Windows custom settings (configuration profiles)

[noahtalerman]

Goal

User story
As an IT admin,
I want to add Windows profiles
so that I can enforce custom settings on Windows workstations to keep them compliant and secure.

Requirements

• IT admin can export Windows profiles from Workspace ONE (WS1), edit the XML so that the only top level objects are <Replace>, and upload these to a team or "No team" in Fleet via UI, CLI, and API. This enforces custom settings on Windows workstations.
• IT admin can create the XML for Windows profiles by following instructions in the Fleet docs and upload these to a team or "No team" in Fleet via UI, CLI, and API
• IT admin can download Windows profiles via UI and API
• IT admin can delete Windows profiles via UI and API. If a profile is deleted, the profile isn't removed from the Windows workstation
• If a host is transferred to a new team, the Windows profiles from the old team aren't removed
• If a profile fails, none of the options in the profile are applied
• "Failed" profiles aren't redelivered for Windows
• Fleet contributors use this language when talking about this feature: https://docs.google.com/document/d/17loPAoQSxZDk41IPHdNgKF6mBIF4ZzRtvIqtbDLZwP4/edit

Changes

Product

• [ ] UI changes: https://www.figma.com/file/eC1C8kp9grdPMAZGvR0ibT/%2313281-Enforce-configuration-on-Windows?type=design&node-id=2-130&mode=design
• [ ] CLI usage changes: https://www.figma.com/file/eC1C8kp9grdPMAZGvR0ibT/%2313281-Enforce-configuration-on-Windows?type=design&node-id=168-4489&mode=design&t=yvv7Ff7RmirlsZ5T-4
• [ ] Permissions changes:
  • Maintainers and admins (global and team) can view, add, download, and delete Windows profiles
  • GitOps (global and team) can add and delete Windows profiles
• [ ] Documentation changes: Document Windows custom settings

Engineering

• [ ] REST API changes: API changes outlined in this PR https://github.com/fleetdm/fleet/pull/14230
• [ ] Database schema migrations: TODO
• [ ] Documentation changes complete

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

Context

• Requestor(s): @zhumo

QA

Manual testing steps

UI: [X] Verify Zero-state [X] Validate copy changes against Figma [X] Verify UI allows upload of .xml files for any teams & “no team” by any Admin or Maintainer [X] Name of Profile is pulled from XML file [X] Verify able to download & delete files [X] Host counts/statuses are accurate [X] Controls page filters link to correct hosts [X] Verify copy for upload statuses & delete modal [X] Verify pagination [X] Verify role permissions match current for macOS profiles [X] Verify Activity Feed entries

[X] Verify that on team transfer, profiles are not removed from host but no longer show in host status [X] Verify no profile redelivery on failure, test manual remediation via team transfer

• Failed profiles will not apply any values to the host [X] Verify os settings statuses, including error messages for Failed [X] Verify on-device

CLI: [X] Verify able to apply profiles with a yaml file

• Note that getting existing config into yaml may not include existing .xml uploads from the UI, needs validation
• Note that applying an empty value for custom_settings will remove all currently configured profiles
• Note that changing or removing an existing value in the yaml will edit or delete the corresponding file [X] Apply should fail with MDM off, or with only macOS/Windows turned on
• Verify does this mean OS-specific profiles will fail? [X] Apply should fail if the yaml includes an invalid file [X] Apply should fail if the yaml includes a missing file [X] Apply should fail if duplicate file name is included [X] Test with BitLocker profile (should fail) [X] Test with Windows Updates (should fail)

Testing notes

Confirmation

1. [ ] Engineer (@____): Added comment to user story confirming succesful completion of QA.
2. [ ] QA (@____): Added comment to user story confirming succesful completion of QA.

[noahtalerman]

@marko-lisica heads up that I'm linking to your research doc here and in the issue description so other folks that come across this issue can check it out.

[noahtalerman]

@marko-lisica I chatted with @marcosd4h today and we ran into an interesting UX question regarding sending one MDM command for many OMA URIs v. sending one command for each OMA URI.

I think the key problem we want to solve is this: as an IT admin, I want to be able to see a raw feed of the Windows MDM commands that Fleet ran so that I can inspect a specific command during debugging.

I recorded my thoughts here in a Loom: https://www.loom.com/spaces/All-Fleet-67132/folders/historicalmisc-86bc8a2d884c4313ac3a4da785510ccd

[noahtalerman]

Research

https://docs.google.com/document/d/1Ie-BsUsaBKZiDspogeP1c4ac4AdrV8wYLYBA7pN3WPY/edit#heading=h.zcar6kjvw47a

[noahtalerman]

Double check profiles w/ mdm_bridge table. In the response of mdm_bridge query, if the profiles's OMA URIs and values are matching what's in the profile, profile status is set to "Verified." If not, profile is set to "Failed."

• DONE Marko: Special Fleet error message for not matching values.
• TODO Marko: Does double check work for the strange WMI URIs we get from WS1 profiles?

