fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Block the end user from logging into third-party tools via IdP (Okta device trust/device health/device posture) #16236

Open noahtalerman opened 6 months ago

noahtalerman commented 6 months ago

Goal

User story
As an endpoint operator,
I want to block the end user from logging into third-party tools (via IdP) if they're failing policies that require end user action to resolve
so that I have an enforcement mechanism for these policies.

Steps:

Changes

Product

Engineering

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

Context

QA

Risk assessment

Manual testing steps

  1. Step 1
  2. Step 2
  3. Step 3

Testing notes

Confirmation

  1. [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
  2. [ ] QA (@____): Added comment to user story confirming successful completion of QA.
noahtalerman commented 5 months ago

Rachael: There's some designs in air guitar we did for a social media customer.

noahtalerman commented 5 months ago

Hey @mike-j-thomas!

If you have 30-60 mins, can you please help me with the designs for the new website pages I mocked up in Figma here?

In this Loom video, I walk through what these pages are for and what I could use your help on.

noahtalerman commented 5 months ago

@zwass here's the image we want to show end users when they're failing > 0 policies.

[image: unhealthy-device]

@mike-j-thomas heads up, Zach and I decided to simplify the flow into one screen^ (Figma here)

If you have 30 mins, it would be awesome if you could touch up that screen so that we feel good about it when we show customers/prospects. Thanks!

mike-j-thomas commented 5 months ago

Hey @noahtalerman and @zwass, I added my touched-up version of your page to the Figma file. I think it could benefit from a line of text in the last step to try logging in again when the policy has been resolved (unless it does it automatically?)

noahtalerman commented 5 months ago

Thanks @mike-j-thomas!

Heads up, I removed the tooltips and tooltip indicators for now so that we can move quickly. The plan is for @zwass to pop open a page with just the .png (no extra functionality for now)

> benefit from a line of text in the last step to try logging in again when the policy has been resolved (unless it does it automatically?)

Agreed. This won't happen automatically for now. Maybe something like "After all policies are passing, try logging in again"?

I think we can add that in a second pass later.

@zwass I exported the .png from Figma and attached it here:

[image: unhealthy-device-1200x1550@2x]
noahtalerman commented 4 months ago

@mike-j-thomas FYI I unassigned you and removed this from the digital experience board.

noahtalerman commented 4 months ago

Mike M:

Try this w/ Slack native app. What happens?

Success criteria:

noahtalerman commented 4 months ago

Zach:

Break glass is important to folks. Example, an engineer is paged because of an incident but they can’t resolve the issue until they update macOS.

Best demo:

  1. Someone is on a laptop with MDM off
  2. End user sees screen
  3. A bunch of other policies are satisfied because there are profiles that get pushed
mike-j-thomas commented 4 months ago

@noahtalerman, @zwass, I added the extra step to Figma, as discussed in Slack.

noahtalerman commented 4 months ago

Thanks @mike-j-thomas!

I tweaked the copy in your extra step and removed the button.

I think "passing" is easier to understand and, even though this is for a POC/demo, we might as well design this as if we could use it today (button doesn't work for now).

@zwass here's the updated PNG:

[image: unhealthy-device-1200x1614@2x]
zwass commented 4 months ago

PoC: https://github.com/fleetdm/fleet/pull/17304/files

noahtalerman commented 3 months ago

Hey @zwass and @dherder, heads up, we didn't get to designs for this one in the last design sprint.

Bringing it back to feature fest.

Zach, do you have any updates on adding multi-factor auth (MFA) to the POC? If we have that working, would be great to record another video so we can post it and show folks we're making progress.

zwass commented 3 months ago

I made progress on that but it's not complete yet. Hopefully next week it will be complete, but I may have to divert my attention to make slides for the BSides workshop.

zwass commented 3 months ago

Okay here's the PoC including MFA: https://www.loom.com/share/aea68e80b3154c3daebf3362a5547faf?sid=e8a613d5-a2ff-4124-877d-c873934b1cd0

Code is in the draft PR (#17304)

noahtalerman commented 3 months ago

Thanks @zwass!

I filed a g-demand request here to get that video posted so that we can show the community/prospects our progress.

FYI @Drew-P-drawers

noahtalerman commented 3 months ago

Mike: For device health, by default, end users must have the agent installed. Someday we could use calendar data to differentiate vacation.

Imagine the computer showed their real name and the computer's status, "Out of office". Maybe not, because we're not sure all orgs mark vacation days consistently (they don't).

zwass commented 1 month ago

@nonpunctual, @dherder, and I discussed the possibility of putting a very minimal amount of work for this into production which would allow customers to build viable workarounds to identify the devices. This would essentially entail merging the changes in the desktop.go file into Fleet Desktop: https://github.com/fleetdm/fleet/pull/17304/files#diff-3f41fa9ae040208ca903cd5556278bdde20b910633cb33141917e131e837c40f. There should be some additional QA work performed around it as well.

I'd estimate a couple days of work to get it productionized and tested.

This would then allow users to build/deploy their own equivalent of the rest of the functionality once they can properly identify the device an authentication request is coming from.
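As an added illustration of what "the rest of the functionality" looks like once the device behind an authentication request can be identified, here is a small posture gate in Go. It is example code written for this page, not Fleet's code and not the draft PR above; the `X-Device-UUID` and `X-Break-Glass` header names, the `posture` table, and the critical/non-critical policy split are all assumptions. It fails closed on an unknown device, denies login while a critical policy is failing (the case where the IdP would render the "unhealthy device" page), reports non-critical failures without blocking, and lets a break-glass flag override the block so the paged engineer from Zach's scenario can still get in.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// PolicyResult is one policy evaluation for a device (constructed shape,
// not Fleet's API).
type PolicyResult struct {
	Name     string `json:"name"`
	Passing  bool   `json:"passing"`
	Critical bool   `json:"critical"` // failing a critical policy blocks login
}

// Decision is what the hypothetical gate returns to the IdP.
type Decision struct {
	Allow      bool     `json:"allow"`
	Failing    []string `json:"failing_policies"`
	BreakGlass bool     `json:"break_glass"`
	Reason     string   `json:"reason"`
}

// posture is a constructed sample "device UUID -> policy results" table
// standing in for a lookup against the endpoint platform.
var posture = map[string][]PolicyResult{
	"device-healthy": {
		{Name: "macOS up to date", Passing: true, Critical: true},
		{Name: "FileVault enabled", Passing: true, Critical: true},
	},
	"device-unhealthy": {
		{Name: "macOS up to date", Passing: false, Critical: true},
		{Name: "Screen lock on", Passing: true, Critical: false},
	},
}

// Evaluate applies the gating rule: unknown device -> deny (fail closed);
// any failing critical policy -> deny unless break-glass is set;
// non-critical failures are reported but allowed.
func Evaluate(deviceID string, breakGlass bool) Decision {
	results, known := posture[deviceID]
	if !known {
		return Decision{Allow: false, Reason: "unknown device"}
	}
	var failing []string
	blocked := false
	for _, r := range results {
		if !r.Passing {
			failing = append(failing, r.Name)
			if r.Critical {
				blocked = true
			}
		}
	}
	switch {
	case blocked && breakGlass:
		return Decision{Allow: true, Failing: failing, BreakGlass: true, Reason: "break-glass override (audit this)"}
	case blocked:
		return Decision{Allow: false, Failing: failing, Reason: "critical policy failing"}
	default:
		return Decision{Allow: true, Failing: failing, Reason: "ok"}
	}
}

// Handler is the hook the IdP would call during login. The device identity
// arrives in a header set by the client-side agent (hypothetical header name);
// a real deployment would validate a signed break-glass token, not a bare flag.
func Handler(w http.ResponseWriter, r *http.Request) {
	deviceID := r.Header.Get("X-Device-UUID")
	breakGlass := r.Header.Get("X-Break-Glass") == "true"
	d := Evaluate(deviceID, breakGlass)
	w.Header().Set("Content-Type", "application/json")
	if !d.Allow {
		w.WriteHeader(http.StatusForbidden) // IdP shows the "unhealthy device" page on 403
	}
	_ = json.NewEncoder(w).Encode(d)
}

// Check sends one login request through Handler in-process and returns the
// HTTP status and the decoded decision.
func Check(deviceID string, breakGlass bool) (int, Decision) {
	req := httptest.NewRequest(http.MethodPost, "/device-posture", nil)
	req.Header.Set("X-Device-UUID", deviceID)
	if breakGlass {
		req.Header.Set("X-Break-Glass", "true")
	}
	rec := httptest.NewRecorder()
	Handler(rec, req)
	var d Decision
	_ = json.NewDecoder(rec.Body).Decode(&d)
	return rec.Code, d
}

func main() {
	cases := []struct {
		id string
		bg bool
	}{
		{"device-healthy", false}, {"device-unhealthy", false}, {"device-unhealthy", true}, {"device-missing", false},
	}
	for _, c := range cases {
		code, d := Check(c.id, c.bg)
		fmt.Printf("%-17s break-glass=%-5v -> %d allow=%v failing=%v (%s)\n", c.id, c.bg, code, d.Allow, d.Failing, d.Reason)
	}
}
```

The break-glass branch still returns the failing policy list so the override can be logged and reviewed afterwards; the point of the flag is to keep an incident responder from being locked out, not to hide the posture failure.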

nonpunctual commented 1 month ago

attn: @pintomi1989

noahtalerman commented 1 month ago

@zayhanlon let's see how we can slot this into the roadmap instead of bringing it through feature fest.

noahtalerman commented 1 month ago

We should get a T shirt size on this issue to help w/ planning.