Accept new terms for Apple Business Manager

[noahtalerman]

Problem

Users need to know when to accept new terms and conditions for Apple Business Manager. Users won't be able to automatically enroll new macOS hosts until they accept the terms

Business Case

Fleet should guide the user on how to be successful with automatic enrollment.

Related

Parent epic:

• 7676

Requirements

1. Fleet Premium only because Apple Business Manager features in Fleet are Fleet Premium only
2. Fleet UI and fleetctl should tell the user when it's time to accept new terms
3. Fleet UI and fleetctl should tell the user where to go to accept new terms
4. Fleet UI and fleetctl should tell the user that Apple Business Manager administrators are able to accept new terms.
5. The message (UI banner or fleetctl warning) takes precedence over the license key and sandbox expiration. This means that if the Apple Business Manager message is displayed, no other messages are displayed.

UI

• 8861

API / CLI

• 8862

[noahtalerman]

Should we always display this banner and make it not dismissible?

For folks with Fleet connected to Apple Business Manager, not being able to enroll devices seems like an issue that warrants a loud, non dismissible banner.

I think this would also allow use to reuse the Fleet Sandbox expiration UI:

cc @zhumo @michalnicp

[noahtalerman]

More information and screenshots are in this Slack thread (internal): https://fleetdm.slack.com/archives/C03PK8PJDDE/p1667327996779609

[zhumo]

@noahtalerman Yes I think always keep it around until we find out that it is resolved.

[zwass]

Do we know if Apple exposes this information via API? It looks like the message that Jamf provides is just based on the general context that Apple issued a new set of terms, not a specific indicator that the current org has not yet accepted them.

Unfortunately, I suspect this will be tricky to answer as we won't be able to see what API responses for the "not yet accepted" state might look like until Apple pushes a new update, and even then we will have a limited window to do any testing with Apple's APIs because we will want to quickly accept the new terms to restore our own access. Maybe we should try to open a fresh apple developer account for doing this kind of testing?

My suspicion would be that the Apple APIs don't expose this and instead will just look normal without showing any new devices. Complete speculation here though.

In that case, would we want the Fleet server to phone home for information about when terms may have changed?

[roperzh]

Seems like we could get that information, according to the MDM protocol reference under "Authentication Error Codes" (emphasis mine):

An authentication error commonly results in either a 400, 401, or 403 error code. [...] An HTTP 403 Forbidden error indicates one of the following:

• The MDM server does not have access to perform the specific request or the MDM serverʼs consumer key or token does not have authorization to perform the specific request. In this case, the request body contains ACCESS_DENIED.
• The organization has not accepted latest Terms and Conditions of the program. In this case, the request body contains T_C_NOT_SIGNED

And, under "Deployment Scenarios"

It is best practice to provide a helpful error message when receiving error 403, T_C_NOT_SIGNED, such as “Terms and Conditions must be accepted. Please log into the Device Enrollment Program to accept the new Terms and Conditions on behalf of your organization.”

It's unclear to me from the docs if you get a 403 on any endpoint or only in authorization-related endpoints.

[fleet-release]

A gentle path to bliss Fleet guides users onward Accept new terms, please

[fleet-release]

Achieve success, Fleet guides the way Grow with ease, now.