search

fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com
Other
3.1k stars 427 forks source link

Edit configuration profiles #23402

Open jb2barrels opened 6 days ago

jb2barrels commented 6 days ago

Problem

Uploading a new .mobileconfig into Controls > OS settings > Custom settings > + Add profile will error with the following: "Couldn't upload. A configuration profile with this identifier (PayloadIdentifier) already exists."

This is an expected error as a policy (profile?) does exist with that identifier. Although to replace the existing configuration requires deleting the mobileconfig then re-adding it. This causes a gap in which the policy is no longer applied while a new policy is applied.

Instead there should be an option to replace the mobileconfig over the top of an existing PayloadIdentifier. This is to ensure there is no gap on the end device from the policy being removed.

Potential solutions

An example of this feature already exists by using fleetctl. This will replace the mobileconfig on the end device, without having to uninstall the existing profile.

What is the expected workflow as a result of your proposal?

Two potential works flows I potentially see:

  1. Prompt with an error saying PayloadIdentifier already exists. Yes/No confirmation dialog asking if you want to replace existing configuration with the same identifier.
  2. A separate button next to '+ Add Profile' labeled '+ Replace profile' . If an identifier does not already exist with that PayloadIdentifier, it should instead error saying no existing profile found to replace.
noahtalerman commented 6 days ago

@jb2barrels thanks for tracking this.

This sounds like a quick UX win. Bring this to Fleet's next feature fest: https://fleetdm.com/handbook/company/product-groups#feature-fest

jb2barrels commented 6 days ago

@noahtalerman

I see on the duplicate request #19215 you closed it. Although shortly after closing, fleet-release commented on that same closed issue:

Config edit now seamless, No delay in security, Fleet's strength in the clouds.

Does that mean this has now been implemented for an upcoming release?

bfreezy commented 5 days ago

FWIW this functionality, updating profiles in place, sort of exists in the /api/v1/fleet/mdm/profiles/batch endpoint. Caveat with that endpoint is you need to send every profile you currently have configured in Fleet.

Would be nice if there was a PATCH method on the /api/v1/fleet/configuration_profiles to update individual profiles as needed.

getvictor commented 4 days ago

@noahtalerman You mentioned this is a quick UX win. We will also need a new endpoint. Probably ~3 points of backend work. (It doesn't make sense for the frontend to use the batch endpoint since a team may have a lot of profiles.)