Automatically configure DEP profile for teams created by Puppet

noahtalerman commented 1 year ago

Goal

User story
As an IT admin,
I want Fleet to automatically set the DEP profile (macOS Setup Assistant) for teams created by Puppet
so that I don't have to manage this configuration manually for my teams.

Requirements

When a new team is created by the Puppet module, automatically set the macOS Setup Assistant settings to the same configured for "No team." If "No team" doesn't have a settings configured (default settings), the new team doesn't get settings configured. If "No team" settings change, existing teams' aren't updated.

Changes

[ ] When a new team is created by the Puppet module, automatically add the "No team" macOS Setup Assistant settings to it.

QA

Risk assessment

Requires load testing: TODO
Risk level: Low / High TODO
Risk description: TODO

Manual testing steps

Enroll a host and turn on MDM features
Set a custom setup assistant for "no team"
Create a new team using the "puppet endpoints"
In the database, check if you can see a row for the team in the mdm_apple_setup_assistants table for that host.

Addendum: using the puppet endpoints

If you want to test this without using Puppet, you can run the following commands:

Set up your environment variables:

export FLEET_TOKEN=your-token-here
export HOST_UUID=target-host-hardware-uuid
export TEAM_NAME=name-of-the-team
export MDM_PROFILE=path-to-a-profile

for example I have:

export FLEET_TOKEN=eQlQ1CI0Z6Otni3cvPd24ESsFvRJjwEyqjITpQfNLgFUZPJNBgPhdwDWlLca56c3fNqRCsWyArC9qaDmRHm0bg==
export HOST_UUID=183D8F41-E99F-46DC-BB9E-B6CD214A4B06
export TEAM_NAME=test_puppet_team
export MDM_PROFILE=mdm_profiles/limit_ad_tracking.mobileconfig

Pre-assign a configuration profile to your host:

curl -XPOST -v -H 'Content-Type: application/json' -H "Authorization: Bearer $FLEET_TOKEN" https://localhost:8080/api/latest/fleet/mdm/apple/profiles/preassign -d "{\"profile\": \"$(cat $MDM_PROFILE | base64)\", \"external_host_identifier\": \"$HOST_UUID\", \"host_uuid\": \"$HOST_UUID\", \"group\": \"$TEAM_NAME\"}"

Match the pre-assignment:

curl -XPOST -v -H 'Content-Type: application/json' -H "Authorization: Bearer $FLEET_TOKEN" https://localhost:8080/api/latest/fleet/mdm/apple/profiles/match -d "{\"external_host_identifier\": \"$HOST_UUID\"}"

Testing notes

Confirmation

[ ] Engineer (@____): Added comment to user story confirming succesful completion of QA.
[ ] QA (@____): Added comment to user story confirming succesful completion of QA.

noahtalerman commented 1 year ago

Hey team! Please add your planning poker estimate with Zenhub @mna @roperzh

sabrinabuckets commented 1 year ago

Following the "test without Puppet" instructions above, I was able to successfully create a new team with config that matches the No team config, and verify host was moved to that team.

noahtalerman commented 1 year ago

Confirm and celebrate: Docs are here: https://fleetdm.com/docs/using-fleet/puppet-module.

Currently helping the customer write a script to retroactively apply the DEP profiles to existing teams in Slack here (internal): https://fleetdm.slack.com/archives/C04QDDZNQ2H/p1694614604948659?thread_ts=1694540570.715079&cid=C04QDDZNQ2H

fleet-release commented 1 year ago

Fleet and Puppet dance, Auto-set DEP, no chance For manual advance.

fleetdm / fleet