Manage profiles for a host

[lukeheath]

Tasks

• [ ] Implement a service method that sends commands issued by Fleet
  • [ ] Keep a record of the commands issued by fleet in a new table, saving the uuid or id of the related host
  • [ ] Migrate the current RemoveProfile command that's issued when unenrolling through the API endpoint to use this service method
• [ ] When a host is enrolled into MDM, on TokenUpdate
  • [ ] Send an InstallProfile command for each profile that we need to install. kept appropriately for the host
• [ ] When a host switches team or is assigned to "no team"
  • [ ] Enqueue a RemoveProfile command for each profile that's currently installed in the host.
  • [ ] Enqueue a InstallProfile command for each profile that needs to be installed in the hostk
• [ ] When a new profile is uploaded through the CLI or the UI (different endpoints) run an InstallProfile command with the profile.
• [ ] When a profile is removed via the CLI or the UI (different endpoints) run a RemoveProfile command with the profile.
• [ ] Hook on CommandAndReportResults and make sure any records of the command are
• [ ] If the profile installation/Removal fails we won't retry. Surface the error

Details

Pasting details from a conversation in Slack:

For profiles/hosts, the state of a profile is derived from the state of the InstallProfile / RemoveProfile command used to deliver/remove the profile, it can be:

• pending (the command is enqueued but wasn't delivered to the host yet)
• failed (the command failed)
• success (the command was successful)

In terms of requirements we need to:

1. Add a new attribute to fleet.Host that aggregates the state of the profiles (eg: "pending" if there's at least one install/removal pending, "failed" if there's at least one install/removal failed, "success" otherwise)
   1. Add a new filter to /hosts that allows filtering by pending/failed/success.
   2. Add a global aggregate based on this aggregate (eg: 23 hosts pending, 33, failed and 100 succeeded)
2. Add a list of all the profiles assigned to a host + their status

I'm thinking of two options that probably will need refinement as we implement stuff:

1. Since nanomdm keeps track of all the commands sent to a device in a table, and the state of the profile is in reality the state of the command used to deliver/remove it, we could compute all of the requirements if we keep some sort of timestamp entry (maybe in the host_updates table) that tells us what InstallProfile / RemoveProfile commands are relevant. Potentially we could use a VIEW for this.
2. Add a new host_mdm_apple_profiles table with host_id, status that we use to keep track of the profile status for a host.
   1. On InstallProfile, add a new row to the table, update the status when we get the command response
   2. On RemoveProfile , update the status to pending when the command is sent, remove the row if successful or update to failed if it fails

I'm leaning towards 2, I would love your input to define the right path forward

[lukeheath]

Hey team! Please add your planning poker estimate with Zenhub @gillespi314 @mna @roperzh

[noahtalerman]

Hey @roperzh! When you get the chance, can you please file a separate technical subtask for the "profile diff’ing" between the device and the server) ?

If it's helpful, I'm happy to hop on a call to do this together.

[fleet-release]

/dashboard/?status=pending/failed/success)

A cloud city in sight, Profiles managed with ease,
Users save precious time.