Add ability to turn on MDM for a host (manual enrollment)

[noahtalerman]

Goal

As a device user, I want to be able to turn on MDM for my device so that I can let my organization keep my device up to date.

As a Fleet admin, maintainer, and observer, I want to be able to know when a host turns on MDM.

Note: Apple requires that the device user turns on MDM. The Fleet admin/maintainer can't do this remotely

Related

• Parent epic: #7726

• 8175

• 8609

UI

• https://github.com/fleetdm/fleet/issues/8986
• https://github.com/fleetdm/fleet/issues/8987
• https://github.com/fleetdm/fleet/issues/8998

Backend

• https://github.com/fleetdm/fleet/issues/8997

Figma

https://www.figma.com/file/hdALBDsrti77QuDNSzLdkx/%F0%9F%9A%A7-Fleet-EE-(dev-ready%2C-scratchpad)?node-id=9814%3A315910

Requirements

• End user installs MDM profile via My Device page
• Event is tracked in audit feed
• The certificate in the keychain should specify that it comes from Fleet. Related issue: #8175

[noahtalerman]

Canvas with user flow (internal): https://docs.google.com/drawings/d/1qWaioOPKA2JusIAwqHO1MnIzwe49WjvYxlV9jpDhfRE/edit

[noahtalerman]

@lucasmrod is it possible to include the MDM enrollment profile (.mobileconfig) in the fleet-osquery.pkg?

I'm trying to understand if this is possible: Fleet administrator distributes a .pkg that both installs Orbit/Fleet Desktop and the MDM enrollment profile. During fleet-osquery.pkg installation steps, the end user is led through the steps to enable the MDM enrollment profile.

[lucasmrod]

Good question.

Enrolling to an MDM server as part of the installation adds complexity to the installer process. What if there was a temporary network error during enrollment? Should the installer fail/revert? And the user can try again later? I'll take a look at what's possible.

PS: One other alternative is to add a "enroll to MDM" option to the Fleet Desktop menu?

[noahtalerman]

The notes and TODOs below were recorded discussed between Noah and Mo on 2022-10-05

Two potential paths…

• Create package with enrollment profile
  • Default enrollment profile is used. User cannot update this in the UI
  • Mo: Still need to handhold user through profile installation. This could be on My device page.
  • TODO Noah
  • Mo: Fleet Desktop is required for MDM. If you don’t have Fleet Desktop, you need to distribute a package with it to use MDM.
  • TODO Noah
• Add “MDM features enabled” policy. Shows user how to find the enrollment URL in Fleet Desktop.
  • Mo: We might need a “Turn on MDM setting”
  • Mo: Is there a use case for a team that has an end state of some MDM and some not? Do we need to handle this? Maybe you have some workstations that will never have MDM.
  • TODO Noah

TODO Noah: Check with Guillaume about templates for profiles (which should we start with?) Default enrollment profile is used. User cannot update this in the UI TODO Mo: Try putting in a fake cert to DEP in SHK account. What happens? TODO Mo: Try putting in a fleet cert into SHK APNS account. What happens? Still works?

[lucasmrod]

Looping @michalnicp

[noahtalerman]

DECISION: For now, there will be no way for the user to only turn on MDM for a specific team. May come back to this before launch.

• Potential value: Fleet Premium is the way to only prompt some users for MDM enrollment (via teams).

DECISION: Fleet Desktop checkbox removed for macOS. Why? Fleet Desktop is required for manual enrollment to MDM.

DECISION: Assume that every Mac will show the “Give permission” UI (Host details and My device pages) if Apple Developer is connected (APNs is set up).

DECISION: User downloads the enrollment profile (.mobileconfig) on the My device page.

• As opposed to…Fleet Desktop reaches out to Fleet to download the profile.

This was discussed during product design review on 2022-10-07 (noahtalerman).

[lucasmrod]

Hi folks!, some questions:

DECISION: For now, there will be no way for the user to only turn on MDM for a specific team. May come back to this before launch.

I don't follow. Do you mean that when MDM is ON, then it's ON for all teams?

