Add disk encryption notification banners to host details and device user pages, and reset key modal to device user page

[lukeheath]

Tasks

Note: all banners should only be shown if config.mdm.enabled_and_configured is true AND the mdm solution of the host is Fleet (mdm.name === "Fleet")

Premium users only Add new disk encryption notification banners to host details and device user pages as shown in Figma here.

My device page:

• [x] "Reset your key" banner – mdm.macos_settings.disk_encryption === "action_required" && mdm.macos_settings.action_required === "rotate_key"
• [x] When the user clicks on the "Reset key" CTA:
  • [x] Send a request to the endpoint specified in https://github.com/fleetdm/fleet/issues/9496 to notify the server that the user has requested the key to be reset.
  • [x] Show the modal specified in Figma

• [x] "Log out of your device or restart" banner – mdm.macos_settings.disk_encryption === "action_required" && mdm.macos_settings.action_required === "log_out"

Host Details page:

• [x] End user action required banner – mdm.macos_settings.disk_encryption === "action_required" -

• [x] Add new reset key modal to device user page only as shown in Figma here.

[RachelElysia]

Hey team! Please add your planning poker estimate with Zenhub @ghernandez345 @jacobshandling @lukeheath

[lukeheath]

@noahtalerman After the user clicks the "Start" button, we'll show a loading spinner for ~1 second. What do you think we should show after that spinner completes?

[jacobshandling]

@lukeheath @noahtalerman

• Is #9437 indeed the (an?) endpoint that will be used for this UI?
• Can you please clarify the precise conditions under which to render each banner (see questions in the issue description)?

[lukeheath]

@jacobshandling Yes, that's the endpoint we'll use. I'll defer to @noahtalerman to clarify the conditions for the banner display.

[noahtalerman]

@jacobshandling the banner on the Host details page (for IT admin) appears if the end user needs to take action: Either log out / restart OR reset their key.

"Log out of your device or restart" banner on My device page appears if the end user needs to log out / restart.

"Reset your key" banner on My device page appears if the end user needs to reset their key.

Does that help?

[jacobshandling]

@noahtalerman thanks – how are those conditions determined? I believe this is the same question @gillespi314 and I posed here: https://github.com/fleetdm/fleet/issues/9437

[noahtalerman]

Can you please clarify the precise conditions under which to render each banner (see questions in the issue description)?

@gillespi314 @roperzh will the conditions be included in the API?

cc @jacobshandling

[gillespi314]

@jacobshandling I'm not as close to the disk encryption work as others, but here's my understanding:

There are five potential disk encryption states described in the aggregate disk encryption ticket. I assume that these are the also the potential values for host.mdm.macos_settings in the API response for GET /hosts/{id} and GET /device/{token}/desktop endpoints but the specs aren't clear in the backend ticket. It would be helpful for @noahtalerman and @roperzh to confirm.

1. "applied" (should this be "latest"?)

   • hosts_mdm_apple_profiles records for the host uuid shows that profile identifier "com.fleetdm.fleet.mdm.filevault" has been successfully installed on the host.
   • host_disk_encryption records for the host id show both (A) base64_encrypted is not empty and (B) decryptable is true.

2. "action_required"

   • hosts_mdm_apple_profiles records for the host uuid shows that profile identifier "com.fleetdm.fleet.mdm.filevault" has been successfully installed on the host.
   • host_disk_encryption records for the host id show either (A) base64_encrypted is empty or (B) decryptable is false.

3. "enforcing" (should this be "pending"?)

   • hosts_mdm_apple_profiles records for the host uuid shows that profile identifier "com.fleetdm.fleet.mdm.filevault" is pending install.

4. "failed" (should this be "failing"?)

   • hosts_mdm_apple_profiles records for the host uuid shows that profile identifier "com.fleetdm.fleet.mdm.filevault" failed to install.

5. "removing_enforcement" (is this still the desired string?)

   • hosts_mdm_apple_profiles records for the host uuid shows that profile identifier "com.fleetdm.fleet.mdm.filevault" pending remove.

It isn't clear to me how those states would map to the different banners on the device user page. Both seem like they would fall under "action_required".

My takeaway: We seem to be missing specifications that would allow the UI to differentiate between "Log out" and "Reset key" banners.

[gillespi314]

From the epic:

Log out if end user had disk encryption turned on for the first time. Reset key if end user already had disk encryption turned on

@noahtalerman @lukeheath, how would you like to modify the API specs? Please take a look at the five states that I outlined above and let us know what changes we should make. I'm guess we probably want to expand on the "action required" value to signal to the UI what should be displayed.

@roperzh, let's discuss what you think would be a good db query the API handler could use for this.

[roperzh]

I think there are two different set of questions here:

1. How will the API signal to the UI what banner needs to be displayed
2. What are the underlying back-end conditions to signal the states needed in 1.

@gillespi314 let's discuss 2 in https://github.com/fleetdm/fleet/issues/9437 and focus on agreeing on the API side here so we can unblock both the back-end ticket and this UI work.

@lukeheath I agree with Sarah, to summarize her message, the mdm.disk_encryption enum you outlined in https://github.com/fleetdm/fleet/issues/9437 can have five values: applied, action_required, enforcing, failed, removing_enforcement.

There are two answers we need from you as the API DRI:

1. We're missing something on the API that signals the UI what action is required from the user ("log out" or "rotate key".) I wonder if you want to add those states as part of the mdm.disk_encryption or want to add a separate key like mdm.action_required
2. We need you to confirm the names of the keys for mdm.disk_encryption. Do you want the names to match the keys of the profiles summary response? (eg: latest instead of applied)

[lukeheath]

Thanks for working through this, y'all.

@roperzh Thank you for the excellent summary!

1. It sounds like we need an mdm.action_required enum.

2. These keys look good to me: applied, action_required, enforcing, failed, removing_enforcement.

   • I do not think we want "latest" for disk encryption because it is a bit different than profiles. Profiles can frequently get out of date as new profiles are added, so latest makes sense. For disk encryption enforcement, it's not something. that can get out of date.

[roperzh]

@lukeheath @jacobshandling I have updated https://github.com/fleetdm/fleet/issues/9437 with all the possible values and how to get them (Luke could you please take a final look? 🙏 )

@jacobshandling I have updated this ticket description to answer your questions! lmk if something is still unclear

[jacobshandling]

@lukeheath @roperzh @noahtalerman @gillespi314 looks good, thanks everyone for working this out!

Unrelated to the above, are there plans yet to make the reset key modal functional?

[roperzh]

@jacobshandling yes! I'll be working on that soon

[roperzh]

Heads-up: I updated the issue description with the latest changes to the desired behavior, and added a new bullet that needs to be completed.

Let me know if you'd want me to create a new issue instead.

[fleet-release]

Encryption banners rise, In cloud city, keys reset, Secured devices thrive.