Wait for CERT_INSTALL delegation to be available before attempting certificate enrollment

[getvictor]

Related issue: Resolves #43064

Checklist for submitter

• Changes file added for user-visible changes in changes/, orbit/changes/ or ee/fleetd-chrome/changes.

Testing

• Added/updated automated tests
• QA'd all new/changed functionality manually

Summary by CodeRabbit

Release Notes

• New Features

  • Certificate enrollment now verifies system delegation availability before attempting installation, preventing unnecessary failures.

• Bug Fixes

  • Enhanced error messages to include specific certificate alias and delegation status information for better troubleshooting.
  • Improved handling of system state exceptions during the enrollment process.

[getvictor]

@coderabbitai full review

[coderabbitai]

✅ Actions performed

Full review triggered.

[Copilot]

Pull request overview

This PR addresses Android certificate enrollment failures that occur immediately after fresh MDM enrollment by waiting for the CERT_INSTALL delegated scope to be available before starting SCEP/certificate installation, and by improving installation failure diagnostics.

Changes:

• Gate CertificateEnrollmentWorker execution on CERT_INSTALL delegation availability (retry before any SCEP work).
• Add a defensive delegation check in AndroidCertificateInstaller and improve install failure logging/messages with alias/scopes context.
• Add an Android changes entry documenting the fix.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File	Description
android/changes/42853-cert-install-delegation-gate	Release note for delegation gate + improved failure messages.
android/app/src/main/java/com/fleetdm/agent/CertificateEnrollmentWorker.kt	Adds worker-level delegation gate to retry before any enrollment work.
android/app/src/main/java/com/fleetdm/agent/CertificateOrchestrator.kt	Adds installer-level delegation verification and improves install failure logging.
android/app/src/main/java/com/fleetdm/agent/CertificateEnrollmentHandler.kt	Improves failure messaging and adds handling for IllegalStateException from installer/system state.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Walkthrough

The pull request implements a multi-layered gating mechanism for Android certificate enrollment based on CERT_INSTALL delegation scope availability. Changes include adding a pre-enrollment delegation check in CertificateEnrollmentWorker that retries if the scope is unavailable, a defensive delegation check in CertificateOrchestrator before certificate installation, enhanced failure messages that include the target alias and delegation status, and IllegalStateException handling in CertificateEnrollmentHandler for system state issues. The implementation defers enrollment until the required delegation becomes available, preventing permanent enrollment failure in scenarios where fresh MDM enrollment precedes delegation application.

Possibly related PRs

• Android app: add worker mutex #39297: Modifies CertificateEnrollmentWorker control flow with mutex serialization, directly intersecting with this PR's new pre-enrollment delegation gate logic
• Remove certificates from device when missing from managed config #37198: Updates certificate enrollment and installation flow across CertificateEnrollmentWorker and CertificateOrchestrator, the same files modified in this PR
• Install Fleet android agent on device enrollment. #36050: Implements AMAPI policy configuration to grant CERT_INSTALL delegation scope, which this PR depends upon to gate enrollment

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Description check	⚠️ Warning	The PR description is incomplete and lacks most required sections from the template, including validation, timeouts/retries, database considerations, and fleetd compatibility verification.	Complete the PR description by filling out all applicable checklist items, documenting testing approach, validation/security measures, timeout/retry implementation, and fleetd compatibility verification.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: implementing a gate to wait for CERT_INSTALL delegation before certificate enrollment, which directly addresses the core issue.
Linked Issues check	✅ Passed	All three requirements from issue #43064 are addressed: (1) enrollment flow is gated on delegation in CertificateEnrollmentWorker, (2) defensive check added in AndroidCertificateInstaller, (3) failure messages enhanced with alias and delegation details.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to the linked issue: the three files modified implement the exact fixes specified in #43064, and the change note documents the user-visible impact.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch victor/43064-cert-install

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@android/app/src/main/java/com/fleetdm/agent/CertificateEnrollmentHandler.kt`:
- Around line 79-81: The catch block in CertificateEnrollmentHandler.kt that
handles IllegalStateException currently returns EnrollmentResult.Failure with
isRetryable = false; change it to treat delegation/state IllegalStateException
as retryable by returning EnrollmentResult.Failure("Certificate installation
failed: ${e.message}", e, isRetryable = true) in the catch for
IllegalStateException inside the method that performs certificate installation
(look for the catch handling IllegalStateException in
CertificateEnrollmentHandler).

In `@android/app/src/main/java/com/fleetdm/agent/CertificateEnrollmentWorker.kt`:
- Around line 35-42: The CERT_INSTALL delegation check in
CertificateEnrollmentWorker currently returns Result.retry() unconditionally and
bypasses your MAX_RETRY_ATTEMPTS limit; modify the early-return logic in the
CertificateEnrollmentWorker (where dpm/getDelegatedScopes and
DevicePolicyManager.DELEGATION_CERT_INSTALL are checked) to first examine the
worker's runAttemptCount (getRunAttemptCount()) and only return Result.retry()
if runAttemptCount < MAX_RETRY_ATTEMPTS, otherwise return Result.failure() (or a
non-retry terminal result) so the MAX_RETRY_ATTEMPTS cap is honored.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ecbd1513-ac73-474f-87a3-0ad5fd6d87d2

📥 Commits

Reviewing files that changed from the base of the PR and between 1e24ead and ec28ebf.

📒 Files selected for processing (4)

• android/app/src/main/java/com/fleetdm/agent/CertificateEnrollmentHandler.kt
• android/app/src/main/java/com/fleetdm/agent/CertificateEnrollmentWorker.kt
• android/app/src/main/java/com/fleetdm/agent/CertificateOrchestrator.kt
• android/changes/42853-cert-install-delegation-gate

[codecov]

Codecov Report

❌ Patch coverage is 41.17647% with 10 lines in your changes missing coverage. Please review.
✅ Project coverage is 66.84%. Comparing base (1b95a58) to head (d456da9).
⚠️ Report is 7 commits behind head on main.

Files with missing lines	Patch %	Lines
...a/com/fleetdm/agent/CertificateEnrollmentWorker.kt	40.00%	3 Missing and 3 partials ⚠️
.../java/com/fleetdm/agent/CertificateOrchestrator.kt	0.00%	4 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #43065      +/-   ##
==========================================
- Coverage   66.84%   66.84%   -0.01%     
==========================================
  Files        2578     2578              
  Lines      206869   206883      +14     
  Branches     9283     9287       +4     
==========================================
- Hits       138291   138281      -10     
- Misses      56006    56032      +26     
+ Partials    12572    12570       -2     

Flag	Coverage Δ
android	46.95% <41.17%> (-1.09%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}