fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Override default disk encryption settings on macOS and Windows #18827

Open willmayhone88 opened 2 months ago

willmayhone88 commented 2 months ago

Goal

User story
As an IT admin enforcing disk encryption on the Controls > OS settings > Disk encryption page,
I want to override Fleet's default disk encryption settings w/ a custom profile
so that I can customize the end user experience (ex. DeferDontAskAtUserLogout and DeferForceAtUserLoginMaxBypassAttempts on macOS).

Context

Changes

Product

Engineering

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

Manual testing steps

  1. Step 1
  2. Step 2
  3. Step 3

Testing notes

Confirmation

  1. [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
  2. [ ] QA (@____): Added comment to user story confirming successful completion of QA.

noahtalerman commented 2 months ago

@willmayhone88, thanks for tracking this.

Makes sense to have an "Advanced" option for disk encryption to override the profile that Fleet uses today.

dherder commented 1 month ago

This should also be done for Windows Disk Encryption (BitLocker).

noahtalerman commented 1 month ago

Hey @willmayhone88 I updated this issue to the user story format and moved your original issue description below.

Please take a look at the user story in the issue description and let me know if you have any feedback. Thanks!


Problem

Currently you cannot add a configuration profile for additional FileVault 2 options such as "DeferDontAskAtUserLogout, DeferForceAtUserLoginMaxBypassAttempts" via a configuration profile, due to FileVault 2 settings being managed by Fleet. If trying to upload a profile that contains these settings, you are presented with an error. Some organizations need the ability to configure those options. Requesting the ability to manage additional FileVault 2 options that Apple allows.

Potential solutions

  1. One option would be to have these settings configurable either through the Fleet UI, or through a Fleet configuration file.
  2. Another option would be to have the ability to upload a custom configuration profile with FileVault 2 settings.

nonpunctual commented 1 month ago

@noahtalerman do you want a separate issue for BitLocker config customization?

JoStableford commented 1 month ago

Related to a Slack conversation

noahtalerman commented 1 month ago

> do you want a separate issue for BitLocker config customization?

@nonpunctual yes please.

In that issue can you please include which BitLocker options the requester is trying to tweak? Thanks :)

This defines the problem more specifically which makes it more helpful to consider all possible solutions.

nonpunctual commented 4 days ago

related: https://github.com/fleetdm/fleet/issues/16866