Ticket: 251633 - Critical Bug: Bulk Assignment in Security -> Active Rules not applying properly.

Status: Success
Submitted By: BiosPlus
Submitted On: 2023-11-17
Last Updated: 2023-11-23
Discussion Thread: Link

Ticket Summary / Initial Message:

Heyo team,

I’ve found a rather critical bug in the application/assignment of active security rules.

A few months ago I found that there were many rules which were not applying to our whole fleet. This was not a problem, because the assignment/scope was to half of our fleet, as was desired by the previous team caretaking the MDM. However, at the time I used the Bulk Assignment function to reassign them to ‘All Current and Future Devices’.

A few months on, I’ve found that those rules, while saying they’re scoped to All Current and Future Devices, are actually still only applying/being tracked against the previous assignment.

Here is a list of the rules where this effect can be observed (on my tenancy):

  • Disable accounts after 35 days of inactivity
  • Disable Root login
  • Enable ‘Show Wi-Fi status in menu bar’
  • Enable Auto Update
  • Enable Library Validation
  • Enable Signed System Volume
  • Enable system security update installs
  • Enable time synchronization daemon (timed)
  • Enable to download new updates when available
  • Enforce screen saver at login window
  • Password: Don’t allow simple value.
  • Set Sudo timeout to 0
  • System Integrity Protection (SIP) is Enabled
  • Validate Install.log is retained for 365 days

For clarity, each of these states it is scoped to all devices, but they are only being checked against ~46 out of the 98 total in our fleet. Please feel free to jump into our instance and take a look. I’m not concerned about fixing them, as I’ve tested that a rule with this issue can be remediated by going back into the assignment and doing a save; I’m more concerned if there are other customers who may be experiencing the same without knowing.


Updates

2023-11-23

Mosyle resolved the matter and updated their assignment functionality to address the issue. Solved!