search

fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com
Other
2.65k stars 379 forks source link

Avoid OS update confusion between DDM and maintenance windows #19140

Open lukeheath opened 1 month ago

lukeheath commented 1 month ago

Problem

As part of preparing for the 14.5 macOS rollout to our endpoints, we went to Controls > Target and set the macOS version to 14.5 and the deadline to 2024-05-31.

Then, we realized we wanted to auto-remediate it using the calendar automation before then, and the 2024-05-31 could serve as a fail-safe and an opportunity for users to upgrade earlier.

After configuring both, we began to receive questions from confused end users. They saw they had "Scheduled maintenance" on their calendar to update their OS on 2024-05-21, but they were also getting pop-up reminders to do it themselves (DDM). Worse yet, the DDM pop-up was showing our failsafe date of 2024-05-31, which caused the end user to wonder if scheduled maintenance was actually happening on 2024-05-31.

To fix this, we set a OS version target with deadline for "Workstations (Canary)" to dogfood DDM, and did not a version target for "Workstations". Instead, we set a failing policy with a calendar automation that will send an MDM command to the host to update.

One big drawback of this approach is we have to update our Tines flow for every update. Because we can't set the version target in Fleet without enabling DDM, we have to leave it empty, which means we can't retrieve the target dynamically and have to hard code it into the Tines workflow, which creates a maintenance headache, and also a failure point if the workflow isn't updated properly for every release.

Potential solutions

  1. Define Fleet best practice to use DDM or a failing policy calendar automation to update host OS versions, but not both.
  2. Determine how best to communicate this to the user so they understand what happens if they set both DDM and a failing policy calendar automation.
noahtalerman commented 1 month ago

Thanks for writing this up @lukeheath!

Define Fleet best practice to use DDM or a failing policy calendar automation to update host OS versions, but not both.

For Fleet the organization, maintenance windows (aka calendar automations) are the best practice.

Determine how best to communicate this to the user so they understand what happens if they set both DDM and a failing policy calendar automation.

I don't think this should be possible. DDM and calendar automations are two different modes of notification and enforcement.

My first thought is that Controls > OS updates could have 2, mutually exclusive modes:

  1. Software Update notifications (DDM)
  2. Maintenance windows

(1) behaves like Software Updates (DDM) does today.

(2) creates a policy for the user under-the-hood using the min version. No deadline because each end user's calendar event will be unique.

Thoughts?

lukeheath commented 1 month ago

@noahtalerman That solution would be perfect, so long as we make that setting configurable via GitOps.