Setup Experience: Custom Commands for macOS

BillysCoolJob commented 2 weeks ago

@allenhouchins: Force standard account on first Mac boot. This would only work if the Mac is in ABM b/c it needs to be able to receive MDM commands. Engineers can be admins but Finance team is restricted to standard b/c they don't need it and they might screw things up. Easy compliance checkbox. You have to explain "why" if you let folks be admin.
@noahtalerman: Some organizations want to create a shared admin account on their Macs (that enroll via DEP). This way, they can log in to the Mac when it's sent back to their organization to wipe it and prepare it for the next user. IT admins can do this w/ an MDM command during new Mac boot. There might be other MDM commands I want to run to configure the device during boot.

Problem

When a macOS device is engaging in the enrollment process, I want to be able to send commands from Fleet rather than only through an external API service (eg. Tines, external API gateway) Specific commands that I am referencing: https://developer.apple.com/documentation/devicemanagement/commands_and_queries Such commands are useful in the device setup experience.

The specific commands I am looking to implement are these: https://developer.apple.com/documentation/devicemanagement/accountconfigurationcommand/command

What have you tried?

I have spoken with the support team and they recommended signing up to an automation platform in order to facilitate this. I was able to do this with Tines and get it working. Additionally I have been looking at spinning up our own AWS lambda to respond to the API calls. That being said, it is a lot of additional overhead/vendor integration for such a small feature that I need. Obviously using an external API source is useful for alerts and other API related queries but for sending commands to devices, I would like to keep that inside of Fleet.

Potential solutions

Fleet ideally would have a section or additional options under the setup experience menu to add custom command plist xml files to run during enrollment.

What is the expected workflow as a result of your proposal?

Click Controls > Setup Experience > Setup assistant > Show advanced options > Release device manually

From here there could be menu that appears or ungreyed out to add in custom plist xml files to run during the setup.

UI Mockup: mockupcustomcommands

noahtalerman commented 3 days ago

@BillysCoolJob is this admin account used in troubleshooting workflows? (e.g. help desk can use that admin account to install apps on users behalf)

If not, what is this admin account used for?

BillysCoolJob commented 3 days ago

Hey @noahtalerman so really this is not actually for setting up an admin account but to specify that when the initial user is set up, the users account should not be an administrator account with the SetPrimarySetupAccountAsRegularUser field. An admin account does need to be configured if using the SetPrimarySetupAccountAsRegularUser variable but the main purpose is so that users are not admins by default. We would then use local admin accounts for help desk troubleshooting if the need did arise, but that is a secondary objective.

allenhouchins commented 3 days ago

@BillysCoolJob - Makes sense. Thank you!

fleetdm / fleet