Hey @marko-lisica heads up, I moved these here (removed from issue description). Also moved the below down here so we don't lose it:

• New activity types for Windows profile should be added: created_windows_profile, deleted_windows_profile, and edited_windows_profile

[noahtalerman]

Hey @marko-lisica this is the language I think we should be using when talking about MDM commands and profiles: https://docs.google.com/document/d/17loPAoQSxZDk41IPHdNgKF6mBIF4ZzRtvIqtbDLZwP4/edit

When you get the chance, can you please check it out and let me know what you think? Thanks!

[noahtalerman]

For later: Check if there's a way to reset Windows a host to default. I think this will results in the same behavior we see on macOS on host team transfer.

[noahtalerman]

@georgekarrv this story is ready for specs (moved to "Settled"). I scheduled a call for us to stub out some subtasks.

Because this story is large I want to try something new: scheduling time w/ individual folks on eng team to hone in on specific sub tasks.

Let's discuss during our call.

[noahtalerman]

George:

• UI changes:
  • Add Windows profiles to OS settings tab
  • Integrate w/ new API endpoints for status counts, profiles list, download, and delete
  • Add Windows profiles Host details page
  • TODO: Need design for changes to host vitals API endpoint. We already have this for macOS

[noahtalerman]

Need to design API changes for list of profiles on Host details page for Windows hosts. We already have something like this for macOS hosts.

@marko-lisica George and I realized we're missing these^ API designs. Can you please take a crack at them and then schedule time to review w/ me on Monday? Thanks!

[noahtalerman]

@marko-lisica heads up, I think we need to solve this problem in the UI: As an IT admin, I want to know that a "Pending" Windows profile will still get delivered after I delete it.

More context in this Loom: https://www.loom.com/share/873032eca0964a26b67dec413b67ee93?sid=ab2edef6-8b26-4ef2-81e1-7bdc5dbe5c1b

[noahtalerman]

@marko-lisica also a reminder in case you missed this: https://github.com/fleetdm/fleet/issues/13281#issuecomment-1751396499

I think we still need these API changes designed.

[marko-lisica]

@marko-lisica heads up, I think we need to solve this problem in the UI: As an IT admin, I want to know that a "Pending" Windows profile will still get delivered after I delete it.

How does it work for macOS profiles? Is there way to remove the macOS profile?

[noahtalerman]

Hey @marko-lisica when you get the chance, can you please update the example response in the fleetctl get mdm-command-result Figma here to reflect what the response would be if an IT admin uploaded the profile example in your gist here?

Today I was trying to explain to @marcosd4h that we want to generate one entry in the results list when an IT admin uploads one profile (or 3 entries for 3 profiles). I was using your profile gist as an example.

I think it would help the team's understanding if result XML was for the profile in the gist.

[noahtalerman]

Discussed w/ @marcosd4h today (on Windows profiles):

Each Windows profile is sent as one command in Fleet. Each command shows up as one entry in fleetctl get mdm-command results response w/ it's results.

So, if the IT admin uploads 3 profiles, there will be 3 entries in the fleetctl get mdm-command results

Added the above to Figma here.

Also, we want to show the entire response XML from a Windows MDM command in fleetctl get mdm-command results. Added this to Figma here.

cc @georgekarrv @roperzh @gillespi314 @marko-lisica

[noahtalerman]

If a profile fails, none of the options in the profile are applied

Heads up @georgekarrv @sabrinabuckets I called this out explicitly in the requirements (it's in Figma here)

@marko-lisica @marcosd4h and I decided that we'll do this by wrapping the profiles in the <Atomic> tags (Windows protocol tag). The IT admin won't see the <Atomic> tags when the download the profile via the Fleet UI/API.

[noahtalerman]

@marko-lisica, @georgekarrv and I noticed that Figma doesn't include specs for updating the profile status filter on the Hosts page (here's the link). Should we change this to "OS settings"?

[marko-lisica]

Should we change this to "OS settings"?

@noahtalerman @georgekarrv We should change this. I've spaced this already in BitLocker designs, but seems it wasn't clear enough. I'll add a note to Windows profiles here.

[mna]

@noahtalerman @marko-lisica Clarification for permissions, the spec mentions:

maintainers, admins, and GitOps users (global and team) can view, add, download, and delete Windows profiles

But gitops cannot view/download, it can only batch-apply via fleetctl, correct? Basically, we want the same permissions that already exist for macOS profiles?

[noahtalerman]

we want the same permissions that already exist for macOS profiles?

@mna that's right. Thanks for catching that. I updated the story's description to reflect this.

cc @marko-lisica

[sabrinabuckets]

Manual testing completed

[noahtalerman]

Confirm and celebrate:

• Needs docs. Try merging in w/ macOS custom settings page. Remove excess content.
• Make sure pricing page calls out cross-platform (macOS + Windows)

[noahtalerman]

Confirm and celebrate:

• Needs docs. Try merging in w/ macOS custom settings page. Remove excess content.
• Make sure pricing page calls out cross-platform (macOS + Windows)

@noahtalerman

[noahtalerman]

C&C: Docs and pricing page PR is here: #16398

[fleet-release]

Windows profiles stream, Like a river through the cloud, Workstations secure.