Set up Windows MDM for "non-Autopilot" setup

[noahtalerman]

Goal

User story
As an IT admin,
I want to setup Fleet to run non-Autopilot enrollment
so that I can automatically enroll my Windows laptops and workstations.

Requirements

• Setup Azure Active directory (AD) in Fleet UI
• End user sees the Fleet default end user license agreement (EULA) during the non-Autopilot flow
  • Creating this default EULA is currently in progress. Tracked in GitHub here (internal)
  • While building this feature you can use this sample EULA PDF here: https://drive.google.com/file/d/1U34XpQNV8JB5WPrgneH5wtG9hH4176Z_/view?usp=drive_link
  • NOTE: We won't call this story done until the default EULA is added.
• Host automatically enrolls to "No team" via non-Autopilot flows
• Host gets fleetd automatically installed on it
• The host cannot be unenrolled by the end user (either in UI or programmatically)
• Event is tracked in audit feed

Changes

UI

https://www.figma.com/file/hdALBDsrti77QuDNSzLdkx/%F0%9F%9A%A7-Fleet-EE-(dev-ready%2C-scratchpad)?type=design&node-id=17222-213545&mode=design

[noahtalerman]

Hey @marko-lisica and @marcosd4h below is my understand of the next steps that came out of our discussion during today's product design review.

What do you think? Am I missing anything?

TODO Marko: What should the information architecture (IA) look like in the Fleet UI for setting up Windows MDM?

• For now, let's assume that the IT admin will have to write Fleet URL's into Azure manually.
• For now, let's assume that the IT admin will choose the "On premise" option
• For now, let's address listing the Autopilot hosts in the Fleet UI as part of a separate story later (soon). Let's include instructions on how to upload the CSV you get from the vendor

TODO Marcos: Can we write Fleet information (URLs) into Azure programmatically? Are there APIs that allow for this?

TODO Marcos: How would we apply for a "Fleet" application showing up in Azure? What do we have to build? What do we have to build to support the "On premise" option?

[noahtalerman]

@marko-lisica on the Automatic enrollment page in Fleet (linking to our dogfood instance here), we have Team (under Apple Business Manager), End user authentication, and End user license agreement.

I think we'll want to support this same functionality for Windows.

Also, on the Dashboard page (linking to our dogfood instance here) we have a report for hosts that are automatically enrolled v. manually enrolled.

For Windows in the Fleet UI, I think it makes sense to call user drive enrollment => “manual enrollment” and Autopilot enrollment => “automatic enrollment.” I think it's simpler for users for Mac and Windows to share enrollment language. I think to the user, they mean similar things on Mac and Windows.

I talk through the above in a Loom video here: https://www.loom.com/share/57896312112f4556a1ff415fd652a280

[marko-lisica]

@marko-lisica on the Automatic enrollment page in Fleet (linking to our dogfood instance here), we have Team (under Apple Business Manager), End user authentication, and End user license agreement.

I think we'll want to support this same functionality for Windows.

Also, on the Dashboard page (linking to our dogfood instance here) we have a report for hosts that are automatically enrolled v. manually enrolled.

For Windows in the Fleet UI, I think it makes sense to call user drive enrollment => “manual enrollment” and Autopilot enrollment => “automatic enrollment.” I think it's simpler for users for Mac and Windows to share enrollment language. I think to the user, they mean similar things on Mac and Windows.

I talk through the above in a Loom video here: https://www.loom.com/share/57896312112f4556a1ff415fd652a280

I have some questions, regarding OS agnostic settings.

1. Are there some configurations,policies, queries or anything else that should be different on Windows? If we put all devices in the same Team, we can't have different configurations?
2. What exactly mean when MDM is turned on manually? On the macOS side, it would mean that IT admin can't prevent end-user to unenroll( turn mdm off), which can be prevented when automatically enrolled through DEP. Is there any other difference from automatic enrollment?
3. On the Windows side, I think we misunderstood this "user-driven enrollment", which is actually Autopilot enrollment. User-driven means that end-user must authorize to enroll the device to MDM and to get device configured. You can check Microsoft Docs. I think in this case user-driven enrollment would be automatic enrollment in Fleet. What is the equivalent of manual enrollment?

[marcosd4h]

TODO Marcos: Can we write Fleet information (URLs) into Azure programmatically? Are there APIs that allow for this?

[Marcos] I've been looking into the Azure REST API reference here, and it seems this is not possible. I'm going to spend some more time today to keep looking to double check this

TODO Marcos: How would we apply for a "Fleet" application showing up in Azure? What do we have to build? What do we have to build to support the "On premise" option?

