this:
```python
device_name = device_data.get("name", "")
# "enterprises/<id>/devices/<id>": the first two segments name the enterprise
enterprise_name = "/".join(device_name.split("/")[:2])
account = AndroidEnterpriseAccount.objects.filter(enterprise_name=enterprise_name).first()
if account is None:  # unknown enterprise: ignore as off-topic
    return
mdm = get_active_mdm_instance(organization=account.organization)
```
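As an added illustration of the checks described in this thread (not code from this PR), a framework-free handler for one Pub/Sub push request: shared-secret check first, then notification type, then the enterprise derived from the device name. It assumes the shared secret arrives in an `X-Pubsub-Secret` header, that AMAPI carries the notification type in the message attributes and the base64 data payload is the Device resource JSON; the settings, enterprise id and sample messages are constructed.

```python
import base64
import hmac
import json

# Constructed stand-ins for the project's settings (assumptions, not the real values).
PUBSUB_SHARED_SECRET = "constructed-shared-secret"
ENTERPRISE_NAME = "enterprises/LC0example"
ACCEPTED_TYPES = {"ENROLLMENT", "STATUS_REPORT"}


def handle_push(headers: dict, body: bytes) -> tuple[int, str]:
    """Validate one Pub/Sub push request and return (http_status, detail).

    403 for a bad shared secret; 200 with an "ignored: ..." reason for off-topic
    or malformed messages (acknowledged so Pub/Sub does not redeliver them);
    200 with the device name when the notification should be processed.
    """
    # Assumption: the shared secret is sent in a request header. Compare in
    # constant time so the check does not leak the secret via timing.
    presented = headers.get("X-Pubsub-Secret", "")
    if not hmac.compare_digest(presented, PUBSUB_SHARED_SECRET):
        return 403, "bad shared secret"
    try:
        message = json.loads(body)["message"]
        # Assumption: AMAPI puts the notification type in the message
        # attributes and the base64 data payload is the Device resource JSON.
        notification_type = message.get("attributes", {}).get("notificationType", "")
        device_data = json.loads(base64.b64decode(message.get("data", "")) or b"{}")
        device_name = device_data.get("name", "")
    except (ValueError, KeyError, TypeError, AttributeError):
        return 200, "ignored: malformed message"
    if notification_type not in ACCEPTED_TYPES:
        return 200, f"ignored: notification type {notification_type!r}"
    # "enterprises/<id>/devices/<id>": the first two segments name the enterprise.
    enterprise_name = "/".join(device_name.split("/")[:2])
    if enterprise_name != ENTERPRISE_NAME:
        return 200, f"ignored: off-topic device {device_name!r}"
    return 200, device_name


def make_push(device_name: str, notification_type: str = "ENROLLMENT") -> bytes:
    """Build a constructed Pub/Sub push body carrying a Device resource (sample data)."""
    device = json.dumps({"name": device_name, "state": "ACTIVE"}).encode()
    envelope = {"message": {"attributes": {"notificationType": notification_type},
                            "data": base64.b64encode(device).decode(), "messageId": "1"},
                "subscription": "projects/example/subscriptions/constructed"}
    return json.dumps(envelope).encode()
```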
I've made these changes in 906bbdd. For now, to patch the enterprise resource after running the management command, run this in a Django shell:

```python
from apps.mdm.mdms import AndroidEnterprise

AndroidEnterprise().patch_enterprise_pubsub()
```

When multi-enterprise support is added, we can run `patch_enterprise_pubsub()` in the `enterprise_callback` view after successful enterprise enrollment.
This PR adds real-time notifications for device enrollments when using the Android Enterprise MDM. When a new device is enrolled, Publish MDM will get a notification via Google Pub/Sub, a `Device` will be created in the database, and a device-specific policy will be created if the device's fleet has a default app user.