fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Use BYOD endpoint for macOS devices that require scripts to be enabled, and Fleet desktop to be disabled #22358

Open pintomi1989 opened 2 weeks ago

pintomi1989 commented 2 weeks ago

@allenhouchins: Don't care about self-service but this isn't common. Some MDM solutions allow for this scoping but the "why" is unclear for enterprises.


https://us-65885.app.gong.io/call?id=6714360752656628702&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A2049%2C%22to%22%3A2074%7D%5D

Problem

The BYOD endpoint for iOS and iPadOS currently works for macOS enrollment as well

It does not currently give options for enabling scripts or disabling Fleet desktop

If scripts need to be enabled, or Fleet desktop needs to be disabled, that is not currently possible

What have you tried?

N/A

Potential solutions

Allow some customization of the agent install when using the BYOD for iOS and iPadOS endpoint, so that users can select whether or not to enable scripts, and whether or not to enable Fleet desktop

What is the expected workflow as a result of your proposal?

Use the BYOD endpoint to enroll macOS devices that will automatically have scripts enabled, and Fleet desktop disabled

ddribeiro commented 2 weeks ago

Some added context here: The issue is that the fleetd-base.pkg that we're hosting at https://download.fleetdm.com/archive/stable/2024-09-24_03-05-24/fleetd-base.pkg is built with the following.

    <dict>
        <key>ORBIT_USE_SYSTEM_CONFIGURATION</key>
        <string>true</string>
        <key>ORBIT_ORBIT_CHANNEL</key>
        <string>stable</string>
        <key>ORBIT_OSQUERYD_CHANNEL</key>
        <string>stable</string>
        <key>ORBIT_UPDATE_URL</key>
        <string>https://tuf.fleetctl.com</string>
        <key>ORBIT_FLEET_DESKTOP</key>
        <string>true</string>
        <key>ORBIT_DESKTOP_CHANNEL</key>
        <string>stable</string>
        <key>ORBIT_UPDATE_INTERVAL</key>
        <string>15m0s</string>
    </dict>

This same package gets deployed to all Fleet customers who enroll their Macs by installing an MDM enrollment profile before installing fleetd.

For customer-deebradel's configuration, they need a package that has `<key>ORBIT_ENABLE_SCRIPTS</key><string>true</string>` and `<key>ORBIT_FLEET_DESKTOP</key><string>false</string>`.

We currently don't offer a way to customize the package that gets deployed. I think offering customization for the environment variables used by fleetd is the ideal way to solve this.
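As an added example (not code from the Fleet project or from anyone in this thread), the following Python script does the check a practitioner would want before rolling a fleetd package out to BYOD Macs: parse the `ORBIT_*` environment variables out of the package's launchd plist, compare them with the two settings this issue asks for (`ORBIT_ENABLE_SCRIPTS=true`, `ORBIT_FLEET_DESKTOP=false`), and emit a corrected plist. The sample plist is constructed here from the dict quoted in the comment above; wrapping that dict in an `EnvironmentVariables` key under `com.fleetdm.orbit` is an assumption about how fleetd's LaunchDaemon plist is laid out, so point `orbit_env` at the real file from an unpacked package to verify.

```python
import plistlib

# Constructed sample: the ORBIT_* dict quoted above, wrapped in a minimal
# launchd-style plist. The "EnvironmentVariables" wrapper and the Label are
# assumptions for this example, not taken from the hosted fleetd-base.pkg.
HOSTED_PKG_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.fleetdm.orbit</string>
    <key>EnvironmentVariables</key>
    <dict>
        <key>ORBIT_USE_SYSTEM_CONFIGURATION</key>
        <string>true</string>
        <key>ORBIT_ORBIT_CHANNEL</key>
        <string>stable</string>
        <key>ORBIT_OSQUERYD_CHANNEL</key>
        <string>stable</string>
        <key>ORBIT_UPDATE_URL</key>
        <string>https://tuf.fleetctl.com</string>
        <key>ORBIT_FLEET_DESKTOP</key>
        <string>true</string>
        <key>ORBIT_DESKTOP_CHANNEL</key>
        <string>stable</string>
        <key>ORBIT_UPDATE_INTERVAL</key>
        <string>15m0s</string>
    </dict>
</dict>
</plist>
"""

# The two settings requested in this issue: scripts on, Fleet Desktop off.
REQUIRED = {
    "ORBIT_ENABLE_SCRIPTS": "true",
    "ORBIT_FLEET_DESKTOP": "false",
}


def orbit_env(plist_bytes: bytes) -> dict:
    """Return only the ORBIT_* variables from a launchd plist.

    Accepts either a full LaunchDaemon plist (variables under
    EnvironmentVariables) or a bare dict like the one pasted in the thread.
    """
    root = plistlib.loads(plist_bytes)
    env = root.get("EnvironmentVariables", root)
    return {k: v for k, v in env.items() if k.startswith("ORBIT_")}


def check_env(env: dict, required: dict = REQUIRED) -> dict:
    """Map each required key that is absent or wrong to (found, wanted).

    A key that is not set at all is reported as None rather than assumed to
    equal any default, because an absent key means fleetd decides on its own.
    """
    mismatches = {}
    for key, wanted in required.items():
        found = env.get(key)
        if found != wanted:
            mismatches[key] = (found, wanted)
    return mismatches


def with_required(plist_bytes: bytes, required: dict = REQUIRED) -> bytes:
    """Return a copy of the plist with the required ORBIT_* values applied."""
    root = plistlib.loads(plist_bytes)
    env = root.setdefault("EnvironmentVariables", {})
    env.update(required)
    return plistlib.dumps(root)


if __name__ == "__main__":
    for key, (found, wanted) in check_env(orbit_env(HOSTED_PKG_PLIST)).items():
        print(f"{key}: found={found!r} wanted={wanted!r}")
    fixed = with_required(HOSTED_PKG_PLIST)
    print("after fix:", check_env(orbit_env(fixed)) or "all required settings present")
```

Running it against the constructed sample reports `ORBIT_ENABLE_SCRIPTS` as missing and `ORBIT_FLEET_DESKTOP` as `true` where `false` is wanted, which is exactly the gap described in the comment above. Note that rewriting the plist on an already-enrolled host is a local patch only; the hosted package that the BYOD enrollment flow hands to new devices would still carry the original values, which is why the request here is for server-side customization of the package.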

JoStableford commented 2 weeks ago

Linked to Unthread ticket:

Enable Script Feature by Default and Disable Fleet Desktop #3003

noahtalerman commented 5 days ago

Hey @zayhanlon, @pintomi1989, and @marko-lisica, I peeled this user story off of this customer request and brought the user story into the design sprint.

Marko I assigned you because I think it makes sense for the MDM team to take this request.