Closed noahtalerman closed 1 year ago
@noahtalerman Is this story still in drafting?
- [ ] Roberto: We would need to build a way to specify which profiles get installed during unboxing
- Noah: We can add a flag in the YAML that says this a profile that should be installed during unboxing (?)
Punt on this^; context is here in Slack: https://fleetdm.slack.com/archives/C02A8BRABB5/p1677794729473579
- Dave and Noah: It's up to the IT admin to get fleetd and Munki in an InstallApplications package: https://github.com/macadmins/installapplications
- All packages inside InstallApplications have to get signed
- Dave: I can create the InstallApplications package for testing
Moving this^ out of the issue description so we have it tracked. It's not related to the changes we need to make.
@noahtalerman Is this story still in drafting?
@lukeheath I think yes. We haven't decided how Fleet will know what package to install:
We can add a config option in YAML to point to package (?)
EDIT: It looks like we built a fleetctl apple-mdm installers command:
I'm not sure if this allows the user to upload a package that Fleet will install during unboxing. If it does, maybe we don't have to do more work now.
Goal is to provide prospective customer with a "backdoor" (not pretty UX) way to successfully install a package during unboxing.
Roberto: This issue + #10518 estimated at an 8
@lukeheath I assigned you this issue and #10518. Can you please add specs with the names for the config options?
@lukeheath FYI I brought this story back to drafting so that we can take proposed UI changes to design review. This story is planned for next sprint (4.30.0).
We want to draft UI changes before we start CLI/API work.
I carved these two stories out of this story:
These stories^ are in drafting and aren't planned for next sprint.
Hey @zhumo and @roperzh we talked about the requirements and UI for this issue during our "Bootstrap package UX" call today (2022-03-23)
I want to bring the UI changes to tomorrow's design review w/ Mike.
When you get the chance can you please take a look at the proposed UI (Figma link here) and CLI (wireframes are in issue description) ?
Feedback I'm looking for:
@roperzh I have a couple more technical questions for you:
InstallEnterpriseApplication command takes in a manifest URL. What is that? https://developer.apple.com/documentation/devicemanagement/install_an_enterprise_app @noahtalerman
Can Fleet detect when the user tries to upload an unsigned package? I think we want to show an error message when the user tries to do this. This is because the package won't install during set up.
I have confirmed that we can!
I think we want the YAML to accept a relative path of a package. This way, the UX is consistent with the profiles (relative path to profile). How would this work?
For this to work, fleetctl would have to upload the package to the Fleet server, and the server would have to store the package somewhere.
Ideally we would use a blob storage, but for the MVP we could do the same ugly thing we did for the PoC: use the database to store the installer.
Once the installer is uploaded, Fleet provides a public URL that can be accessed only if you have a token to "serve" the installer. This is the URL that the InstallEnterpriseApplication command will use.
It looks like the InstallEnterpriseApplication command takes in a manifest URL. What is that? https://developer.apple.com/documentation/devicemanagement/install_an_enterprise_app
That is an XML with metadata about the package, we can (and IMO should) build that automagically, it's something that micromdm provides and it's already done in the PoC.
@noahtalerman an afterthought: the relative path is handy for profiles because these are plain text files and work well with source control (like git).
It's worth double checking with IT admins, because having the installer checked in source control sounds very painful (since those are "big" binary files)
TODO Noah: Make a GIF of the user going through the setup. YouTube video
During a "macOS setup problems" @zhumo @roperzh and I decided that in the team and config YAML document, the IT admin should supply a URL where the package lives instead of a relative path to the package.
Why?
InstallEnterpriseApplication command requires that the package is accessible. cc @lukeheath
Do not start work on this story yet. Product is taking back ground the design process.
- TODO: @noahtalerman Remove this when ready.
Hey @lukeheath the CLI for this story is designed. I think we're ready to implement the CLI this sprint as soon as the specs are reviewed/updated. I removed the above notice from the issue description.
The UI was brought to today's design review. I'm bringing the UI to another design review tomorrow for a 2nd pass. The UI is not quite ready for specs.
The plan is to implement the UI in the next sprint. Do we need a separate story for the UI?
During today's design review we decided to call the bootstrap package a "Custom setup package" in the CLI and UI.
Options:
Reasoning:
cc @lukeheath @roperzh @georgekarrv @mikermcneil @zhumo
@lukeheath the UI is ready for specs. While we only carved out room for the CLI this sprint, it would be great if we can estimate and bring the UI into this sprint.
The UI is the next priority (after WIP) for MDM team.
I think it makes sense to hop on a call, after the UI is estimated, to see if we have room this sprint. What do you think?
Thanks for documenting the reasoning!
As an IT admin, I want to reinstall the custom setup package (Munki client) because it wasn't installed during setup for some reason (failed install, something else).
Hey @roperzh can the IT admin achieve this^ by running a custom InstallEnterpriseApplication command using the fleetctl mdm run-command command? (fleetctl command spec'd here: #96433)
They would need to know the manifest URL for the package right? How would they get this?
Hey @mike-j-thomas when you get the chance, can you please help me create 2 new icons for the Fleet UI? (I used the .mobileconfig icons as placeholders below)
Icon for a PDF file (.pdf)
Icon for a package file (.pkg)
Loom video that gives more context on why we're adding the ability to add these files: https://www.loom.com/share/0e462a254c0e4bdc8077cdaf5372e632
New problem:
To run the InstallEnterpriseApplication command, we need to build an XML that contains a SHA256/MD5 checksum of the file to be installed. If the IT admin provides a URL, we could download that file and calculate the checksum, but that kind of defeats the purpose of having a checksum in the first place, right? Optionally we could also ask the IT admin to provide the checksum, but that adds burden to the IT admin.
More discussion here in Slack (internal).
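The manifest Roberto describes above, and the checksum problem, as an added example that is not Fleet's code: it builds the Apple enterprise-app manifest plist from a trusted local copy of the package (per-chunk md5s and sha256s, which is the layout Apple's InstallEnterpriseApplication manifest uses) and then verifies a separately downloaded copy against it. The sample package bytes, URL, bundle identifier and chunk size are constructed for the example.

```python
import hashlib
import plistlib

# Apple's manifest carries a digest per fixed-size chunk of the package
# ("md5-size"/"md5s", and on newer macOS "sha256-size"/"sha256s").
# Production chunk sizes are large (10 MiB is common); the sample below is tiny.
CHUNK = 10 * 1024 * 1024

# Constructed sample input (not a real installer).
SAMPLE_PKG = b"constructed sample package bytes " * 100
SAMPLE_URL = "https://example.invalid/bootstrap.pkg"


def chunk_digests(data: bytes, algo: str, size: int = CHUNK) -> list[str]:
    """Hex digest of each `size`-byte chunk of `data`, in order."""
    return [hashlib.new(algo, data[i:i + size]).hexdigest()
            for i in range(0, max(len(data), 1), size)]


def build_manifest(pkg: bytes, url: str, bundle_id: str, version: str,
                   title: str, chunk: int = CHUNK) -> bytes:
    """XML plist to serve at the ManifestURL, built from a TRUSTED copy of pkg."""
    manifest = {"items": [{
        "assets": [{
            "kind": "software-package",
            "url": url,
            "md5-size": chunk,
            "md5s": chunk_digests(pkg, "md5", chunk),
            "sha256-size": chunk,
            "sha256s": chunk_digests(pkg, "sha256", chunk),
        }],
        "metadata": {"bundle-identifier": bundle_id, "bundle-version": version,
                     "kind": "software", "title": title},
    }]}
    return plistlib.dumps(manifest)


def verify_against_manifest(manifest_xml: bytes, downloaded: bytes) -> bool:
    """Compare a fetched package with the digests of a manifest made earlier from
    a trusted copy. This is exactly the check that is lost if the server derives
    the digests from the bytes it just downloaded from the admin's URL."""
    asset = plistlib.loads(manifest_xml)["items"][0]["assets"][0]
    if "sha256s" in asset:
        return chunk_digests(downloaded, "sha256", asset["sha256-size"]) == asset["sha256s"]
    return chunk_digests(downloaded, "md5", asset["md5-size"]) == asset["md5s"]


if __name__ == "__main__":
    m = build_manifest(SAMPLE_PKG, SAMPLE_URL, "com.example.bootstrap", "1.0",
                       "Bootstrap package", chunk=1024)
    print(m.decode())
    print("intact:", verify_against_manifest(m, SAMPLE_PKG))
    print("tampered:", verify_against_manifest(m, SAMPLE_PKG[:-1] + b"X"))
```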
@roperzh, @gillespi314, and I just met and we decided to ask the IT admin to add only a URL for where the bootstrap package lives. We can checksum configuration later as per customer request.
Reasoning:
cc @zwass @zhumo @dherder
(2023-04-04)
When we want to support checksums, we can start using the TUF tooling we already have. The Fleet server would be able to securely grab an up to date checksum and download url.
UPDATE: During today's design review we decided to call the bootstrap package a "Bootstrap package" in the CLI and UI.
This is an update from the decision to call the package a "Custom setup package." Earlier decision is documented here: https://github.com/fleetdm/fleet/issues/10213#issuecomment-1490596106
@lukeheath @roperzh @georgekarrv heads up, I updated the CLI specs in this subtask to use the new bootstrap_package name. I think this story tracking UI/API changes might need a similar change: #10936
Reasoning:
cc @zhumo @mikermcneil
We decided to not address, as part of this story, that this feature will slow down the speed of the IT admin's CI. We will come back to this later.
cc @roperzh @georgekarrv @lukeheath
Conversation from Slack (internal) is below:
Roberto: what I'm thinking of is that CI times will be very slow even if you're not modifying the package, because we have to download the package every time
but that's something we can come back to
Noah: How slow? Like a minute on average? 5 minutes? (with good connection)
Roberto: hard to tell, will depend on the size of the bootstrap package and the upload/download network speed of the computer running fleetctl
but my gut feeling is that will make something go orders of magnitude up, eg: from 2 seconds to 5 minutes
(maybe 2 minutes?) something like that
Noah: Hmm, ok. Yeah that’s a big jump. Agree we can come back to addressing the slow CI
Hey @mike-j-thomas when you get the chance, can you please help me create 2 new icons for the Fleet UI?
Hey, @noahtalerman, I've updated the file icon component to include the new file types.
@noahtalerman, I also have a version here where the pkg is in its correct box. It becomes a little illegible at the smallest size, though. Do you think the pkg icon is still clear out of its box?
@mike-j-thomas I don't think the package is clear out of the box. I like the package in the box because it's recognizable, even at the small size. What do you think?
Bootstrap package blooms, Macs in Apple's cloud realm thrive, Fleet aids, empowers.
@noahtalerman docs for how to use bootstrap package CLI
Unboxed Macs in bloom, Custom bootstrap package gives, Ease for IT minds.
Goal
As an IT admin, I want to be able to install a custom package on new Macs in Apple Business Manager, when they're unboxed, so that I can deploy software and scripts to these Macs using my tool of choice (Munki, Chef, Puppet, etc.).
IT admins call this a "bootstrap" package.
Changes
config and team YAML to point to a relative path where a package lives.