fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Uninstall App Store apps #20729

Open PezHub opened 3 months ago

PezHub commented 3 months ago

Problem

As an admin, I want the ability to reclaim licenses for VPP Apps deployed to hosts from Fleet.

Example: Assign a VPP app to a Team and deploy it to a host -

Potential solutions

This would bring us parity with Kandji MDM: https://support.kandji.io/support/solutions/articles/72000560478-configure-apps-and-books

marko-lisica commented 3 months ago

@noahtalerman I think this is part of the #20320. If users uninstall the VPP app, they would expect to get the license back.

noahtalerman commented 3 months ago

If the host moves to a different Team, after having the VPP app installed, I want Fleet to uninstall the application and reclaim the license.

@marko-lisica how do we handle install statuses and other software features when a host moves teams?

For example, if a host has software installed, does it still have the "Installed" status when it moves teams? Do we want it to? Or, do we want the software to be uninstalled as @PezHub is describing.

PezHub commented 3 months ago

related #20730

noahtalerman commented 3 months ago

@marko-lisica do you know how we get the license back? Does it just happen when we run the MDM command to uninstall the App Store app?

marko-lisica commented 3 months ago

@noahtalerman We must use Apple's API -> Disassociate asset in order to get licence back.

PezHub commented 3 months ago

good discussion here regarding licenses

IMO this makes the most sense and would match what other MDMs do: if the end user deletes an app from their device, that license remains assigned to that device. The end user can always re-install that app so long as the license assignment remains at the device level. If an admin deletes the VPP license assignment to that serial number, the app is removed from the end user device.

I updated the ticket summary

noahtalerman commented 2 months ago

Pulling this off of the drafting board. It was accidentally left on the drafting board when we decided to push this feature.

JoStableford commented 2 weeks ago

Linked to Unthread ticket:

Assistance needed with uninstalling an app and freeing up a VPP license #3400

RachelElysia commented 2 weeks ago

Both myself and a customer were confused why there was no uninstall button, hence the closed ticket #23264

Fleet's VPP app guide is not very explicit that users cannot uninstall a VPP app using Fleet.

cc: @georgekarrv thanks for responding on this

RachelElysia commented 2 weeks ago

Short term solution: Update guide to explicitly state the above.

@zayhanlon also +1 this

noahtalerman commented 2 weeks ago

> users cannot uninstall a VPP app using Fleet.

Hey @marko-lisica IIRC there's a workaround for this using an Apple API?

@RachelElysia great call on updating the guide now. If there's a workaround, maybe it makes sense to add that to the guide?

Pulled this one onto feature fest to be weighed during the next feature fest.

marko-lisica commented 2 weeks ago

Hey @noahtalerman, there is a workaround to use Apple API directly. Disassociate Assets API more specifically.

This is a curl example that can be used:

```
curl -X POST https://vpp.itunes.apple.com/mdm/v2/assets/disassociate \
  -H "Authorization: Bearer {vpp_token}" \
  -H "Content-Type: application/json" \
  -d '{
    "assets": [
        {
            "adamId": "1091189122",
            "pricingParam": "STDQ"
        }
    ],
    "serialNumbers": [
        "R641592WRN"
    ]
}'
```

You should download the VPP token from ABM (Account name in bottom left corner > Preferences > Payments and Billing > Download Content Token for your location). The downloaded token is a base64 string that should be used to replace {vpp_token}.

adamId is the App Store app ID that can be retrieved from the app URL (e.g. 1487937127 from https://apps.apple.com/ba/app/craft-write-docs-ai-editing/id1487937127).

And inside serialNumbers, define the host serial numbers that you want to remove a license from.
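
A wrapper for the workaround in the comment above, as an added example that is not part of the thread or Fleet's code: it derives adamId from the App Store URL, validates the serial numbers before building the JSON body, and hands the content token to curl as a config on stdin so the token stays out of the process list and shell history. The function names and the token-file argument are assumptions made for this example.

```shell
# Added example, not from the thread. Function names and the token-file
# argument are assumptions; endpoint, adamId and pricingParam follow the comment.

# Pull the numeric App Store ID (adamId) out of an apps.apple.com URL.
adam_id_from_url() {
  id=$(printf '%s\n' "$1" |
    sed -n 's#^https://apps\.apple\.com/.*/id\([0-9][0-9]*\).*$#\1#p')
  [ -n "$id" ] || return 1
  printf '%s\n' "$id"
}

# Build the JSON body. Only digits (adamId) and plain alphanumerics (serials)
# are accepted, so no value can break out of the JSON string it is placed in.
build_payload() {
  adam_id=$1; shift
  case $adam_id in ''|*[!0-9]*) return 1 ;; esac
  [ "$#" -gt 0 ] || return 1
  serials=
  for s in "$@"; do
    case $s in ''|*[!A-Za-z0-9]*) return 1 ;; esac
    serials="${serials:+$serials,}\"$s\""
  done
  printf '{"assets":[{"adamId":"%s","pricingParam":"STDQ"}],"serialNumbers":[%s]}\n' \
    "$adam_id" "$serials"
}

# Usage: disassociate TOKEN_FILE APP_URL SERIAL [SERIAL...]
# The token is read from a file and piped to curl as a config on stdin
# (printf is a shell builtin), so it never appears in any process's argv.
disassociate() {
  token_file=$1; app_url=$2; shift 2
  adam_id=$(adam_id_from_url "$app_url") || { echo "bad app URL" >&2; return 1; }
  body=$(build_payload "$adam_id" "$@") || { echo "bad serial number" >&2; return 1; }
  token=$(tr -d '\r\n' < "$token_file") || return 1
  printf 'header = "Authorization: Bearer %s"\n' "$token" |
    curl --fail --silent --show-error --config - \
      -X POST https://vpp.itunes.apple.com/mdm/v2/assets/disassociate \
      -H 'Content-Type: application/json' -d "$body"
}
```

Keep the downloaded token file readable only by the admin account (for example `chmod 600`), since anyone holding it can manage licenses for that location.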

noahtalerman commented 2 weeks ago

@pintomi1989 heads up, in the interim, before we work on this improvement, preston could help their client using the workaround above.