fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

UI to add/edit/delete configuration profiles and scripts on multiple teams #20296

Open willmayhone88 opened 1 month ago

willmayhone88 commented 1 month ago

Goal

User story
As a help-desk user at an MSP that offers a white-label MDM solution built on top of Fleet,
I want to use a UI to add/edit/delete configuration profiles and scripts across many of my clients (teams in Fleet)
so that I don't have to use GitOps or do repetitive actions (ex. add) to manage the same on each team.

Context

@noahtalerman: The plan is to build a new Sails app for customer-deebradel on top of the existing Fleet API so that we can move quickly w/o disrupting parallel MDM feature work in the Fleet product.

For more context see this Google doc (internal).

Changes

Product

Engineering

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

Manual testing steps

  1. Step 1
  2. Step 2
  3. Step 3

Testing notes

Confirmation

  1. [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
  2. [ ] QA (@____): Added comment to user story confirming successful completion of QA.

noahtalerman commented 1 month ago

Thanks for tracking this @willmayhone88!

I just met w/ customer-deebradel and they said that they want to enable this workflow specifically for help-desk and to have it work for configuration profiles, scripts, and software. Not just scripts.

I updated the issue description to reflect this and moved your original issue description below.

We decided that configuration profiles are the highest priority because they plan on starting w/ onboarding new clients that have macOS hosts only sometime in October.

Configuration profiles are required for this and scripts are nice to have. Software isn't required because they use Munki for macOS. Software will be required when they onboard/migrate clients w/ Windows machines (after onboarding new macOS clients). They're planning on using Fleet to manage Windows software.

cc @pintomi1989


Original issue description from @willmayhone88:

Problem

As a Fleet admin I'd like the ability to upload scripts and have those apply to multiple teams. This will be especially useful for those that do not have heavy GitOps knowledge, or those wanting to work in the UI.

What have you tried?

When uploading scripts for multiple teams in the UI, you currently need to upload them to each team individually. This can be time consuming uploading the same script multiple times.

Potential solutions

Create a way when uploading scripts to select multiple teams, potentially a front-end app that can choose the teams for the upload, and have the API create the multiple uploads in the background.

What is the expected workflow as a result of your proposal?

Fleet user uploads a script once, and selects the relevant teams. Then API calls in the background will add to all the teams selected to then be used as needed.

RachelElysia commented 1 month ago

@noahtalerman

This sounds like a great feature that other Premium users would benefit from as well.

A suggestion, we could include an option to upload to multiple teams directly on the page where the frontend would send those scripts appropriately to existing APIs, maybe using our multiselect dropdown component we already have.

To me this is the quickest route and we wouldn't have to maintain a second app or rebuild in the UI if more customers wanted the same feature.

Example:

[Screenshot 2024-07-25 at 9 43 43 AM]

Mimic existing UI and hide it within a "Show advanced options ▽" button, when they open it, it has the current team preselected but users can modify the teams targeted on the multi-selector.

We can chat more later!

noahtalerman commented 1 month ago

[Screenshot 2024-07-25 at 2 14 44 PM]

noahtalerman commented 1 month ago

FYI @RachelElysia I updated the user story to reflect the decision to cut software CRUD and profile/script edit in the first pass.

lukeheath commented 1 month ago

@sharon-fdm Just a reminder that the team doesn't need to estimate this. @eashaw and I will be taking it on and will estimate separately before sprint kick off. Thanks!

noahtalerman commented 1 month ago

Mike: The thing for customer-ufa already has the ability to pull all hosts. Make sure Eric knows about this but who knows how helpful it is. ✅

Mike: Bring back edit for scripts ✅ and add in v1 of library so we start working on that ✅

Noah: Add default sort ✅

Mike: Call to action to get in the Fleet UI to see status. Don't be shy about these. "Status" column is a good idea. WONT

Mike: Show an .xml (Windows) profile ✅

Mike: As part of QA let's see if "pending" scripts are actually canceled. Did all of these contingencies make it into API docs? Did the error message make sense? TODO

Reminder to ask Eric to let us know when the API stinks so we can learn. ✅

RachelElysia commented 1 month ago

Estimation with @eashaw

Configuration profiles page:

  • Read operations (page, teams and all teams view, dropdown, download) - 3-5
  • Add/Edit/Delete - 3

Scripts page (after building Configuration profiles page):

  • Read operations (page, teams and all teams view, dropdown, download) - 2
  • Add/Edit/Delete - 2

Total: 10-12 pts

Parking lot:

Q: What does it mean to add a profile to the library but not deploy it?

A: Noah: We don't have this concept in the fleet database, so it will need to be done on Sails. Experiment with adding it into the gitops repo but not deploying it to hosts.

lukeheath commented 1 month ago

Maturity review notes:

Brock: What if it’s an 802.1X with a cert to authenticate with a corporate Wi-Fi network? Those profiles are usually set to auto-join because the admins never want the users to have to enter credentials.

Brock: We need to be careful about this because the Wi-Fi will drop if the 802.1X profile is ever removed. So we want to make sure that if an updated cert is ever added, it’s delivered on top of the 802.1X and the old one isn’t removed first.

Noah: For the edit profile workflow, the expected behavior is we’re just redelivering the profile, so we expect the credentials to get updated, but we should verify.

sharon-fdm commented 1 month ago

@eashaw, kind reminder to discuss whether this needs a document.

lukeheath commented 1 month ago

@eashaw I'm going to unassign myself for now from the issue, but just let me know if I can assist.

eashaw commented 1 week ago

The app we built has been merged and lives in ee/bulk-operations-dashboard/

QA instructions:

Set up:

  1. Set up a Fleet instance with MDM enabled (Windows and macOS)
  2. Update the sails_custom__fleetApiToken and sails_custom__fleetBaseUrl configuration values in ee/bulk-operations-dashboard/docker-compose.yml to contain the URL of the Fleet instance and an API token of a user on the instance.
  3. Start the dashboard container with docker-compose up --build
  4. Open the dashboard at localhost:1337 and login with the default admin login (email: admin@example.com, password: abc123)
    • [ ] /profiles:
      • [ ] Add a profile and don’t assign a team.
      • [ ] Switch the team filter; the profile not assigned to a team should not be visible.
      • [ ] Add a .mobileconfig profile
      • [ ] Add a new .json profile
      • [ ] Add a new .xml profile
      • [ ] Reassign an undeployed profile to a team
      • [ ] Reassign the previously undeployed profile to all teams
      • [ ] Download a profile
      • [ ] Unassign a profile from all teams and download the profile
      • [ ] Delete a profile
      • [ ] Upload a profile on the Fleet instance and refresh the dashboard; the profile that was uploaded should be there.
      • [ ] Edit the profile to unassign it from all teams. Check the Fleet instance to make sure the profile is not present on any teams.
      • [ ] Edit the profile to add it to a team.
      • [ ] Edit the profile and reupload a different profile on the dashboard. It should show an error about the bundle identifier not matching.
      • [ ] Replace the profile with the version that was uploaded on the Fleet instance.
    • [ ] /scripts:
      • [ ] Add a script, and don’t assign a team
      • [ ] Switch the team; the script not assigned to a team should not be visible.
      • [ ] Add a .sh script
      • [ ] Add a .ps1 script
      • [ ] Reassign the undeployed script to a team
      • [ ] Reassign a script to all teams
      • [ ] Download a script
      • [ ] Unassign a script from all teams and download the script
      • [ ] Delete a script
      • [ ] Upload a script on the Fleet instance and refresh the dashboard; the script that was uploaded should be there.
      • [ ] Edit the script to unassign it from all teams. Check the Fleet instance to make sure the script is not present on any teams.
      • [ ] Edit the script to add it to a team.
      • [ ] Edit the script and reupload a different script on the dashboard.
      • [ ] Replace the script with the version that was uploaded on the Fleet instance.
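
Added example, not part of the thread and not code from ee/bulk-operations-dashboard/: a sketch of the check behind the "bundle identifier not matching" test case, combined with the maturity-review concern that an edited profile is redelivered rather than removed first. It assumes "bundle identifier" means the top-level PayloadIdentifier of an unsigned .mobileconfig; the function names, team names and sample profiles are hypothetical.

```python
import plistlib


def make_profile(identifier: str, cert_label: str) -> bytes:
    """Constructed sample .mobileconfig (unsigned XML plist), for this example only."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        "PayloadDisplayName": "Corp Wi-Fi (" + cert_label + ")",
        "PayloadContent": [],
    })


def payload_identifier(raw: bytes) -> str:
    """Return the top-level PayloadIdentifier; signed (CMS-wrapped) profiles are rejected."""
    try:
        doc = plistlib.loads(raw)
    except Exception as exc:  # plistlib raises several different parse errors
        raise ValueError("not a parseable plist") from exc
    ident = doc.get("PayloadIdentifier") if isinstance(doc, dict) else None
    if not isinstance(ident, str) or not ident:
        raise ValueError("profile has no top-level PayloadIdentifier")
    return ident


def plan_edit(current: bytes, replacement: bytes, current_teams, target_teams) -> dict:
    """Per-team action for an edit.

    Teams that keep the profile get "redeliver", never remove-then-add, so a
    Wi-Fi profile is not pulled from hosts while its replacement is pending.
    """
    old_id, new_id = payload_identifier(current), payload_identifier(replacement)
    if old_id != new_id:
        # A different identifier is a different profile, not an update in place.
        raise ValueError(f"identifier mismatch: {old_id!r} != {new_id!r}")
    cur, tgt = set(current_teams), set(target_teams)
    plan = {team: "redeliver" for team in cur & tgt}
    plan.update({team: "add" for team in tgt - cur})
    plan.update({team: "remove" for team in cur - tgt})
    return dict(sorted(plan.items()))


if __name__ == "__main__":
    old = make_profile("com.example.wifi", "cert A")
    new = make_profile("com.example.wifi", "cert B")
    print(plan_edit(old, new, ["Client 1", "Client 2"], ["Client 2", "Client 3"]))
```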

lukeheath commented 1 week ago

@eashaw Thank you for building this and for the detailed test plan. Really appreciate it!

@xpkoala Let me know if I can assist you in getting this up and running locally and talking to your local Fleet API.