Reminder for APNs and ABM renewal

[noahtalerman]

Goal

User story
As a Fleet user,
I want to know when my Apple Push Notification service (APNs) certificate and Apple Business Manager (ABM) token are about to expire (starting 30 days before)
so that I can renew these certificates before MDM features stop working.

Changes

Product

• [x] UI changes: Figma link
• [x] CLI changes: Figma link
• [x] REST API changes: No API changes. Plan is to use the existing API endpoints:
  • APNs: https://fleetdm.com/docs/rest-api/rest-api#get-apple-push-notification-service-apns
  • ABM: https://fleetdm.com/docs/rest-api/rest-api#get-apple-business-manager-abm
• [x] Outdated documentation changes: #16919
• [x] Other changes:
  • Redirects for renewing ABM and APNs docs: #16873
  • UPDATE: Above PR was closed but the redirect was added (noahtalerman 2024-06-18)

Engineering

• [ ] Database schema migrations: TODO
• [ ] Load testing: TODO

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

Context

• Requestor(s): _____

QA

Risk assessment

• Requires load testing: TODO
• Risk level: Low / High TODO
• Risk description: TODO

Manual testing steps

1. Step 1
2. Step 2
3. Step 3

Testing notes

Confirmation

1. [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
2. [ ] QA (@____): Added comment to user story confirming successful completion of QA.

[zwass]

I think this is very important to prioritize before any of our customers get to the renewal dates for their certs. The linked issue https://github.com/fleetdm/confidential/issues/4479 is an example of this going wrong for us internally.

[noahtalerman]

@roperzh are we able to find the APNs, ABM, and SCEP renewal dates for our managed cloud MDM customers?

This way, we can manually send a reminder.

We still plan on having the feature built at least 1 month prior to macOS MDM launch but would be good to notify customers ahead of time as well.

cc @zayhanlon

[roperzh]

@noahtalerman I think we should be able to. To be 100% sure I think we should spend a bit of time with Robert doing a trial with one customer at least.

[noahtalerman]

Heads up @zwass @lukeheath and @roperzh this request was discussed during feature fest last week and didn't make it into the current design sprint.

[noahtalerman]

Hey @marko-lisica I recorded some feedback on UI changes in this Loom video here.

[noahtalerman]

Hey @marko-lisica here are the issues that have the CLI designs for cert expiration:

• APNs: https://github.com/fleetdm/fleet/issues/7456
• ABM: https://github.com/fleetdm/fleet/issues/7515

I just verified that we built these warnings:

• APNs: https://github.com/fleetdm/fleet/blob/main/cmd/fleetctl/get.go#L1388
• ABM: https://github.com/fleetdm/fleet/blob/main/cmd/fleetctl/get.go#L1442

Maybe we can borrow similar copy for the UI? Looks like we might need to update the copy for APNs error to be clearer about the consequences: all end users will have to take some action to turn MDM off and back on.

[marko-lisica]

Hey @georgekarrv moving story to "Settled". As we talked about during the Design review, I'm passing the notifications API endpoint design to you.

[noahtalerman]

Plan is to make this a frontend only story and use the following endpoints:

• https://fleetdm.com/docs/rest-api/rest-api#get-apple-push-notification-service-apns
• https://fleetdm.com/docs/rest-api/rest-api#get-apple-business-manager-abm

cc @marko-lisica

[marko-lisica]

During design review today, we decided to cut the scope for this feature. We won't implement new Notifications API. For now it will be UI change.

[georgekarrv]

Hey team! Please add your planning poker estimate with Zenhub @ghernandez345 @gillespi314

[RachelElysia]

@marko-lisica / @noahtalerman

Where does the Fleet license expiring fit on this hierarchy? Because it's a global banner, I'm thinking after 3 but before 4. That's what I built, but just wanted to confirm. I was also thinking, before 1 sounded reasonable as well.

[marko-lisica]

Where does the Fleet license expiring fit on this hierarchy? Because it's a global banner, I'm thinking after 3 but before 4. That's what I built, but just wanted to confirm. I was also thinking before 1 sounded reasonable as well.

Hey @RachelElysia, I would say on the global level it should be 4th, and on the host level as well 4th before "warning to turn on MDM". Do you know what's the consequence of an expiring license? Maybe it's more dangerous than ABM token expiration, so I would put it higher in that case.

[noahtalerman]

Do you know what's the consequence of an expiring license? Maybe it's more dangerous than ABM token expiration, so I would put it higher in that case.

@RachelElysia and @marko-lisica IIRC expired licenses have no consequences. We just show a undismissible banner.

So, I agree with Marko's suggestion. I think that's what you were saying too Rachel?

[noahtalerman]

Hey @zayhanlon heads up, this customer request was shipped in Fleet 4.51 🎉

[fleet-release]

Renewal reminders bloom, Like cherry blossoms in spring, Peace in the workflow.