DECISION: Assume that every Mac will show the “Give permission” UI (Host details and My device pages) if Apple Developer is connected (APNs is set up).

Can you elaborate? I don't follow.

DECISION: User downloads the enrollment profile (.mobileconfig) on the My device page. As opposed to…Fleet Desktop reaches out to Fleet to download the profile.

@GuillaumeRoss do you have any security concerns around the MDM enroll profile being linked "within Fleet"? (Fleet Desktop tray -> My device -> on browser's My device page you can download the enroll profile). Am guessing this is a-ok assuming enroll profile is signed?

[noahtalerman]

@zwass can you please break out child issues for this epic?

[ghernandez345]

@noahtalerman @mike-j-thomas UI question here. This seems to be a new UI that we don't have that is similar to a couple of message components we have already. would it be possible to alter the design to use one of the components we already have?

for this new component...

could this change to use something like this...

or this?

also @mike-j-thomas may be worth getting these two components into the styleguide.

[ghernandez345]

@noahtalerman @mike-j-thomas is this loading spinner state on the download button essential? I ask as this adds time to figure out and implement detecting the download status and changing the UI based on that. I don't think excluding this would degrade the UI for the user as they would still see the browser's native UI downloading the file.

native browser UI for downloads on chrome

[ghernandez345]

@noahtalerman sorry I'm still not clear on the MDM manual enrollment flow. It isn't clear to me if these changes are meant to be part of this issue.

[zhumo]

Hey @ghernandez345 some (partial) responses to your questions:

1. I'm gonna leave the component decision to Noah. Just want to share my opinion that it should capture attention and not be dismissable. Not against using a component or making a new component, but we should make sure we're solving the user need, which is getting people to install MDM.
2. We do this elsewhere right? The spinner doesn't need to match the download progress, just to be clear. But I think if push comes to shove, we need some kind of responsiveness between the button and the native Chrome download UX. As in, I don't push the button multiple times because the state doesn't change.
3. I think the purpose behind this is that we are using Fleet Desktop to communicate to users that they need to install MDM. Thus, the designs are removing the Fleet Desktop option and making it default. Without that, users will not get those instructions. Noah can confirm though. I do want to think through whether this exactly is the best solution to that problem though. Open to thoughts here.

[noahtalerman]

Thanks Mo!

This seems to be a new UI that we don't have

@ghernandez345 I was imagining that we'd use this component (appears on the Host details page > Software tab if the user has at least one vulnerable software item):

Would this work?

is this loading spinner state on the download button essential?

I think yes. We need some loading state in the UI to indicate that Fleet is actively requesting the enrollment profile. Once, the download begins in the browser, the loading state is removed. This way, the user doesn't click the button multiple times.

I think we use this loading state and logic when requesting an installer in Fleet Sandbox. Here's a screenshot of the expected behavior for Fleet Sandbox:

this adds time to figure out and implement detecting the download status and changing the UI based on that

@ghernandez345 how much time will this add?

It isn't clear to me if these changes are meant to be part of this issue.

@zhumo is right. We'd like to make the installers include Fleet Desktop by default because we are using Fleet Desktop to communicate to end users that they need to turn on MDM.

@ghernandez345 I think up to you if the chances to the Add hosts modal are part of this issue or moved into a separate issue. If you move these into a separate issue, can you please add a link to the new issue in this issue? (#7957)

[mna]

@lukeheath Now that I estimated #8997 I think all tickets have been estimated for this epic, if you want to move it to "Estimated" (I'll let you do it in case there's something I've missed in the process).

[zhumo]

confirm and celebrate: @noahtalerman we need docs to tell the IT admin where to point end users and also what to expect end users to experience as part of enrolling.

[fleet-release]

Device now secure Fleet keeps us up to date
Peaceful clouds drift by

[noahtalerman]

@noahtalerman we need docs to tell the IT admin where to point end users and also what to expect end users to experience as part of enrolling.

These docs address this: https://fleetdm.com/docs/using-fleet/mobile-device-management#instructions-for-end-users

[fleet-release]

Device control made clear,
Organizations' peace of mind,
Fleet helps us stay secure.