fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Test macOS MDM workflows on macOS Sonoma #13669

Closed (noahtalerman closed this issue 1 year ago)

noahtalerman commented 1 year ago

Goal

User story
As an IT admin,
I want Fleet to test the macOS MDM features on macOS Sonoma
so that I can be confident my workflows will continue to work when I upgrade my Macs to Sonoma.

Context

Noah: This ticket QA only. No code changes to Fleet.

QA

Manual testing steps

  1. ✅ Turn MDM on for a Mac manually. Docs are here.
  2. ✅ Automatically enroll a Mac with end user auth enabled, a EULA, and a bootstrap package. Docs are here.
  3. ✅ Migrate a DEP Mac using the default workflow. Docs are here.
  4. ✅ Migrate a DEP Mac using the end user workflow. Docs are here.
  5. ✅ Turn on/off disk encryption. Go through the reset disk encryption key flow. Docs are here.
  6. ✅ Add, edit, and remove profiles. Docs are here.
  7. ✅ Send a custom MDM command. Docs are here.
  8. ✅ Trigger Nudge by setting a minimum version and deadline for OS updates. Docs are here.
  9. ✅ Run a custom script. Docs are here.
  10. ✅ Add profiles to a host using Fleet's Puppet module. Docs are here.
    • This one might require help from the MDM engineering team (they have Puppet environments set up).
    • Validated in customer env.
  11. ✅ Turn off MDM for a host.
  12. ✅ Populate the Full Name and Account Name during local account creation with the end user's IdP attributes.
  13. ✅ Require end users to wait for configuration profiles before they can use their new Mac.

Testing notes

For each of the above flows, please record whether or not the features work as expected.

Also, for each flow, add any notes about unique or interesting behavior. If there's something particularly interesting, please record a Loom video.

sabrinabuckets commented 1 year ago

The issue description is updated with these results (noahtalerman 2023-09-26)

noahtalerman commented 1 year ago

TODO: Add profiles to a host using Fleet's Puppet module. Docs are here

@roperzh if adding profiles on Sonoma works, is there any more testing we need to do to call this^ one done?

noahtalerman commented 1 year ago

@sabrinabuckets for when you're back: I updated the issue description to reflect your report in this comment.

Looks like there are 3 more flows to test. Is that right?

UPDATE: Looks like there are now 5 more flows to test. Does that look right? (added Roberto's suggestions)

roperzh commented 1 year ago

@noahtalerman from the list, I would try to validate disk encryption again, specifically the part about escrow:

Turn on/off disk encryption. Go through the reset disk encryption key flow: Validated general flow, unable to validate profile verification or key escrow due to existing bug

Off the top of my head, I can also think of:

noahtalerman commented 1 year ago

UPDATE: macOS Sonoma was released today. We've confirmed that 7 of the 12 macOS MDM features listed in this issue's description work on Sonoma. Testing of the remaining 5 is still TODO.

@zayhanlon @dherder @ksatter tagging you folks in case customers bring this up.

cc @zhumo

dherder commented 1 year ago

@willmayhone88 fyi

sabrinabuckets commented 1 year ago

@roperzh which flow specifically are you referring to here: Automatic account configuration during DEP setup? It reads to me like pre-configuring a user account during the ADE flow, which I know is possible but didn't realize we had implemented?

Disk encryption flow was re-validated after my DB reset, I've noted that accordingly. Turning off MDM for a host has been validated.

noahtalerman commented 1 year ago

which flow specifically are you referring to here: Automatic account configuration during DEP setup?

@sabrinabuckets this feature here: #10744

sabrinabuckets commented 1 year ago

@noahtalerman is that feature only supported with Okta as the IdP, or should it work with any? Is the configuration process documented? Because I don't see it with the End User Auth docs.

noahtalerman commented 1 year ago

@sabrinabuckets it should work with any IdP (@roperzh please correct me if I'm wrong).

It looks like we missed documenting #10744. Great catch.

Here are instructions for testing it:

  1. Enable end user auth. Docs here.
    • In your end user auth app in your IdP, set one of these to what you want the Full Name to be.
    • In your IdP, set Name ID to what you want the Username to be. If the Name ID is an email, we only use what comes before "@".
  2. Update your macOS Setup Assistant settings (DEP profile) so that await_device_configuration is set to true. This will pause the device at the "Remote Management" screen during setup until it's released.
  3. When the host has all profiles set to "Verifying" in Fleet, send the Release Device from Await Configuration MDM command using fleetctl or the API. This will let the device proceed to the next steps in setup, including the user account creation screen.

@roperzh am I missing anything? Details on what to configure on the IdP side?
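The three steps above can be scripted by the QA engineer rather than clicked through. The following is an added example, not Fleet's own code and not from any participant in this thread: it flips `await_device_configuration` on in a DEP profile dict, decides from a host's profile statuses whether the device may be released (the gate in step 3), and builds the Apple MDM `DeviceConfigured` command plist that "Release Device from Await Configuration" corresponds to. The sample DEP profile and host profile list are constructed for the example; treating `verified` as ready in addition to `verifying` is an assumption, as is the shape of the profile status entries.

```python
import plistlib
import uuid
from typing import Iterable, Optional

# Assumption: once a profile is "verifying" it has been delivered to the host,
# and "verified" is at least as far along. "pending" and "failed" block release.
READY_STATUSES = {"verifying", "verified"}


def dep_profile_with_await(profile: dict) -> dict:
    """Return a copy of a DEP/ADE profile with await_device_configuration set to true (step 2)."""
    updated = dict(profile)
    updated["await_device_configuration"] = True
    return updated


def all_profiles_delivered(profiles: Iterable[dict]) -> bool:
    """Step 3 gate: True only when every profile has reached a delivered state.

    A missing or empty status is treated as not ready, so a host whose profile
    list has not been populated yet is never released prematurely.
    """
    return all((p.get("status") or "").lower() in READY_STATUSES for p in profiles)


def device_configured_command(command_uuid: Optional[str] = None) -> bytes:
    """Build the 'Release Device from Await Configuration' MDM command as an XML plist.

    Apple's RequestType for this command is DeviceConfigured; the plist shape
    (Command dict plus CommandUUID) is the standard MDM command envelope.
    """
    payload = {
        "Command": {"RequestType": "DeviceConfigured"},
        "CommandUUID": command_uuid or str(uuid.uuid4()),
    }
    return plistlib.dumps(payload)


# Constructed sample inputs for the example run below.
SAMPLE_DEP_PROFILE = {
    "profile_name": "QA Sonoma",
    "await_device_configuration": False,
}
SAMPLE_HOST_PROFILES_READY = [
    {"name": "FileVault", "status": "verifying"},
    {"name": "Wi-Fi", "status": "verified"},
]
SAMPLE_HOST_PROFILES_BLOCKED = [
    {"name": "FileVault", "status": "verifying"},
    {"name": "Wi-Fi", "status": "pending"},
]


def release_decision(profiles: Iterable[dict]) -> Optional[bytes]:
    """Return the command plist to send if the host may be released, else None."""
    if not all_profiles_delivered(profiles):
        return None
    return device_configured_command()


if __name__ == "__main__":
    print(dep_profile_with_await(SAMPLE_DEP_PROFILE))
    for label, profiles in (("ready", SAMPLE_HOST_PROFILES_READY),
                            ("blocked", SAMPLE_HOST_PROFILES_BLOCKED)):
        cmd = release_decision(profiles)
        print(label, "-> send DeviceConfigured" if cmd else "-> wait")
    with open("release.plist", "wb") as fh:
        fh.write(device_configured_command())
```

The written `release.plist` is what step 3 hands to fleetctl (`fleetctl mdm run-command --payload=release.plist --hosts=<host>`); checking the gate first matters because releasing a host whose profiles are still pending lets the user reach account creation before FileVault and the other settings are in place.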

noahtalerman commented 1 year ago

Hey @sabrinabuckets moving this one back to awaiting QA column in the release board because there's some testing left before we call it done (scope expanded a bit).

sabrinabuckets commented 1 year ago

@noahtalerman those instructions don't really tell me what I need to do. The ADE profile seems to have been auto-generated, and I don't know where it lives or how to find & edit it. I am also struggling to understand what the point is of a process that requires a device to be "paused at Remote Management" and then need an MDM command to release? Based solely on that description, I cannot see how this is a flow that anyone would actually use. Am I misunderstanding the steps?

willmayhone88 commented 1 year ago

@sabrinabuckets One of the main purposes of this workflow is that you must have valid credentials linked to your organization's IdP in order to even enroll your device into the company's MDM. It helps prevent unauthorized users from enrolling a device, just in case your organization deploys custom software/scripts or anything they would want confidential as part of the enrollment process.

sabrinabuckets commented 1 year ago

@willmayhone88 I understand the point of auth here, just not of the workflow as described.

noahtalerman commented 1 year ago

@sabrinabuckets I just opened a PR with docs for this feature: #10744. PR is here: https://github.com/fleetdm/fleet/pull/14217/files

I think the instructions are a lot better than my above comment here.

This PR also includes docs for another feature: Require end users to wait for configuration profiles before they can use their new Mac.

@willmayhone88 please feel free to jump in on that PR if I'm missing something!

These docs should answer questions on why an organization would want to use these features.

When you get the chance, can you please test these features by following the instructions? That's what our users/customers will be doing.

If it's still unclear, let's hop on a call :)

noahtalerman commented 1 year ago

@sabrinabuckets heads up, macOS 14.1 is out so we can test OS updates (Nudge) on Sonoma

sabrinabuckets commented 1 year ago

Able to verify Nudge properly enforces 14.1 update.

fleet-release commented 1 year ago

Sonoma upgrade near, MDM workflows tested, Fleet ensures no fear.