fix: force client logging on when any mdm is configured

Signed-off-by: Michael Nahkies <michael@nahkies.co.nz>

Author: mnahkies

android/src/main/java/com/tailscale/ipn/App.kt

@@ -706,6 +706,13 @@ open class UninitializedApp : Application() {
   }
 
   fun getIsClientLoggingEnabled(): Boolean {
+
+    // Force client logging to be enabled, when the device is managed by MDM
+    // Later this could become a dedicated MDMSetting / restriction.
+    if (MDMSettings.isMDMConfigured) {
+      return true
+    }
+
     return getUnencryptedPrefs().getBoolean(IS_CLIENT_LOGGING_ENABLED_KEY, true)
   }
 

android/src/main/java/com/tailscale/ipn/mdm/MDMSettings.kt

@@ -22,6 +22,11 @@ object MDMSettings {
   // MDM restriction keys
   const val KEY_HARDWARE_ATTESTATION = "HardwareAttestation"
 
+  // We default this to true, so that stricter behavior is used during initialization,
+  // prior to receiving MDM restrictions.
+  var isMDMConfigured = true
+    private set
+
   val forceEnabled = BooleanMDMSetting("ForceEnabled", "Force Enabled Connection Toggle")
 
   // Handled on the backed
@@ -130,6 +135,7 @@ object MDMSettings {
   fun loadFrom(preferences: Lazy<SharedPreferences>, restrictionsManager: RestrictionsManager?) {
     val bundle = restrictionsManager?.applicationRestrictions
     allSettings.forEach { it.setFrom(bundle, preferences) }
+    isMDMConfigured = bundle?.isEmpty == true
   }
 
   fun update(app: App, restrictionsManager: RestrictionsManager?) {

android/src/main/java/com/tailscale/ipn/mdm/MDMSettingsChangedReceiver.kt

@@ -16,7 +16,16 @@ class MDMSettingsChangedReceiver : BroadcastReceiver() {
       TSLog.d("syspolicy", "MDM settings changed")
       val restrictionsManager =
           context?.getSystemService(Context.RESTRICTIONS_SERVICE) as RestrictionsManager
+
+      val previouslyIsMDMEnabled = MDMSettings.isMDMConfigured
+
       MDMSettings.update(App.get(), restrictionsManager)
+
+      if (MDMSettings.isMDMConfigured && !previouslyIsMDMEnabled) {
+        // async MDM settings updated from disabled -> enabled. restart to ensure
+        // correctly applied (particularly forcing client logs on).
+        // TODO: actually restart
+      }
     }
   }
 }

android/src/main/java/com/tailscale/ipn/ui/view/SettingsView.kt

@@ -111,8 +111,13 @@ fun SettingsView(
           Lists.ItemDivider()
           Setting.Switch(
               R.string.client_remote_logging_enabled,
-              subtitle = stringResource(R.string.client_remote_logging_enabled_subtitle),
+              subtitle =
+                  stringResource(
+                      if (MDMSettings.isMDMConfigured)
+                          R.string.client_remote_logging_enabled_subtitle_mdm
+                      else R.string.client_remote_logging_enabled_subtitle),
               isOn = isClientRemoteLoggingEnabled,
+              enabled = !MDMSettings.isMDMConfigured,
               onToggle = { viewModel.toggleIsClientRemoteLoggingEnabled() })
 
           if (!AndroidTVUtil.isAndroidTV()) {

android/src/main/res/values/strings.xml

@@ -356,6 +356,7 @@
     <string name="subnet_routing">Subnet routing</string>
     <string name="client_remote_logging_enabled">Remote client logging</string>
     <string name="client_remote_logging_enabled_subtitle">Whether debug logs are uploaded to Tailscale support. When disabled no support or network flow logs.\nChanges require restarting the app to take effect.</string>
+    <string name="client_remote_logging_enabled_subtitle_mdm">Client logging is always enabled for devices under remote management.</string>
     <string name="specifies_a_device_name_to_be_used_instead_of_the_automatic_default">Specifies a device name to be used instead of the automatic default.</string>
     <string name="hostname">Hostname</string>
     <string name="failed_to_save">Failed to save</string>