Add new configuration option to set default team for Apple Business Manager

[lukeheath]

Goal

As a Fleet admin, I want to be able to connect Fleet to my Apple Business Manager account so that I can automatically enroll new, macOS hosts to Fleet. This way, I can order a new MacBook that automatically appears in Fleet when it's unboxed.

Related

• Parent epic: #7515

• 8725

Requirements

• Fleet Premium only.
• Fleet admin can configure the team that ABM hosts are added to when they automatically enroll.

Tasks

1

• [x] Add new configuration option mdm.apple_bm_default_team.
  • Can be set via config yaml fleetctl apply, or (eventually) via the UI.
  • The PATCH /config endpoint is the corresponding API endpoint that will apply this new config.
  • The new configuration option must also be returned by GET /config if set (which it should do automatically)

Example

apiVersion: v1
kind: config
spec:
  mdm:
    apple_bm_default_team: Workstations

2

• [x] Validate new configuration option.
  • Verify that the team exists. Reject if the team does not with an error message. Note: it is case-insensitive.
  • Can only be set if license is premium (similar to the transparency_url config option)
  • Only global admin can set it (this is already the authorization required for updating the AppConfig)

3

• [x] Update Fleet docs to include the new apple_bm_default_team configuration option.
  • In https://fleetdm.com/docs/using-fleet/configuration-files#organization-settings
  • In https://fleetdm.com/docs/using-fleet/rest-api#modify-configuration for the new parameter accepted in this API endpoint

4

• [x] Update fleetctl get mdm-apple-bm to return the configured default team (https://github.com/fleetdm/fleet/issues/8726)
  • only the API implementation should have to be updated. It couldn't return it when it was implemented as the default team config option did not exist yet.

[mna]

@noahtalerman the old spec mentioned:

Add new configuration option apple_bm_default_team. Can be set via config yaml fleetctl apply, command line flag, or environment variable.

Note that this is not a server config, but an app one, so it cannot be set by command-line flag nor environment variable. Presumably there will also be a frontend ticket to add a UI option to set it? Otherwise it would be just via fleetctl apply and a yaml file.

[mna]

@noahtalerman about this validation:

Verify that the team exists. Reject if the team does not with an error message.

It's fine to validate this when the default team is set, but nothing prevents the team from being deleted afterwards. It doesn't impact this ticket, but worth mentioning, as the ticket that will use this config option will also have to validate that the team still exists.

[mna]

Estimate: 2

[noahtalerman]

Note that this is not a server config, but an app one, so it cannot be set by command-line flag nor environment variable.

Right. I think "Can be set via config yaml fleetctl apply, command line flag, or environment variable" was a typo in the old spec.

Presumably there will also be a frontend ticket to add a UI option to set it?

@mna that's right. The UI is illustrated here in Figma. Screenshot is below:

[noahtalerman]

It's fine to validate this when the default team is set, but nothing prevents the team from being deleted afterwards. It doesn't impact this ticket, but worth mentioning, as the ticket that will use this config option will also have to validate that the team still exists.

@mna I think this makes sense.

Verify that the team exists. Reject if the team does not with an error message.

What I meant by this^ is whenever the user runs fleetctl apply, Fleet should validate that the team specified in mdm.apple_bm_default_team exists. If it doesn't exist, the user sees an error.

[mna]

What I meant by this^ is whenever the user runs fleetctl apply, Fleet should validate that the team specified in mdm.apple_bm_default_team exists. If it doesn't exist, the user sees an error.

@noahtalerman yes, definitely, that's how I understood it too and I included this validation in the spec, just wanted to point out that the team could still be deleted later on so the code that applies that setting (not in the scope of this ticket) should also make that validation.

[noahtalerman]

just wanted to point out that the team could still be deleted later on so the code that applies that setting (not in the scope of this ticket) should also make that validation.

Ah, ok. Makes sense. Thanks.

[fleet-release]

Connect new hosts to Fleet Team enrolls them quickly and neat Safety and security