fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

One Fleet server for many MDM customers #9956

Open zwass opened 1 year ago

zwass commented 1 year ago

Problem

Some customers would like to be able to manage multiple clients' workstations using one Fleet server:

Scenarios:

  1. Customer is a managed service provider and wants to be able to manage workstations on behalf of multiple separate organizations (that are their customers).
  2. Customer is an organization that has separate business units (possibly through acquisitions) with separate ABM accounts.

Requirements

  1. Each team can be configured with a separate APNS cert/key and DEP token. UPDATE: Might not be necessary. We can use one APNs cert/key pair for many customers (noahtalerman 2024-07-03).
    • Noah: The current plan is to use one APNs cert/key for many customers. Other MDM solutions are already doing this.
    • Noah: For DEP, the customer is setting up Apple Business Manager on behalf of their clients.
  2. New teams can be created and configured via API (this likely means solving the problem of storing secrets -- could be done through AWS Secrets Manager or similar; maybe we would also want an option to store them encrypted in the DB for non-cloud deployments?).
  3. Upon DEP enrollment, hosts automatically join the corresponding team.
  4. End user authentication workflows would have to have unique SAML authentication streams per team.
    • Noah: Not a requirement in the first pass. Something aspirational for later.
  5. Admin SSO would also need to be configured per team.
  6. Noah: The customer today has one VPP connection per client. Consider that one VPP can be used for many teams. If we go w/ the approach of one ABM to one team, then it would be a lot easier to point many teams to the same VPP. Each client has one location.

Potential Solutions

@dherder drew up a diagram describing what this could look like

[Diagram: Screenshot 2023-02-20 at 10 44 30 AM]
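As an added illustration of requirements 1 through 3 above (not code from the Fleet project or from this issue), the sketch below is a hypothetical per-team MDM credential store in Go: each team's DEP/ABM token is encrypted at rest with AES-256-GCM under a server master secret (the "encrypted in the DB for non-cloud deployments" option), the ciphertext is bound to its team ID via GCM's additional authenticated data so a row copied between teams will not decrypt, and a DEP enrollment is routed to the team that owns the ABM account it came from rather than falling into a default team. The struct names, the `ABMOrgID` field, and the in-memory maps are assumptions standing in for a real database and a KMS-held master key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// TeamMDMConfig is a hypothetical per-team record (not Fleet's schema) holding
// the Apple MDM settings the issue wants configured per team.
type TeamMDMConfig struct {
	TeamID     uint
	Name       string
	ABMOrgID   string // constructed: the ABM account this team enrolls through
	DEPTokenCT []byte // DEP/ABM token, only ever stored encrypted
}

// Store is an in-memory stand-in for the database plus a server-side key.
type Store struct {
	aead  cipher.AEAD
	teams map[uint]*TeamMDMConfig
	byABM map[string]uint // ABM org -> team, used to route DEP enrollments
}

// NewStore derives an AES-256-GCM key from the master secret; in a real
// deployment the secret would come from a KMS / Secrets Manager.
func NewStore(masterSecret []byte) (*Store, error) {
	key := sha256.Sum256(masterSecret)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Store{aead: aead, teams: map[uint]*TeamMDMConfig{}, byABM: map[string]uint{}}, nil
}

// teamAAD binds a ciphertext to one team and one column.
func teamAAD(teamID uint) []byte { return []byte(fmt.Sprintf("team:%d:dep_token", teamID)) }

func (s *Store) seal(teamID uint, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// stored layout: nonce || ciphertext+tag
	return append(nonce, s.aead.Seal(nil, nonce, plaintext, teamAAD(teamID))...), nil
}

func (s *Store) open(teamID uint, ct []byte) ([]byte, error) {
	n := s.aead.NonceSize()
	if len(ct) < n {
		return nil, errors.New("ciphertext too short")
	}
	return s.aead.Open(nil, ct[:n], ct[n:], teamAAD(teamID))
}

// CreateTeam is the API-driven provisioning step (requirement 2); the DEP
// token is encrypted before it is written, and one ABM org maps to one team.
func (s *Store) CreateTeam(id uint, name, abmOrgID string, depToken []byte) error {
	if _, dup := s.teams[id]; dup {
		return fmt.Errorf("team %d already exists", id)
	}
	if _, dup := s.byABM[abmOrgID]; dup {
		return fmt.Errorf("ABM org %q already mapped to a team", abmOrgID)
	}
	ct, err := s.seal(id, depToken)
	if err != nil {
		return err
	}
	s.teams[id] = &TeamMDMConfig{TeamID: id, Name: name, ABMOrgID: abmOrgID, DEPTokenCT: ct}
	s.byABM[abmOrgID] = id
	return nil
}

// DEPToken decrypts a team's token only at the moment it is needed (requirement 1).
func (s *Store) DEPToken(teamID uint) ([]byte, error) {
	t, ok := s.teams[teamID]
	if !ok {
		return nil, fmt.Errorf("unknown team %d", teamID)
	}
	return s.open(teamID, t.DEPTokenCT)
}

// TeamForDEPEnrollment sends a host to the team owning the ABM account it
// enrolled through (requirement 3); unknown accounts are rejected.
func (s *Store) TeamForDEPEnrollment(abmOrgID string) (uint, error) {
	id, ok := s.byABM[abmOrgID]
	if !ok {
		return 0, fmt.Errorf("no team for ABM org %q", abmOrgID)
	}
	return id, nil
}

func main() {
	s, _ := NewStore([]byte("constructed-master-secret"))
	_ = s.CreateTeam(1, "Client A", "abm-org-a", []byte("dep-token-a"))
	_ = s.CreateTeam(2, "Client B", "abm-org-b", []byte("dep-token-b"))
	team, _ := s.TeamForDEPEnrollment("abm-org-b")
	tok, _ := s.DEPToken(team)
	fmt.Printf("host from abm-org-b joins team %d, token %s\n", team, tok)
}
```

The AAD binding is the part worth copying whatever the real storage ends up being: with a single master key shared across tenants, it is the only thing that stops a ciphertext (or a backup row) from being replayed under another team's ID.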
marko-lisica commented 7 months ago

@zayhanlon @zwass We didn't get to this one in the current design sprint. Adding it to feature fest.

noahtalerman commented 4 months ago

Hey @dherder, heads up, we didn't have room to take this one in the current design sprint (4.48).

phtardif1 commented 1 month ago

We now also have a European MSP (confidential) that requires the same set of features and is willing to work with us on developing and bringing it to market.

alexmitchelliii commented 3 weeks ago

@noahtalerman prospect ibara would like to participate in design reviews with the team if that works for you.

noahtalerman commented 3 weeks ago

@alexmitchelliii sounds good. I added a reminder to the MDM design review doc to invite them to design review when we have wireframes for this story.

noahtalerman commented 3 weeks ago

Alex: Think about the user journey from the customer's perspective as someone who’s trying to automate provisioning a new customer of theirs.

cc @marko-lisica

marko-lisica commented 4 days ago

Hey @pintomi1989, we didn't design this one in the current sprint. We'll work on it next sprint.