Closed lukeheath closed 1 year ago
Hey team! Please add your planning poker estimate with Zenhub @ghernandez345 @jacobshandling @lukeheath
@noahtalerman After the user clicks the "Start" button, we'll show a loading spinner for ~1 second. What do you think we should show after that spinner completes?
@lukeheath @noahtalerman
@jacobshandling Yes, that's the endpoint we'll use. I'll defer to @noahtalerman to clarify the conditions for the banner display.
@jacobshandling the banner on the Host details page (for IT admin) appears if the end user needs to take action: Either log out / restart OR reset their key.
"Log out of your device or restart" banner on My device page appears if the end user needs to log out / restart.
"Reset your key" banner on My device page appears if the end user needs to reset their key.
Does that help?
@noahtalerman thanks – how are those conditions determined? I believe this is the same question @gillespi314 and I posed here: https://github.com/fleetdm/fleet/issues/9437
Can you please clarify the precise conditions under which to render each banner (see questions in the issue description)?
@gillespi314 @roperzh will the conditions be included in the API?
cc @jacobshandling
@jacobshandling I'm not as close to the disk encryption work as others, but here's my understanding:
There are five potential disk encryption states described in the aggregate disk encryption ticket. I assume that these are also the potential values for host.mdm.macos_settings in the API response for the GET /hosts/{id} and GET /device/{token}/desktop endpoints, but the specs aren't clear in the backend ticket. It would be helpful for @noahtalerman and @roperzh to confirm.
- "applied" (should this be "latest"?): hosts_mdm_apple_profiles records for the host uuid show that profile identifier "com.fleetdm.fleet.mdm.filevault" has been successfully installed on the host. host_disk_encryption records for the host id show both (A) base64_encrypted is not empty and (B) decryptable is true.
- "action_required": hosts_mdm_apple_profiles records for the host uuid show that profile identifier "com.fleetdm.fleet.mdm.filevault" has been successfully installed on the host. host_disk_encryption records for the host id show either (A) base64_encrypted is empty or (B) decryptable is false.
- "enforcing" (should this be "pending"?): hosts_mdm_apple_profiles records for the host uuid show that profile identifier "com.fleetdm.fleet.mdm.filevault" is pending install.
- "failed" (should this be "failing"?): hosts_mdm_apple_profiles records for the host uuid show that profile identifier "com.fleetdm.fleet.mdm.filevault" failed to install.
- "removing_enforcement" (is this still the desired string?): hosts_mdm_apple_profiles records for the host uuid show that profile identifier "com.fleetdm.fleet.mdm.filevault" is pending remove.
It isn't clear to me how those states would map to the different banners on the device user page. Both seem like they would fall under "action_required".
My takeaway: We seem to be missing specifications that would allow the UI to differentiate between "Log out" and "Reset key" banners.
From the epic:
Log out if end user had disk encryption turned on for the first time. Reset key if end user already had disk encryption turned on
@noahtalerman @lukeheath, how would you like to modify the API specs? Please take a look at the five states that I outlined above and let us know what changes we should make. I'm guessing we probably want to expand on the "action required" value to signal to the UI what should be displayed.
@roperzh, let's discuss what you think would be a good db query the API handler could use for this.
I think there are two different sets of questions here:
1.
@gillespi314 let's discuss 2 in https://github.com/fleetdm/fleet/issues/9437 and focus on agreeing on the API side here so we can unblock both the back-end ticket and this UI work.
@lukeheath I agree with Sarah. To summarize her message, the mdm.disk_encryption enum you outlined in https://github.com/fleetdm/fleet/issues/9437 can have five values: applied, action_required, enforcing, failed, removing_enforcement.
There are two answers we need from you as the API DRI:
- mdm.disk_encryption or want to add a separate key like mdm.action_required
- mdm.disk_encryption. Do you want the names to match the keys of the profiles summary response? (eg: latest instead of applied)
Thanks for working through this, y'all.
@roperzh Thank you for the excellent summary!
It sounds like we need an mdm.action_required enum.
These keys look good to me: applied, action_required, enforcing, failed, removing_enforcement.
latest makes sense. For disk encryption enforcement, it's not something that can get out of date.
@lukeheath @jacobshandling I have updated https://github.com/fleetdm/fleet/issues/9437 with all the possible values and how to get them (Luke could you please take a final look? 🙏 )
@jacobshandling I have updated this ticket description to answer your questions! lmk if something is still unclear
@lukeheath @roperzh @noahtalerman @gillespi314 looks good, thanks everyone for working this out!
Unrelated to the above, are there plans yet to make the reset key modal functional?
@jacobshandling yes! I'll be working on that soon
Heads-up: I updated the issue description with the latest changes to the desired behavior, and added a new bullet that needs to be completed.
Let me know if you'd want me to create a new issue instead.
Encryption banners rise, In cloud city, keys reset, Secured devices thrive.
Tasks
- (Premium users only) Add new disk encryption notification banners to host details and device user pages as shown in Figma here.
  My device page:
  - mdm.macos_settings.disk_encryption === "action_required" && mdm.macos_settings.action_required === "rotate_key"
  - mdm.macos_settings.disk_encryption === "action_required" && mdm.macos_settings.action_required === "log_out"
  Host Details page:
  - [x] End user action required banner – mdm.macos_settings.disk_encryption === "action_required"
- [x] Add new reset key modal to device user page only as shown in Figma here.
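As an added illustration (not Fleet's own frontend code), the banner conditions in the task list above expressed as two selector functions over the mdm.macos_settings object, with the non-MDM, non-premium and unknown-action cases handled explicitly. The type names, banner identifiers and the isPremium parameter are assumptions for the example.

```typescript
// Added example, not Fleet's code: maps mdm.macos_settings from GET /hosts/{id}
// and GET /device/{token}/desktop to the banners described in this issue.
// Type names, banner identifiers and isPremium are assumptions for illustration.

// The five agreed values of mdm.macos_settings.disk_encryption.
type DiskEncryptionState =
  | "applied" | "action_required" | "enforcing" | "failed" | "removing_enforcement";

interface MacOSSettings {
  disk_encryption: DiskEncryptionState | null;
  // Only meaningful when disk_encryption === "action_required".
  action_required?: "rotate_key" | "log_out" | null;
}

type Banner = "reset_key" | "log_out_or_restart" | "end_user_action_required" | null;

// My device page (end user): the banner depends on which action is required.
function myDeviceBanner(settings: MacOSSettings | null | undefined, isPremium: boolean): Banner {
  // Banners are premium-only; hosts without MDM data have no settings object.
  if (!isPremium || !settings || settings.disk_encryption !== "action_required") return null;
  switch (settings.action_required) {
    case "rotate_key": return "reset_key";
    case "log_out": return "log_out_or_restart";
    default: return null; // unknown or missing action: render nothing rather than guess
  }
}

// Host details page (IT admin): a single banner whenever the end user must act,
// regardless of which action that is.
function hostDetailsBanner(settings: MacOSSettings | null | undefined, isPremium: boolean): Banner {
  if (!isPremium || !settings || settings.disk_encryption !== "action_required") return null;
  return "end_user_action_required";
}

// Constructed sample responses (not real hosts).
const needsKeyReset: MacOSSettings = { disk_encryption: "action_required", action_required: "rotate_key" };
const needsLogout: MacOSSettings = { disk_encryption: "action_required", action_required: "log_out" };
const stillEnforcing: MacOSSettings = { disk_encryption: "enforcing" };
```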