Open ddribeiro opened 4 months ago
I lose the ability to take advantage of profiles that are cross platform between macOS and iOS by deploying a profile once.
Hey @ddribeiro, this is interesting...what profiles specifically are customers wanting to apply to macOS and iOS hosts?
I'd be able to group iOS and macOS hosts on the same team in a way that makes sense for my organization.
I'm asking the above because up until this point, my understanding is that it's the best practice to group iOS and macOS hosts on different teams.
Why? macOS and iOS hosts have very different risk/compliance needs (enforce different settings), and thus their security baseline is different, and thus their "team" in Fleet is different.
I could be wrong about the above though.
There are use cases for wanting to limit profile scope further than device platform. For example, I might want to deploy a profile only to hosts running iOS 17.
This makes sense. Could be it's own request maybe.
Dale: Based on this iPhone/iPad attribute, apply this specific profile.
For example, I want to apply X configuration profile if the iPhone is on iOS 18+
Hey @ddribeiro, heads up, we didn't get to this air guitar in the last design sprint. We added it back to feature fest.
Problem
As an admin, I need a scoping mechanism for mobile devices.
For desktop hosts, I'm able to apply a dynamic label to my hosts by building a query. The current label framework is insufficient for mobile devices because application of a label is dependent on osquery. Mobile devices can't run osquery.
What have you tried?
To solve this, I created a team for iOS hosts in accordance with Fleet's best practices, so I can add iOS specific profiles to that team. However, there are a few shortcomings to this method:
Potential solutions
A potential solution would be to add the ability to apply dynamic labels to iOS hosts like I'm able to do for macOS hosts today.
I think a "big picture" solution to this would be to add the ability to add labels to hosts based on attributes derived from Fleet instead of the device itself. This would apply to all platforms supported by Fleet, but the biggest benefit would be on iOS where there is no osquery agent to run queries against.
What is the expected workflow as a result of your proposal?
As a result of this, I'd be able to group iOS and macOS hosts on the same team in a way that makes sense for my organization. I'd be able to deploy certain profiles only to iOS hosts on that team and other profiles to both macOS and iOS hosts.
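To make the proposal above concrete, here is an added example (not Fleet's code, and not an API Fleet offers) of what a "Fleet-derived" label would look like: a predicate evaluated over the inventory Fleet already holds for a host (platform, OS version, team) instead of an osquery result, so it works for iOS and iPadOS hosts that cannot run osquery. The platform strings, the profile names and the host inventory are all constructed for the example. It also shows the one detail that bites when scoping by version, which is that "iOS 18+" must be a numeric comparison, not a string one (as a string, "9.3" sorts after "18.0").

```python
"""Hypothetical attribute-based labels over Fleet-held host inventory.

Example code added for illustration; it is not part of Fleet and the
platform values, label names and profile names are assumptions.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Host:
    hostname: str
    platform: str    # assumed values: "darwin", "ios", "ipados"
    os_version: str  # as displayed in inventory, e.g. "iOS 17.5.1"
    team: str


def parse_version(os_version: str) -> tuple[int, ...]:
    """'iOS 17.5.1' -> (17, 5, 1). Trailing non-numeric pieces are dropped."""
    tokens = os_version.split()
    token = tokens[-1] if tokens else ""
    parts: list[int] = []
    for piece in token.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts) if parts else (0,)


def version_at_least(os_version: str, minimum: str) -> bool:
    # Tuple comparison is numeric per component, so (9, 3) < (18,) as intended.
    return parse_version(os_version) >= parse_version(minimum)


MOBILE = {"ios", "ipados"}

# Labels computed from host attributes Fleet already knows, not from osquery SQL.
LABELS: dict[str, Callable[[Host], bool]] = {
    "mobile": lambda h: h.platform in MOBILE,
    "macos": lambda h: h.platform == "darwin",
    "ios-18-plus": lambda h: h.platform in MOBILE
    and version_at_least(h.os_version, "18"),
}


def labels_for(host: Host) -> set[str]:
    """Every label whose predicate holds for this host."""
    return {name for name, pred in LABELS.items() if pred(host)}


# Profiles scoped by team plus a set of required labels (all must match).
# An empty label set means "every host on the team", which is the cross-platform case.
PROFILES: dict[str, dict] = {
    "wifi.mobileconfig": {"team": "Workstations", "labels": set()},
    "ios18-lockdown.mobileconfig": {"team": "Workstations", "labels": {"ios-18-plus"}},
    "filevault.mobileconfig": {"team": "Workstations", "labels": {"macos"}},
}


def hosts_in_scope(profile: str, hosts: list[Host]) -> list[str]:
    """Hostnames that receive `profile`: same team and carrying all required labels."""
    spec = PROFILES[profile]
    return sorted(
        h.hostname
        for h in hosts
        if h.team == spec["team"] and spec["labels"] <= labels_for(h)
    )


# Constructed sample inventory: macOS and iOS/iPadOS hosts sharing one team.
INVENTORY = [
    Host("mac-01", "darwin", "macOS 14.6", "Workstations"),
    Host("iphone-01", "ios", "iOS 17.5.1", "Workstations"),
    Host("iphone-02", "ios", "iOS 18.0.1", "Workstations"),
    Host("ipad-01", "ipados", "iPadOS 18.1", "Workstations"),
    Host("iphone-03", "ios", "iOS 18.1", "Contractors"),
]

if __name__ == "__main__":
    for name in PROFILES:
        print(f"{name}: {hosts_in_scope(name, INVENTORY)}")
```

With this shape, a single team can hold both platforms: `wifi.mobileconfig` lands on every Workstations host, `filevault.mobileconfig` only on the Mac, and `ios18-lockdown.mobileconfig` only on the iPhone and iPad already on iOS 18, while `iphone-01` on 17.5.1 and the Contractors-team iPhone are excluded.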