fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Add additional options for managing software updates through DDM #20500

Open ddribeiro opened 1 month ago

ddribeiro commented 1 month ago

Problem

When using Fleet to manage macOS software updates, I would like additional options to manage which software updates get applied to my hosts and when.

Specifically, I'd like options to enforce different versions such as:

  1. Minimum version (exists in Fleet today)
  2. Latest version -x
  3. Latest major release
  4. Latest minor release

Additionally, options to manage when the update gets enforced:

  1. Specific date (exists in Fleet today)
  2. Relative date (enforce x days after release)

Example: I'd like to tell Fleet that the latest major release of macOS should be enforced across my organization 14 days after release.

What have you tried?

I tried to look for this option in the Fleet UI under Controls > OS updates > macOS. However, today I am only able to enforce a minimum version and a specific enforcement date.

Potential solutions

In addition to the "Deadline" field that Fleet currently supports, this problem could be solved in the UI by adding a "Specific date/Relative date" toggle to give Fleet admins the option for how they want to enforce their software updates.

Specific date would work exactly like it does today. The admin would choose a date they want to enforce the software update by. Relative dates would allow a user to define a number of days to enforce the software update after release. Similar to how Windows updates are managed today in Fleet.

Options would also be provided to let the Fleet admin decide what updates they want to enforce based on the criteria listed in the Problem section above.

What is the expected workflow as a result of your proposal?

Admins would log into Fleet and navigate to Controls > OS updates and select the options that aligned with their organization's policies for software updates. Providing options that align with a variety of policies would increase adoption of this feature in Fleet.

JoStableford commented 1 month ago

Related to a Slack conversation

nonpunctual commented 1 month ago

https://github.com/fleetdm/fleet/issues/20501

noahtalerman commented 1 month ago

Thanks for tracking this @ddribeiro! Great feature request.

> Specifically, I'd like options to enforce different versions such as:
>
>   1. Minimum version (exists in Fleet today)
>   2. Latest version -x
>   3. Latest major release
>   4. Latest minor release
>
> Additionally, options to manage when the update gets enforced:
>
>   1. Specific date (exists in Fleet today)
>   2. Relative date (enforce x days after release)

Do you know if these items are supported by Apple's DDM protocol? Are they options in the software update declaration profile?

Wondering if Fleet would have to build the logic for relative date or if Apple offers it in the protocol.

JoStableford commented 1 month ago

Related to a Slack conversation

ddribeiro commented 4 weeks ago

@noahtalerman, I don't think this is supported by the DDM protocol. There is only a TargetLocalDateTime property, which takes a date in a yyyy-mm-ddThh:mm:ss format, as seen here: https://developer.apple.com/documentation/devicemanagement/softwareupdateenforcementspecific

So it looks like the logic for these additional controls would have to be built into Fleet and passed to the declaration.

spokanemac commented 3 weeks ago

@noahtalerman The DDM protocol does not support relative dates; as far as I can tell, they are calculated by the MDM.
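
The server-side calculation discussed in the last comments, as an added example that is not Fleet's code or part of the thread: it resolves a "latest version -x" policy and a relative deadline into the fixed `TargetOSVersion` and `TargetLocalDateTime` values the declaration takes. The names `Release`, `Catalog`, `rank` and `Payload`, the sample versions and dates, the identifier, and the reading of "-x" as x entries behind the highest version number are all assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// Release is one row of a constructed sample catalogue (not Apple's real feed).
type Release struct {
	Version  string
	Released time.Time
}

func day(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 12, 0, 0, 0, time.UTC) }

// Catalog holds constructed versions and dates, deliberately out of order.
var Catalog = []Release{{"14.4", day(2024, 3, 7)}, {"13.6.7", day(2024, 5, 13)},
	{"14.5", day(2024, 5, 13)}, {"14.4.1", day(2024, 3, 25)}}

// rank turns "14.5" or "14.4.1" into a sortable number; missing parts count as 0.
func rank(v string) int {
	var a, b, c int
	fmt.Sscanf(v, "%d.%d.%d", &a, &b, &c)
	return a*1_000_000 + b*1_000 + c
}

// Payload picks the release `behind` steps below the highest version and sets the
// deadline `graceDays` after its release, as a fixed yyyy-mm-ddThh:mm:ss string.
func Payload(cat []Release, behind, graceDays int) (map[string]string, error) {
	if behind < 0 || behind >= len(cat) {
		return nil, fmt.Errorf("catalogue has no release %d behind latest", behind)
	}
	s := append([]Release(nil), cat...) // sort a copy so the caller's slice is untouched
	sort.Slice(s, func(i, j int) bool { return rank(s[i].Version) > rank(s[j].Version) })
	t := s[behind]
	return map[string]string{
		"TargetOSVersion":     t.Version,
		"TargetLocalDateTime": t.Released.AddDate(0, 0, graceDays).Format("2006-01-02T15:04:05"),
	}, nil
}

func main() {
	p, _ := Payload(Catalog, 0, 14)
	out, _ := json.MarshalIndent(map[string]any{
		"Type": "com.apple.configuration.softwareupdate.enforcement.specific", "Identifier": "com.example.os-update", "Payload": p}, "", "  ")
	fmt.Println(string(out))
}
```

Sorting by version number rather than release date keeps a 13.x patch that ships on the same day as 14.5 from being picked as "latest". The declaration has to be regenerated whenever the catalogue gains a release, since the device only ever sees the fixed date.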