Automatically enroll new ABM devices in Fleet

[lukeheath]

Story

As an IT admin, I want the new Macs I order through Apple Business Manager to automatically enroll (fleetd installed) to Fleet so I can manage them.

Tasks

• [x] When a device is enrolled via DEP
  • [x] Send a InstallProfile command to install a configuration profile that:
    • [x] Contains a payload with PayloadType set to com.fleetdm.fleetd.config
    • [x] Contains a dict with values:
    • [x] enroll_secret set to the matching enroll secret for config.mdm.apple_bm_default_team
    • [x] fleet_url set to the server url
  • [x] Send a InstallEnterpriseApplication command to install a pre-built signed fleetd that will be hosted in a location to be coordinated with @zwass in #10865
• [x] When orbit starts:
  • [x] If the values for --enroll_secret and --fleet-url are not configured, try to read them from a configuration profile
  • [x] To get the profile config, shell out to /usr/bin/profiles:
    • [x] Run /usr/bin/profiles -L -o stdout-xml, which will give you a list of all configuration profiles installed in XML format
    • [x] Parse the output and loop through the profiles for the profile with PayloadType set to com.fleetdm.fleeetd.config, extract enroll_secret and server_url from there

[zwass]

Do we have a plan already for how this will be done? I have an idea:

Have Orbit read configuration information from macOS profiles on startup. That way we can make a single global fleetd package that can be signed and notarized and deployed to DEP enrolled hosts for all Fleet deployments. Then when a new DEP device enrolls we can first push a profile with the necessary configs (probably enroll_secret, fleet_url, update channels, maybe some others?) and then install the fleetd package with InstallEnterpriseApplication.

Does this make sense? Happy to chat about this more next week.

[roperzh]

@zwass I really like that idea, I have updated the spec with your suggestion, do you mind taking a look to make sure we're on the same page? please feel free to directly edit if you want!

[zwass]

Yes, those specs look right, thank you! I think using the profiles tool is a fine approach for now. Later we can use cgo to hit the native API if we feel it's necessary.

[lukeheath]

Hey team! Please add your planning poker estimate with Zenhub @mna @roperzh

[lukeheath]

Hey team! Please add your planning poker estimate with Zenhub @mna @roperzh

[lukeheath]

@roperzh @zwass - Following up on this item in the specs:

Send a InstallEnterpriseApplication command to install a pre-built signed fleetd that will be hosted in a location to be coordinated with @zwass

@zwass Do you have a ticket tracking this? @spokanemac asked about it.

cc @noahtalerman

[zwass]

Created https://github.com/fleetdm/fleet/issues/10865. I can do it easily if we determine what params we want for the package. Let's take any discussion of that to the other issue.

[roperzh]

hey @noahtalerman , as part of this, we need to send a configuration profile to hosts, does this name looks good? any thoughts?

[noahtalerman]

@roperzh looks good! Minor nit: Can we use "Fleetd configuration" (capital F, lowercase c) instead? I'm trying to make sure we're consistent with sentence casing: https://fleetdm.com/handbook/marketing/content-style-guide#sentence-case

It looks like we need to update the name of the enrollment profile too: "Fleet Device Management Inc enrollment" (lowercase e)

[noahtalerman]

@roperzh are we adding a description for the profile too? I imagine it would be something like "Default configuration for the fleetd agent."

What do you think?

[roperzh]

@noahtalerman that sounds good! I'll update the enrollment profile too. Thank you!

[xpkoala]

It appears that osquery might not be installed correctly. /opt/orbit/secret.txt contains no key on hosts enrolled this way. /opt/orbit/nudge-config.json also doesn't exist, but this might be a side effect of the previous issue.

[fleet-release]

New Macs enroll fast, Nature's breeze guides them to Fleet, Effortless control.

[noahtalerman]

@noahtalerman make sure we tell users that we install fleetd automatically for new Macs.

[noahtalerman]

@noahtalerman we need a section in the macos setup docs that explains that we install fleetd automatically and a profile to configure it.

[noahtalerman]

we need a section in the macos setup docs that explains that we install fleetd automatically and a profile to configure it.

Open PR is here: https://github.com/fleetdm/fleet/pull/11260

[fleet-release]

New Macs from the sky, Enroll with Fleet seamlessly, Nature's touch in tech.