fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Allow macOS declarative configuration (DDM) to be delivered on a per-host basis to enable use during scheduled maintenance #21100

Open lukeheath opened 3 months ago

lukeheath commented 3 months ago

Problem

We are unable to consistently trigger macOS updates across a group of hosts during scheduled maintenance.

What have you tried?

Sending an MDM command to schedule an OS update to the host at the time of scheduled maintenance with InstallASAP set. It works on a subset of hosts, but it is not consistently respected across all macOS versions and configurations currently enrolled in dogfood.

Apple is in the process of moving away from MDM commands in favor of declarative configuration (DDM).

Potential solutions

Instead of using an MDM command, we could deliver a new declarative configuration with the TargetLocalDateTime property set to one minute in the future.

What is the expected workflow as a result of your proposal?

At the time of scheduled maintenance, we send the following declarative configuration to the host:

{
    "Type": "com.apple.configuration.softwareupdate.enforcement.specific",
    "Identifier": "com.fleetdm.config.swu",
    "Payload": {
        "TargetOSVersion": "14.6",
        "TargetBuildVersion": "",
        "TargetLocalDateTime": "2024-08-12T16:50:00",
        "DetailsURL": "https://fleetdm.com/handbook/business-operations/security#enabling-automatic-updates"
    }
}

This would trigger the more consistent DDM OS update flow at the time of scheduled maintenance on a per-host basis, which should unlock our OS update scheduled maintenance workflow.

More info

lukeheath commented 3 months ago

fyi @mikermcneil @spokanemac @noahtalerman

noahtalerman commented 3 months ago

Heads up @lukeheath, just calling your attention to this, I think we chatted about a similar approach in a separate issue here: https://github.com/fleetdm/fleet/issues/19140#issuecomment-2122686299

spokanemac commented 3 months ago

@lukeheath A few clarifications on this:

  1. The DDM config would need to be sent when the maintenance window is set, and anytime it is rescheduled.
  2. The DDM config must be on the device at least 2 hours before the scheduled time to allow for advanced download.
  3. Once within 1 hour of the scheduled time, DDM config changes will not be recognized (the train has left the station).
  4. A "no notifications" flag can be set that disables advanced notifications. Setting this means users will only see two notifications in the notification center: One 1 hour before the deadline and one at the deadline.

lukeheath commented 3 months ago

@spokanemac Thanks for the clarifications, I've added them to the issue description. It sounds like the biggest change in our workflow is that it would put some restrictions on rescheduling the event:

  1. You cannot move to a time within 2 hours.
  2. You cannot move it at all within 1 hour.

Is that correct?

spokanemac commented 3 months ago

  • You cannot move to a time within 2 hours.

Cannot add a new profile to a time within 2 hours (to allow time for pre-staging the install, etc.)

  • You cannot move it at all within 1 hour.

Correct.
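The two timing rules confirmed above (at least 2 hours of lead time for a new target, and no changes recognized once within 1 hour of the current target) are easy to get wrong when a maintenance window is rescheduled. The following is an added example, not Fleet's code, that builds the enforcement declaration from the issue description and gates (re)scheduling on those rules; the function names and the in-memory "current target" are assumptions for illustration.

```python
import json
from datetime import datetime, timedelta

# Lead times as stated in this thread: the declaration must reach the device
# at least 2 hours before the target, and within 1 hour of the target the OS
# no longer recognizes changes to it.
MIN_LEAD = timedelta(hours=2)
FREEZE_WINDOW = timedelta(hours=1)

DECLARATION_TYPE = "com.apple.configuration.softwareupdate.enforcement.specific"


def build_enforcement_declaration(identifier, target_os_version, target_local, details_url):
    """Build the softwareupdate enforcement declaration shown in the issue.

    target_local is a naive datetime: TargetLocalDateTime is the host's local
    time with no zone designator, so we must not append one.
    """
    if target_local.tzinfo is not None:
        raise ValueError("TargetLocalDateTime is local wall-clock time; pass a naive datetime")
    return {
        "Type": DECLARATION_TYPE,
        "Identifier": identifier,
        "Payload": {
            "TargetOSVersion": target_os_version,
            "TargetBuildVersion": "",
            "TargetLocalDateTime": target_local.strftime("%Y-%m-%dT%H:%M:%S"),
            "DetailsURL": details_url,
        },
    }


def schedule_check(now, current_target, new_target):
    """Decide whether a declaration for new_target may be sent right now.

    current_target is the target already on the device (None if no
    declaration has been delivered yet). Returns (ok, reason).
    """
    # Rule 2: once inside the freeze window, the existing schedule is fixed.
    if current_target is not None and now >= current_target - FREEZE_WINDOW:
        return False, "existing target is within 1 hour; changes are not recognized"
    # Rule 1: the new target needs the full lead time for pre-staging the download.
    if new_target - now < MIN_LEAD:
        return False, "new target must be at least 2 hours out to allow pre-staging"
    return True, "ok"


def declaration_json(declaration):
    """Serialize for delivery; sorted keys make diffs between deliveries stable."""
    return json.dumps(declaration, indent=2, sort_keys=True)
```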

spokanemac commented 2 months ago

https://github.com/fleetdm/fleet/issues/20500

spokanemac commented 1 month ago

Sonoma 14.7 and Sequoia 15 are out. When 15.1 is released, we'll want to enforce it for those upgraded to 15. We can only enforce 14.7 with the current configuration and hope those on 15 run updates. fleetdm/confidential#8050

noahtalerman commented 2 weeks ago

Hey @lukeheath I pulled this request off of feature fest b/c it doesn't meet the criteria for prioritization: https://github.com/fleetdm/fleet/pull/23184/files#diff-c99d12c3af50c0c2aca2b9ef7597c02ccfe87678291956ff0b2e83d63978ea38R370