fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Custom setup panes for each team via CLI #10518

Closed noahtalerman closed 1 year ago

noahtalerman commented 1 year ago

Goal

As an IT admin, I want to specify different setup settings for each Fleet team so that my MacBooks show different macOS Setup Assistant panes than my Mac minis.

Requirements

Changes

UI

https://www.figma.com/file/hdALBDsrti77QuDNSzLdkx/%F0%9F%9A%A7-Fleet-EE-(dev-ready%2C-scratchpad)?node-id=14984-195772

lukeheath commented 1 year ago

Merged with #10213

fleet-release commented 1 year ago

Softly blooming flowers, Unboxing tailored to teams; Smooth onboarding bliss.

noahtalerman commented 1 year ago

Reopening this issue because we broke the "Bootstrap package" and "Different unboxing settings for each team" into 2 stories. Here's the "Bootstrap package" story: #10213

noahtalerman commented 1 year ago

@roperzh @zhumo during the "macOS setup problems" call we discussed the problem of having enrollment gated by auth for some hosts and not gated for others.

The options discussed were...

  1. Have an option (UI/CLI) to enable/disable auth per team
  2. Have different IdP integrations per team. If no IdP is specified, auth is disabled.

@roperzh and I decided that we should go with option 1 because it matches customer needs, provides better UX, and doesn't make it more difficult to add different IdPs per team later.

Customers with 1,000+ hosts use the same IdP to gate enrollment. Some of these customers just need the option to bypass auth for certain hosts.

With the option to enable/disable auth per team, the IT admin only needs to provide IdP credentials once, for all teams, and then choose whether enrollment should be gated by auth for each team.

noahtalerman commented 1 year ago

During today's design review (MDM), we decided to allow IT to supply any file with valid JSON as an automatic enrollment (DEP) profile.

[Screenshot, 2023-04-04 1:54:51 PM]

Fleet won't validate the profile's keys to make sure that they are valid keys that Apple supports.

This way, when Apple releases new features (keys), IT admins don't have to wait for a Fleet release to support these features.

@dherder @ksatter I anticipate this will increase the amount of work for solutions architecture and customer experience teams. Fleet will be flexible at the cost of users potentially shooting themselves in the foot.

I think we should recommend that users create a test (canary) team to test changes to their automatic enrollment profile. This way, they can use a test machine to test the changes. I think IT admins are used to this "test machine" workflow.

What do you think?

cc @mikermcneil @roperzh @georgekarrv @zhumo

zhumo commented 1 year ago

@noahtalerman Are these json files doable in iMazing?

noahtalerman commented 1 year ago

@zhumo good question. Unfortunately no.

I think we can rely on IT admins (they're technical at large orgs) creating one in their text editor. We document our default .json and point to Apple docs.

What do you think?

noahtalerman commented 1 year ago

@zhumo related to the iMazing question above:

iMazing does have a Setup Assistant section to make a .mobileconfig version of these settings: [Screenshot, 2023-04-04 2:13:19 PM]

My guess is that .mobileconfig works if we guarantee it's installed before the user advances to Setup Assistant. @roperzh is that right? Currently, we're not doing this.

More importantly, .mobileconfig doesn't support the auto_advance_setup option that a Fleet customer needs.

Since we want the IT admin to use a .json file on the macOS setup page, I propose that we add a case for .mobileconfig upload on the macOS settings page: error if the user tries to upload a .mobileconfig with Setup Assistant settings (similar to the FileVault error):

[Screenshot, 2023-04-04 2:30:55 PM]

noahtalerman commented 1 year ago

Hey @xpkoala heads up, I added the following QA note to the requirements section in the issue description:

  • Notes for QA: Does transferring a host result in the expected behavior (covered above)? Does changing the default team result in the expected behavior?

I want to make sure we cover these cases during QA. If it's helpful, I'm happy to hop on a call to walk through the expected behavior.

cc @lukeheath @georgekarrv

noahtalerman commented 1 year ago

Hey @mna as part of this story can you please add some kind of example JSON that IT admins can pull from when using this feature?

I think adding this somewhere in the fleet repo makes sense (publicly accessible). the mdm_profiles/ directory could be a good place: https://github.com/fleetdm/fleet/tree/main/mdm_profiles
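The design decision earlier in the thread (Fleet accepts any valid JSON as the automatic enrollment profile and does not check the keys against what Apple supports) and the request just above for an example JSON both point at the same practitioner need: a small pre-flight check an admin can run on a profile before pushing it to a canary team. The block below is an added example written for this page, not Fleet's own code or its shipped default profile. It embeds two constructed profiles (one for MacBooks, one for Mac minis using auto_advance_setup) and a checker that errors only on invalid JSON, the one thing the discussion says Fleet rejects, and otherwise returns warnings for a missing profile_name, wrongly typed values, and keys outside an assumed allowlist. That allowlist is a snapshot of the top-level keys in Apple's "Define a Profile" documentation as the author of this example remembers it; it is an assumption and should be refreshed from Apple's docs, which is exactly why a new Apple key should produce a warning here rather than an error.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// knownDEPKeys is an ASSUMED snapshot of the top-level keys Apple documents for
// the Device Enrollment "Define a Profile" request. Refresh it from Apple's docs;
// Fleet itself does not check keys, so a stale or typo'd key is only caught here.
var knownDEPKeys = map[string]bool{
	"profile_name": true, "url": true, "allow_pairing": true, "is_supervised": true,
	"is_multi_user": true, "is_mandatory": true, "await_device_configured": true,
	"is_mdm_removable": true, "support_phone_number": true, "auto_advance_setup": true,
	"support_email_address": true, "org_magic": true, "anchor_certs": true,
	"supervising_host_certs": true, "skip_setup_items": true, "department": true,
	"devices": true, "language": true, "region": true, "configuration_web_url": true,
}

// Constructed example profiles for two teams (not Fleet's defaults). The Mac mini
// profile carries a deliberate typo ("skip_setup_item") to show the unknown-key path.
const macBookProfile = `{
  "profile_name": "MacBooks (constructed example)",
  "await_device_configured": true,
  "auto_advance_setup": false,
  "skip_setup_items": ["Siri", "ScreenTime", "Payment"]
}`

const macMiniProfile = `{
  "profile_name": "Mac minis (constructed example)",
  "await_device_configured": true,
  "auto_advance_setup": true,
  "skip_setup_items": ["Siri", "ScreenTime", "Payment", "AppleID", "Location", "Biometric"],
  "skip_setup_item": ["TOS"]
}`

// CheckDEPProfile parses a candidate profile. It returns an error only when the
// document is not a JSON object (the only check the thread says Fleet performs)
// and otherwise returns sorted, non-fatal warnings the admin should review
// before assigning the profile to a canary team.
func CheckDEPProfile(raw []byte) ([]string, error) {
	var profile map[string]json.RawMessage
	if err := json.Unmarshal(raw, &profile); err != nil {
		return nil, fmt.Errorf("not a JSON object: %w", err)
	}
	if profile == nil {
		return nil, errors.New("document is null, not an object")
	}

	var warnings []string
	if _, ok := profile["profile_name"]; !ok {
		warnings = append(warnings, "missing profile_name (required by Apple)")
	}
	if v, ok := profile["skip_setup_items"]; ok {
		var items []string
		if err := json.Unmarshal(v, &items); err != nil {
			warnings = append(warnings, "skip_setup_items should be an array of strings")
		}
	}
	if v, ok := profile["auto_advance_setup"]; ok {
		var b bool
		if err := json.Unmarshal(v, &b); err != nil {
			warnings = append(warnings, "auto_advance_setup should be a boolean")
		}
	}
	for k := range profile {
		if !knownDEPKeys[k] {
			warnings = append(warnings, "unknown key "+k+" (new Apple key, or a typo Fleet will not catch)")
		}
	}
	sort.Strings(warnings)
	return warnings, nil
}

func main() {
	for name, body := range map[string]string{"MacBooks": macBookProfile, "Mac minis": macMiniProfile} {
		warnings, err := CheckDEPProfile([]byte(body))
		if err != nil {
			fmt.Printf("%s: REJECT: %v\n", name, err)
			continue
		}
		fmt.Printf("%s: %d warning(s)\n", name, len(warnings))
		for _, w := range warnings {
			fmt.Println("  -", w)
		}
	}
}
```

Run it against the profile you intend to upload before it goes to the canary team; a warning is not necessarily a defect (Apple may have added the key since the allowlist was last refreshed), but an unexpected one is cheap to investigate on a single test machine and expensive to discover across a fleet of Mac minis that auto-advanced through Setup Assistant.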

xpkoala commented 1 year ago

@noahtalerman I don't believe this currently includes a panel for the macOS setup assistant. Is this intentional? I do believe this can still be set via the CLI, which I am currently testing.

noahtalerman commented 1 year ago

I don't believe this currently includes a panel for the macOS setup assistant.

@xpkoala do you mean a page in the Fleet UI that allows you to upload the DEP profile? If yes, this is coming as part of a separate story in the next sprint: #10996

zhumo commented 1 year ago

@georgekarrv Also not seeing documentation here https://fleetdm.com/docs/using-fleet/mdm-macos-setup#macos-setup-assistant

zhumo commented 1 year ago

C&C: @noahtalerman needs docs

noahtalerman commented 1 year ago

needs docs

Docs addressed in this PR: #12812

fleet-release commented 1 year ago

Custom profiles bloom, MacBooks, minis, their own tune, In Fleet's cloud room.