[Marcos] I'm going to look at this today

[noahtalerman]

@marcosd4h @marko-lisica here's our Google doc w/ notes and action items we discussed during today's (2023-05-25 ) call: https://docs.google.com/document/d/1O7jMhRi3W-xwr_8wowwAKn_bzqESsedpknV64IxyiC8/edit#heading=h.fdn2a4gmpks0

The call was also recorded in Gong because I added the gong assistant. Here's the link: https://us-65885.app.gong.io/call?id=9145677102777577085

[noahtalerman]

Hey folks, I tested the Windows automatic enrollment (non-Autopilot) experience and recorded several videos that you can find here in Loom: https://www.loom.com/spaces/All-Fleet-67132/folders/Intune-1db88dafed064975b4c5aaa18ba655d6

Some key findings and follow up research:

• Automatic enrollment only works for Windows 10/11 Pro. Automatic enrollment isn’t available for Windows 10/11 Home.
  • Needs research: Windows 10/11 Enterprise. Given the name, I assume automatic enrollment works for enterprise.
• Automatic enrollment (non-Autopilot) to Intune doesn’t require the end user to have Intune license. Automatic enrollment works if the end user has an Azure Premium P1 license.
  • Needs research: What does end user UX look like if they don’t have a P1 license?
  • UPDATE: Automatic enrollment doesn’t work if the user doesn’t have a P1 license. The end user runs into an error when they sign on with their work account.
  • Needs research: Does automatic enrollment with Autopilot features require an Intune license?

[noahtalerman]

• End user sees the Fleet default end user license agreement (EULA) during the non-Autopilot flow
  • Creating this default EULA is currently in progress. Tracked in GitHub here (internal)
  • While building this feature you can use this sample EULA PDF here: https://drive.google.com/file/d/1U34XpQNV8JB5WPrgneH5wtG9hH4176Z_/view?usp=drive_link
  • NOTE: We won't call this story done until the default EULA is added.

As noted above, we won't call this story done until the Fleet default EULA Is added. I added the above to the "requirements" section so that all folks on the team aligned on what we expect to ship.

cc @georgekarrv @marcosd4h

[sabrinabuckets]

Requirements:

1. Setup Azure Active directory (AD) in Fleet UI - as noted in #12605, I believe there are issues with this documentation that should be addressed prior to approving this story.
2. End user sees the Fleet default end user license agreement (EULA) during the non-Autopilot flow - It is unclear here what I am supposed to be seeing when I attempt the enrollment flow, so I cannot validate this
   • Creating this default EULA is currently in progress. Tracked in GitHub here (internal)
   • While building this feature you can use this sample EULA PDF here:
   • https://drive.google.com/file/d/1U34XpQNV8JB5WPrgneH5wtG9hH4176Z_/view?usp=drive_link
   • NOTE: We won't call this story done until the default EULA is added.
3. Host automatically enrolls to "No team" via non-Autopilot flows - I am unable to complete the enrollment at this time, I receive an error that indicates my host "might not be able to access some resources, such as Wi-Fi, VPN, or email." No further explanation for the failure is provided. I cannot find any obvious errors in my logs, but am happy to search for any specifics that might be useful
4. Host gets fleetd automatically installed on it - unable to validate
5. The host cannot be unenrolled by the end user (either in UI or programmatically) - unable to validate
6. Event is tracked in audit feed - unable to validate

[sabrinabuckets]

Noted in Noah's comment above that Win 11 Home was not supported. The device I am testing on came with Home, so I am upgrading to Pro and will retest.

[sabrinabuckets]

After upgrading to Windows 11 Pro, I am still receiving an error on sign-in and am unable to complete the enrollment flow. It remains unclear whether the error is with my app configuration in Entra ID, or elsewhere. I will need to walk through the entire process with someone to verify where the breakdown is occurring.

[fleet-release]

Windows MDM setup, Seamless enrollment unfolds, Fleet's reach in clouds grows.

[noahtalerman]

Reopening this because we don't have docs yet.

[noahtalerman]

@sabrinabuckets @marcosd4h just checking, did this make it through QA? Looks like this was moved straight from the QA column to the closed column (skipped ready for release)

[sabrinabuckets]

@noahtalerman we QA'd this on a call together with Gabe & Marcos. I didn't see it go back through the flow on the board though.

[noahtalerman]

Confirm and celebrate: Needs docs.

[noahtalerman]

Docs are in an open PR here: https://github.com/fleetdm/fleet/issues/11764

[ireedy]

C&C: @noahtalerman to talk to Mike about docs.

[noahtalerman]

C&C: @noahtalerman to work with JD to get the doc content into an article. Mike and I decided to put a freeze on committed learning docs. We still want to be able to point the user somewhere to learn.

[noahtalerman]

C&C: @spokanemac can you please help me transform this PR into an article? https://github.com/fleetdm/fleet/pull/14566

[noahtalerman]

C&C: @noahtalerman to rename "Entra" to "Azure" (old name) because the Fleet UI will use Azure for now.

[noahtalerman]

C&C: "Entra" to "Azure" rename is done here: https://github.com/fleetdm/fleet/pull/14919

[fleet-release]

Windows, set to sail, Fleet enrolls, no track fails, Secure, without fail.