Preflight clean_sync has no effect when no rules are sent.
#1255
Comments
|
Correct if a sync server sends zero rules we simply return out of the function without deleting the rules in the database. If you look at the lines below that check you'll see that we start a database transaction. It's in that transaction that we delete the rules from the database. Can you elaborate on what you're looking to do that would require sending zero rules? As you pointed out if you wanted to achieve this you could send a In general sending zero rules could be especially troublesome in lockdown mode as the client would effectively only be able to run critical system binaries or any static rules it has. |
|
The only use-case is for the test devices that are always being re-enrolled. The risks clearly outweigh the benefits. This is why I suggested maybe just adding a warning in the docs. |
|
Agreed this needs to be better documented. But wanted to make sure we weren't precluding a specific use case. |
|
This is addressed via #1259. Marking as closed. |
See:
santa/Source/santad/DataLayer/SNTRuleTable.m
Lines 408 to 411 in 2e69370
I think I understand the logic behind this. If there is a bug in the sync server, we do not want to wipe all the rules. It is also easy to fix on the server by just adding a single rule. It might be just a documentation issue ?
The text was updated successfully, but these errors were encountered: