fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Enroll BYOD iOS/iPadOS hosts #19448

Open noahtalerman opened 1 month ago

noahtalerman commented 1 month ago

Goal

User story
As an IT admin,
I want to enroll BYOD iPhones and iPads
so that I can install software and enforce settings on end user devices that can access organization resources/tools.

Context

@noahtalerman: My current understanding is that there are two ways/workflows to enroll BYOD iOS/iPadOS hosts:

  1. End user downloads/installs manual enrollment profile. Fleet supports this workflow today for macOS hosts.
  2. End user logs in using Managed Apple ID. Fleet doesn't support this workflow for macOS.

@noahtalerman: We think our customers are looking to use workflow (2). It's also the workflow we understand the least. So, let's prioritize drafting that workflow in this air guitar.

Changes

Product

Engineering

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

Manual testing steps

  1. Step 1
  2. Step 2
  3. Step 3

Testing notes

Confirmation

  1. [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
  2. [ ] QA (@____): Added comment to user story confirming successful completion of QA.

marko-lisica commented 1 month ago

@Patagonia121 This one didn't make it to estimation. We plan to prioritize this in the next design sprint.

dherder commented 3 weeks ago

Adding @ddribeiro's helpful information from the older, closed issue: Support for account driven user enrollment would enable an organization to allow their employees to enroll their personally owned devices (iOS/iPadOS) into Fleet using a Managed Apple ID. User Enrollment provides several benefits to the employee and organization when enrolling personally owned devices:

  - Organization data is cryptographically separated from personal data.
  - Enrollment of personal devices is streamlined, as there is a standardized flow built into iOS in Settings > General.
  - Some typical MDM capabilities for organization-owned devices are not available (i.e. Erase Device), offering an employee peace of mind that their personal information cannot be erased when they enroll.
  - Organization can see limited device details (i.e. can only see a list of managed apps, not a full list).

Links:

  - Apple Platform Deployment: User Enrollment and MDM
  - Apple Platform Deployment: User Enrollment MDM Information

nonpunctual commented 3 weeks ago

@noahtalerman when issues like this are transferred to other issues & the prior issues are closed do you think it would be possible to always bring the labels over to the new issue? I copied them over from #19329. Is there something we can do to automate this? Thanks.

noahtalerman commented 3 weeks ago

Hey @nonpunctual, I think let's manually copy them over for now. I didn't do that this time. Apologies.

Doesn't save a ton of time to automate. If we mess up, we have a record.

noahtalerman commented 3 weeks ago

Noah: Might not be able to wipe BYOD if you install an enrollment profile.

Marko: I think you can.

Noah: Maybe it's some permissions you can change in the enrollment profile that gets installed.

@marko-lisica when you get the chance can you please drop your research on this here.

noahtalerman commented 1 week ago

Hey @zayhanlon and @mikermcneil, heads up that this didn't get designed in the current design sprint. Bringing it to the next design sprint because it's a high priority for the business (OKR).

SFriendLee commented 1 week ago

Hey @noahtalerman, I shared this with Mike. He asked if you could share this with the e-group on how/if this changes the summer's high-level road map.