fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Prevent end user from disabling Fleet agent on macOS #17491

Open nonpunctual opened 4 months ago

nonpunctual commented 4 months ago

Goal

User story
As an IT admin,
I want to prevent end users from disabling Fleet agent on macOS,
so that I can make sure hosts are managed.

Context

The System Settings > General > Login Items UI exposes macOS third-party background/launchctl processes as switches, which is great for a consumer Mac user, bad for a managed device. Apple did not originally intend for these settings to be controlled via MDM. This effectively meant every management & security solution would have become useless overnight if a user could simply turn them off with a switch. Apple eventually changed their design to allow these settings to be controlled via MDM. Jamf deploys a Config Profile at enrollment that prevents a user from modifying this switch for the Jamf service.

Changes

Product

Engineering

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

Manual testing steps

  1. Step 1
  2. Step 2
  3. Step 3

Testing notes

Confirmation

  1. [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
  2. [ ] QA (@____): Added comment to user story confirming successful completion of QA.
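Added illustration, not code from this issue or from the Fleet project: a Python script that assembles the kind of configuration profile the context paragraph describes, i.e. Apple's managed login items payload (PayloadType com.apple.servicemanagement, macOS 13 and later) that locks the Login Items switch for a matching background item, and a check that parses a .mobileconfig back and confirms the agent is covered. Assumptions: the launchd label com.fleetdm.orbit is taken to be the Fleet agent's label, the PayloadIdentifier strings are invented, and a Label rule is used because the page gives no Team ID (a TeamIdentifier rule would cover every item signed by the vendor).

```python
"""Build and sanity-check a macOS "managed login items" configuration profile.

Assumed, not taken from the issue: the Fleet agent's launchd label
(com.fleetdm.orbit) and the PayloadIdentifier values below.
Schema keys (PayloadType com.apple.servicemanagement, Rules, RuleType,
RuleValue) are Apple's documented payload for locking Login Items switches.
"""
import plistlib
import uuid

PAYLOAD_TYPE = "com.apple.servicemanagement"
RULE_TYPES = {
    "BundleIdentifier", "BundleIdentifierPrefix",
    "Label", "LabelPrefix", "TeamIdentifier",
}
ORBIT_LABEL = "com.fleetdm.orbit"  # assumed launchd label of the Fleet agent


def build_profile(rules, identifier="com.example.fleet.loginitems",
                  display_name="Fleet agent login item"):
    """Return a device-scoped profile dict holding one servicemanagement payload.

    `rules` is a list of {"RuleType": ..., "RuleValue": ...} dicts; an unknown
    RuleType is rejected up front rather than silently shipping a no-op rule.
    """
    for rule in rules:
        if rule.get("RuleType") not in RULE_TYPES:
            raise ValueError(f"unknown RuleType: {rule.get('RuleType')!r}")
        if not rule.get("RuleValue"):
            raise ValueError("RuleValue must be non-empty")
    payload = {
        "PayloadType": PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{identifier}.servicemanagement",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Managed login items",
        "Rules": [dict(r) for r in rules],
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",  # device channel; this payload is not per-user
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadContent": [payload],
    }


def to_mobileconfig(profile) -> bytes:
    """Serialize the profile as the XML plist that a .mobileconfig file is."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def protects_label(mobileconfig: bytes, label: str) -> bool:
    """Parse a .mobileconfig and report whether a servicemanagement rule
    matches `label` by exact Label or by LabelPrefix.

    Bundle/Team rules are not evaluated here because resolving them needs the
    signed binary on disk, not just the profile.
    """
    profile = plistlib.loads(mobileconfig)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != PAYLOAD_TYPE:
            continue
        for rule in payload.get("Rules", []):
            kind, value = rule.get("RuleType"), rule.get("RuleValue", "")
            if kind == "Label" and value == label:
                return True
            if kind == "LabelPrefix" and value and label.startswith(value):
                return True
    return False


if __name__ == "__main__":
    prof = build_profile([{"RuleType": "Label", "RuleValue": ORBIT_LABEL}])
    blob = to_mobileconfig(prof)
    print(blob.decode())
    print("agent covered:", protects_label(blob, ORBIT_LABEL))
```

Upload the emitted XML as a custom profile; macOS only honors this payload when an MDM delivers it, so installing the same file by hand does not lock the switch. The check function is the kind of assertion you would keep in a deployment test so that a later edit to the profile cannot quietly drop the agent's rule.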

noahtalerman commented 4 months ago

@nonpunctual thanks for tracking this.

Bringing it to feature fest.

noahtalerman commented 3 months ago

Hey @nonpunctual, heads up, we brought this into the upcoming design sprint (4.49).

nonpunctual commented 3 months ago

I did not get a screenshot of it but there is also a Notification Center message when the login item is added. Not a huge deal but maybe want to consider if we want to suppress it or leave it. Transparency says show it - lots of orgs do this. Paranoia says don't, to prevent users from looking at the toggles. Thanks.

marko-lisica commented 3 months ago

Feedback from Mike M.

"As a user on the "OS settings" page, I want to know there are more things that Fleet is installing that I can't see in the below list. (A tooltip of static text roughly summarizing in like one sentence the two profiles we default install would be fine)"

nonpunctual commented 3 weeks ago

related: https://github.com/fleetdm/fleet/issues/12908

noahtalerman commented 2 weeks ago

Brock: We can make a public version of the profile.

Noah: Do we dogfood this? I think let's dogfood this. cc @lukeheath

Zach: Let's add this to the deployment docs.