shell out to `profiles` to fetch DEP profiles when signaled by the server

[roperzh]

Problem

If a device is enrolled via DEP, when the MDM server changes (eg: migrating from another MDM solution into Fleet) the device needs to re-fetch the enrollment profile from Apple's servers.

Generally the flow looks like:

• The IT admin creates a new DEP enrollment profile in Fleet
• The IT admin assigns the hosts to Fleet in the Apple Business Manager UI (https://business.apple.com)
• The host needs to run sudo profiles renew --type enrollment to fetch the new enrollment profile

We're trying to make the last step there to happen automatically without user action, for this Orbit is going to run sudo profiles renew --type enrollment, when the Fleet server asks.

Related

Parent epic

• https://github.com/fleetdm/fleet/issues/8153

API work

• https://github.com/fleetdm/fleet/issues/9277

Requirements

• [x] use the existing /api/fleet/orbit/config to detect that it needs to run the command

  • it needs to run it if the notifications.renew_enrollment_profile field in the response is set to true

• [x] shell out and run sudo profiles renew --type enrollment (sudo might not actually be needed as orbit runs as root)

[lukeheath]

Hey team! Please add your planning poker estimate with Zenhub @gillespi314 @mna @roperzh

[lukeheath]

Please add your planning poker estimate with Zenhub @marcosd4h

[fleet-release]

Peaceful flows, Renewal of profiles done, A seamless process.