fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Enable policy automations in the UI for teams with only inherited policies #22355

Open pintomi1989 opened 3 weeks ago

pintomi1989 commented 3 weeks ago

noahtalerman commented 5 days ago

Problem

Policy failures can be used to trigger software installs for a team.

In order to do this, you must navigate to the "Policies" tab, and then use the dropdown to select what team you would like to manage the automations for.

Once you have selected a team, you then click the "Manage Automations" dropdown, and select "Install Software" to begin the setup process for this automation.

If a team has only inherited policies, the "Manage Automations" dropdown does not appear.

Because of this, you cannot configure software installs on policy failure for teams that only have inherited policies.

Potential solutions

If the "Manage Automations" dropdown was enabled for teams that only have inherited policies, then this would be resolved.

What is the expected workflow as a result of your proposal?

Navigate to the "Policies" tab, and then use the dropdown to select what team you would like to manage the automations for.

Once you have selected a team that only has inherited policies, you then click the "Manage Automations" dropdown, and select "Install Software" to begin the setup process for this automation.

martinpannier commented 4 days ago

Aren't you also planning to allow uploading software for "All Teams"? That would be a different (and better) solution, allowing me to deploy software on a global policy.

allenhouchins commented 4 days ago

> Aren't you also planning to allow uploading software for "All Teams"? That would be a different (and better) solution, allowing me to deploy software on a global policy.

@martinpannier That would address a different challenge. Being able to distribute software to “All Teams” helps with initial software deployment. What this issue would address is automated software deployment on policy failure (patch management), automated script execution on policy failure (coming in 4.58.0), and webhooks and ticket creation for policy failures for any policies assigned at the “All Teams” level.

martinpannier commented 4 days ago

You are correct! I'd forgotten the other policy automations. In general, being able to automate policy remediation with app install from "All Teams" is also hugely valuable, not just for initial software deployment, but for patch management across teams.

harrisonravazzolo commented 4 days ago

prospect-ramzel would like to be able to apply a global baseline with software install (and script exe in 4.58) to all their devices from the All Teams page. A use case - I want a baseline of software - Chrome, Slack, CrowdStrike and Okta Verify to be on every device, regardless of team. I want automation to run for any failures. The current workaround here is to copy/paste and create a policy and automation Team by Team, of which I have many.