Closed ddribeiro closed 1 week ago
Customer: Apple's documentation on MDM enrollment profile: https://developer.apple.com/documentation/devicemanagement/mdm
We might want to include a `CheckInURL` to make this work. Currently we are only including a `ServerURL` in our enrollment profile. The documentation says only `ServerURL` is a required field and is used if `CheckInURL` is not specified.
Hey @lukeheath, @zayhanlon, @ddribeiro and I just met w/ customer-deebradel.
We learned that this problem is a blocker for them rolling out their white label solution built on Fleet in early Sept.
I added the P2 label. I think we'll have to make space for this one in the current sprint (we can't wait). Next steps are design + estimation. Getting this ready for estimation will be the top priority for the MDM team.
Luke, any concerns? Happy to jump on a call if it's helpful.
👍 On expedited drafting.
@ddribeiro @noahtalerman Question for later: How could we have caught this sooner to avoid expedited drafting?
I'm concerned about capacity for the MDM team, so this may make more sense to send over to Endpoint Ops. Their P2s look a little lighter. Up to @georgekarrv
FYI This will be the last story I approve to come into the current sprint as any additional disruptions risk the entire sprint.
Hey @ddribeiro heads up, I updated this issue to user story format and moved your great issue description below here for safekeeping:
As an IT admin, I'd like to deploy Fleet to macOS hosts by having end users download and install a manual enrollment profile. Once the device is enrolled in MDM, the customer can build an automation to install fleetd as a bootstrap package to complete the enrollment in 1 step to the end user.
The issue is, this method of enrollment always assigns the host to "No team" in Fleet. This means a customer will have to manually assign devices to teams after they are enrolled. This can cause confusion and lead to a disorganized Fleet instance if many devices enroll at once.
Fleet deploys a configuration profile named `Fleetd configuration` that contains a payload that includes the `EnrollmentSecret` based on the Team the host is assigned to.
I tried to create a custom MDM enrollment profile that contains this team specific payload, hoping it would assign my host to the correct team upon enrollment. Unfortunately, this does not work as it seems the profile is pushed based on Team assignment on the server. Fleet does not read the contents of the payload to determine Team membership.
Fleet's current manual enrollment profile contains a `ServerURL` key directing the host to the MDM server:

```xml
<key>ServerURL</key>
<string>https://dogfood.fleetdm.com/mdm/apple/mdm</string>
```
A potential solution might be to build a team specific enrollment profile that has the current `ServerURL` with query parameters with Team specific information like:

```xml
<key>ServerURL</key>
<string>https://dogfood.fleetdm.com/mdm/apple/mdm?team_id=1</string>
```
Fleet might be able to assign the device to the proper team based on the query string in the URL. I believe other MDMs might do something similar but I'm not sure how this is achieved in practice.
How this affects the enrollment flows supported in Fleet:
Assuming we go w/ the `ServerURL` approach, I updated the issue description with my understanding of the above.
Automatic (DEP):
- (???) Use enroll secret in “fleetd configuration” profile
Hey @roperzh when you get the chance, I'm still struggling to understand the "fleet configuration" profile in the automatic enrollment flow. Recorded a Loom here.
Can you please take a look? Thanks!
@georgekarrv, @roperzh, and @ddribeiro I updated the issue description w/ the plan we discussed.
Please let me know if I'm missing anything.
Still TODO:
`ServerURL` approach? Can MDM take this on? Do we need help from Endpoint ops? cc @lukeheath
pasting from Slack:
I was thinking about OTA https://developer.apple.com/library/archive/documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/OTASecurity/OTASecurity.html#//[…]SW1 The diagram looks scary but we're doing 90% of it (just as part of normal enrollment). The new steps would be 4 and 5 under "Phase 1", where we could associate the host to the right team. This is what I have seen other MDM solutions do
Update on this story.
I'm getting the feeling that we want to draft/design "Enroll BYOD iOS/iPadOS hosts" (#19448) before we start writing code for this story.
I'm confident we're headed in the right direction (solution in the issue description) but it's worth taking the extra time to connect the pieces.
The plan is to have designs for #19448 ready by Weds design review so we can estimate that day (2024-08-14).
@roperzh I added you to that call to bounce some technical questions.
Heads up @zayhanlon that this might affect our ability to ship this [customer-deebradel](https://github.com/fleetdm/fleet/labels/customer-deebradel) blocker as part of the current release (2024-08-26) unless we pause other work. Will give you a more detailed update when we estimate on Weds.
cc @georgekarrv
@marko-lisica for design review today:
Hey team! Please add your planning poker estimate with Zenhub @dantecatalfamo @gillespi314 @jahzielv @mna @roperzh
This is how this flow looks e2e:
https://github.com/user-attachments/assets/130f95da-f55a-4465-b3ba-55d87f3658d3
Regarding the extra prompts due to the profile being unverified, per @marko-lisica on Slack:
QA Notes: confirmed admins can enroll BYOD hosts to specific teams by leveraging enrollment urls generated from the UI from the desired team page.
Steps:
macOS - I confirmed the copy change when turning on MDM. The additional steps (5 & 6) to enter your password have been added.
- [ ] Reference documentation changes: Update reference docs or create a new page on if/how Fleet uses all the keys in the enrollment profile and what the best practice is for modifying the keys.
- UPDATE: Instead, let's move the new API endpoint to the REST API docs b/c it's intended for use in automations (we don't want to break it)
TODO @noahtalerman
UPDATE: PR is here: https://github.com/fleetdm/fleet/pull/22457
Enrollment profile, Guides devices to their team, Smooth as river stream.
Context
Public Google doc on how we arrived at solution is here.
Changes
Product
How this affects the enrollment flows supported in Fleet:
- `enroll_secret` query param in URL (enrollment profile) determines the team. If `enroll_secret` isn't specified, the host enrolls to "No team."
- `--enroll-secret` flag used to package (`fleetctl package` command) fleetd agent determines the team.

Engineering
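Added example (not Fleet's code, not from anyone in this thread) of the team-by-query-param plan described above: one function builds a manual enrollment profile whose `ServerURL` carries `enroll_secret`, and one server-side function resolves the team from the URL a device later calls, falling back to "No team" when the param is absent. The base URL, secrets, team names, and payload identifiers are constructed; an unknown secret is rejected rather than silently assigned, which is an assumption of this example.

```python
"""Constructed example: team-specific enrollment profile plus server-side
team resolution from the ServerURL query string. Not Fleet's code."""
import hmac
import plistlib
from urllib.parse import parse_qs, urlencode, urlsplit

MDM_BASE = "https://mdm.example.com/mdm/apple/mdm"  # assumed server URL
NO_TEAM = "No team"

# Constructed enroll secrets -> team names (in a real server these live in the DB)
TEAM_SECRETS = {
    "workstations-secret-1": "Workstations",
    "servers-secret-2": "Servers",
}


def build_enrollment_profile(enroll_secret: str = "") -> bytes:
    """Return a minimal MDM enrollment profile (plist). If a secret is given it
    is appended to ServerURL as the enroll_secret query param. Other required
    MDM payload keys (for example the APNs Topic) are omitted for brevity."""
    url = MDM_BASE
    if enroll_secret:
        url += "?" + urlencode({"enroll_secret": enroll_secret})
    mdm_payload = {
        "PayloadType": "com.apple.mdm",
        "PayloadIdentifier": "com.example.mdm",  # constructed identifier
        "PayloadUUID": "5E3E8E1A-0000-4000-8000-000000000001",  # constructed
        "PayloadVersion": 1,
        "ServerURL": url,  # CheckInURL omitted: ServerURL is used in its absence
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.mdm.enrollment",  # constructed
        "PayloadUUID": "5E3E8E1A-0000-4000-8000-000000000002",  # constructed
        "PayloadVersion": 1,
        "PayloadContent": [mdm_payload],
    }
    return plistlib.dumps(profile)


def team_for_request(request_url: str) -> str:
    """Server side: map the enroll_secret query param of the URL the device
    called to a team. No param -> "No team"; unknown secret -> ValueError."""
    secret = parse_qs(urlsplit(request_url).query).get("enroll_secret", [""])[0]
    if not secret:
        return NO_TEAM
    for known, team in TEAM_SECRETS.items():
        if hmac.compare_digest(known, secret):  # constant-time comparison
            return team
    raise ValueError("unknown enroll_secret; rejecting enrollment")
```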