Automatically install VPP apps by label on iOS/iPadOS hosts

[ddribeiro]

customer-preston: Gong snippet: https://us-65885.app.gong.io/call?id=4603070994563133162&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A159%2C%22to%22%3A362%7D%5D

• @noahtalerman: User requested this because they want to deploy an app from Apple's App Store across many hosts that are already enrolled to Fleet.
• @noahtalerman: White-label MSP requested this because their retail client want to deploy an app from the App Store to all of their kiosk iPads. They also want the end users of these iPads to only be able to use that app on the iPads. We think it could be because their retail client wants their customers to be able to see a map of the store w/o being able to close the map or navigate to other apps on the iPad.
  • @noahtalerman: In the interim the white-label MSP can use Fleet's activity webhook to know when a iPad enrolls and hit the install App Store app API to install the app on the client's iPads. They can also add a configuration profile (see Apple docs here) to set the iPads to single app mode.
  • @noahtalerman: Eventually the MSP might be able to hit the Fleet API to send the App Store app to many iPads.
• @noahtalerman: User requested this because they want to install Slack on all their company-owned (aka corporate) iPhones and BYOD iPhones and iPads.
  • @noahtalerman: In the interim TODO

  • @noahtalerman: Eventually TODO

[noahtalerman]

Problem

As an MSP building on the Fleet API, I want to assign labels to VPP apps that are in my Fleet software library and have those apps automatically install on iOS/iPadOS devices with that label.

Currently, iOS/iPadOS VPP apps can be assigned to a device, but the trigger to install it is done manually.

What have you tried?

The customer thought about using policy automations to trigger the install of a VPP app on iOS/iPadOS devices, but policies are not currently supported on those platforms.

Potential solutions

Fleet could add label support to VPP apps to target specific hosts with that label. Similar to how this works with Custom settings today, the admin would set inclusions/exclusions by label for each app.

Since VPP apps don't install automatically like custom settings do today, there would probably need to be an Install automatically attribute for each VPP app. The admin could set this attribute when adding the VPP app to their Fleet server, either through the UI or the Add App Store App API endpoint.

This would allow Fleet to automatically install VPP apps on iOS/iPadOS hosts where policy automations are not currently possible.

What is the expected workflow as a result of your proposal?

The MSP's product already assigns manual labels to hosts in Fleet based on what configuration the host should get ( (only custom settings for now). The product would assign these same labels to VPP apps via the Fleet API. When a host and app share the same label, the app would be automatically installed on the host.

[noahtalerman]

@pintomi1989 I don't think this Gong recording is enough. We want to understand what the use case is from preston's perspective.

Can you please ask preston to show us wireframes of what they're trying to build in their MDM product?

[noahtalerman]

Can you please ask preston to show us wireframes of what they're trying to build in their MDM product?

Hey @pintomi1989 just giving you another ping! as a reminder. I don't think we can move this one forward to feature fest until we see what they're trying to build.

[noahtalerman]

Moving this one to feature fest. See our current understanding of the use cases in the issue description.