Open lukeheath opened 1 month ago
Thanks for writing this up @lukeheath!
Define Fleet best practice to use DDM or a failing policy calendar automation to update host OS versions, but not both.
For Fleet the organization, maintenance windows (aka calendar automations) are the best practice.
Determine how best to communicate this to the user so they understand what happens if they set both DDM and a failing policy calendar automation.
I don't think this should be possible. DDM and calendar automations are two different modes of notification and enforcement.
My first thought is that Controls > OS updates could have 2, mutually exclusive modes:
(1) behaves like Software Updates (DDM) does today.
(2) creates a policy for the user under-the-hood using the min version. No deadline because each end user's calendar event will be unique.
Thoughts?
@noahtalerman That solution would be perfect, so long as we make that setting configurable via GitOps.
Problem
As part of preparing for the 14.5 macOS rollout to our endpoints, we went to Controls > Target and set the macOS version to 14.5 and the deadline to 2024-05-31.
Then, we realized we wanted to auto-remediate it using the calendar automation before then, and the 2024-05-31 could serve as a fail-safe and an opportunity for users to upgrade earlier.
After configuring both, we began to receive questions from confused end users. They saw they had "Scheduled maintenance" on their calendar to update their OS on 2024-05-21, but they were also getting pop-up reminders to do it themselves (DDM). Worse yet, the DDM pop-up was showing our failsafe date of 2024-05-31, which caused the end user to wonder if scheduled maintenance was actually happening on 2024-05-31.
To fix this, we set a OS version target with deadline for "Workstations (Canary)" to dogfood DDM, and did not a version target for "Workstations". Instead, we set a failing policy with a calendar automation that will send an MDM command to the host to update.
One big drawback of this approach is we have to update our Tines flow for every update. Because we can't set the version target in Fleet without enabling DDM, we have to leave it empty, which means we can't retrieve the target dynamically and have to hard code it into the Tines workflow, which creates a maintenance headache, and also a failure point if the workflow isn't updated properly for every release.
Potential solutions