List hosts that are pending automatic enrollment

[noahtalerman]

Goal

As a user, in the Fleet UI, I want to be able to see macOS hosts that are waiting to be automatically enrolled a macOS host to Fleet so that I can change this host's team before the device user unboxes the host.

Child Issues

• 8876

• 8879

• 8878

• 9219

Requirements

• On Hosts page, see hosts MDM status and filter by that status
• Fleet admin sees the pending hosts, able to transfer to desired team. Premium only feature
• Pending hosts are treated as offline, macOS hosts in the Fleet UI and API. This means that these hosts appear in aggregate counts that include offline, macOS hosts.

Figma

https://www.figma.com/file/hdALBDsrti77QuDNSzLdkx/%F0%9F%9A%A7-Fleet-EE-(dev-ready%2C-scratchpad)?node-id=9868%3A316280

[noahtalerman]

Decision: Use a default automatic (DEP) enrollment profile.

[noahtalerman]

Decisions:

• Punt on adding Shipped date for hosts awaiting enrollment. Why? This adds UX complexity to the Hosts table because only hosts awaiting enrollment have a ship date. Shipped date adds a relatively low amount of value because the user can head to Apple Business Manager to see this information.
• Make Serial number column turned on by default for all users: TODO @noahtalerman: File an issue. Why? This way, new Fleet users know serial number information is available and can be used to identify which host, awaiting enrollment, is which.

This was discussed during product design review on 2022-10-06 (noahtalerman).

[noahtalerman]

TODO @noahtalerman: What does the Host details page look like for hosts that are awaiting enrollment? Do we block a user from getting to this page?

[noahtalerman]

@zhumo I assigned you this issue. The wireframes have been reviewed and approved.

[noahtalerman]

@zwass can you please break out child issues for this epic?

[noahtalerman]

@zwass I'm unassigning you. I want to take this issue back to design/drafting.

Michal helped Mo and I understand the backend and UX complexities of including "pending" hosts (waiting to be unboxed) in the same list as hosts that are already enrolled to Fleet.

The Fleet backend would have to handle ingesting data from osquery for most hosts (already enrolled) and data from Apple Business Manager for some hosts (pending). Then, the backend would have to expose this information in the same GET /hosts API route.

The Fleet UI would have to handle not including some hosts (pending) when running live queries or reporting on software and policies.

[noahtalerman]

@zwass @michalnicp @zhumo I prefer to include the "pending" hosts (DEP and waiting to be unboxed) in the same list as hosts that are already enrolled to Fleet.

You can see what this would look like in the Fleet UI here in Figma: https://www.figma.com/file/hdALBDsrti77QuDNSzLdkx/%F0%9F%9A%A7-Fleet-EE-(dev-ready%2C-scratchpad)?node-id=9868%3A316280

Reasoning:

• We'd like the user to be able to use transfer pending hosts to a team the same way they transfer all other hosts. Either via the Hosts table in the UI or the POST /hosts/transfer API route.
• We'd like these pending hosts to appear as offline. I think this means the Fleet product is already equipped to handle the logic for not running live queries or reporting software and policies for these hosts.
• Response to the concern for the complexity around ingesting host data from Apple Business Manager. I understand this concern. I foresee that Fleet will have to handle ingesting host data from other third parties in the future. For example, in the future Fleet may display AWS hosts that don't yet have Fleet Desktop (osquery) installed.

What do you think?

[zhumo]

@noahtalerman

Which door is faster for us to walk through? Which door is more costly for us to walk through now vs. later? Which door can't we walk back out of once we've walked through? I think that's my key factors: optionality and speed.

Re: some of the bullets...

We'd like the user to be able to use transfer pending hosts to a team the same way they transfer all other hosts.

This can still happen but in a separate table right? I suppose this means we would need a separate API route and that's the problem?

How will I tell what are the ones that need my attention? Is there a new column? Seems like pending hosts being offline is quite hidden and would not fulfill the use case.

concern for the complexity around ingesting host data from Apple Business Manager.

I agree here. We will be doing more of this in the future. The question is what do we do now and what do we do later so that we cover the use cases while minimizing eng work? It could very well be that doing more of the work upfront will be better on both counts. I think understanding more of that background above will help us make a call.

