Uninstall App Store apps

fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)

https://fleetdm.com

Other

2.93k stars 409 forks source link

Uninstall App Store apps #20729

Open PezHub opened 1 month ago

PezHub commented 1 month ago

Problem

As an admin, I want the ability to reclaim licenses for VPP Apps deployed to hosts from Fleet.

Example: Assign a VPP app to a Team and deploy it to a host -

If the admin deletes the VPP app from Fleet UI or from a Team, I want the license to be reclaimed
If the host moves to a different Team, after having the VPP app installed, I want Fleet to uninstall the application and reclaim the license.
If the user uninstalls the VPP Application from the host, the app should still remain licensed to the host (via serial#) and the user or admin should still have the option to reinstall. In other words, the license does not get reclaimed in this scenario

Potential solutions

this would bring us parity with Kandji MDM https://support.kandji.io/support/solutions/articles/72000560478-configure-apps-and-books

marko-lisica commented 1 month ago

@noahtalerman I think this is part of the #20320. If users uninstall the VPP app, they would expect to get the license back.

noahtalerman commented 1 month ago

If the host moves to a different Team, after having the VPP app installed, I want Fleet to uninstall the application and reclaim the license.

@marko-lisica how do we handle install statuses and other software features when a host moves teams?

For example, if a host has software installed, does it still have the "Installed" status when it moves teams? Do we want it to? Or, do we want the software to be uninstalled as @PezHub is describing.

PezHub commented 1 month ago

related #20730

noahtalerman commented 1 month ago

@marko-lisica do you know how we get the license back? Does it just happen when we run the MDM command to uninstall the App Store app?

marko-lisica commented 1 month ago

@noahtalerman We must use Apple's API -> Disassociate asset in order to get licence back.

PezHub commented 1 month ago

good discussion here regarding licenses

IMO this makes the most sense and would match what other MDMs do: if the end user deletes an app from their device, that license remains assigned to that device. The end user can always re-install that app so long as the license assignment remains at the device level. If an admin deletes the VPP license assignment to that serial number, the app is removed from the end user device.

I updated the ticket summary

noahtalerman commented 1 week ago

Pulling this off of the drafting board. It was accidentally left on the drafting board when we decided to push this feature.