Profiles: Manage profiles

[noahtalerman]

User story

As an IT admin, I want to be able to add/remove configuration profiles to my macOS hosts so that I can enforce settings for my end users.

Requirements

• In UI and CLI, add/delete a profile. Automatically applied to all hosts (Fleet Free) or hosts on no team (Fleet Premium)
• In UI and CLI, add/delete a profile for a team (Fleet Premium)
• In CLI, edit a profile. Edit a profile for a team.
• In UI, download a profile so that I can see it and/or add it back later.
• Only global admins, global maintainers, team admins, and team maintainers can see and modify profiles.
• Managing profiles doesn't require deploying additional infrastructure (ex. file storage solution). Fleet can store the contents of the file instead.
• Transfer host between teams automatically kicks off updating profiles for this host.
• In docs, recommend iMazing to create profiles.
• Update the permissions documentation
• Document how to migrate profiles from old MDM solution. A v1 of these docs can be found in this comment: https://github.com/fleetdm/fleet/issues/8360#issuecomment-1424290304

Design

UI

https://www.figma.com/file/hdALBDsrti77QuDNSzLdkx/%F0%9F%9A%A7-Fleet-EE-(dev-ready%2C-scratchpad)?node-id=10517%3A316027

CLI

Update config YAML file

Example config YAML file:

apiVersion: v1
kind: config
spec:
  macos_settings:
    custom_settings:
      - /path/to/configuration_profile_B.mobileconfig
      - /path/to/configuration_profile_C.mobileconfig
    ...

• Add a custom_settings key under the macos_settings top level key in the config YAML file.
• custom_settings accepts an array of paths to profiles (.mobileconfig file). Path is relative to directory that the YAML file is in.
• For Fleet Free, this updates profiles on all hosts. For Fleet Premium users this updates profiles on all hosts with no team.
• If the user applies a profile with the same identifier (PayloadIdentifier) as a profile that already exists, the profile is edited.
  • Identifier is unique at the team (or no team) level. If a profile with the same identifier is applied at the team level, this profile is edited. If a profile with the identifier doesn't exist at the team level, a new profile is created.

Empty

• If the user applies a config file with an empty custom_settings the profiles are deleted from all hosts (for Premium: hosts on no team). Matches the behavior of agent_options.

Errors

• Error if the file does not exist. Error message matches the current behavior of fleetctl apply: Error: open does/not/exist: no such file or directory
• Error if Fleet is not connected to Apple (MDM is not turned on in Fleet)
• Error if the user tries to add more than 1 profile with the same name (PayloadDisplayName). Display this error message: Couldn’t edit custom_settings. More than one configuration profile have the same name (PayloadDisplayName).
  • Name is unique at the team (or no team) level.
• Error if the user tries to add more than 1 profile with the same identifier (PayloadIdentifier). Display this error message: Couldn’t edit custom_settings. More than one configuration profile have the same name (PayloadIdentifier).
• Error if the user tries to add a profile with FileVault related payloads. Display this error message: Couldn’t edit custom_settings. The configuration profiles can’t include FileVault settings. To control these settings, use the macos_settings.disk_encryption option.

User added profiles in UI

• If user added profiles in the UI, the custom_settings array doesn't include these configuration profiles when the user gets the config YAML.
• When applying the config file, the configuration files specified in custom_settings overrides the configuration files added in the UI. For example, if the user added configuration profile A in the UI and they apply configuration profile B and C using config YAML. Fleet deletes A and adds B and C.

Update config YAML file

Example team YAML file:

apiVersion: v1
kind: team
spec:
  team:
    name: Worksations
    macos_settings:
      custom_settings:
        - /path/to/configuration_profile_B.mobileconfig
        - /path/to/configuration_profile_C.mobileconfig
    ...

• Add a custom_settings key under the macos_settings top level key in the team YAML file.
• custom_settings accepts an array of paths to profiles (.mobileconfig file). Path is relative to directory that the YAML file is in.
• This updates profiles for all hosts assigned to the team.
• Use the same "Empty" behavior from the config file above (above).
• Use the same "Errors" behavior from the config YAML file (above).
• Use the same "User added profiles in the UI" behavior from the config YAML file (above).

API

TODO

Docs

Add a new macOS updates section to the Controls doc page

URL for section: fleetdm.com/docs/using-fleet/controls#macos-settings

Copy:

How to create a custom configuration profile:

1. Download and install [iMazing Profile Creator](iMazing Profile Creator). Fleet recommends using iMazing Profile Creator to create configuration profiles.
2. Open iMazing Profile Creator and select macOS in the top bar. This filters the list of settings to macOS only.
3. In your menu bar select File > Save As... and save your configuration profile. Make sure you save it as .mobileconfig.
4. Upload the configuration profile in Fleet.

Update the permissions documentation

[fleet-release]

Clouds billow, Benefits for admins flow, Manage profiles with ease.