[noahtalerman]

UPDATE: We decided to use the existing API routes and table (option 4 below). See the reasoning below (noahtalerman 2022-11-07)

The question is what do we do now and what do we do later so that we cover the use cases while minimizing eng work?

Makes sense!

Ok, I'm thinking about these 4 doors (options):

1. 2 new API routes (GET /dep_hosts, and POST /dep_hosts/transfer) and 1 new table (DEP hosts)
2. 2 new API routes and existing table (Hosts)
3. Existing API routes (GET /hosts and POST /hosts/transfer) and 1 new table
4. Existing API routes and existing table

My understanding is that option (1) is not fast. This is because we will have to build new API routes and a new table. Option (1) is not flexible. It would be very difficult to later present all hosts in one table.

Option (2) is not fast. This is because I think it would take a large amount of effort to modify the Hosts table to handle data from 2 API routes. Option (2) is not anymore flexible than option (1).

Option (3) is not fast. This is because we would have to build a new table and exclude pending hosts from the existing table. This option is flexible because it would take relatively little effort to later display all hosts in the existing table.

Option (4) is fast. We would use the existing table. From conversations with Luke Michal, we learned that it will not take significantly more effort to ingest data when compared to option (1) and (2). This option is flexible. It would take a small amount of effort to later create separate tables if we want to.

[noahtalerman]

Luke: Will the API and UI still work when we have these Apple Business Manager hosts (don't have most pieces of information) ?

Luke: If required properties in the API can now be empty, this would be a breaking change.

[noahtalerman]

UPDATE: I carved out the "event is tracked" requirement into a separate issue here: #8609

This way, the engineering team is not blocked while we answer the question below.

(noahtalerman 2022-11-07)

@zhumo the "Automatic enrollment" row in the xDM roadmap specifies "Event is tracked in audit feed":

Should this event be when the host is unboxed (automatically enrolled to Fleet)? Or, when the host shows up as "pending" in Fleet (not yet enrolled but appears in ABM)?

If we choose one of the above to start, I think tracking when the host is unboxed is more valuable. This tells the Fleet admin when they're able to run queries, update settings, and install apps on the host.

Currently, this issue only tracks this event^

That said, tracking when the host shows up as "pending" is also valuable. As an IT admin, I know that I can now change this host's team.

[noahtalerman]

@zwass I assigned you this issue. Can you please file child issues? Thanks :)

[zhumo]

@noahtalerman I agree with your assessment. Original intent of that was when the host is on MDM. That's because:

1. The audit feed is intended for audit, which the key thing to track is when a host enters and exits management.
2. The thing about when it appears in the list is more of a nice-to-have and can probably done in some other way. I don't anticipate requiring the user to repeatedly check the audit feed.

[lukeheath]

@noahtalerman From estimation:

Rachel: On the host list of pending hosts, should there be a tooltip explaining why the user can't click on host details?

[noahtalerman]

Rachel: On the host list of pending hosts, should there be a tooltip explaining why the user can't click on host details?

Yes! @RachelElysia great idea. I added a tooltip to the Figma page (screenshot below).

@chris-mcgillicuddy, Rachel, and Luke, what do you think about the copy? Is it clear? Can it be more concise?

cc @lukeheath

[chris-mcgillicuddy]

The tooltip copy looks good to me, @noahtalerman ! I'm having trouble shortening it without losing helpful context.

[lukeheath]

@gillespi314 Heads up: I've updated this epic to include a "Child issues" section with links to all issues required to complete this epic. Since you've been the lead on this feature, please review the list and let me know if you spot anything we're missing to meet the requirements of the epic or implement the UI as shown in Figma. Thank you!

[zhumo]

confirm and celebrate: @noahtalerman need some docs around telling IT admins what the "pending" means, what happens, where to look, default team.

[fleet-release]

Clouds of ease, Hosts seen and managed quickly, Admin's work made light.

[noahtalerman]

confirm and celebrate: @noahtalerman need some docs around telling IT admins what the "pending" means, what happens, where to look, default team.

The above is addressed by these docs: https://fleetdm.com/docs/using-fleet/mobile-device-management#apple-business-manager-abm

[fleet-release]

Autoenroll's benefit seen, Ease of admin in Fleet, A smoother onboarding.